You are confused; sorry for not being clearer.
Our DNS server answers regular DNS queries. The firewall, however, does
not.
Calling DNS APIs on hosts behind the firewall does RPCs to the firewall,
which then in turn (I believe) does DNS protocol to the outside.
The RPC protocol is RR-type specific; there is no provision for
extension of types.
In such configurations, raw port-53-dest traffic is blocked.
Thus, on hosts behind such firewalls, it does not matter what code you
install locally, you can't query DNS for new RR types.
Bob
You can get the server to ask for you though, right?
Through a RR-type specific RPC protocol, yes.
Your server doesn't answer regular DNS queries? Is it a "DNS Server"
or is
it an <-RPC|DNS-> gateway? If the latter, why are we supposed to be
bothered by what your gateway does or does not do?