
Access to caching DNS servers to be restricted


WHAT: For important security reasons, IST will be reconfiguring the campus caching DNS servers to only respond to queries from on-campus IP addresses.


WHEN: Beginning July 1, 2006, off-campus users will be denied access to the campus caching nameservers.  Between July 1 and August 1, the nameservers will be configured to deny access to an increasingly large part of the global Internet address space, except for campus address space. By August 1, only campus clients will be allowed to use the campus caching nameservers.   It is hoped that this gradual approach will prevent campus and departmental support personnel from being inundated with help requests at once.


WHY: A much longer background document is available here.  In short, caching DNS servers that answer queries from anyone on the Internet carry two serious security risks.  To minimize those risks, and to follow standard Internet best practice, UC Berkeley is joining a number of other universities and ISPs in restricting access to its nameservers.


WHO IS AFFECTED: Users of off-campus ISP services (i.e. those who do not have a campus IP address) who also configure their computers to use the campus DNS servers.  This does not include users of the campus VPN service (see below).


WHO IS NOT AFFECTED:

  • Campus users
  • Off-campus UCB offices that get service from the campus via T1 lines or Comcast fiber
  • Users who dial into the campus modems
  • Residence Hall users
  • Off-campus ISP users who do not specifically configure their hosts to use the campus DNS services.

NOTE: Users who log into the Campus VPN from an off-campus ISP should configure their computers using the instructions below. Once logged into the campus VPN, the computer will automatically use the campus nameservers, but until then, you will need to use your ISP's nameservers. By following the instructions below, you will ensure that your computer uses the proper nameservers at the proper time.


WHAT TO DO IF YOU ARE AN AFFECTED USER:


Most ISPs will automatically configure your system to use their nameservers when you log into their service.  For example, ATT/SBC DSL users ordinarily have their nameservers configured when the user logs in via the PPPoE client.  Comcast uses DHCP to properly configure hosts.  Only users who override this configuration are affected.

If (and only if) you are one of the affected users, you can use the following guide (courtesy of the University of Oregon) to ensure that your computer is configured correctly.

NOTE: On-campus users who connect to AirBears or use the campus DHCP service should also configure their computers according to the instructions below; they will then automatically be configured to use the campus nameservers. Other on-campus users who manually configure the IP information on their computer should NOT leave the nameserver field blank, but instead should manually configure their systems to use the campus DNS servers.


Mac OS X

  1. From the Apple menu, select System Preferences
  2. Click the Network button
  3. From the Show menu select your network interface (Ethernet or wireless, for example)
  4. Click the TCP/IP button
  5. Check the DNS Servers box--make sure the box is blank

Mac OS 9

  1. Open the TCP/IP Control Panel. (Apple menu -> Control Panels -> TCP/IP)
  2. Change the user mode to Advanced. (Edit-> User Mode -> Advanced)
  3. Look at the "Connect via:" setting and remember it (or write this down). It will typically say "Ethernet" or "ppp."
  4. Verify that the "name server addr.:" field is blank for each "Connect via:" drop-down. Make sure you restore the "Connect via:" setting to what you started with.

Windows XP

  1. From the Start Menu select Control Panel
  2. Right-click on your network connection and select Properties
  3. Double-click on "Internet Protocol (TCP/IP)"
  4. Make sure that the "Obtain DNS server address automatically" is selected

Unix

If you are off-campus, and not connecting through the UCB network, then check your resolv.conf, usually found in /etc/resolv.conf, to verify that you are not using the campus caching DNS servers for name resolution.
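As an added example (not part of the IST page), the following POSIX shell check automates the Unix step above: it parses a resolv.conf and flags any nameserver line that points at the campus caching servers. The CAMPUS_DNS addresses and the sample resolv.conf are constructed placeholders; substitute the real campus nameserver addresses.

```shell
#!/bin/sh
# Added example, not from the IST page. CAMPUS_DNS is a constructed
# placeholder list; replace it with the real campus caching nameserver IPs.
CAMPUS_DNS="192.0.2.10 192.0.2.11"

# check_resolv [FILE]: print each "nameserver" line that matches a campus
# caching server. Returns 1 if any were found, 0 if the file is clean.
check_resolv() {
    file="${1:-/etc/resolv.conf}"
    found=0
    # resolv.conf has one directive per line; '#' or ';' begins a comment.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#*|\;*|'') continue ;;
        esac
        set -- $line
        [ "$1" = "nameserver" ] || continue
        ns="$2"
        for c in $CAMPUS_DNS; do
            if [ "$ns" = "$c" ]; then
                echo "$file: nameserver $ns is a campus caching server and will not answer off-campus queries"
                found=1
            fi
        done
    done < "$file"
    return $found
}

# Constructed sample resolv.conf so the check can be demonstrated offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
search example.net
nameserver 192.0.2.10
nameserver 198.51.100.53
EOF
if ! check_resolv "$sample"; then
    echo "Action needed: remove the campus entries and use your ISP's nameservers"
fi
rm -f "$sample"
```

Run it with no argument to inspect the live /etc/resolv.conf instead of the constructed sample.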

Detailed Information

For additional help please see the IST Assistance Page.

Last revised: June 10, 2008