Upcoming changes to ISPnet name servers

Bob Tinkelman bob at TINK.COM
Mon Feb 23 12:09:04 EST 2009


INTRODUCTION

ISPnet will be making some configuration changes to its name
servers.

For most customers, these changes will have no effect.

In what we expect to be only a small number of cases, some
customers will need to make minor changes to the setup on
some of their systems.

This email provides a warning of this change and some
guidance as to what actions you may need to take.  If you
have any questions, you are encouraged to email or phone us.


SYSTEMS THAT ARE NOT AFFECTED

Any system that accesses the Internet through ISPnet, either
from a customer office or from an ISPnet colocation site
(e.g., 25 Broadway, 7 Teleport Drive, 165 Halsey St) is NOT
affected by the planned changes.  Multi-homed systems are not
affected so long as one upstream path involves ISPnet.


SYSTEMS THAT ARE AFFECTED

Systems that do not access the Internet through ISPnet and
yet are configured to use one or more ISPnet name servers as
a resolver are affected.

For example, if you are an ISPnet customer, have configured
your notebook computer to always use ISPnet name servers,
and sometimes use your notebook from home via a Verizon DSL
or Time Warner cable service, then you ARE affected.



So...  If you are not affected, you could stop reading here.
Or, if you're curious, you can continue.



BACKGROUND

ISPnet operates three name servers available to its
customers and to the general Internet:

   ns1.ispnetinc.net   199.224.0.146   (on net)
   ns2.ispnetinc.net   199.224.0.154   (on net)
   ns3.ispnetinc.net   204.141.40.135  (off net)

These servers are "dual-purpose":

   o  They are the authoritative servers for a number of
      zones related to ISPnet itself and to its customers.  

   o  They are available to ISPnet customers for use as
      caching name servers.
     
When any system on the Internet needs DNS information for a
domain, and when that domain is one for which ISPnet name
servers are authoritative, a query eventually reaches an
ISPnet server which responds with the requested info.

When an ISPnet customer system is configured to use the
ISPnet servers as a resolver and needs information on ANY
domain on the net, it sends its query to an ISPnet server
which obtains and returns the requested information.


WHAT'S CHANGING

Despite the fact that non-customer systems should not be
configured to use ISPnet servers as resolvers, and queries
from non-customer systems should all be related to domains
for which the ISPnet servers are authoritative, previously
we have not enforced this restriction.

We WILL be enforcing this in the future.


WHAT YOU SHOULD DO

First, you need to determine if any of your systems will be
affected by our changes.  For most, this will be clear.

The most straightforward way to change an affected system is
to update its DNS configuration to use a list of name
servers provided to you by the relevant ISP.  If your system is
being assigned a dynamic address, then you should configure
your system to obtain the DNS server info that way also.

If you want to test to see if your system will be affected
by the change, you can use
   ns0.ispnetinc.net   199.224.15.160
which we have set up, temporarily, for this type of testing.

Here again, if you have any problems or questions, do not
hesitate to call or email.

Note: ns0 is a test system.  You should not leave any of
your systems configured to use it, other than during this
testing period.


WHEN ALL THIS WILL HAPPEN

   ns0.ispnetinc.net   199.224.15.160    02/22/09
   ns1.ispnetinc.net   199.224.0.146     03/01/09
   ns3.ispnetinc.net   204.141.40.135    03/08/09
   ns2.ispnetinc.net   199.224.0.154     03/15/09


WHY THIS IS HAPPENING

It's basically a convenience-vs-security tradeoff.

Leaving everything "open" is easier; we don't need to
maintain "access lists" of which systems are permitted to
make certain types of request.  

But, there are certain types of denial-of-service attacks
which make use of name servers as amplifiers, and our
monitoring indicates that this has now become an issue.

--
Bob Tinkelman          <bob at tink.com>
ISPnet, Inc.  http://www.ispnetinc.net

+1 (718) 464-4747  office
+1 (800) 806-NETS  toll free
+1 (718) 217-9407  fax


