DNS queries to blocked countries?

Danny Mayer mayer at gis.net
Sun Jun 24 16:55:35 UTC 2007


Jeff Lightner wrote:
> Apparently you missed my admonition to NOT tell me to unblock the
> countries.

You are not blocking countries, you are blocking netblocks. Surely you
are not blocking South Korea as a country?

The problem is that you are ignoring the whole picture. Your company has
painted itself into a corner with this strategy.

Let's look at what's going on here:
1) You don't allow ANY inbound or outbound access to these netblocks so
your DNS cannot successfully send or successfully receive responses to
queries. Well there are about two ways around that:
a) to forward to a server whose operators have irresponsibly left it
open to recursion by others that they do not have to serve. In addition
you want them to take the hit for net blocking those addresses that you are!
b) add the necessary addresses to /etc/hosts or set up a zone with the
addresses in it. Of course that results in much more work for you to
maintain since they can change their addresses at any time without any
notice to you.

2) Even if you had the MX records you cannot send any email messages to
that SMTP server since you said you are blocking those addresses. Of
course you could send your messages to a server that's foolishly left
itself open to relaying messages.

Did I miss something here? Don't forget you will have to do something
similar for each and every email address you want to send to.

> Not only that you apparently didn't read the rest of my post or the
> several responses that DID attempt to address the question as I outlined
> it. Restated I'm not asking IF a country should be blocked but rather
> if there is any way to get around it via DNS if it is.

I did pay attention and I did read the post. See above. What you aren't
willing to accept is that your company needs to fix this and you are
looking to work around your company's problems rather than trying to
resolve the core issue.

> It hardly helps
> me to tell me YOUR servers don't block it.  I already knew it was
> something internal to our security setup here.  Also I mentioned whois
> only because it was my first check after seeing failed email - you
> apparently missed my mention of dig +trace for DNS that confirmed the
> issue for DNS.

Nope. whois is irrelevant here. It might tell you the way things SHOULD
be but it doesn't tell you anything about reality. I did read the
dig trace. However, the only thing you can conclude from the trace is
that either the root servers are pointing to the wrong addresses, which
happens more often than you might think, or that you are being blocked
from going further. There is a difference and that does need to be checked.

Danny
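The distinction raised above (a broken delegation versus a local filter that stops the trace) can be checked mechanically. The script below is an added example, not something from this thread or from BIND: it parses the text of a `dig +trace` run, finds the nameservers named in the last referral that succeeded, and tests their glue addresses against the local block list. The zone, addresses, glue map and block list are all constructed placeholders.

```python
import ipaddress
import re

# Constructed `dig +trace` excerpt (hypothetical zone and addresses): the
# root and TLD referrals succeed, then the next hop times out.
SAMPLE_TRACE = """\
.                       518400  IN      NS      a.root-servers.net.
;; Received 228 bytes from 192.0.2.53#53(192.0.2.53) in 12 ms

example.kr.             172800  IN      NS      ns1.example.kr.
example.kr.             172800  IN      NS      ns2.example.kr.
;; Received 160 bytes from 198.51.100.10#53(198.51.100.10) in 30 ms

;; connection timed out; no servers could be reached
"""
# Constructed glue (NS name -> address) as the TLD referral would carry it.
SAMPLE_GLUE = {"ns1.example.kr": "203.0.113.5", "ns2.example.kr": "203.0.113.6"}
# Constructed local egress filter: the "blocked country" is really netblocks.
SAMPLE_BLOCKED = ["203.0.113.0/24"]

RECEIVED_RE = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+")
TIMEOUT_RE = re.compile(r"^;; connection timed out")

def parse_trace(trace):
    """Return (NS names from the last completed referral, last server that
    answered, whether the trace ended in a timeout)."""
    referral, pending, last_server, timed_out = [], [], None, False
    for line in trace.splitlines():
        m = RECEIVED_RE.match(line)
        if m:  # the NS lines just seen were this server's referral
            last_server, referral, pending = m.group(1), pending, []
        elif TIMEOUT_RE.match(line):
            timed_out = True
        else:
            f = line.split()
            if len(f) >= 5 and f[3] == "NS":
                pending.append(f[4].rstrip(".").lower())
    return referral, last_server, timed_out

def diagnose(trace, glue, blocked):
    """'ok' if the trace finished; 'blocked' if every next-hop address sits
    inside our own filter; 'delegation' if none does (wrong glue, missing
    glue or dead server); 'mixed' otherwise. Also returns the evidence."""
    names, _, timed_out = parse_trace(trace)
    if not timed_out:
        return "ok", []
    nets = [ipaddress.ip_network(n) for n in blocked]
    hits, misses = [], []
    for name in names:
        addr = glue.get(name)
        ours = addr is not None and any(ipaddress.ip_address(addr) in n for n in nets)
        (hits if ours else misses).append(f"{name}={addr}")
    if hits and not misses:
        return "blocked", hits
    return ("mixed" if hits else "delegation"), hits or misses

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, SAMPLE_GLUE, SAMPLE_BLOCKED))
```

If the verdict is "blocked", the fix is in the filter, not in DNS; if it is "delegation", the registry data or the remote server is the thing to chase.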


