DNS Changes

Summary

There are three changes to DNS that we are planning. If you see potential problems with any of these please let us know so that we can address them before we cut over.

  1. External DNS – splitting DNS services such that the rest of the world only sees DNS entries for IPs that are available through the campus firewall.
  2. Blackhole DNS – intercepting DNS requests for known spyware and phishing sites.
  3. New DNS servers – changing the real IP addresses for the internal DNS servers (the virtual addresses will not change).

External DNS

Around May 5, 2008 we (Computer Services, Networking) are planning on splitting DNS services between on-campus (internal) and off-campus (external). Internal DNS will work the same as it does now. That is, every computer that receives a DHCP lease is put into DNS for both forward and reverse lookups. A forward lookup is looking up an IP address by name and a reverse lookup is looking up the name by the IP address. There are also a number of other DNS entries that are added manually, such as aliases (CNAME) and mail server records (MX). Finally, the internal DNS server resolves recursive lookups. These are requests for names that it doesn’t know about, such as www.google.com. The DNS server recursively queries other servers, starting with the root name servers, to find the IP address(es) for these names.

With the installation of the firewall that protects our campus network, most of the addresses on campus are not accessible from the Internet. The external DNS servers will only resolve names for IP addresses that are permitted through the campus firewall. They will not resolve any reverse lookups, nor will they resolve recursive lookups.

There are two main advantages of splitting DNS this way. The first is security. If a hacker wished to target Missouri State he could easily find all of the computers on our campus by doing reverse lookups on the entire 146.7 address space. With this information he can target attacks at these specific addresses. Any information about our network that we can keep from attackers will make attacks more difficult and possibly prevent the attack altogether. Splitting DNS is a relatively simple step that increases the security for the whole campus.

The second advantage of splitting DNS is limiting the scope of a failure. If DNS is hit by a denial-of-service or some other type of attack from the Internet, then the internal DNS will be unaffected. Likewise, if something happens to the internal DNS then external will continue to work. We have mechanisms in place to prevent these from happening, but we want to be as well prepared as we can.

The external DNS servers will be conceptually in front of the campus firewall and the internal servers will be behind it. We currently permit DNS traffic from the Internet to our internal servers. Once the external servers are in place this will no longer be necessary and we will block this traffic. DNS lookups will stop working at that time for any off-campus users that are using Missouri State DNS servers. The only reason that I know of for this to occur is if someone hardcoded the DNS server on their home computer to one of our addresses. Usually home computers will use the DNS server of their ISP retrieved through DHCP.

Users connected to the Missouri State network through a VPN connection will use the internal DNS servers and will be able to see all DNS entries.

Internal DNS Servers:

  • 146.7.4.129 (Powerball)
  • 146.7.4.130 (Keno)

External DNS Servers:

  • 146.7.4.136 (Sirius)
  • 150.199.1.11 (Argus.more.net)
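A way to confirm after the cutover that an external server behaves as described (no recursion, no reverse answers). This is an added example, not part of the original page: it builds the probe queries and checks the header of each response. The function names are hypothetical, the two response headers are constructed, and sending the query over UDP port 53 is left out so the example runs offline.

```python
import struct

QTYPE_A, QTYPE_PTR = 1, 12
RCODE_NOERROR, RCODE_REFUSED = 0, 5

def build_query(name, qtype, txid=0x1234):
    """Build a DNS query (RFC 1035) with the RD bit set, as a stub resolver would."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, one question
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"bad label in {name!r}")
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)  # class IN

def parse_header(resp):
    """Extract the header fields the audit needs from a DNS response."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", resp[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def audit_external(kind, resp):
    """Findings for the response to a 'recursive' or 'reverse' probe."""
    h = parse_header(resp)
    if not h["qr"]:
        raise ValueError("not a DNS response")
    findings = []
    if h["ra"]:
        findings.append("recursion available (RA flag set)")
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        findings.append(f"{kind} lookup answered with {h['ancount']} record(s)")
    return findings

# Constructed 12-byte response headers (not captured from any real server).
REFUSED = struct.pack("!6H", 0x1234, 0x8105, 1, 0, 0, 0)        # QR, RD, RCODE=REFUSED
OPEN_RESOLVER = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, 1 answer

if __name__ == "__main__":
    probe = build_query("43.2.7.146.in-addr.arpa", QTYPE_PTR)   # reverse name for 146.7.2.43
    print(len(probe), audit_external("reverse", REFUSED))
    print(audit_external("recursive", OPEN_RESOLVER))
```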

[Figure: Diagram of DNS servers]

Blackhole DNS

On May 31, 2008 Computer Services, Networking will be implementing black hole DNS.  The purpose of this service is to help prevent malware and spyware from spreading to the Missouri State network.  This works by intercepting all DNS requests to known malware and spyware domains and redirecting them to a web server on campus.  The list of these domains is maintained at http://malwaredomains.com/.  This site explains black hole DNS in much more detail if you are interested.  Though we don’t expect this service to block any legitimate web sites, should that occur there is an e-mail address on their site to discuss the removal of a domain from their list.
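The lookup decision a black hole resolver makes, as an added example that is not part of the original page. It assumes a one-domain-per-line list (not necessarily the format malwaredomains.com publishes), a placeholder sinkhole address because the page does not give the campus web server's IP, and constructed domain names; matching is done on whole labels so that a listed domain covers its subdomains but not look-alike names.

```python
SINKHOLE_IP = "192.0.2.10"  # placeholder (TEST-NET-1); the real address is not on the page

# Constructed blocklist and upstream answers, for illustration only.
BLOCKLIST_LINES = [
    "# domain            reason",
    "spyware.example     # spyware",
    "Phish.Example.",
    "",
]
UPSTREAM = {"www.example.org": "198.51.100.7"}

def load_blocklist(lines):
    """Parse a one-domain-per-line list, ignoring blanks and '#' comments."""
    blocked = set()
    for line in lines:
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            blocked.add(entry)
    return blocked

def blackholed_by(qname, blocked):
    """Return the list entry covering qname (itself or a parent domain), else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])   # compare whole labels, never raw suffixes
        if candidate in blocked:
            return candidate
    return None

def resolve(qname, blocked, upstream):
    """Answer (ip, matched_entry): the sinkhole for listed names, upstream otherwise."""
    hit = blackholed_by(qname, blocked)
    if hit is not None:
        return SINKHOLE_IP, hit
    return upstream.get(qname.lower().rstrip(".")), None

if __name__ == "__main__":
    blocked = load_blocklist(BLOCKLIST_LINES)
    for name in ("www.spyware.example", "notspyware.example", "www.example.org"):
        print(name, resolve(name, blocked, UPSTREAM))
```

Logging the matched entry alongside the client address on the sinkhole side gives a list of machines that tried to reach a listed domain.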

New DNS Servers

Upgrades to DNS servers will occur on May 31.  The old DNS server IP addresses (146.7.7.76 and 146.7.7.78) will be disabled at that time.  We recommend all computers be configured to obtain DNS server IP addresses from DHCP requests.  However, if a computer is hard-coded to point to the old DNS servers, it must be changed to the virtual IP addresses (146.7.4.129 and 146.7.4.130) before the 31st.  The virtual IP addresses load-balance the real DNS servers.  On the 31st we will change the virtual IPs to point to the new DNS servers.

Virtual Load-Balanced DNS Servers (all computers on campus should be using these two servers)

  • 146.7.4.129
  • 146.7.4.130

Old DNS Servers (these will stop working in June)

  • 146.7.7.76
  • 146.7.7.78

To check the DNS servers in Windows type the following at a command prompt:

ipconfig /all

Locate the section for your network card. The IP address should start with 146.7. The DNS servers are listed towards the bottom. Mine looks like this:

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . : MissouriState.edu
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address. . . . . . . . . : 00-19-32-E0-61-0F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::c0f4:7b32:278a:28c4%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 146.7.2.43(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, May 05, 2008 8:03:52 AM
   Lease Expires . . . . . . . . . . : Thursday, May 15, 2008 8:03:55 PM
   Default Gateway . . . . . . . . . : 146.7.2.254
   DHCP Server . . . . . . . . . . . : 146.7.7.76
   DHCPv6 IAID . . . . . . . . . . . : 201333177
   DNS Servers . . . . . . . . . . . : 146.7.4.129
                                       146.7.4.130
   NetBIOS over Tcpip. . . . . . . . : Enabled
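For checking many machines, the same inspection can be scripted. This is an added example, not part of the original page: it parses saved `ipconfig /all` output and reports any adapter whose DNS servers are not the two virtual IPs. The function names and the second adapter in the sample are constructed; the addresses are the ones listed above.

```python
OLD_DNS = {"146.7.7.76", "146.7.7.78"}        # retired addresses named on the page
VIRTUAL_DNS = {"146.7.4.129", "146.7.4.130"}  # virtual IPs named on the page

# Constructed sample: first adapter follows the page's output, second is invented.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 146.7.4.129
                                       146.7.4.130
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Lab Connection:

   DHCP Enabled. . . . . . . . . . . : No
   DNS Servers . . . . . . . . . . . : 146.7.7.76
                                       146.7.4.130
"""

def parse_adapters(text):
    """Map adapter name -> {'dhcp': bool or None, 'dns': [ip, ...]}."""
    adapters, cur, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a new section
            is_adapter = line.rstrip().endswith(":")
            name = line.strip().rstrip(":")
            cur = adapters.setdefault(name, {"dhcp": None, "dns": []}) if is_adapter else None
            in_dns = False
        elif cur is not None:
            key, sep, val = line.partition(" :")
            if sep:                          # "Label . . . : value" line
                key, val = key.strip(" ."), val.strip()
                in_dns = key == "DNS Servers"
                if in_dns and val:
                    cur["dns"].append(val)
                elif key == "DHCP Enabled":
                    cur["dhcp"] = val.lower() == "yes"
            elif in_dns:                     # continuation line: another DNS server
                cur["dns"].append(line.strip())
    return adapters

def audit(text):
    """Return (adapter, dns_ip, status, dhcp_enabled) for each non-virtual server."""
    return [(name, ip, "old" if ip in OLD_DNS else "unknown", info["dhcp"])
            for name, info in parse_adapters(text).items()
            for ip in info["dns"] if ip not in VIRTUAL_DNS]
```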

If you have any questions or concerns please contact us at Networking@missouristate.edu or JoshStuppy@missouristate.edu.

  
Copyright © 2000 Board of Governors, Missouri State University
Maintained by Computer Services Networking   Last Modified: October 08, 2007