DNS queries to blocked countries?

Merton Campbell Crockett m.c.crockett at roadrunner.com
Fri Jun 22 04:12:18 UTC 2007


On 21 Jun 2007, at 09:12:58, Jeff Lightner wrote:

> OK I know this sounds like a stupid question but figured I'd ask anyway.
> We currently have customers who have signed up to get email from us.
> However, the MX record won't resolve because the primary DNS for the
> customers is in a country we block inbound/outbound. Essentially the
> dig +trace and whois both stop at the point the root servers hand off to
> servers in those remote countries.

Did DIS present their annual Counter-Intelligence Briefing recently?
Sounds like there was an overreaction to the espionage threats
portion of the briefing.

When you are blocking IP CIDR address blocks, you need to allow UDP
port 53, TCP port 53, and "established" TCP sessions.  This is
needed for your own intelligence gathering to identify the threat and
to obtain information about products that you may be using or
planning to purchase.

As you are not in a position to change the rules being applied at  
your security perimeter, you have two options.

(1)  Obtain permission from an external organization to use their  
name server(s) for recursive queries for all IP CIDR address blocks  
that are being blocked and any domains in those address ranges that  
you can identify.  Then set up the necessary forwarders statements  
for those zones.

(2)  Define master zones for the IP CIDR address blocks and domains  
that you can identify and return NXDOMAIN responses to all DNS queries.

As the security policies won't permit access, the latter is, perhaps,  
the better approach.  The users in your organization will get  
irritated about not being able to access the specifications of the  
HDTV they were planning to buy.  The furor that arises will get the  
policies changed.  Or not.


Merton Campbell Crockett
m.c.crockett at roadrunner.com
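As an added illustration of the two options above (this is not configuration from the original post or from the BIND project), the following BIND 9 named.conf fragment shows option (1), a per-zone forwarder to an outside resolver that is allowed to reach the blocked networks, and option (2), a locally authoritative "empty" zone that answers NXDOMAIN for every name under a blocked domain and for the reverse zone of a blocked address block. The domain example.net, the address 192.0.2.53 for the outside resolver, the 203.0.113.0/24 block and the file names are constructed placeholders; substitute the domains and CIDR blocks you can identify at your perimeter.

```conf
// ---- named.conf (constructed example; names and addresses are placeholders) ----

// Option (1): forward queries for a blocked domain to an outside resolver
// (192.0.2.53 is a placeholder) that is permitted to reach the blocked networks.
// "forward only" prevents named from falling back to its own recursion,
// which would again be dropped by the perimeter filter.
zone "example.net" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// Option (2): serve the blocked domain locally as an empty zone, so every
// name beneath it gets an authoritative NXDOMAIN instead of a query that
// times out at the perimeter.  Users see an immediate failure, not a hang.
zone "blocked.example" {
    type master;
    file "db.empty";
    allow-query { any; };
};

// The same treatment for the reverse zone of a blocked /24
// (203.0.113.0/24 is a documentation-range placeholder).  Larger CIDR
// blocks need one in-addr.arpa zone per /24, /16 or /8 as appropriate.
zone "113.0.203.in-addr.arpa" {
    type master;
    file "db.empty";
};

// ---- db.empty (the zone file both empty zones point at) ----
// Only an SOA and an NS record, so any name under the apex does not exist.
// Zone-file syntax; in this file comments begin with ';'.
//
// $TTL 3600
// @   IN  SOA  localhost. hostmaster.localhost. (
//                 1        ; serial
//                 3600     ; refresh
//                 900      ; retry
//                 604800   ; expire
//                 3600 )   ; negative-caching TTL
// @   IN  NS   localhost.
```

After reloading named, a lookup such as `dig @127.0.0.1 www.blocked.example A` returns status NXDOMAIN with the local SOA in the authority section, and the 3600-second negative TTL keeps repeated failures from being re-asked. One caveat worth knowing before choosing option (2): the empty zone hides the real records for every host under that domain, including the customer MX in the original question, so mail to those addresses will bounce at the sending MTA with a name-resolution error rather than queue until the policy is relaxed.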




