
TNS News & Alerts

ITS TO RESTRICT RECURSIVE LOOKUPS ON CENTRAL DNS SERVERS – JULY 9, 2007
Off-campus machines using non-Penn State networks must take action


Notice

In an effort to enhance DNS security and improve resource usage on the Penn State Network, ITS will restrict a feature called “Recursive DNS lookups” in the University’s domain name service (DNS) on July 9, 2007. As a result, any off-campus computer using a non-Penn State network such as Comcast, Verizon DSL, a hotel, conference or meeting network that is configured to use the University’s DNS server settings – instead of using the DNS IP settings of the off-campus Internet service network provider – will experience unpredictable results when trying to access Internet sites outside of the psu.edu domain until the computer’s settings are reconfigured for proper off-campus DNS access.

Who is NOT affected?

Anyone using the Penn State network (including dial-up) will not be affected. Anyone using a non-Penn State network from a computer configured with the DNS settings of that non-Penn State service provider, or using the PSU Anywhere service, will likewise not be affected and will notice no difference. Using the PSU Anywhere service when connecting from a non-Penn State network is recommended.

The five central authoritative DNS servers for Penn State (psu.edu) are:

      • 128.118.25.3
      • 128.118.70.5
      • 130.203.1.4
      • 146.186.163.66
      • 128.118.141.32 

When you are using a Penn State network as your Internet service provider, configure your settings to use at least two of the above authoritative DNS servers (any combination will do). When connecting while off campus, follow the recommendations of your non-Penn State Internet service provider and do not use the psu.edu DNS servers listed above.

Who IS affected?

Any off-campus computer using a non-Penn State network such as Comcast, Verizon DSL, a hotel, conference or meeting network that is configured to use the University’s DNS server settings – instead of using the DNS IP settings of the off-campus Internet service network provider – will experience unpredictable results when trying to access Internet sites outside of the psu.edu domain until the computer’s settings are reconfigured for proper off-campus DNS access.

Instructions for changing DNS Configuration Settings

To determine if this change affects you and to change your DNS settings so you can continue to access Internet sites outside of the psu.edu domain after July 9th, follow these steps:

Step 1: Determine if your IP address is a Penn State (psu.edu) IP address

Does your IP address begin with one of the following address ranges?

      • 66.71.0. through 66.71.127.
      • 128.118.
      • 130.203.
      • 146.186.
      • 150.231.

Yes. Stop here. You do not need to change your DNS setting.

No. If your IP address does not begin with one of the sequences above, go to step 2.

Step 2: Check/Change your DNS setting

Instructions for checking and changing your DNS setting are provided below. Select your operating system and follow the directions.

Windows XP

  1. From the Start Menu select Control Panel
  2. Click on "Network and Internet Connections", then "Network Connections"
  3. Right-click on your network connection and select Properties
  4. Double-click on "Internet Protocol (TCP/IP)"
  5. If you see 128.118.25.3, 128.118.70.5, 130.203.1.4, 146.186.163.66 and/or 128.118.141.32 in the DNS server address fields, you will need to change your settings. In most cases, the "Obtain DNS server address automatically" option is the correct setting. Check with your Internet Service Provider to be sure.

Mac OS X

  1. From the Apple menu, select System Preferences
  2. Click the Network button
  3. From the Show menu select your network interface (Built-in Ethernet or Airport, for example)
  4. Click the TCP/IP button
  5. If you see 128.118.25.3, 128.118.70.5, 130.203.1.4, 146.186.163.66 and/or 128.118.141.32 in the DNS server address fields, you will need to change your settings. In most cases, the "Obtain DNS server address automatically" option is the correct setting. Check with your Internet Service Provider to be sure.

Windows 2000

  1. From the Start Menu select Settings, then Control Panel
  2. Double-click on "Network and Dial-up Connections"
  3. Right-click on your network connection and select Properties
  4. Double-click on "Internet Protocol (TCP/IP)"
  5. If you see 128.118.25.3, 128.118.70.5, 130.203.1.4, 146.186.163.66 and/or 128.118.141.32 in the DNS server address fields, you will need to change your settings. In most cases, the "Obtain DNS server address automatically" option is the correct setting. Check with your Internet Service Provider to be sure.
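The two steps above can be applied mechanically. The following script is an added example, not part of the ITS notice: it encodes the five address ranges from Step 1 (reading "66.71.0. through 66.71.127." as the 66.71.0.0/17 block and the others as /16 blocks, which is this example's interpretation) and the five resolver addresses from Step 2, then reports whether a given client configuration is affected. The `parse_nameservers` helper reads resolv.conf-style text so the check can run against a constructed sample; Windows and Mac OS X users would read the same addresses off the TCP/IP panel instead.

```python
import ipaddress

# Address ranges the notice lists as Penn State (psu.edu) space.
# Assumption: "66.71.0. through 66.71.127." is 66.71.0.0/17; the rest are /16s.
PSU_NETWORKS = [
    ipaddress.ip_network("66.71.0.0/17"),
    ipaddress.ip_network("128.118.0.0/16"),
    ipaddress.ip_network("130.203.0.0/16"),
    ipaddress.ip_network("146.186.0.0/16"),
    ipaddress.ip_network("150.231.0.0/16"),
]

# The five central authoritative servers named in the notice.
PSU_DNS_SERVERS = {
    "128.118.25.3", "128.118.70.5", "130.203.1.4",
    "146.186.163.66", "128.118.141.32",
}


def is_psu_address(ip):
    """Step 1: is this address inside one of the listed Penn State ranges?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PSU_NETWORKS)


def parse_nameservers(resolv_conf_text):
    """Pull resolver addresses out of resolv.conf-style text ('nameserver <ip>' lines).
    Comments and unrelated directives are ignored."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_client(client_ip, dns_servers):
    """Step 2: decide whether the July 9, 2007 change affects this configuration."""
    if is_psu_address(client_ip):
        # On a Penn State network any of the central servers may be used.
        return "not affected: on a Penn State network"
    psu_resolvers = sorted(s for s in dns_servers if s in PSU_DNS_SERVERS)
    if not psu_resolvers:
        return "not affected: off campus, using the ISP's resolvers"
    return ("affected: off campus but configured to use " + ", ".join(psu_resolvers)
            + "; switch to the ISP's resolvers (usually 'obtain automatically')")


# Constructed sample: a home ISP client still pointed at two psu.edu servers.
SAMPLE_RESOLV_CONF = """\
# constructed example, not a real configuration
nameserver 128.118.25.3
nameserver 130.203.1.4
"""

if __name__ == "__main__":
    # 203.0.113.0/24 is documentation address space, standing in for an ISP address.
    print(check_client("203.0.113.25", parse_nameservers(SAMPLE_RESOLV_CONF)))
```

The on-campus branch is checked first because, per the notice, a machine on a Penn State network is unaffected whatever resolvers it lists; only the combination "off-campus address and psu.edu resolvers" needs action.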

FAQs

What is DNS?

DNS stands for Domain Name System. DNS servers are a critical part of the campus network infrastructure and the Internet at large. Together these servers hold the name-to-address information for hosts on the Internet, and they are the mechanism that turns the URL you enter in your Web browser into a reachable address. To enhance the security of the campus DNS, we are restricting one feature of DNS, recursive DNS, for off-site users. An example of recursive DNS use is when someone who subscribes to an ISP (e.g. Comcast) configures their computer to use the Penn State DNS servers rather than their ISP’s DNS servers to access the Internet.

What is DNS Recursion?

DNS recursion is when the DNS server does not know the IP address of an Internet name but queries other DNS servers to look up the name. When a query is made to Penn State’s DNS servers, every attempt will be made to return an IP address regardless of whether or not Penn State servers are authoritative for the domain queried. This means that Penn State’s DNS servers will proceed to traverse the DNS tree, recursively making queries to other DNS servers, in order to obtain an answer before responding to the client — even if the query is about a host that isn't on the University's network.
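The recursion described above is negotiated by two header bits: the client sets RD (recursion desired) and a resolver that is willing to recurse for that client sets RA (recursion available) in its reply, or answers REFUSED when it is not. The following script is an added example, not ITS's own tooling: it builds a minimal RFC 1035 query by hand, decodes the header of the reply, and classifies the resolver accordingly, which is the check an administrator would run against a resolver they operate to confirm that off-site recursion is actually switched off. `RESOLVER_IP` is a placeholder to be replaced with your own resolver; the three `SAMPLE_*` headers are constructed bytes so the decoding can be exercised offline.

```python
import socket
import struct

# Placeholder (documentation address): replace with a resolver you administer.
RESOLVER_IP = "192.0.2.1"

FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_REFUSED = 5  # server declined to answer (typical for blocked recursion)


def build_query(name, qtype=1, txid=0x1234, recursion_desired=True):
    """Build a minimal DNS query in wire format (default: A record, RD set)."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def parse_header(message):
    """Decode the 12-byte DNS header fields that matter for a recursion check."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", message[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "recursion_desired": bool(flags & FLAG_RD),
        "recursion_available": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def classify_resolver(response):
    """Interpret a reply to an RD=1 query for a name the server is not authoritative for."""
    h = parse_header(response)
    if h["rcode"] == RCODE_REFUSED:
        return "recursion refused"
    if h["recursion_available"]:
        return "open recursive resolver"  # server advertises recursion to this client
    return "recursion not offered"


def probe(resolver_ip, name="example.com", timeout=3.0):
    """Send the query over UDP/53 to a resolver you operate and classify the answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return classify_resolver(data)


# Constructed 12-byte headers (question/answer sections omitted) for offline decoding.
SAMPLE_REFUSED = bytes.fromhex("123481050001000000000000")  # QR RD, RCODE=5
SAMPLE_OPEN = bytes.fromhex("123481800001000100000000")     # QR RD RA, 1 answer
SAMPLE_NO_RA = bytes.fromhex("123481000001000000000000")    # QR RD, RA clear

if __name__ == "__main__":
    print(probe(RESOLVER_IP))
```

After a change like the one announced here, the expected result from an off-campus vantage point is "recursion refused" (or "recursion not offered"); "open recursive resolver" means the server still recurses for that client.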

When and Why is Penn State disabling Recursion for non-PSU clients?

Enhancing DNS security is necessary because openly recursive name servers are exposed to attack. Disabling off-campus recursive access to the University's name servers will help to protect the University (and the Internet as a whole) against two types of name service-related attacks: distributed denial of service and cache poisoning attacks.

Who is affected by the disabling of recursive lookups on central DNS servers?

Any off-campus computer using a non-Penn State network such as Comcast, Verizon DSL, a hotel, conference or meeting network that is configured to use the University’s DNS server settings – instead of using the DNS IP settings of the off-campus Internet service network provider – will experience unpredictable results when trying to access Internet sites outside of the psu.edu domain until the computer’s settings are reconfigured for proper off-campus DNS access.

What security risks are involved in Recursive DNS?

  • DDoS attacks. Name servers can be used as distributed denial of service (DDoS) attack amplifiers: the attacker sends a small spoofed UDP name service query to an open name server, forging the victim's IP address; the open name server then returns a large "answer" to the forged IP address — even though the victim didn't actually make the DNS query in the first place. If this is done on an ongoing basis with a large number of open name servers, it can flood the victim's IP address with responses from thousands (or tens of thousands) of name servers, thereby exhausting the victim's available network bandwidth.[1] Attacks of this sort can result in multi-Gbps flow volumes.
  • Cache poisoning attacks. Attackers can generate spoofed traffic to open recursive DNS servers that can result in so-called "cache poisoning" attacks, whereby vulnerable caching name servers can be made to return bogus results for a user's name service queries.[2]

In a nutshell: The attacker "primes" the caching name server to respond to queries with an IP address of his/her choice, rather than the real/normal IP address for that site. The innocent victim asks the caching name server for the IP address of a site of interest, such as the IP address of their bank's website. If the domain name of that site happens to be one that the attacker has poisoned, the victim is automatically and transparently misdirected to a website of the attacker's choice rather than to their bank's real web page, and confidential data can then be stolen (some refer to this type of attack as "pharming").

A variant of this attack uses cache poisoning to redirect queries for popular sites (such as google.com or hotmail.com) to a site that contains a virus or other malware. If your caching name server has been poisoned, when you try to visit one of these popular sites you can unknowingly be redirected to another site that stealthily tries to infect your PC with malware.

While blocking off campus recursive access to the University's name servers won't completely eliminate the possibility of their participating in such an attack, eliminating recursive access will substantially reduce the likelihood of their being abused.
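Both abuses above rest on the same precondition: recursive queries for names outside psu.edu arriving from sources outside the University's address space. Those are exactly the requests the July 9 change refuses, and they are easy to spot in a resolver's query log. The script below is an added example, not an ITS tool: it parses query-log lines in the BIND 9 querylog style (an assumption; the notice does not say which name server software is in use), flags recursion-desired queries from non-Penn State sources for names outside psu.edu, and counts them per source so a flood from one forged address stands out. The log lines are constructed, using documentation address ranges for the off-campus sources.

```python
import ipaddress
import re
from collections import Counter

# Penn State ranges from the notice (assumption: 66.71.0.-66.71.127. is a /17).
PSU_NETWORKS = [ipaddress.ip_network(n) for n in (
    "66.71.0.0/17", "128.118.0.0/16", "130.203.0.0/16",
    "146.186.0.0/16", "150.231.0.0/16")]

# BIND 9 querylog style: client <ip>#<port>: query: <name> <class> <type> <+|->
# where "+" means the client set RD (recursion desired) and "-" means it did not.
LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<rd>[+-])")


def is_psu_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PSU_NETWORKS)


def in_psu_zone(name):
    """True for psu.edu itself and any name beneath it (served authoritatively anyway)."""
    n = name.rstrip(".").lower()
    return n == "psu.edu" or n.endswith(".psu.edu")


def parse_query_log(lines):
    """Turn query-log lines into event dicts; lines that are not query records are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({"ip": m.group("ip"), "name": m.group("name"),
                       "qtype": m.group("qtype"), "recursive": m.group("rd") == "+"})
    return events


def flag_off_campus_recursion(events):
    """Return the events the July 9 change refuses (RD set, off-campus source,
    name outside psu.edu) together with a per-source count of them."""
    flagged = [e for e in events
               if e["recursive"]
               and not is_psu_address(e["ip"])
               and not in_psu_zone(e["name"])]
    return flagged, Counter(e["ip"] for e in flagged)


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "client 128.118.42.7#3321: query: www.google.com IN A +",    # on campus: allowed
    "client 203.0.113.9#53120: query: www.psu.edu IN A +",      # off campus, own zone: answered
    "client 203.0.113.9#53121: query: www.example.com IN A +",  # off campus, foreign name: refused
    "client 198.51.100.4#1024: query: example.com IN A +",      # repeated from one source:
    "client 198.51.100.4#1024: query: example.net IN A +",      #   the pattern of a reflected
    "client 198.51.100.4#1024: query: example.org IN A +",      #   flood aimed at that address
    "client 198.51.100.4#1025: query: example.net IN A -",      # RD clear: not a recursive request
    "received control channel command 'stats'",                 # not a query record
]

if __name__ == "__main__":
    flagged, per_source = flag_off_campus_recursion(parse_query_log(SAMPLE_LOG))
    for ip, n in per_source.most_common():
        print(f"{ip}: {n} off-campus recursive queries refused")
```

A source that shows up with a high count here is either a misconfigured off-campus client of the kind this notice is addressed to, or a forged victim address in a reflection attack; after the change both receive REFUSED rather than an amplified answer, and the count is the measure of how much abuse the restriction is absorbing.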

Where can I find instructions for changing my DNS configuration settings?

See the section "Instructions for changing DNS Configuration Settings" above.

How can I get information from my non-Penn State Internet Service Provider (ISP) about their DNS servers?

You should contact your ISP directly for information about properly configuring your DNS setting. If you do not know who your ISP is, contact the ITS Help Desk 814-863-1035 or 814-863-2494, or write to helpdesk@psu.edu. For locations and hours, see Consulting Services.

Where can I get Help? 

Consult with your departmental network administrator.

Or contact the ITS Help Desk 814-863-1035 or 814-863-2494, or write to helpdesk@psu.edu. For locations and hours, see Consulting Services.

References

[1] "The Continuing Denial of Service Threat Posed by DNS Recursion"
http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf

[2] "DNS Cache Poisoning The Next Generation"
http://www.lurhq.com/dnscache.pdf

Acknowledgments

University of Chicago http://support.uchicago.edu/announcements/secure/dns/

UC Davis University of California http://security.ucdavis.edu/dns.cfm


The Pennsylvania State University © 2004. All rights reserved. Alternative Media Statement and Nondiscrimination Policy
This site maintained by Telecommunications and Network Services, a unit of Information Technology Services.
Provide site feedback to TNSWebmaster@mail.tns.its.psu.edu. 07/27/07