[Macpartners] IS&T to disable open recursion on MIT DNS servers on March 18, 2013

Andrew Munchbach amunch at MIT.EDU
Wed Mar 13 16:01:35 EDT 2013


What

IS&T will be disabling open recursion on MIT's Domain Name Servers (DNS).

MIT's DNS servers are located at the following IP addresses: 18.70.0.160, 18.71.0.151, and 18.72.0.3.

When

Monday, March 18, 2013

Why

DNS servers that have open recursion enabled can be leveraged in denial of service attacks (DoS) on third-party networks by persons or groups outside of MIT.  When DNS servers are abused in this manner, it is referred to as a DNS amplification attack.

In order to better protect our DNS servers, and be a good Internet citizen, IS&T will disable open recursion on 18.70.0.160, 18.71.0.151, and 18.72.0.3.

What is open recursion?

Open recursion allows a DNS server to respond to domain name requests for hosts that are not members of its domain.

Most DNS servers are configured to respond to internal domain name requests only (example: if you're connected to MIT's network and ask an MIT DNS server who google.com is, it is appropriate for it to return an IP address to your machine).

Most DNS servers are also configured to ignore external domain name requests (example: if you're not connected to MIT's network and ask an MIT DNS server who google.com is, it should not return an IP address to your machine).

Who might be affected?

Users that are on-campus, and those that are served by MIT's network via remote links, will be unaffected by this change.

This change will only impact those that have made a deliberate configuration change to their off-campus router or computer -- instructing it to use MIT's DNS servers for all domain name lookups.

What if I don't want to use my Internet Service Provider's (ISP) DNS servers?

Google offers a free open recursive DNS service available to those that do not wish to use their ISP's DNS offering (https://developers.google.com/speed/public-dns/).

Additional Help

For additional help, please contact the IS&T Computing Help Desk (http://ist.mit.edu/help).

Regards,
Andrew Munchbach
on behalf of Operations & Infrastructure
--
Andrew Munchbach
Network Security Analyst
Massachusetts Institute of Technology
IS&T | Operations & Infrastructure | IT Security Services

http://ist.mit.edu/secure