
Thread: HEADS UP: Access to caching DNS servers to be restricted

user name
2006-05-25 21:22:38
Apologies in advance for the cross-posting.  It's important that we get the word out.

Beginning July 1, 2006, IST will be restricting access to the main campus caching DNS servers, ns1.berkeley.edu (128.32.136.9, 128.32.206.9) and ns2.berkeley.edu (128.32.136.12, 128.32.206.12) to CAMPUS IP ADDRESSES ONLY.  The details and reasons behind this action are explained at the following web pages:

http://net.berkeley.edu/DNS/recursion.shtml

and

http://net.berkeley.edu/DNS/recursion-detail.shtml

These pages will be linked from the DNS page on the CNS Data Services web page by the end of the day.

Unfortunately, open caching DNS servers are being exploited in generating amplified distributed denial-of-service (DDoS) attacks, some of which have exceeded 4gb/s in sustained bandwidth received by the victim.  Much of the talk in the community of DNS server operators and network engineers is that we should begin treating these servers in a manner similar to open mail relays: caching nameservers should never be open to the world by default and such open servers represent a threat to the entire Internet.

The changes we plan to make will cause problems to those who use non-campus ISPs at home *and* hard-code campus nameserver information in their home computer's configuration.  Solutions for this issue are included in the first document.  On-campus users, or users who dial in to campus, have T1 or fiber access to the campus network (or generally use campus IP address space, a list of which is linked in the first document) will not be affected.

A number of universities similar to UCB have imposed the same restrictions in recent months and have reported that their users were able to cope well with the changes.  Currently, the University of Oregon, UCLA, and University of Virginia (among many others), and many ISPs restrict access to their caching nameservers in the same way that we will be restricting access.

Please write back to me if you have any questions/comments.

michael

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to or unsubscribing from its mailing list and finding out about upcoming meetings, please visit the Micronet Web site: <http://micronet.berkeley.edu/>.
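
The restriction announced above, sketched as an added example (not code from the original post or from IST): a caching server recurses only for campus source addresses and gives everyone else a reply no larger than the query, which removes the amplification. The campus ranges are placeholder documentation networks, and answering off-campus queries with REFUSED is an assumption, since the post does not say how the servers will respond.

```python
import ipaddress
import struct

# Assumption: placeholder "campus" ranges (RFC 5737 documentation networks);
# the real list of campus address space is linked from the announcement.
CAMPUS_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
FLAG_QR, FLAG_RD, RCODE_REFUSED = 0x8000, 0x0100, 5

def is_campus(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in CAMPUS_NETS)

def question_end(msg):
    """Return the offset just past the first question (QNAME, QTYPE, QCLASS)."""
    pos = 12
    while pos < len(msg) and msg[pos] != 0:
        if msg[pos] & 0xC0:
            raise ValueError("compressed name not expected in a query")
        pos += 1 + msg[pos]
    pos += 1 + 4  # root label, then QTYPE and QCLASS
    if pos > len(msg):
        raise ValueError("truncated question")
    return pos

def handle_query(src_ip, msg):
    """Return ("recurse", None) for campus clients, else ("refuse", response)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("not a single-question query")
    if is_campus(src_ip):
        return "recurse", None
    # Off-campus: echo only the question, with no answers, RA clear and
    # RCODE=REFUSED, so the reply is never larger than the query.
    end = question_end(msg)
    resp_flags = FLAG_QR | (flags & 0x7800) | (flags & FLAG_RD) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", qid, resp_flags, 1, 0, 0, 0)
    return "refuse", header + msg[12:end]

def build_query(qid, name, qtype=1):
    """Constructed sample input: a recursive (RD=1) query, QTYPE A by default."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)
```
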