Physics Computing Services

Off-Campus DNS Recursion To End May 1, 2006

Attn: Home Computer Users:

Effective May 1, 2006, off-campus DNS clients requesting DNS recursion ("external recursion") from the Physics DNS servers (128.111.16.39 and 128.111.8.32) as well as UCSB's DNS servers (128.111.1.1 and 128.111.1.2) will be denied.

What this means for you:
------------------------
Before May 1 -- If you have a home computer, laptop or home wired or wireless router, you should check to see if any of your devices are statically configured to use the UCSB or UCSB Physics DNS servers (IP addresses listed above) from an off-campus location.

If so, you will need to change these devices to receive their DNS server information automatically from your ISP's DHCP server.  Usually this just means removing any DNS servers from the list in your device's TCP/IP configuration and leaving that field blank, and/or selecting the option "Obtain DNS server information automatically." (Consult your ISP's technical support if you need to know the IP address of their DNS servers for static entry.)

For Windows computers, go to the Network Connections control panel, then select the appropriate network adapter (usually Built-In Ethernet) -> Properties -> Internet Protocol (TCP/IP) -> Properties -> General. Ensure that "Obtain DNS Server Address Automatically" is chosen and there are no IP addresses entered manually in the box below.

For Mac OS X computers, go to System Preferences -> Network -> Show "Ethernet" (choose a different adapter, e.g. AirPort for wireless, if necessary) -> TCP/IP. In the DNS Servers area, ensure that there are no IP addresses entered manually in the box.

For other devices like wired and wireless routers, you may need to consult the device documentation to determine how to connect to the management interface of the device.

As always -- if something on your home network or computer stops working after this change, call PCS at x8366 or email us at pcs@physics.ucsb.edu and we'd be happy to help you get things re-configured for your ISP.


The "long" and technical version from campus:
---------------------------------------------
To elaborate, DNS recursion involves a nameserver looking up a DNS entry for which it does not have an answer and thus must recursively query other nameservers.  A specific example would be a query from 68.12.34.56 to ns1.ucsb.edu for aol.com MX (email server) records; ns1 is not the authoritative nameserver for aol.com, so it may have to query other servers to find the correct answer.  This type of recursive query from off-campus locations will not be processed effective May 1.  Recursive queries from on-campus locations will still be processed, as will off-campus queries for authoritative data (such as queries for www.ucsb.edu).

The systems likely to be impacted by this change are laptops or home NAT routers that have been statically configured to use ns1 and/or ns2 as DNS servers from off-campus locations.  These devices should use DHCP-assigned DNS servers in the same manner as they receive IP address assignments.

The reason for disabling external recursion involves denial of service attacks.  A typical scenario involves a spoofed DNS query for aol.com's MX records; the spoofed source address is actually the address of the intended victim, and a small query for AOL's mail server list returns a large number of entries, thus flooding the victim with traffic.  The victim is often unable to block the "attack" because the traffic is from legitimate DNS servers.  This process is similar to the classic "smurf" DoS attack. Just as SMTP servers used to be open relays by default, DNS servers have traditionally been open recursive resolvers by default. Due to the behavior described above, it is time to halt external recursion services.

For more information on this issue:
  http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
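The two behaviours described above (a server that recurses for an off-campus client versus one that refuses, and the size gap between a small MX query and the reply that lets a spoofed query flood a victim) can be seen in the DNS header itself. The following is an added example, not part of the campus notice or any UCSB tooling: it builds the "aol.com MX" query with the recursion-desired bit set, and classifies a reply by its recursion-available bit, RCODE, answer count, and reply-to-query size ratio. The two sample replies are constructed by hand (the mail-exchanger hostnames are made up); the `probe()` function is the only part that touches the network and is meant for checking a resolver you run or are a client of.

```python
import socket
import struct
# DNS header flag bits (RFC 1035): QR = response, RD = recursion desired,
# RA = recursion available; the low four bits of the flags word are the RCODE.
QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.strip(".").split(".")) + b"\x00"

def build_query(name, qtype=15, txid=0x1234):
    """UDP query with RD set (qtype 15 = MX), as a stub resolver would send."""
    return (struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def classify(query, response):
    """Read the reply header: did the server recurse for us, and how many times
    larger than the query is the reply (the amplification a spoofed victim sees)?"""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    rcode = RCODES.get(flags & 0x0F, str(flags & 0x0F))
    return {"recursion_available": bool(flags & RA), "rcode": rcode, "answers": an,
            "amplification": len(response) / len(query),
            "recursed_for_us": bool(flags & RA) and rcode == "NOERROR" and an > 0}

def probe(server, name="aol.com", timeout=3.0):
    """Send one recursive MX query to a resolver you run or are a client of and
    classify the reply. Network call; the offline samples below do not use it."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return classify(q, s.recv(4096))

def mx_rr(pref, exchange, ttl=3600):
    """One MX answer record; 0xC00C is a pointer back to the question name."""
    rdata = struct.pack("!H", pref) + encode_name(exchange)
    return b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, ttl, len(rdata)) + rdata
# Constructed sample replies (not captured traffic) to the same 25-byte query.
QUERY = build_query("aol.com")
QUESTION = QUERY[12:]
# Open recursive resolver: RA set, NOERROR, two MX answers (hostnames made up).
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 2, 0, 0) + QUESTION
              + mx_rr(15, "mail1.aol.com") + mx_rr(15, "mail2.aol.com"))
# Same server with external recursion switched off: RA clear, REFUSED, no answers.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0) + QUESTION
```

A real MX reply for a large mail domain carries many more records than the two constructed here, so the size ratio in practice is well above the 3.3x this sample shows.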

All DNS servers -- including non-authoritative recursion-only servers -- at UCSB will be required to adopt similar restrictions against external recursion.  A separate note will be distributed in the next two weeks with additional resource references and timelines.

This step is unfortunate and predictable.  As you may have guessed, the "aol.com MX record" example was from a real attack using UCSB nameservers. More recently, 15 nameservers at UCSB were used to conduct an attack on Feb. 22, and there is mounting evidence that this type of attack will increase in the near future.

Please direct questions or comments to hostmaster@ucsb.edu.

Page last updated 4/10/2006 by Physics Computing Services (pcs@physics.ucsb.edu)