I host the domain docker-services.de, and it is crucial that it is publicly available. Within the last month, I noticed that corporate DNS had stopped resolving it. As is often the case in large enterprises and corporations, it is hard to find the root cause of such a change. I therefore want to share an interesting story about making sure your DNS records are clean and can reach your audience.
Over the years, many corporations have integrated with large providers, especially from Silicon Valley, for their Virtual Private Network (VPN) solutions. This also brings in other services from these providers, such as DNS. Corporations run their own DNS and hook in the DNS lists from these providers for additional protection. This delegates DNS blacklisting to external providers and makes issues troublesome to resolve, because the corporation loses insight into DNS propagation.

While some corporations resolve public domains directly via public DNS servers (dotted line), many route DNS through their own DNS service, which causes additional traffic and secures clients with advanced DNS (ADNS). This is also done for public domains (yellow line). These servers build their own blacklists, using artificial intelligence to rate and label domains once clients request them. This procedure also causes incorrect labeling and blocks domains from corporate access, which reduces your traffic because your domain cannot be resolved. When you check the nameservers, your DNS is properly configured, yet the domain is still not reachable. Some ADNS providers offer websites for checking your domain and provide a mailbox for correcting incorrect labels, such as:
- Palo Alto: https://urlfiltering.paloaltonetworks.com/query/
- Symantec: https://sitereview.bluecoat.com/#/
- Zscaler: https://sitereview.zscaler.com/
If you find yourself blacklisted, you can resolve DNS blocks at many corporations all at once by submitting a ticket for re-classification, which updates the label. Once the ticket is submitted, the provider replies with an update on the request, such as the following from Palo Alto for my domain:

You might also consider monitoring your domain's records in ADNS systems to keep your domain accessible for your target audience and to address security side effects in case of security flaws.
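One way to build such a monitoring check, as an added example that is not part of the original post: compare the answer a public resolver gives for your domain with the answer a filtering resolver gives, and classify the difference. The names `Answer`, `classify`, `lookup` and `report`, the sinkhole address set and the sample answers are assumptions made for illustration; the live `lookup` relies on the third-party dnspython package.

```python
from dataclasses import dataclass

# Assumption: addresses a filtering resolver may hand out instead of the real
# record. 192.0.2.1 is a constructed placeholder for a provider's sinkhole IP.
SINKHOLES = frozenset({"0.0.0.0", "127.0.0.1", "192.0.2.1"})

@dataclass(frozen=True)
class Answer:
    status: str                         # "NOERROR", "NXDOMAIN", "FAIL" or "TIMEOUT"
    addresses: frozenset = frozenset()  # A records returned, if any

def classify(reference, filtered, sinkholes=SINKHOLES):
    """Compare a public resolver's answer with a filtering resolver's answer."""
    if reference.status != "NOERROR" or not reference.addresses:
        return "broken-at-source"       # fix your own zone first
    if filtered.status == "TIMEOUT":
        return "inconclusive"           # resolver unreachable, retry later
    if filtered.status != "NOERROR":
        return "blocked-" + filtered.status.lower()
    if not filtered.addresses:
        return "blocked-nodata"         # NOERROR with an empty answer section
    if filtered.addresses <= sinkholes:
        return "blocked-sinkhole"
    if filtered.addresses & reference.addresses:
        return "ok"
    return "mismatch"                   # other real IPs, e.g. split-horizon or CDN

def lookup(name, server, timeout=3.0):
    """Live A-record lookup against one resolver (needs third-party dnspython)."""
    import dns.exception
    import dns.resolver
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [server]
    resolver.lifetime = timeout
    try:
        answer = resolver.resolve(name, "A")
        return Answer("NOERROR", frozenset(rr.address for rr in answer))
    except dns.resolver.NXDOMAIN:
        return Answer("NXDOMAIN")
    except dns.resolver.NoAnswer:
        return Answer("NOERROR")
    except dns.exception.Timeout:
        return Answer("TIMEOUT")
    except dns.resolver.NoNameservers:
        return Answer("FAIL")           # every server answered SERVFAIL/REFUSED

# Constructed sample answers (documentation address ranges), no network needed.
PUBLIC = Answer("NOERROR", frozenset({"203.0.113.10"}))
SAMPLES = {"resolves": Answer("NOERROR", frozenset({"203.0.113.10"})),
           "sinkholed": Answer("NOERROR", frozenset({"192.0.2.1"})),
           "nxdomain": Answer("NXDOMAIN")}

def report():
    return {label: classify(PUBLIC, ans) for label, ans in SAMPLES.items()}
```

For a live check, pass `classify` the result of `lookup` against a public resolver and against the filtering resolver you want to watch, and alert on any result that starts with `blocked-`.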