DNS queries to blocked countries?

Edward Lewis Ed.Lewis at neustar.biz
Thu Jun 21 17:25:04 UTC 2007


At 12:12 -0400 6/21/07, Jeff Lightner wrote:
>OK I know this sounds like a stupid question but figured I'd ask anyway.
>We currently have customers who have signed up to get email from us.
>However, the MX record won't resolve because the primary DNS for the
>customers is in a country we block inbound/outbound.    Essentially the
>dig +trace and whois both stop at the point the root servers hand off to
>servers in those remote countries.
>
>An example would be "Samsung.com".   Although the user is actually in
>the U.S., Samsung is a South Korean company.  Due to this we can't get
>the MX record which may or may not point to a U.S. server.   I'm
>wondering if there is any way I can set up things so the resolution for
>countries we block is reported back by some other server that would be
>U.S. based that doesn't block these countries?

This isn't a BIND-"users" question, but I understand why you would 
ask here.  This is a network design and application design issue.

If you are denying UDP or UDP/53 (and/or TCP) from a range of 
addresses associated with a country (in)to your infrastructure, 
perhaps a solution is to place a slave server elsewhere.

Usually it's the case that a client A is told by DNS B that the 
server is at C, with A<->B and maybe B<->C, but A<-/->C.  The DNS 
can't help with that (easily) so the application that is trying to go 
from A to C has to.  A solution is to provide many C's (anycast) or a 
choice of servers at C, D, E,  (or both) and hope that A figures out 
it can reach one.

There are commercial services that offer customized responses to 
queries based upon criteria (like source IP address).  Not that you 
need one, but, just to let you know there is work in that field.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Sarcasm doesn't scale.
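
Added example, not part of the original message: a sketch of the reachability reasoning in this thread, which checks each customer zone's name servers and mail exchanger against the blocked ranges and emits a BIND forward zone where no name server is reachable. The zone names, addresses, the forwarder 192.0.2.53 and all function names are constructed assumptions; forwarding to a resolver outside the blocked ranges is one option, not the reply's own suggestion of a slave server.

```python
import ipaddress

# Constructed sample data: documentation address ranges, not real networks.
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]  # ranges the firewall drops
FORWARDER = "192.0.2.53"  # hypothetical resolver hosted outside the blocked ranges
ZONES = {
    # zone: (authoritative name server addresses, mail exchanger address)
    "customer-a.example": (["203.0.113.10", "203.0.113.11"], "198.51.100.25"),
    "customer-b.example": (["203.0.113.12", "198.51.100.53"], "198.51.100.26"),
    "customer-c.example": (["203.0.113.13"], "203.0.113.25"),
}

def is_blocked(addr):
    """True if the firewall policy drops traffic to or from addr."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED)

def classify(ns_addrs, mx_addr):
    """Return (dns_state, mail_reachable) for one zone.

    dns_state: "direct" (all name servers reachable), "degraded" (some
    reachable) or "forward" (none reachable from this network).
    """
    reachable = [a for a in ns_addrs if not is_blocked(a)]
    if len(reachable) == len(ns_addrs):
        dns_state = "direct"
    elif reachable:
        dns_state = "degraded"
    else:
        dns_state = "forward"
    return dns_state, not is_blocked(mx_addr)

def forward_stanza(zone):
    """named.conf forward zone sending queries for zone to FORWARDER."""
    return ('zone "%s" {\n    type forward;\n    forward only;\n'
            '    forwarders { %s; };\n};' % (zone, FORWARDER))

def report(zones=ZONES):
    """Map each zone to its (dns_state, mail_reachable) pair."""
    return {zone: classify(ns, mx) for zone, (ns, mx) in zones.items()}

if __name__ == "__main__":
    for zone, (dns_state, mail_ok) in sorted(report().items()):
        print(zone, dns_state, "mail reachable" if mail_ok else "mail BLOCKED")
        if dns_state == "forward":
            print(forward_stanza(zone))
```

Forwarding repairs only the lookup: customer-c.example still cannot receive mail from this network because its mail exchanger sits in a blocked range, which is the A<-/->C case the reply describes.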



More information about the bind-users mailing list