<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<div><b>What</b></div>
<div><br>
IS&T will be disabling open recursion on MIT's Domain Name Servers (DNS). <br>
<br>
MIT's DNS servers are located at the following IP addresses: 18.70.0.160, 18.71.0.151, and 18.72.0.3.<br>
<br>
<b>When</b><br>
<br>
Monday, March 18, 2013<br>
<br>
<b>Why</b><br>
<br>
DNS servers that have open recursion enabled can be leveraged in denial-of-service (DoS) attacks on third-party networks by persons or groups outside of MIT. When DNS servers are abused in this manner, it is referred to as a DNS amplification attack. <br>
<br>
In order to better protect our DNS servers, and be a good Internet citizen, IS&T will disable open recursion on 18.70.0.160, 18.71.0.151, and 18.72.0.3.<br>
<br>
<b>What is open recursion?<br>
</b><br>
Open recursion allows a DNS server to respond to domain name requests for hosts that are not members of its domain.<br>
<br>
Most DNS servers are configured to respond to internal domain name requests only (example: if you're connected to MIT's network and ask an MIT DNS server who <a href="http://google.com/">google.com</a> is, it is appropriate for it to return an IP address to your machine). <br>
<br>
Most DNS servers are also configured to ignore external domain name requests (example: if you're not connected to MIT's network and ask an MIT DNS server who <a href="http://google.com/">google.com</a> is, it should not return an IP address to your machine).<br>
<br>
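The two cases above can be told apart from the header of a server's reply. The following Python code is an added example, not part of the original announcement or any IS&T tooling: it builds a recursive query and classifies the reply. The function names, result labels, query ID and the test name example.com are assumptions chosen for illustration.<br>
<pre>
```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # DNS header flag bits (RFC 1035)
REFUSED = 5                                        # RCODE 5: server refuses by policy

def build_query(name, qid=0x1234):
    """Build an A/IN query for `name` with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(data, qid=0x1234):
    """Classify a reply to build_query() from its 12-byte header alone."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & QR:
        return "malformed"            # wrong ID, or not a response at all
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"              # recursion denied to this client
    if flags & AA:
        return "authoritative"        # server owns the zone; says nothing about recursion
    if not flags & RA:
        return "recursion-unavailable"
    if rcode == 0 and ancount > 0:
        return "open-recursion"       # resolved an outside name for us
    return "inconclusive"

def probe(server_ip, name="example.com", timeout=3.0):
    """Send one query over UDP to a server you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server_ip, 53))
            return classify_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return "no-reply"         # query silently dropped

def sample_reply(flags, ancount, qid=0x1234):
    """Constructed sample: header-only reply bytes for offline testing."""
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
```
</pre>
The result of probe() only indicates open recursion when it is run from a network the server is not meant to serve; from inside that network, an answer is the expected behavior.<br>
<br>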
<b>Who might be affected?</b></div>
<div><b><br>
</b></div>
<div>Users that are on-campus, and those that are served by MIT's network via remote links, will be unaffected by this change.<br>
<br>
This change will only impact those that have made a deliberate configuration change to their off-campus router or computer -- instructing it to use MIT's DNS servers for all domain name lookups.<br>
<br>
<b>What if I don't want to use my Internet Service Provider's (ISP) DNS servers?<br>
</b><br>
Google offers a free open recursive DNS service available to those that do not wish to use their ISP's DNS offering (<a href="https://developers.google.com/speed/public-dns/">https://developers.google.com/speed/public-dns/</a>).</div>
<div><br>
</div>
<div><b>Additional Help</b></div>
<div><br>
</div>
<div>For additional help, please contact the IS&T Computing Help Desk (<a href="http://ist.mit.edu/help">http://ist.mit.edu/help</a>).</div>
<div><br>
</div>
<div>Regards,</div>
<div>Andrew Munchbach</div>
<div><i>on behalf of Operations & Infrastructure</i></div>
<div>
<div>--</div>
<div>Andrew Munchbach</div>
<div>Network Security Analyst</div>
<div>Massachusetts Institute of Technology</div>
<div>IS&T | Operations & Infrastructure | IT Security Services</div>
<div><br>
</div>
<div><a href="http://ist.mit.edu/secure">http://ist.mit.edu/secure</a></div>
</div>
</body>
</html>