Carnegie Mellon University

Recursive DNS Server Operation Guideline


Overview

DNS server services for Carnegie Mellon University are provided by Computing Services. Campus groups who host their own domain names may need to run their own DNS servers. All others should disable DNS server services entirely on their systems.

If DNS server services are required, recursive DNS should be disabled for all off-campus DNS requests.

Furthermore, when DNS servers are not configured correctly, queries for RFC1918 addressing (also known as "private" addressing) may be leaked to the root name servers, degrading service for legitimate queries to those servers. These guidelines set out, for departmental administrators and groups, the proper procedures and usage when such servers are operated independently of those provided by Computing Services.

Applies to

Departmental administrators and groups operating recursive/caching DNS (Domain Name Service) servers independent of those provided by Computing Services.

Purpose of the Guideline

The Carnegie Mellon University Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to Recursive DNS Server Operation.

This guideline was established to ensure that the Carnegie Mellon University community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be reflected on this web page.

Computing Services has designated certain DNS servers as authoritative for RFC1918 domain name space on campus. By creating these servers and funneling all on-campus requests for RFC1918 DNS resolution to them, we can ensure that we do not leak any queries for this space off-campus. Queries for the private address space also account for significant load on the root name servers; we can do our part in reducing this load by stopping RFC1918 queries before they leave campus. The purpose of these guidelines is to ensure that DNS servers administered by departmental administrators and organizations other than Computing Services are configured in such a way that they support that goal.

Definition / Clarification

DNS - Domain Name Service

Background Information - RFC1918 IP addresses are reserved for use on private networks. This allows organizations to create networks of machines that need to have an IP address, but would never need to connect directly to the internet outside the organization. As a result, global IP addresses (those that may be used for communication with the internet) are not consumed unnecessarily by machines that don't need them.

For example, Computing Services currently uses RFC1918 address space to implement the QuickReg feature of NetReg. QuickReg grants unregistered users a "local" (RFC1918) IP address for the purpose of accessing NetReg and registering the machine. Once registered, the machine is granted a global IP address. Our VPN service also uses RFC1918 space for the local side of the point-to-point links. 

Additionally, as part of ongoing efforts to improve the security of the campus network infrastructure, Computing Services expects to move some infrastructure devices into RFC1918 address space in the coming months. To prevent these addresses from being associated with globally accessible DNS data, the hostnames will also change to the privately-scoped domain "cmu.local." In some cases this has been replaced with "local.cmu.edu".

Queries for the private address space account for significant load on the root name servers. We can do our part in reducing this load by stopping RFC1918 queries before they leave campus.

Guideline Statement

All on-campus recursive DNS servers must be configured in such a manner that queries for any of the Local Use Zones listed below will not be sent to the root name servers.

Local Use Zones
10.IN-ADDR.ARPA.          (10.0.0.0/8)
{16-31}.172.IN-ADDR.ARPA. (172.16.0.0/12)
254.169.IN-ADDR.ARPA.     (169.254.0.0/16)
2.0.192.IN-ADDR.ARPA.     (192.0.2.0/24)
168.192.IN-ADDR.ARPA.     (192.168.0.0/16)
LOCAL.

For an exhaustive list of local IN-ADDR.ARPA zones, please reference RFC 6890, which lists the special-use IP address blocks.

Computing Services recommends the following strategies for complying with this requirement:

  • Configure your DNS servers to forward all unknown queries to the campus resolvers, 128.2.1.10 and 128.2.1.11 (nscache1.net.cmu.edu and nscache2.net.cmu.edu). Doing this also helps achieve maximum efficiency in on-campus caching of DNS information.
  • Coordinate all use of RFC1918 address space with Computing Services to ensure proper implementation and avoid unexpected conflicts. We recommend the 172.16.0.0/12 block of RFC1918 space for campus use, because client products make extensive use of the other blocks.
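The following BIND 9 named.conf fragment is an added example of a departmental resolver that follows the first strategy above; it is not part of the Computing Services guideline. The resolver addresses are the ones given above, while the campus client range 128.2.0.0/16 and the file layout are assumptions to be replaced with your own values.

```conf
// Added example for a departmental BIND 9 resolver; not part of the Computing
// Services guideline. Resolver addresses come from the guideline; the campus
// client range 128.2.0.0/16 and the directory layout are assumptions.
acl "campus" { 127.0.0.1; ::1; 128.2.0.0/16; };   // assumption: your on-campus client subnets

options {
    directory "/var/named";
    recursion yes;
    allow-recursion   { campus; };   // off-campus requests receive no recursive service
    allow-query-cache { campus; };   // and cannot read cached answers either

    // Strategy 1: hand every query this server is not authoritative for to the
    // campus resolvers (nscache1/nscache2.net.cmu.edu). "forward only" means that
    // if both resolvers fail the query fails; it never falls back to the roots.
    forwarders { 128.2.1.10; 128.2.1.11; };
    forward only;
};

// Zone-level forwarding for the guideline's Local Use Zones. These stanzas are
// redundant while the global "forward only" above is in place, but they keep the
// zones pinned to the campus resolvers if this server is later allowed to recurse
// on its own. Forwarding (rather than serving an empty zone) is used because the
// campus side holds the RFC1918 data for QuickReg and VPN addresses.
zone "10.in-addr.arpa"      { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "16.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "17.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "18.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "19.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "20.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "21.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "22.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "23.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "24.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "25.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "26.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "27.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "28.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "29.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "30.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "31.172.in-addr.arpa"  { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "254.169.in-addr.arpa" { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "2.0.192.in-addr.arpa" { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "168.192.in-addr.arpa" { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
zone "local"                { type forward; forward only; forwarders { 128.2.1.10; 128.2.1.11; }; };
```

After loading the configuration, a PTR query for an address in any of these blocks should be answered or fail via the campus resolvers only; a packet capture on the server's uplink should show no traffic to root server addresses for these names.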

In keeping with best common practice, we recommend that any DNS record containing an RFC1918 address be placed in a "private" zone tree. Requests for subdomains should be sent to the Computing Services Network Group.

If a machine is observed querying the root servers for information about a Local Use Zone, the machine's administrator will be contacted and asked to reconfigure the server following these guidelines. If the machine is not promptly reconfigured, it may be filtered from all off-campus access.

User Responsibilities and Procedures

Departmental administrators and groups operating recursive/caching DNS (Domain Name Service) servers, independent of those provided by Computing Services, must be aware of the way their DNS servers are configured.

Revision History

Status      Date Published   Author             Description
Published   02/27/2003                          Initial document
Reviewed    09/13/2023       Matthew Nicolai
Updated     09/13/2023       Matthew Nicolai    Removed outdated verbiage and fixed links