DNS Firewall


Overview

IT Services provides a Domain Name Service (DNS) so that networked systems can look up domain names (which humans use) and resolve them to IP addresses (which computers use). IT Services' DNS servers utilize a DNS Firewall to block access to malicious domains. The DNS server checks every request against a constantly updated database of known bad domains and IP addresses (e.g., confirmed usage by malware or phishing). Requests to look up known bad domains/IPs receive a special response that redirects the requester to a safe system rather than the malicious system.

Usage

How to Tell If You Are Affected

Requests for malicious domains that are blocked by the DNS Firewall receive a response containing the IP address 10.52.20.25, which is a server controlled by IT Services. Requests made through a web browser will display an informative warning page from that server.

If you are unsure whether the DNS Firewall is blocking some activity, you can check manually using tools available on any modern computer. The most common tool is nslookup. From any system command prompt, type (without quotes) "nslookup" and press Return. At the resulting prompt, type the domain name you want to check and press Return. The output varies by system, but it should include an Address line for the answer. If that address is 10.52.20.25, then you are affected. If you see anything else, then the DNS Firewall is not blocking that domain.

Example:

system> nslookup
> enter-domain-or-IP-to-check
...snipped output...
Address: 10.52.20.25
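The check above can be scripted. The following is an added example, not part of the IT Services page: it parses the text nslookup prints and reports whether the answer is the walled-garden address 10.52.20.25 (the only value taken from the page). The resolver addresses, domain names and sample outputs below are constructed, and nslookup is run non-interactively (nslookup NAME), which produces the same output as typing the name at the interactive prompt.

```python
"""Decide whether a domain is redirected by the DNS Firewall by reading nslookup output."""
import subprocess

WALLED_GARDEN = "10.52.20.25"  # warning server address stated on the page


def answer_addresses(output):
    """Return the addresses in the answer section of nslookup output.

    nslookup prints the resolver it used first ("Server:" / "Address:" lines),
    so a naive search for "Address:" would pick up the resolver's own address.
    Only lines after a "Name:" line belong to the answer. Windows prints
    "Addresses:" followed by indented continuation lines; those are collected too.
    """
    addrs = []
    state = "header"  # header -> answer -> addresses
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Name:"):
            state = "answer"
        elif state == "header" or not stripped:
            continue
        elif stripped.startswith(("Address:", "Addresses:")):
            # split on the first colon only so IPv6 addresses stay intact;
            # drop a trailing "#port" in case a server-style line slips through
            addrs.append(stripped.split(":", 1)[1].strip().split("#")[0])
            state = "addresses"
        elif line[:1].isspace() and state == "addresses":
            addrs.append(stripped.split("#")[0])  # continuation line under "Addresses:"
        else:
            state = "answer"  # another field such as "Aliases:" ends the address list
    return addrs


def is_blocked(output):
    """True when the DNS Firewall answered with the walled-garden address."""
    return WALLED_GARDEN in answer_addresses(output)


def check_domain(name):
    """Run nslookup for a name (requires network access) and classify the answer."""
    proc = subprocess.run(["nslookup", name], capture_output=True, text=True)
    return is_blocked(proc.stdout)


# Constructed sample outputs (resolver 10.0.0.53 and the domain names are made up).
UNIX_BLOCKED = """\
Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Non-authoritative answer:
Name:\tmalware.example
Address: 10.52.20.25
"""

UNIX_CLEAN = """\
Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Non-authoritative answer:
Name:\texample.org
Address: 192.0.2.10
"""

WINDOWS_BLOCKED = """\
Server:  resolver.example.net
Address:  10.0.0.53

Non-authoritative answer:
Name:    malware.example
Addresses:  2001:db8::1
          10.52.20.25
"""

NXDOMAIN = """\
Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

** server can't find nonexistent.example: NXDOMAIN
"""

if __name__ == "__main__":
    for label, sample in [("unix blocked", UNIX_BLOCKED), ("unix clean", UNIX_CLEAN),
                          ("windows blocked", WINDOWS_BLOCKED), ("nxdomain", NXDOMAIN)]:
        print(f"{label}: addresses={answer_addresses(sample)} blocked={is_blocked(sample)}")
```

The point worth remembering is the "Server:" block: its Address line is the resolver, not the answer, so a domain that is not blocked can still show a 10.x address near the top of the output. Only the address printed after the Name line tells you whether the DNS Firewall intervened.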

Follow these steps to get to the command line on your operating system:

How to Request a Safe List or Exception

Please keep in mind:

If you believe that a benign domain site is being wrongly blocked, please contact IT Services.

Technical Details

The IT Services DNS Firewall implements BIND's Response Policy Zone (RPZ). For details, watch the YouTube video "DNS Response Policy Zone (DNSRPZ)" published by the Interagency Security Committee (ISC).
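To make the mechanism described in the Overview and in this section concrete, here is an added example (not IT Services' configuration and not BIND's code) of how a resolver evaluates a Response Policy Zone: the queried name is looked up in the policy zone, exactly and then through wildcards for each parent domain, and the matching record decides the answer. The zone content, the zone name rpz.local and the domain names are constructed; the only value taken from the page is the walled-garden address 10.52.20.25. The record forms follow BIND's RPZ conventions, where an A record returns that address as "local data", CNAME . returns NXDOMAIN, CNAME *. returns NODATA, and CNAME rpz-passthru. exempts a name from the policy (the safe-list case from the section above).

```python
"""Toy Response Policy Zone (RPZ) evaluation, modelled on BIND's QNAME triggers."""

WALLED_GARDEN = "10.52.20.25"  # warning server address stated on the page

# Constructed policy zone. Owner names are written fully qualified; in a real
# RPZ they would sit under the zone apex (assumed here to be rpz.local).
RPZ_ZONE = """
malware.example.        A     10.52.20.25
*.malware.example.      A     10.52.20.25
phish.example.          CNAME .
tracker.example.        CNAME *.
good.malware.example.   CNAME rpz-passthru.
"""


def parse_zone(text):
    """Parse 'owner TYPE rdata' lines into a dict keyed by lower-cased owner name."""
    policy = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        owner, rtype, rdata = parts
        policy[owner.lower().rstrip(".")] = (rtype.upper(), rdata)
    return policy


def lookup_policy(policy, qname):
    """Return the most specific record for qname, or None.

    An exact owner name wins; otherwise the closest wildcard parent wins. As in
    RPZ, a wildcard '*.d' covers subdomains of d but not d itself.
    """
    name = qname.lower().rstrip(".")
    if name in policy:
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return None


def resolve(policy, qname, upstream):
    """Apply the policy, falling back to `upstream(qname)` for unlisted names.

    Returns (action, addresses) where action is one of PASSTHRU, LOCAL-DATA,
    NXDOMAIN or NODATA.
    """
    record = lookup_policy(policy, qname)
    if record is None or record == ("CNAME", "rpz-passthru."):
        return ("PASSTHRU", upstream(qname))
    rtype, rdata = record
    if rtype == "A":
        return ("LOCAL-DATA", [rdata])  # redirect to the walled garden
    if rtype == "CNAME" and rdata == ".":
        return ("NXDOMAIN", [])
    if rtype == "CNAME" and rdata == "*.":
        return ("NODATA", [])
    return ("PASSTHRU", upstream(qname))  # unknown record form: do not interfere


def fake_upstream(qname):
    """Stand-in for real recursion; 192.0.2.1 is a documentation address."""
    return ["192.0.2.1"]


if __name__ == "__main__":
    policy = parse_zone(RPZ_ZONE)
    for q in ["malware.example", "cdn.malware.example", "good.malware.example",
              "phish.example", "sub.phish.example", "tracker.example", "example.org"]:
        print(f"{q:25} -> {resolve(policy, q, fake_upstream)}")
```

Two behaviours of the model match what an administrator sees with a real RPZ: phish.example is blocked but sub.phish.example is not, because no wildcard entry covers its subdomains, and good.malware.example passes through even though *.malware.example is listed, because the exact rpz-passthru record is more specific than the wildcard. In BIND the zone is attached to the resolver with a response-policy statement in named.conf and is typically kept current by zone transfer from a threat-intelligence feed, which is what "constantly updated database" in the Overview refers to.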