Recursive DNS Server Operation Guideline
This document contains the following sections:
DNS server services for Carnegie Mellon are provided by Computing Services. Campus groups who host their own domain names may need to run their own DNS server services. All others should disable DNS server services entirely on their systems.
If DNS server services are required, recursive DNS should be disabled for all Off-Campus DNS requests.
Furthermore, when DNS servers are not configured correctly, queries using RFC1918 addressing (also known as "private" addressing) may be leaked to the root name servers, causing a degradation in service for legitimate queries to those servers. These guidelines enumerate to departmental administrators and groups proper procedures and usage when these servers are operated independently of those provided by Computing Services.
Departmental administrators and groups operating recursive/caching DNS (Domain Name Service) servers independent of those provided by Computing Services.
Purpose of the Guideline
The Carnegie Mellon Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to Recursive DNS Server Operation.
This guideline was established to ensure that the Carnegie Mellon community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be posted to official.computing-news and will be reflected on this web page.
Computing Services has designed certain DNS servers as authoritative for RFC1918 domain name space on campus. By creating these servers and funneling all on-campus requests for RFC1918 DNS resolution to them, we can ensure that we do not leak any queries for this space off-campus. Also, queries for the private address space accounts for significant load on the root name servers. We can do our part in reducing this load by stopping RFC1918 queries before they leave campus. The purpose of these guidelines is to ensure that DNS servers administered by departmental administrators and organizations other than Computing Services are configured in such a way that they support that goal.
Definition / Clarification
DNS - Domain Name Service
Background Information - RFC1918 IP addresses are reserved for use on private networks. This allows organizations to create networks of machines that need to have an IP address, but would never need to connect directly to the internet outside the organization. As a result, global IP addresses (those that may be used for communication with the internet) are not consumed unnecessarily by machines that don't need them.
For example, Computing Services currently uses RFC1918 address space to implement the QuickReg feature of NetReg. QuickReg grants unregistered users a "local" (RFC1918) IP address for the purpose of accessing NetReg and registering the machine. Once registered, the machine is granted a global IP address. Our VPN service also uses RFC1918 space for the local side of the point-to-point links. In this configuration, remote end of each connection receives an address within Carnegie Mellon's primary IP address range (128.2.#.#).
Additionally, as part of ongoing efforts to improve the security of the campus network infrastructure, Computing Services expects to move some infrastructure devices into RFC1918 address space in the coming months. To prevent these addresses from being associated with globally-accessing DNS data, the hostnames will also change to the privately-scoped domain "cmu.local."
Queries for the private address space accounts for significant load on the root name servers. We can do our part in reducing this load by stopping RFC1918 queries before they leave campus.
All on-campus recursive DNS servers must be configured in such a manner that queries for any of the following Local Use Zones (listed below) will not be sent to the root name servers.
Local Use Zones
To do so, Computing Services recommends one of the following three strategies for complying with this requirement:
- Configure your DNS servers to forward all unknown queries to the Computing Services recursive DNS servers, AC-CDNS1.NET.CMU.EDU and AC-CDNS2.NET.CMU.EDU. Doing this also helps achieve maximum efficiency in on-campus caching of DNS information.
- Configure your DNS servers to forward queries for the specific Local Use Zone to the authoritative servers for the zones, AC-LDNS1.NET.CMU.EDU and AC-LDNS2.NET.CMU.EDU.
- Configure your DNS servers to mirror the zone contents of the Local Use zones.
All use of RFC1918 address space should be coordinated with Computing Services to ensure proper implementation and avoid unexpected conflicts. We recommend the use of the 172.16.0.0/12 block of RFC1918 space for campus use, due to the extensive use of other space by client products.
In following best common practices, we recommend any DNS records containing an RFC1918 address should be in a "private" zone tree, such as the .LOCAL zone. Requests for .LOCAL subdomains should be sent to the Computing Services Network Group.
If a machine is observed querying the root servers for information about a Local Use Zone, the machine's administrator will be contacted and asked to reconfigure the server following these guidelines. If the machine is not promptly reconfigured, it may be filtered against any off-campus access.
User Responsibilities and Procedures
Departmental administrators and groups operating recursive/caching DNS (Domain Name Service) servers, independent of those provided by Computing Services, must be aware of the way their DNS servers are configured.
Guideline Modified: October 17, 2005
Guideline Modified: February 27, 2003