DNS queries to blocked countries?

Chris Buxton cbuxton at menandmice.com
Thu Jun 21 17:21:02 UTC 2007


You could use forward zones for specific domains. For example:

zone "samsung.com." {
	type forward;
	forwarders { ip-addr-1; ip-addr-2; };
	forward only;
};

I don't know of any way to do this based on IP addresses, subnets, or  
initial failures. Therefore, unless you want to turn on forwarding  
globally, I don't see any solution other than the one above.

Chris Buxton
Men & Mice

On Jun 21, 2007, at 9:33 AM, Jeff Lightner wrote:

> The countries themselves are being blocked by network security.   As I
> said that is a political football others are trying to move.
>
> My question is basically trying to see if there is a way I could set up
> something similar to hints used for root servers so that something else
> would do the lookup.   It doesn't seem likely to me but figured I might
> not be the first person to run across this.
>
> -----Original Message-----
> From: Vinny Abello [mailto:vinny at tellurian.com]
> Sent: Thursday, June 21, 2007 12:29 PM
> To: Jeff Lightner
> Cc: bind-users at isc.org
> Subject: Re: DNS queries to blocked countries?
>
> How are you blocking them? Why not just allow DNS query responses from
> anywhere? Would that fix it?
>
> Jeff Lightner wrote:
>> OK I know this sounds like a stupid question but figured I'd ask anyway.
>> We currently have customers who have signed up to get email from us.
>> However, the MX record won't resolve because the primary DNS for the
>> customers is in a country we block inbound/outbound.    Essentially the
>> dig +trace and whois both stop at the point the root servers hand off to
>> servers in those remote countries.
>>
>> An example would be "Samsung.com".   Although the user is actually in
>> the U.S., Samsung is a South Korean company.  Due to this we can't get
>> the MX record which may or may not point to a U.S. server.   I'm
>> wondering if there is any way I can set up things so the resolution for
>> countries we block is reported back by some other server that would be
>> U.S. based that doesn't block these countries?
>>
>> dig +trace -t MX samsung.com
>>
>> ; <<>> DiG 9.2.1 <<>> +trace -t MX samsung.com
>> ;; global options:  printcmd
>> .                       169576  IN      NS      K.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      L.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      M.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      A.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      B.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      C.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      D.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      E.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      F.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      G.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      H.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      I.ROOT-SERVERS.NET.
>> .                       169576  IN      NS      J.ROOT-SERVERS.NET.
>> ;; Received 244 bytes from 127.0.0.1#53(127.0.0.1) in 25 ms
>>
>> com.                    172800  IN      NS      a.gtld-servers.net.
>> com.                    172800  IN      NS      b.gtld-servers.net.
>> com.                    172800  IN      NS      c.gtld-servers.net.
>> com.                    172800  IN      NS      d.gtld-servers.net.
>> com.                    172800  IN      NS      e.gtld-servers.net.
>> com.                    172800  IN      NS      f.gtld-servers.net.
>> com.                    172800  IN      NS      g.gtld-servers.net.
>> com.                    172800  IN      NS      h.gtld-servers.net.
>> com.                    172800  IN      NS      i.gtld-servers.net.
>> com.                    172800  IN      NS      j.gtld-servers.net.
>> com.                    172800  IN      NS      k.gtld-servers.net.
>> com.                    172800  IN      NS      l.gtld-servers.net.
>> com.                    172800  IN      NS      m.gtld-servers.net.
>> ;; Received 489 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 119 ms
>>
>> samsung.com.            172800  IN      NS      dnssm.samsung.com.
>> samsung.com.            172800  IN      NS      dnsss.samsung.com.
>> ;; Received 101 bytes from 192.5.6.30#53(a.gtld-servers.net) in 22 ms
>>
>> dig: Couldn't find server 'dnssm.samsung.com': Name or service not known
>>
>> P.S.  Don't tell me to unblock the countries - that's a political
>> football being tussled over at a different level.
>>
>>
>>
>>
>
> -- 
>
> Vinny Abello
> Network Engineer
> vinny at tellurian.com
> (973)940-6100
> PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A
>
> Tellurian Networks - The Ultimate Internet Connection
> http://www.tellurian.com (888)TELLURIAN
>
> "Courage is resistance to fear, mastery of fear - not absence of fear"
> -- Mark Twain
>
>
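The failure Jeff describes and the forward-zone workaround Chris suggests, as an added, constructed example that is not part of the original thread and not BIND code. It is a toy iterative resolver: it walks the delegation chain root -> com. -> samsung.com. the way `dig +trace` does, refuses to contact any nameserver whose address falls in a "blocked" prefix (standing in for the country-level filter), and consults a forward-zone table before recursing, with BIND's `forward only` / `forward first` semantics. Every address is an RFC 5737 documentation address, the forwarder 192.0.2.53 is hypothetical, and the MX data is invented; the nameserver names are the ones from the trace above.

```python
"""Toy model of recursion failing at a blocked delegation, and of a
`type forward` zone routing the query around the filter instead."""
import ipaddress


class ResolutionError(Exception):
    """No reachable server could answer (what a client would see as SERVFAIL)."""


# Constructed delegation tree: zone -> [(nameserver, address)].
# Addresses are documentation ranges, not the servers' real addresses.
DELEGATIONS = {
    ".":            [("k.root-servers.net.", "192.0.2.1")],
    "com.":         [("a.gtld-servers.net.", "198.51.100.1")],
    "net.":         [("a.gtld-servers.net.", "198.51.100.1")],
    "samsung.com.": [("dnssm.samsung.com.", "203.0.113.10"),
                     ("dnsss.samsung.com.", "203.0.113.11")],
    "example.net.": [("ns1.example.net.", "192.0.2.20")],
}
# Constructed answer data held by each leaf zone's authoritative servers.
AUTHORITATIVE = {
    "samsung.com.": {"MX": ["10 mail.samsung.com."]},
    "example.net.": {"MX": ["10 mail.example.net."]},
}
# Prefixes the perimeter filter drops; stands in for the "blocked countries".
BLOCKED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def is_blocked(address, blocked=BLOCKED_PREFIXES):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in blocked)


def zone_chain(name):
    """Zones visited from the root down to `name`: '.', 'com.', 'samsung.com.'."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def recurse(name, rrtype, blocked=BLOCKED_PREFIXES):
    """Iterative resolution: a server of every zone on the chain must be reachable.
    Like the trace in the thread, the walk dies at the first zone whose servers
    are all behind the filter, even though their NS names came from the parent."""
    for zone in zone_chain(name):
        if zone not in DELEGATIONS:
            raise ResolutionError(f"no delegation known for {zone}")
        if not any(not is_blocked(addr, blocked) for _, addr in DELEGATIONS[zone]):
            names = ", ".join(ns for ns, _ in DELEGATIONS[zone])
            raise ResolutionError(f"every server for {zone} is blocked: {names}")
    rrset = AUTHORITATIVE.get(name, {}).get(rrtype)
    if rrset is None:
        raise ResolutionError(f"{name} {rrtype}: no data")
    return rrset


def matching_forward_zone(name, forward_zones):
    """Longest forward zone that is `name` or one of its parents (the closest
    enclosing zone wins, as it does in named.conf)."""
    hits = [z for z in forward_zones
            if z == "." or name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None


def resolve(name, rrtype, forward_zones=None, blocked=BLOCKED_PREFIXES):
    """Try a matching forward zone first; recurse only if allowed to."""
    forward_zones = forward_zones or {}
    zone = matching_forward_zone(name, forward_zones)
    if zone is None:
        return recurse(name, rrtype, blocked)
    cfg = forward_zones[zone]
    for forwarder in cfg["forwarders"]:
        if not is_blocked(forwarder, blocked):
            # The forwarder is a full resolver outside the filter; its own
            # recursion is modelled as a direct lookup of the constructed data.
            rrset = AUTHORITATIVE.get(name, {}).get(rrtype)
            if rrset is None:
                raise ResolutionError(f"{name} {rrtype}: no data")
            return rrset
    if cfg.get("forward_only", True):
        raise ResolutionError(f"forward only: no reachable forwarder for {zone}")
    return recurse(name, rrtype, blocked)  # 'forward first' falls back to recursion


def render_forward_zone(zone, forwarders, forward_only=True):
    """named.conf stanza in the shape of the one in the reply above."""
    lines = [f'zone "{zone}" {{', "\ttype forward;",
             "\tforwarders { " + " ".join(f"{f};" for f in forwarders) + " };",
             "\tforward only;" if forward_only else "\tforward first;", "};"]
    return "\n".join(lines)


if __name__ == "__main__":
    try:
        recurse("samsung.com.", "MX")
    except ResolutionError as err:
        print("plain recursion:", err)
    forward = {"samsung.com.": {"forwarders": ["192.0.2.53"], "forward_only": True}}
    print("with forward zone:", resolve("samsung.com.", "MX", forward))
    print(render_forward_zone("samsung.com.", forward["samsung.com."]["forwarders"]))
```

Two things the model makes visible that the stanza alone does not: the forwarder has to sit outside the filter itself, since with `forward only` an unreachable forwarder means the zone simply fails rather than falling back to recursion, and whichever host you forward to becomes the resolver you trust for every name under that zone, so it should be one you operate or can hold to account.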


