
Security - DNS Firewall

This article explains what a DNS firewall is, how you can tell if it is affecting your network use, and what to do if you believe something benign is being blocked. IT Services has implemented a DNS Firewall to increase the security of the campus IT environment.

Overview

IT Services provides Domain Name Server (DNS) services for campus so that networked systems can look up domain names (which humans use) and resolve them to IP addresses (which computers use). IT Services' DNS servers use a DNS Firewall to block access to malicious domains. The DNS server checks every request against a constantly updated database of known bad domains and IP addresses (for example, domains confirmed to be used by malware or phishing campaigns). Requests to look up known bad domains/IPs receive a modified response that redirects the requester to a safe system controlled by IT Services rather than to the malicious system.

Usage

How to tell if you are affected

Requests for malicious domains that are blocked by the DNS Firewall will receive a response containing the IP 128.135.12.62, which is a server controlled by IT Services. Requests made through a web browser will land on an informative warning page (http://bhz.uchicago.edu/).

If you are unsure whether some activity is being blocked by the DNS Firewall, you can check manually using tools available on any modern computer. The most common tool is nslookup. From any system command prompt type (without quotes) "nslookup" and press Enter. At the resulting prompt type the domain name you want to check and press Enter. The output varies by system but it should include an Address line. If the address is 128.135.12.62 then the name is being blocked by the DNS Firewall. If you see any other address then the DNS Firewall is not affecting that lookup.

system> nslookup
> enter-domain-or-IP-to-check
...snipped output...
Address: 128.135.12.62

How to request whitelisting or exceptions

Please keep in mind:

  • domains blocked by the DNS Firewall are being blocked for a reason: one or more professional security organizations have reported involvement with malicious activity
  • legitimate domains can be hijacked by malicious intruders, resulting in the site being blocked; inclusion in the list of blocked sites does not necessarily mean that the legitimate domain owners are malicious. Similarly, domains that have been allowed to expire can be purchased or otherwise controlled by someone malicious
  • the database is updated throughout the day and sites may transition from blocked to unblocked without intervention: a benign website that is compromised and misused by a malicious intruder may get added to the block list; when the site owner retakes control of the site and stops the malicious behavior, the site will eventually be cleared from our block list automatically
  • the DNS Firewall is only active if you are using campus DNS provided by IT Services

If you believe that a benign domain is being wrongly blocked, please contact IT Security: security@uchicago.edu or 773-702-2378.

Technical Details

Our DNS Firewall implements BIND's Response Policy Zone (RPZ). For details see:
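
The mechanism is illustrated below with a constructed BIND RPZ configuration. It is an added example, not IT Services' own configuration (which this page does not publish): the zone names, file paths, feed address and the blocked and allowed domains are placeholders, and only the sinkhole address 128.135.12.62 comes from this article.

```bind
// named.conf fragment (constructed example). RPZ zones are consulted in
// order, so a site-managed exception zone listed first overrides the feed.
options {
    response-policy {
        zone "rpz.local-allow";      // placeholder: exceptions granted after review
        zone "rpz.threat-feed";      // placeholder: vendor-supplied block list
    } qname-wait-recurse no;         // apply feed rules without recursing first
};

zone "rpz.local-allow" {
    type master;
    file "/etc/bind/rpz.local-allow.db";   // placeholder path
    allow-query { none; };                 // policy data is never served to clients
};

zone "rpz.threat-feed" {
    type slave;
    masters { 192.0.2.10; };               // placeholder feed address (zone transfer)
    file "/var/cache/bind/rpz.threat-feed.db";
    allow-query { none; };
};

; rpz.threat-feed.db (constructed sample of what a feed delivers)
$TTL 300
@                    IN SOA   localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
                     IN NS    localhost.
; QNAME trigger: the listed name and all its subdomains answer with the
; sinkhole address, so a browser lands on the warning page instead.
bad.example.com      IN A     128.135.12.62
*.bad.example.com    IN A     128.135.12.62
; IP trigger: an answer pointing into 192.0.2.0/24 is rewritten the same way
; (prefix length, then the address reversed, under rpz-ip).
24.0.2.0.192.rpz-ip  IN A     128.135.12.62

; rpz.local-allow.db (constructed): an exception for a wrongly listed domain
$TTL 300
@                    IN SOA   localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
                     IN NS    localhost.
; rpz-passthru returns the genuine answer even if a later zone lists the name.
site.example.edu     IN CNAME rpz-passthru.
*.site.example.edu   IN CNAME rpz-passthru.

; Client-side check against this resolver (same test as the nslookup steps):
;   dig +short bad.example.com   -> 128.135.12.62 (blocked)
;   dig +short site.example.edu  -> its real address (exception applied)
```

After editing either zone file, run `named-checkzone` on it and `rndc reload` so the policy takes effect without a resolver restart.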

Keywords: BIND, RPZ, malware, phish, domain, domain_name, lookup
Doc ID: 55617
Owner: James C.
Group: University of Chicago
Created: 2015-08-26 12:57 CDT
Updated: 2017-04-25 14:14 CDT
Sites: University of Chicago, University of Chicago - Sandbox