The Weirdest DNS in Japan

There’s a very interesting new site for renewing your Japan visa / status of residence online, available at https://www.ras-immi.moj.go.jp/WC01/WCAAS010/ras?dispOutputEvent= which looks a bit like this:

在留申請オンラインシステム (Online Residence Application System)

You may notice a funny line there which reads:

【利用者登録等に使用するメールアドレスについて】
令和4年3月16日(水)から開始した外国人本人の方や弁護士・行政書士の方等の個人向けの利用者登録において、通知メールが届かないとのお問い合わせを頂いております。
本システムでは海外IPアドレスのアクセス制限を行っているため、利用者登録時に海外のサーバを経由する可能性があるGメールやHotメールなどのフリーメールのアドレスを登録されると、通知メールが届かない場合があります。
お手数ですが、プロバイダのメールアドレスなどにより利用者登録をお願いいたします。
また、利用者の方のメール設定において受信拒否設定がなされている場合もありますので、「@ras-immi.moj.go.jp」のドメインの受信が可能となるように設定をお願いいたします。

Or in English:

[About the email address used for user registration, etc.]

Since user registration for individuals (foreign nationals themselves, as well as lawyers, administrative scriveners and the like) opened on Wednesday, 16 March 2022 (Reiwa 4), we have received inquiries about notification emails not arriving.

Because this system restricts access from overseas IP addresses, notification emails may not arrive if you register a free email address such as Gmail or Hotmail, which may be routed through an overseas server.

We apologize for the inconvenience, but please register with an address such as the one from your internet provider.

In addition, your mail settings may be rejecting messages, so please configure them to accept mail from the domain "@ras-immi.moj.go.jp".

So, let's see how this domain name resolves from a computer outside Japan, which we can do using dig +trace:

Well would you look at that! dig +trace only asks Google's public resolver for the list of root servers; from there it walks the delegation chain itself, root -> .jp -> moj.go.jp, so the final question is sent from our own overseas address to ns.moj.go.jp, the Ministry of Justice nameserver in Japan, which says "NO" and hands back no address.

However, running dig from inside Japan, through OCN's resolvers, we get a rather different answer:

So, we've learned two things about this interesting bespoke mechanism for restricting the website to Japan:

  • The A record is published with a TTL of 0, telling resolvers not to cache it, so every lookup has to go back to their authoritative server (and is therefore subject to the source-address check below)
  • Their authoritative server declines to hand out an address to queries arriving from overseas, presumably by checking the source address of the querying resolver against a GeoIP list (the kind of split-horizon setup that DNS servers such as BIND offer through views); the exact rule isn't visible from outside

Note that the check is on the address of whoever asks ns.moj.go.jp, which is the recursive resolver, not the end user: someone sitting in Japan but using a resolver whose egress is abroad will hit the same wall, and someone abroad on a Japanese VPN only gets through if their DNS queries go through the VPN too.

One side effect, and the likely reason for the warning quoted above: a mail server outside Japan that receives a message from @ras-immi.moj.go.jp will try to look up the sending domain (its SPF TXT record, any DKIM key, and the MX or A record for the return path) and get nothing back, which large providers such as Gmail are likely to treat as unauthenticated mail and defer or junk. Mail sent to the domain from abroad fares no better, since the MX can't be resolved either.

What an interesting little “great firewall” style DNS hack.

Elliott

Personal interests in literature, SF, and whisky/whiskey/scotch, Software Engineer by Trade