Penn Computing


Frequently Asked Questions about DNS

General info

  1. What is a recursive DNS query?
  2. Why is Penn making this change?
  3. Why would someone need to use Penn's DNS servers from their home computer?
  4. How can I tell if I'm using Penn's DNS servers from home?
  5. I use my laptop on PennNet during the day, but I take it with me at night. How can I easily transition to using my ISP's DNS servers when I'm off-campus?
  6. I can still access Penn's home page, but I can't visit my favorite movie site from my home computer. What's going on?

Q: What is a recursive DNS query?
A:

When a query is made to Penn's DNS servers, every attempt will be made to return an IP address regardless of whether or not we are authoritative for the domain queried. This means that our DNS servers will proceed to traverse the DNS tree, recursively making queries to other DNS servers, in order to obtain an answer before responding to the client.


Q: Why is Penn making this change?
A:

Disabling off-campus recursive access to Penn's name servers helps to protect Penn (and the Internet as a whole) against two types of name service-related attacks:

  1. DDoS attacks. Name servers can be used as distributed denial of service (DDoS) attack amplifiers: the attacker sends a small spoofed UDP name service query to an open name server, forging the victim's IP address; the open name server then returns a large "answer" to the forged IP address, even though the victim never made the DNS query in the first place. If this is done on an ongoing basis with a large number of open name servers, it can flood the victim's IP address with responses from thousands (or tens of thousands) of name servers, thereby exhausting the victim's available network bandwidth.[1] Attacks of this sort can result in multi-Gbps flow volumes.
  2. Cache poisoning attacks. Attackers can generate spoofed traffic to open recursive DNS servers that can result in so-called "cache poisoning" attacks, whereby vulnerable caching name servers can be made to return bogus results for a user's name service queries.[2]

In a nutshell: The attacker "primes" the caching name server to respond to queries with an IP address of his/her choice, rather than the real/normal IP address for that site. The innocent victim asks the caching name server for the IP address of a site of interest, such as the IP address of their bank's website. If the domain name of that site happens to be one that the attacker has poisoned, the victim is automatically and transparently misdirected to a website of the attacker's choice rather than to their bank's real web page, and confidential data can then be stolen (some refer to this type of attack as "pharming").

A variant of this attack uses cache poisoning to redirect queries for popular sites (such as google.com or hotmail.com) to a site that contains a virus or other malware. If your caching name server has been poisoned, when you try to visit one of these popular sites you can unknowingly be redirected to another site that stealthily tries to infect your PC with malware.

While blocking off-campus recursive access to Penn's name servers won't completely eliminate the possibility of their being used in such an attack, eliminating recursive access will substantially reduce the likelihood of their being abused.
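The exchange described in the two answers above, as an added example that is not Penn's code: a query for a name outside upenn.edu with the RD (recursion desired) bit set, beside a constructed reply from an open recursive server and the REFUSED reply a server that no longer recurses for off-campus clients typically returns. It uses only the Python standard library; the addresses, transaction id and server behaviour are constructed for illustration, and the size ratio shows why an open server makes a useful amplifier.

```python
import struct

# DNS header flag bits (RFC 1035): QR = response, RD = recursion desired,
# RA = recursion available. RCODE 5 (REFUSED) is what a server that has
# turned off recursion for your network typically returns.
QR, RD, RA = 0x8000, 0x0100, 0x0080
REFUSED = 5

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """A recursive query: RD set asks the server to chase the answer itself."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, rcode, ra, addrs):
    """Constructed reply: echoes the question, then one A record per address."""
    txid, qflags, qdcount = struct.unpack("!HHH", query[:6])
    flags = QR | (qflags & RD) | (RA if ra else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, qdcount, len(addrs), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # name ptr, A, IN, TTL, rdlength
        + bytes(int(o) for o in a.split("."))
        for a in addrs)
    return header + query[12:] + rrs

def classify(query, response):
    """Verdict from the header alone, plus response/query size ratio."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if (flags & 0x000F) == REFUSED or not (flags & RA):
        verdict = "recursion refused"
    elif ancount > 0:
        verdict = "open recursive resolver"
    else:
        verdict = "recursive, empty answer"
    return verdict, len(response) / len(query)

# Constructed exchange for a name Penn is not authoritative for.
QUERY = build_query("example.com")
OPEN = build_response(QUERY, 0, True, [f"198.51.100.{i}" for i in range(1, 21)])
CLOSED = build_response(QUERY, REFUSED, False, [])

if __name__ == "__main__":
    for label, resp in (("before change", OPEN), ("after change", CLOSED)):
        verdict, ratio = classify(QUERY, resp)
        print(f"{label}: {verdict}, {len(resp)} bytes back for {len(QUERY)} sent (x{ratio:.1f})")
```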


Q: Why would someone need to use Penn's DNS servers from their home computer?
A:

The vast majority of home users receive their DNS settings from their ISP's DHCP server. However, in some cases, people have relied on name service from Penn because their appropriate name servers--the ones that are provided for their use by their ISP--were broken or otherwise had problems. For example, on a couple of occasions in April 2005, Comcast had problems with its name servers [3]. As a stopgap measure, some Comcast users configured their systems to use other name servers (such as Penn's name servers) instead. Although Comcast's name server problems are now in the distant past, those workarounds were never removed.


Q: How can I tell if I'm using Penn's DNS servers from home?
A:

To verify whether or not you're using Penn's DNS servers, see How to check or change your DNS settings.


Q: I use my laptop on PennNet during the day, but take it with me at night. How can I easily transition to using my ISP's DNS servers when I'm off-campus?
A:

Individuals who carry a laptop between on-campus locations and off-campus locations may need to configure their laptop to use appropriate DNS settings for multiple locations. Visit the "Help for Laptop users" section of this web site to learn about utilities available by certain computer manufacturers as well as in our supported operating systems that will help you manage DNS settings for multiple environments.


Q: I can still access Penn's home page, but I can't visit my favorite movie site from my home computer. What's going on?
A:

For off-campus users, beginning July 11th, Penn's DNS servers will only answer for names they are authoritative for (all upenn.edu names). Off-campus users who have configured their computer to use Penn's DNS servers may not successfully connect to some web sites if they continue to use those servers after July 11th.

Individuals encountering problems should check and if necessary change their DNS settings to use the DNS service recommended by their ISP.

Useful links:


Some content on this page was developed from parent materials provided by the
University of Oregon's Computing Center


Information Systems and Computing
University of Pennsylvania