
Access to UCSF Campus DNS servers to be restricted

WHAT: For important security reasons, OAAIS will be reconfiguring UCSF Campus DNS servers to only respond to queries from UCSF campus IP addresses.

WHEN: Beginning October 30th, 2008, off-campus users will be denied access to the UCSF campus DNS servers. The UCSF campus DNS servers will be configured to deny access to an increasingly large part of the global Internet address space, except for campus address space.

WHY: A detailed background document is available here. To summarize, there are two serious security risks that occur with caching DNS servers that allow anyone on the Internet to query them. To minimize these risks, and to follow standard Internet best practices, UCSF campus is joining a number of other universities and ISPs in restricting access to the UCSF campus DNS servers.

WHO IS AFFECTED: Some off-campus users who access the UCSF network via Internet Service Provider (ISP) services. It is possible that some off-campus computers may have been configured in such a manner as to use the UCSF Campus name servers. This will not impact users if their computer has been set up for network auto configuration. This also does not affect users of the campus VPN service.  

WHAT TO DO IF YOU ARE AN AFFECTED USER:

Most ISPs will automatically configure your system to use their DNS servers when you log into their service. For example, ATT/SBC DSL users ordinarily have their DNS servers configured when the user logs in via the PPPoE client. Comcast uses DHCP to properly configure hosts. Only users who override this configuration are affected.

If (and only if) you are one of the affected users, you can use the following guide (courtesy of the University of Oregon) to ensure that your computer is configured correctly.

NOTE:  UCSF campus users who manually configure the IP information on their computer should NOT leave the DNS server field blank, but instead should manually configure their systems to use the UCSF campus DNS servers.

Mac OS X

  1. From the Apple menu, select System Preferences
  2. Click the Network button
  3. From the Show menu select your network interface (Ethernet or wireless, for example)
  4. Click the TCP/IP button
  5. Check the DNS Servers box--make sure the box is blank

Mac OS 9

  1. Open the TCP/IP Control Panel. (Apple menu -> Control Panels -> TCP/IP)
  2. Change the user mode to Advanced. (Edit-> User Mode -> Advanced)
  3. Look at the "Connect via:" setting and remember it (or write this down). It will typically say "Ethernet" or "ppp."
  4. Verify that the "name server addr.:" field is blank for each "Connect via:" drop-down. Make sure you restore the "Connect via:" setting to what you started with.

Windows XP

  1. From the Start Menu select Control Panel
  2. Right-click on your network connection and select Properties
  3. Double-click on "Internet Protocol (TCP/IP)"
  4. Make sure that "Obtain DNS server address automatically" is selected

Unix:

If you are off-campus, and not connecting through the UCSF network, then check your resolv.conf, usually found in /etc/resolv.conf, to verify that you are not using the UCSF campus DNS servers for name resolution.
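
One way to script the resolv.conf check described above. This is an added example, not part of the original UCSF notice. The notice does not list the campus DNS server addresses, so CAMPUS_DNS holds placeholder documentation addresses, and the function names and sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example. CAMPUS_DNS holds placeholder addresses (RFC 5737 documentation
# range); replace them with the real campus DNS server addresses.
CAMPUS_DNS="192.0.2.53 192.0.2.54"

# Print every nameserver address configured in a resolv.conf-style file.
# Text after '#' or ';' is treated as a comment and ignored.
list_nameservers() {
    sed -e 's/[#;].*$//' "$1" | awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# Print the configured nameservers that appear in CAMPUS_DNS, one per line.
# No output means the file does not point at the campus servers.
find_campus_nameservers() {
    for ns in $(list_nameservers "${1:-/etc/resolv.conf}"); do
        for campus in $CAMPUS_DNS; do
            if [ "$ns" = "$campus" ]; then
                echo "$ns"
            fi
        done
    done
    return 0
}

# Constructed sample input: one campus placeholder, one commented-out entry,
# and one ISP-style resolver (also a documentation address).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample resolv.conf
search example.net
nameserver 192.0.2.53      ; manually entered campus server
#nameserver 192.0.2.54
nameserver 198.51.100.1
EOF
}

sample=$(mktemp)
write_sample "$sample"
matches=$(find_campus_nameservers "$sample")
rm -f "$sample"
if [ -n "$matches" ]; then
    echo "Still using campus DNS server(s): $matches"
else
    echo "No campus DNS servers configured"
fi
```

Calling find_campus_nameservers with no argument checks /etc/resolv.conf on the local machine.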
