There’s a very interesting new site for renewing your Japan visa / status of residence online, available at https://www.ras-immi.moj.go.jp/WC01/WCAAS010/ras?dispOutputEvent= which looks a bit like this:
You may notice a funny notice there (translated here from the Japanese original) which reads:
[About the email address used for user registration, etc.]
Since user registration for individuals (foreign nationals themselves, lawyers, administrative scriveners and so on) began on Wednesday, March 16, 2022 (Reiwa 4), we have received inquiries that notification emails are not arriving.
Because this system restricts access from overseas IP addresses, if you register a free email address such as Gmail or Hotmail, which may be routed through overseas servers, the notification email may not be delivered.
We apologize for the inconvenience, but please register using an email address from your provider or similar.
Also, your mail settings may be configured to reject incoming mail, so please configure them so that mail from the "@ras-immi.moj.go.jp" domain can be received.
So, let's see how this domain name resolves via DNS from a computer outside Japan, which we can do with dig +trace:
. 22041 IN NS e.root-servers.net.
. 22041 IN NS h.root-servers.net.
. 22041 IN NS l.root-servers.net.
. 22041 IN NS i.root-servers.net.
. 22041 IN NS a.root-servers.net.
. 22041 IN NS d.root-servers.net.
. 22041 IN NS c.root-servers.net.
. 22041 IN NS b.root-servers.net.
. 22041 IN NS j.root-servers.net.
. 22041 IN NS k.root-servers.net.
. 22041 IN NS g.root-servers.net.
. 22041 IN NS m.root-servers.net.
. 22041 IN NS f.root-servers.net.
;; Received 228 bytes from 8.8.4.4#53(8.8.4.4) in 48 ms
jp. 172800 IN NS a.dns.jp.
jp. 172800 IN NS d.dns.jp.
jp. 172800 IN NS e.dns.jp.
jp. 172800 IN NS f.dns.jp.
jp. 172800 IN NS h.dns.jp.
jp. 172800 IN NS g.dns.jp.
jp. 172800 IN NS c.dns.jp.
jp. 172800 IN NS b.dns.jp.
;; Received 496 bytes from 192.58.128.30#53(192.58.128.30) in 814 ms
moj.go.jp. 86400 IN NS ns01.vips.ne.jp.
moj.go.jp. 86400 IN NS ns00.vips.ne.jp.
moj.go.jp. 86400 IN NS ns.moj.go.jp.
;; Received 235 bytes from 161.232.72.25#53(161.232.72.25) in 654 ms
ras-immi.moj.go.jp. 600 IN NS ns1.ras-immi.moj.go.jp.
/usr/bin/dig: couldn't get address for 'ns1.ras-immi.moj.go.jp': no more
Well would you look at that! dig walks the delegation chain on a cache miss, starting from the root servers (the list it gets from Google's 8.8.4.4), down through the .jp servers to ns.moj.go.jp, the Ministry of Justice nameserver. That server delegates ras-immi.moj.go.jp to ns1.ras-immi.moj.go.jp, and from abroad dig cannot obtain an address for that nameserver at all, so the lookup dies right there: in effect, the answer is "NO".
However, running dig locally in Japan we get a rather different answer from OCN’s nameservers:
$ dig www.ras-immi.moj.go.jp

; <<>> DiG 9.16.27-Debian <<>> www.ras-immi.moj.go.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56082
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ras-immi.moj.go.jp. IN A

;; ANSWER SECTION:
www.ras-immi.moj.go.jp. 0 IN A <redacted IP>

;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed May 25 18:20:26 JST 2022
;; MSG SIZE rcvd: 67
So, we’ve learned two things about this interesting bespoke mechanism to secure the website to Japan-only:
- They've set the TTL of the A record to 0 to indicate that it shouldn't be cached (i.e., every resolution has to go back to their DNS server rather than being served from a resolver's cache)
- Their DNS server avoids handing out an IP address to DNS queries that come from overseas, by some undisclosed method
One side effect is that if they use that domain for mail, as their warning above notes, mail for it won't be deliverable to overseas MTAs, which cannot resolve the domain at all.
What an interesting little “great firewall” style DNS hack.
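To check behaviour like this yourself without relying on dig's formatting, here is a small DNS wire-format client and parser in Python, added as an example for this post (it is not code from the original post or from the immigration site). It sends one query straight to a chosen nameserver and classifies the reply the way the two observations above do: an authoritative answer together with its TTL (flagging TTL 0 as uncacheable), or a bare delegation without glue of the kind the overseas trace ran into. Because the real servers answer differently depending on where you ask from, the block also assembles two constructed response packets that mimic those two outcomes so it runs offline; the 192.0.2.10 address is a documentation placeholder standing in for the redacted real one, and the packet contents are assumptions, not captures.

```python
"""Tiny DNS (RFC 1035) client and parser: ask one nameserver directly and
report whether it returns an answer (and its TTL) or only a delegation.
Added example for this post, not code from the immigration site."""
import socket
import struct
import sys

TYPE_A, TYPE_NS = 1, 2

def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Build a query packet with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_records(msg, off, count):
    """Parse `count` resource records starting at `off`."""
    records = []
    for _ in range(count):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            data = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_NS:
            data, _ = read_name(msg, off)
        else:
            data = rdata.hex()
        off += rdlen
        records.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return records, off

def parse_response(msg):
    """Parse the header, skip the question, and return the three record sections."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # qtype + qclass
    answers, off = parse_records(msg, off, an)
    authority, off = parse_records(msg, off, ns)
    additional, _ = parse_records(msg, off, ar)
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "answers": answers, "authority": authority, "additional": additional}

def classify(resp):
    """Summarise a response in terms of the post's two observations."""
    if resp["rcode"] != 0:
        return "error rcode %d" % resp["rcode"]
    a_records = [r for r in resp["answers"] if r["type"] == TYPE_A]
    if a_records:
        ttl = min(r["ttl"] for r in a_records)
        return "answer (TTL %d%s)" % (ttl, ", uncacheable" if ttl == 0 else "")
    ns = [r["data"] for r in resp["authority"] if r["type"] == TYPE_NS]
    if ns:
        glue = [r for r in resp["additional"] if r["type"] == TYPE_A]
        return "delegation to %s%s" % (", ".join(ns), "" if glue else " without glue")
    return "no data"

def resolve(server, name, qtype=TYPE_A, timeout=3.0):
    """Send one UDP query straight to `server` and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

def _build_response(question, answers=(), authority=(), additional=(), aa=True):
    """Assemble a constructed (not captured) response packet for offline use."""
    flags = 0x8180 | (0x0400 if aa else 0)  # QR, RD, RA, optional AA
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1,
                      len(answers), len(authority), len(additional))
    msg += encode_name(question) + struct.pack("!HH", TYPE_A, 1)
    for name, rtype, ttl, rdata in list(answers) + list(authority) + list(additional):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

# Constructed samples mimicking the two behaviours in the post; 192.0.2.10 is a
# documentation placeholder standing in for the redacted real address.
SAMPLE_JAPAN = _build_response(
    "www.ras-immi.moj.go.jp",
    answers=[("www.ras-immi.moj.go.jp", TYPE_A, 0, bytes([192, 0, 2, 10]))])
SAMPLE_ABROAD = _build_response(
    "www.ras-immi.moj.go.jp", aa=False,
    authority=[("ras-immi.moj.go.jp", TYPE_NS, 600, encode_name("ns1.ras-immi.moj.go.jp"))])

if __name__ == "__main__":
    print("from Japan :", classify(parse_response(SAMPLE_JAPAN)))
    print("from abroad:", classify(parse_response(SAMPLE_ABROAD)))
    if len(sys.argv) == 3:  # python3 dnscheck.py <nameserver-ip> <name>
        print("live       :", classify(resolve(sys.argv[1], sys.argv[2])))
```

Run it with no arguments to see the two constructed outcomes; pass a nameserver IP and a name to send a live query (resolve() talks to that server directly over UDP, so pointing it at an authoritative server and at your local resolver from the same host is the quickest way to see a vantage-point-dependent answer and the TTL it carries).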