DNS queries to blocked countries?

Dawn Connelly dawn.connelly at gmail.com
Thu Jun 21 17:08:38 UTC 2007


You can set up that specific domain to forward to DNS servers that will
allow recursive queries. Most likely your ISP will have DNS servers that you
can bounce queries off of. Syntax would look like:

zone "samsung.com" {
        type forward;
        forwarders { ISP.DNS.IP.Address1; ISP.DNS.IP.Address2; };
};

On 6/21/07, Jeff Lightner <jlightner at water.com> wrote:
>
> The countries themselves are being blocked by network security.   As I
> said that is a political football others are trying to move.
>
> My question is basically trying to see if there is a way I could set up
> something similar to hints used for root servers so that something else
> would do the lookup.   It doesn't seem likely to me but figured I might
> not be the first person to run across this.
>
> -----Original Message-----
> From: Vinny Abello [mailto:vinny at tellurian.com]
> Sent: Thursday, June 21, 2007 12:29 PM
> To: Jeff Lightner
> Cc: bind-users at isc.org
> Subject: Re: DNS queries to blocked countries?
>
> How are you blocking them? Why not just allow DNS query responses from
> anywhere? Would that fix it?
>
> Jeff Lightner wrote:
> > OK I know this sounds like a stupid question but figured I'd ask anyway.
> > We currently have customers who have signed up to get email from us.
> > However, the MX record won't resolve because the primary DNS for the
> > customers is in a country we block inbound/outbound.    Essentially the
> > dig +trace and whois both stop at the point the root servers hand off to
> > servers in those remote countries.
> >
> > An example would be "Samsung.com".   Although the user is actually in
> > the U.S., Samsung is a South Korean company.  Due to this we can't get
> > the MX record which may or may not point to a U.S. server.   I'm
> > wondering if there is any way I can set up things so the resolution for
> > countries we block is reported back by some other server that would be
> > U.S. based that doesn't block these countries?
> >
> > dig +trace -t MX samsung.com
> >
> > ; <<>> DiG 9.2.1 <<>> +trace -t MX samsung.com
> > ;; global options:  printcmd
> > .                       169576  IN      NS      K.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      L.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      M.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      A.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      B.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      C.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      D.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      E.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      F.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      G.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      H.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      I.ROOT-SERVERS.NET.
> > .                       169576  IN      NS      J.ROOT-SERVERS.NET.
> > ;; Received 244 bytes from 127.0.0.1#53(127.0.0.1) in 25 ms
> >
> > com.                    172800  IN      NS      a.gtld-servers.net.
> > com.                    172800  IN      NS      b.gtld-servers.net.
> > com.                    172800  IN      NS      c.gtld-servers.net.
> > com.                    172800  IN      NS      d.gtld-servers.net.
> > com.                    172800  IN      NS      e.gtld-servers.net.
> > com.                    172800  IN      NS      f.gtld-servers.net.
> > com.                    172800  IN      NS      g.gtld-servers.net.
> > com.                    172800  IN      NS      h.gtld-servers.net.
> > com.                    172800  IN      NS      i.gtld-servers.net.
> > com.                    172800  IN      NS      j.gtld-servers.net.
> > com.                    172800  IN      NS      k.gtld-servers.net.
> > com.                    172800  IN      NS      l.gtld-servers.net.
> > com.                    172800  IN      NS      m.gtld-servers.net.
> > ;; Received 489 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 119 ms
> >
> > samsung.com.            172800  IN      NS      dnssm.samsung.com.
> > samsung.com.            172800  IN      NS      dnsss.samsung.com.
> > ;; Received 101 bytes from 192.5.6.30#53(a.gtld-servers.net) in 22 ms
> >
> > dig: Couldn't find server 'dnssm.samsung.com': Name or service not known
> >
> > P.S.  Don't tell me to unblock the countries - that's a political
> > football being tussled over at a different level.
> >
> >
> >
> >
>
> --
>
> Vinny Abello
> Network Engineer
> vinny at tellurian.com
> (973)940-6100
> PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A
>
> Tellurian Networks - The Ultimate Internet Connection
> http://www.tellurian.com (888)TELLURIAN
>
> "Courage is resistance to fear, mastery of fear - not absence of fear"
> -- Mark Twain
>
>
>
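
The forward zone suggested in the reply at the top of this message, written out as an added example (not part of the original post) with the default forwarding mode beside the stricter "forward only" mode. The addresses 192.0.2.53 and 198.51.100.53 are documentation-range placeholders standing in for the ISP's recursive resolvers.

```conf
// Added example for named.conf. Use ONE of the two zone statements below;
// two zone statements for the same name in one view are a configuration error.
// 192.0.2.53 and 198.51.100.53 are placeholders, not real resolvers.

// Variant A: the zone as suggested in the reply.
// With no "forward" statement in effect the mode is "first": named asks the
// forwarders, and if they do not answer it falls back to iterating from the
// roots itself, which leads back to the authoritative servers the firewall
// blocks and ends in the same timeout as the dig +trace in the question.
zone "samsung.com" {
        type forward;
        forwarders { 192.0.2.53; 198.51.100.53; };
};

// Variant B: same zone, but never fall back to local iteration.
// A forwarder outage then shows up quickly as SERVFAIL instead of a slow
// retry against unreachable servers, and no query for this zone is ever
// sent toward the blocked networks by this host.
zone "samsung.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.53; 198.51.100.53; };
};

// After editing:
//   named-checkconf                        (syntax check)
//   rndc reconfig                          (load the new zone statement)
//   dig @127.0.0.1 -t MX samsung.com       (should now return an answer)
```

Either way the forwarders must permit recursion from this server's address, and their answers are accepted as-is for everything under the zone, so choose resolvers you already trust.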



