WHAT: For important security reasons, ITS/NTS will be reconfiguring the campus DNS servers. Off-campus users that have been using UCSC name servers will need to change to use the server provided by their ISP.
After the conversion, the campus servers will resolve only UCSC-managed names for off-campus queriers. For any other name, web users would get a message like
www.google.com could not be found. Please check the name and try again.
WHEN: Beginning April 18, 2007, off-campus users will be denied access to the campus name servers. Experience with this conversion at other UC campuses is that very few users are affected. Those that need help can get it either from UCSC's help desk or their ISP.
WHY: A much longer background document is available at Berkeley. To summarize, there are two serious security risks that occur with caching DNS servers that allow anyone on the Internet to query them. To minimize these risks, and to follow standard Internet best practices, UCSC is joining a number of other universities and ISPs in restricting access to our name servers.
WHO IS AFFECTED: Users of off-campus ISP services (i.e. those who do not have a campus IP address) who also configure their computers to use the campus DNS servers.
WHO IS NOT AFFECTED:
- Campus users
- 2300 Delaware, NASA UARC, NASA SVC
- Off-campus UCSC offices that get service via T-1 lines or radio links
- Users who dial into the campus modems
- Residence Hall users
- Off-campus ISP users who do not specifically configure their hosts to use the campus DNS services.
NOTE: Users who log into a private campus VPN service from an off-campus ISP should configure their computers using the instructions below. Once logged into the campus VPN, the computer will automatically use the campus name servers, but until then, you will need to use your ISP's name servers. By following the instructions below, you will ensure that your computer uses the proper name servers at the proper time.
WHAT TO DO IF YOU ARE AN AFFECTED USER:
Most ISPs will automatically configure your system to use their name servers when you log into their service. For example, ATT/SBC DSL users ordinarily have their name servers configured when the user logs in via the PPPoE client. Comcast uses DHCP to properly configure hosts. Only users who override this configuration are affected. Using your computer's default setting will give laptop users the best service when they travel and use networks as guests.
If (and only if) you are one of the affected users, you can use the following guide (courtesy of the University of Oregon) to ensure that your computer is configured correctly.
NOTE: On-campus users who are connecting to cruznet wireless service should also configure their computers according to the instructions below. They will automatically be configured to use the campus name servers. On-campus computers with manually configured static IP addresses should NOT leave the name server fields blank, but instead should manually configure their systems to use the campus DNS servers. Off-campus users with ISP static addresses will need to fill in the name server boxes with values provided by their ISP.
Mac OS X
- From the Apple menu, select System Preferences
- Click the Network button
- From the Show menu select your network interface (Ethernet or wireless,
- Click the TCP/IP button
- Check the DNS Servers box--make sure the box is blank
Mac OS 9
- Open the TCP/IP Control Panel. (Apple menu -> Control Panels -> TCP/IP)
- Change the user mode to Advanced. (Edit-> User Mode -> Advanced)
- Look at the "Connect via:" setting and remember it (or write this down). It will typically say "Ethernet" or "ppp."
- Verify that the "name server addr.:" field is blank for each "Connect via:" drop-down. Make sure you restore the "Connect via:" setting to what you started with.
Windows
- From the Start Menu select Control Panel
- Double-click network connections
- Right-click on your active network connection and select Properties
- Double-click on "Internet Protocol (TCP/IP)"
- Make sure that the "Obtain DNS server address automatically" is selected
If you are off-campus, and not connecting through the UCSC network, then check your resolv.conf, usually found in /etc/resolv.conf, to verify that you are not using the campus DNS servers for name resolution.
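One way to automate the resolv.conf check above, as an added example rather than part of the original notice: the script lists the nameserver entries and reports any that fall inside a campus range. The 192.0.2.0/24 range is a documentation placeholder for the campus name server addresses, which this notice does not list, and the function names are illustrative.

```python
import ipaddress
import sys

# Placeholder (RFC 5737 documentation block), NOT the real campus network:
# replace with the campus name server addresses or prefixes.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample input, used when no file path is given.
SAMPLE = """\
# constructed sample resolv.conf
search example.net
nameserver 192.0.2.53
nameserver 198.51.100.1
; nameserver 192.0.2.54
"""


def nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    found = []
    for raw in resolv_text.splitlines():
        line = raw.strip()
        # Comment lines start with '#' or ';' and are skipped.
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
            addr = fields[1].split("%", 1)[0]
            try:
                found.append(ipaddress.ip_address(addr))
            except ValueError:
                continue  # skip malformed entries
    return found


def campus_servers_in_use(resolv_text, campus_nets=CAMPUS_NETS):
    """Return the configured name servers that fall inside the campus ranges."""
    return [ns for ns in nameservers(resolv_text)
            if any(ns in net for net in campus_nets)]


if __name__ == "__main__":
    # Usage: python check_resolv.py /etc/resolv.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = campus_servers_in_use(text)
    for ns in hits:
        print(f"still using campus name server: {ns}")
    sys.exit(1 if hits else 0)
```

The script exits with status 1 when a campus name server is still configured, so it can be run from a login script while off campus.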
If your ISP has instructions that conflict with this information, you should follow your ISP's advice so that they will be better able to support you.
For additional help, please see the help desk page.