DNS queries to blocked countries?
Chris Buxton
cbuxton at menandmice.com
Thu Jun 21 17:21:02 UTC 2007
You could use forward zones for specific domains. For example:

    zone "samsung.com." {
        type forward;
        // resolvers that can reach the zone's servers
        forwarders { ip-addr-1; ip-addr-2; };
        forward only;
    };
I don't know of any way to do this based on IP addresses, subnets, or
initial failures. Therefore, unless you want to turn on forwarding
globally, I don't see any solution other than the one above.
Chris Buxton
Men & Mice
On Jun 21, 2007, at 9:33 AM, Jeff Lightner wrote:
> The countries themselves are being blocked by network security. As I
> said that is a political football others are trying to move.
>
> My question is basically trying to see if there is a way I could set up
> something similar to hints used for root servers so that something else
> would do the lookup. It doesn't seem likely to me but figured I might
> not be the first person to run across this.
>
> -----Original Message-----
> From: Vinny Abello [mailto:vinny at tellurian.com]
> Sent: Thursday, June 21, 2007 12:29 PM
> To: Jeff Lightner
> Cc: bind-users at isc.org
> Subject: Re: DNS queries to blocked countries?
>
> How are you blocking them? Why not just allow DNS query responses from
> anywhere? Would that fix it?
>
> Jeff Lightner wrote:
>> OK I know this sounds like a stupid question but figured I'd ask anyway.
>> We currently have customers who have signed up to get email from us.
>> However, the MX record won't resolve because the primary DNS for the
>> customers is in a country we block inbound/outbound. Essentially the
>> dig +trace and whois both stop at the point the root servers hand off to
>> servers in those remote countries.
>>
>> An example would be "Samsung.com". Although the user is actually in
>> the U.S., Samsung is a South Korean company. Due to this we can't get
>> the MX record which may or may not point to a U.S. server. I'm
>> wondering if there is any way I can set up things so the resolution for
>> countries we block is reported back by some other server that would be
>> U.S. based that doesn't block these countries?
>>
>> dig +trace -t MX samsung.com
>>
>> ; <<>> DiG 9.2.1 <<>> +trace -t MX samsung.com
>> ;; global options: printcmd
>> . 169576 IN NS K.ROOT-SERVERS.NET.
>> . 169576 IN NS L.ROOT-SERVERS.NET.
>> . 169576 IN NS M.ROOT-SERVERS.NET.
>> . 169576 IN NS A.ROOT-SERVERS.NET.
>> . 169576 IN NS B.ROOT-SERVERS.NET.
>> . 169576 IN NS C.ROOT-SERVERS.NET.
>> . 169576 IN NS D.ROOT-SERVERS.NET.
>> . 169576 IN NS E.ROOT-SERVERS.NET.
>> . 169576 IN NS F.ROOT-SERVERS.NET.
>> . 169576 IN NS G.ROOT-SERVERS.NET.
>> . 169576 IN NS H.ROOT-SERVERS.NET.
>> . 169576 IN NS I.ROOT-SERVERS.NET.
>> . 169576 IN NS J.ROOT-SERVERS.NET.
>> ;; Received 244 bytes from 127.0.0.1#53(127.0.0.1) in 25 ms
>>
>> com. 172800 IN NS a.gtld-servers.net.
>> com. 172800 IN NS b.gtld-servers.net.
>> com. 172800 IN NS c.gtld-servers.net.
>> com. 172800 IN NS d.gtld-servers.net.
>> com. 172800 IN NS e.gtld-servers.net.
>> com. 172800 IN NS f.gtld-servers.net.
>> com. 172800 IN NS g.gtld-servers.net.
>> com. 172800 IN NS h.gtld-servers.net.
>> com. 172800 IN NS i.gtld-servers.net.
>> com. 172800 IN NS j.gtld-servers.net.
>> com. 172800 IN NS k.gtld-servers.net.
>> com. 172800 IN NS l.gtld-servers.net.
>> com. 172800 IN NS m.gtld-servers.net.
>> ;; Received 489 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 119 ms
>>
>> samsung.com. 172800 IN NS dnssm.samsung.com.
>> samsung.com. 172800 IN NS dnsss.samsung.com.
>> ;; Received 101 bytes from 192.5.6.30#53(a.gtld-servers.net) in 22 ms
>>
>> dig: Couldn't find server 'dnssm.samsung.com': Name or service not known
>>
>> P.S. Don't tell me to unblock the countries - that's a political
>> football being tussled over at a different level.
>>
>
> --
>
> Vinny Abello
> Network Engineer
> vinny at tellurian.com
> (973)940-6100
> PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
>
> Tellurian Networks - The Ultimate Internet Connection
> http://www.tellurian.com (888)TELLURIAN
>
> "Courage is resistance to fear, mastery of fear - not absence of fear"
> -- Mark Twain
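As an added example (not code from anyone in this thread): a small Python script that applies Chris's forward-zone suggestion above. It parses dig +trace output like Jeff's to find the delegation whose nameservers could not be reached, then renders the forward-only zone stanza for it; the trace text is a trimmed copy of the one quoted above, and the forwarder addresses are placeholders.

```python
import re

# Constructed sample: the dig +trace output quoted in the thread, with
# wrapped lines rejoined and the root-server lines trimmed for brevity.
TRACE = """\
; <<>> DiG 9.2.1 <<>> +trace -t MX samsung.com
com.             172800  IN  NS  a.gtld-servers.net.
;; Received 489 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 119 ms

samsung.com.     172800  IN  NS  dnssm.samsung.com.
samsung.com.     172800  IN  NS  dnsss.samsung.com.
;; Received 101 bytes from 192.5.6.30#53(a.gtld-servers.net) in 22 ms

dig: Couldn't find server 'dnssm.samsung.com': Name or service not known
"""

NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")
FAIL_RE = re.compile(r"^dig: Couldn't find server '([^']+)'")

def find_stalled_delegation(trace):
    """Return (zone, nameservers) for the delegation whose servers dig
    could not reach, or None when the trace did not report that failure."""
    delegations = {}  # zone -> NS names, in the order dig printed them
    failed = None
    for line in trace.splitlines():
        m = NS_RE.match(line)
        if m:
            zone, ns = m.groups()
            delegations.setdefault(zone, []).append(ns)
            continue
        m = FAIL_RE.match(line)
        if m:
            failed = m.group(1).rstrip(".") + "."  # normalise to an FQDN
    if failed is None:
        return None
    # The unreachable server belongs to the most recent delegation seen.
    for zone in reversed(list(delegations)):
        if failed in delegations[zone]:
            return zone, delegations[zone]
    return None

def forward_zone_stanza(zone, forwarders):
    """Render the named.conf forward zone from the reply above. With
    `forward only`, a forwarder that cannot answer is a failed lookup;
    named does not fall back to recursing on its own."""
    fwd = " ".join(f"{ip};" for ip in forwarders)
    return (f'zone "{zone}" {{\n    type forward;\n'
            f"    forwarders {{ {fwd} }};\n    forward only;\n}};\n")
```

The forwarders listed must themselves be able to reach the blocked servers; otherwise the forward zone only moves the failure.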