University at Albany
ITS News






Non-UAlbany Recursive* Access to UAlbany DNS Servers will End Monday, March 12

What does this mean?

If you are affected, it means you won't be able to connect to Internet sites using names (e.g., yahoo.com, cnn.com). Please note that 99.9% of UAlbany network users will NOT be affected.

Who WON'T Be Affected

  • On-campus users connecting via a wired connection or via WiUAlbany

  • Off-campus users who simply get their IP address and other network configuration information via DHCP from their ISPs (e.g., Time Warner, EarthLink)

  • Off-campus users who manually configure their system, but who have NOT manually configured their system to use UAlbany's name servers

  • Users who get an IP address in the 169.226.0.0/16 range

Who WILL Be Affected

Users who meet both of the following conditions:  

1. You are not connected via the UAlbany campus network, e.g., you're connecting to the Internet using a third-party Internet service provider (ISP) such as Road Runner, Verizon or EarthLink,

and...

2. Even though you're not connected to the UAlbany network, for some reason your system is manually configured to use UAlbany's domain name servers instead of using the name servers normally provided by your ISP.

If, for whatever reason, you or someone else has manually configured your computer to use UAlbany's name servers from an off-campus location, name service via those UAlbany servers will no longer work for you as of March 12.

All other users will notice no difference when this change is made.  

How Do I Know If I'm Using UAlbany DNS Servers?

To help you identify whether or not you are using one of our DNS servers, here are their names and IP addresses:  

ns1.albany.edu  169.226.1.100
ns2.albany.edu  169.226.1.103
ns3.albany.edu  169.226.46.100
saratoga.univ.albany.edu  169.226.63.21
epoch.univ.albany.edu  169.226.46.21

For more information about how to verify whether or not you're using UAlbany's DNS servers, click here.
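The two conditions above can be checked mechanically. The following is an added example, not part of the original notice: it reads resolv.conf-style text and reports any UAlbany name servers a host outside 169.226.0.0/16 still relies on. The function names and the sample addresses (documentation ranges 192.0.2.0/24 and 203.0.113.0/24) are assumptions made for illustration.

```python
import ipaddress

# Values taken from this notice.
CAMPUS_NET = ipaddress.ip_network("169.226.0.0/16")
UALBANY_DNS = {
    "169.226.1.100": "ns1.albany.edu",
    "169.226.1.103": "ns2.albany.edu",
    "169.226.46.100": "ns3.albany.edu",
    "169.226.63.21": "saratoga.univ.albany.edu",
    "169.226.46.21": "epoch.univ.albany.edu",
}

def configured_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        # Drop '#' and ';' comments before splitting into fields.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def affected_servers(client_ip, resolv_conf_text):
    """UAlbany name servers this host relies on from off campus (hypothetical helper)."""
    if ipaddress.ip_address(client_ip) in CAMPUS_NET:
        return []  # addresses in 169.226.0.0/16 are not affected
    return [f"{UALBANY_DNS[s]} ({s})"
            for s in configured_nameservers(resolv_conf_text)
            if s in UALBANY_DNS]

# Constructed sample: an off-campus host with one stale UAlbany entry.
SAMPLE_RESOLV_CONF = """\
# constructed example
nameserver 169.226.1.100
nameserver 192.0.2.53   ; ISP resolver (documentation address)
"""

if __name__ == "__main__":
    print(affected_servers("203.0.113.25", SAMPLE_RESOLV_CONF))
```

An empty list means the host needs no change; any entry returned is a name server reference to delete before March 12.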

What should I do if I'm one of the handful of people affected?

On or before March 12, you'll need to reconfigure your system to use the name server supplied by your ISP instead of using UAlbany's name servers.  

How do I do that?

Most people get all the information they need to connect to the Internet from their ISP. If you are getting your Internet service from an Internet service provider, you simply need to delete any reference to the UAlbany domain name servers from your connection settings. Once you delete those references, you will automatically receive the correct domain name settings from your ISP. This link can help you delete any references to UAlbany DNS services in your Internet settings: Verify Your DNS Settings.

Why are you doing this?

To prevent the University DNS servers from participating in Distributed Denial of Service attacks[1], and to protect the members of the University community who use the University's domain name servers from DNS cache poisoning. When DNS cache poisoning occurs, the University's domain name service is no longer reliable, and community members who use the Internet from the campus can be surreptitiously sent to fraudulent sites.[2]

UAlbany Is Not Alone When It Comes to DNS-Related Vulnerabilities

We should emphasize that UAlbany is not unique when it comes to DNS-related vulnerabilities. Studies have shown that as many as 75% of all the 7.5 million or so externally visible DNS servers on the Internet are open or misconfigured, providing recursive name service for arbitrary queries.[3]

UAlbany is committed to being a good network neighbor and to doing what we can to secure our servers and protect our local users and the Internet at large from possible UAlbany-related DNS-based attacks. We will be taking an important step in that regard on March 12 when we secure UAlbany's name servers against arbitrary recursive queries as recommended by leading security authorities.[4]  

Questions or Concerns?

If you're a UAlbany faculty member, student, or staff member and have questions about the change that will occur on March 12, 2007, please feel free to contact your Technology Coordinator. A list of UAlbany Technology Coordinators can be found here: http://apps.albany.edu/tc/tc.php.

*What Is a Recursive DNS Query?

Before any connection can be made to a remote host (e.g., CNN, Google), the name of the site must be translated into a numeric address (e.g., 128.204.12.33). DNS servers provide that address translation. No one DNS server contains all the records for every name on the Internet. A DNS server solves this by asking the other DNS servers that are responsible (authoritative) for the domain space in question. This is called a recursive query.

When a recursive query is made to our DNS servers, every attempt will be made to return an IP address regardless of whether or not we are authoritative for the domain queried. This means that our DNS servers will proceed to traverse the DNS tree, recursively making queries to other DNS servers, in order to obtain an answer before responding to the client.  
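For an administrator confirming that their own name server no longer recurses for outside addresses, the answer is visible in the 12-byte DNS header: the client sets the RD (recursion desired) bit, and the server's reply carries RA (recursion available) and a response code. The following is an added example, not part of the original notice; the function names are hypothetical and the response headers are constructed rather than captured.

```python
import struct

# Header flag bits and response code from RFC 1035.
QR, RD, RA = 0x8000, 0x0100, 0x0080
REFUSED = 5

def build_query(name, txid=0x1234):
    """Encode a recursive (RD=1) type A, class IN question for `name`."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(packet):
    """Say how a server treated a recursive query, judging by the header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    # A restricted server either answers REFUSED or leaves RA clear
    # (for example when it only returns a referral).
    if rcode == REFUSED or not flags & RA:
        return "recursion refused"
    if ancount > 0:
        return "recursion served"
    return "recursion available, no answer"

# Constructed 12-byte response headers (not captured traffic).
OPEN_RESOLVER = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
RESTRICTED = struct.pack("!HHHHHH", 0x1234, QR | RD | REFUSED, 1, 0, 0, 0)

if __name__ == "__main__":
    print(build_query("example.com").hex())
    print(classify_response(OPEN_RESOLVER))   # open to arbitrary clients
    print(classify_response(RESTRICTED))      # behaviour after the change
```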

Sources

[1] "The Continuing Denial of Service Threat Posed by DNS Recursion"
http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf

[2] "DNS Cache Poisoning The Next Generation"
http://www.lurhq.com/dnscache.pdf

[3] "Domain Name Servers: Pervasive and Critical, Yet Often Overlooked"
http://dns.measurement-factory.com/surveys/sum1.html

[4] "SANS Top 20 Vulnerabilities: The Expert Consensus"
http://www.sans.org/top20/#c6 (C6.5, "Do not allow your recursive DNS servers to be used except by your own network blocks except as required.")