Upcoming changes to ISPnet name servers
Bob Tinkelman
bob at TINK.COM
Mon Feb 23 12:09:04 EST 2009
INTRODUCTION
ISPnet will be making some configuration changes to its name
servers.
For most customers, these changes will have no effect.
In what we expect to be only a small number of cases, some
customers will need to make minor changes to the setup on
some of their systems.
This email provides a warning of this change and some
guidance as to what actions you may need to take. If you
have any questions, you are encouraged to email or phone us.
SYSTEMS THAT ARE NOT AFFECTED
Any system that accesses the Internet through ISPnet, either
from a customer office or from an ISPnet colocation site
(e.g., 25 Broadway, 7 Teleport Drive, 165 Halsey St) is NOT
affected by the planned changes. Multi-homed systems are not
affected so long as one upstream path involves ISPnet.
SYSTEMS THAT ARE AFFECTED
Systems that do not access the Internet through ISPnet and
yet are configured to use one or more ISPnet name servers as
a resolver are affected.
For example, if you are an ISPnet customer, have configured
your notebook computer to always use ISPnet name servers,
and sometimes use your notebook from home via a Verizon DSL
or Time Warner cable service, then you ARE affected.
So... If you are not affected, you could stop reading here.
Or, if you're curious, you can continue.
BACKGROUND
ISPnet operates three name servers available to its
customers and to the general Internet:
    ns1.ispnetinc.net   199.224.0.146    (on net)
    ns2.ispnetinc.net   199.224.0.154    (on net)
    ns3.ispnetinc.net   204.141.40.135   (off net)
These servers are "dual-purpose":
o They are the authoritative servers for a number of
zones related to ISPnet itself and to its customers.
o They are available to ISPnet customers for use as
caching name servers.
When any system on the Internet needs DNS information for a
domain, and when that domain is one for which ISPnet name
servers are authoritative, a query eventually reaches an
ISPnet server which responds with the requested info.
When an ISPnet customer system is configured to use the
ISPnet servers as a resolver and needs information on ANY
domain on the net, it sends its query to an ISPnet server
which obtains and returns the requested information.
WHAT'S CHANGING
Despite the fact that non-customer systems should not be
configured to use ISPnet servers as resolvers, and queries
from non-customer systems should all be related to domains
for which the ISPnet servers are authoritative, previously
we have not enforced this restriction.
We WILL be enforcing this in the future.
WHAT YOU SHOULD DO
First, you need to determine if any of your systems will be
affected by our changes. For most, this will be clear.
The most straightforward way to change an affected system is
to update its DNS configuration to use a list of name
servers provided to you by the relevant ISP. If your system is
being assigned a dynamic address, then you should configure
your system to obtain the DNS server info that way also.
If you want to test to see if your system will be affected
by the change, you can use
ns0.ispnetinc.net 199.224.15.160
which we have set up, temporarily, for this type of testing.
Here again, if you have any problems or questions, do not
hesitate to call or email.
Note: ns0 is a test system. You should not leave any of
your systems configured to use it, other than during this
testing period.
WHEN ALL THIS WILL HAPPEN
    ns0.ispnetinc.net   199.224.15.160   02/22/09
    ns1.ispnetinc.net   199.224.0.146    03/01/09
    ns3.ispnetinc.net   204.141.40.135   03/08/09
    ns2.ispnetinc.net   199.224.0.154    03/15/09
WHY THIS IS HAPPENING
It's basically a convenience-vs-security tradeoff.
Leaving everything "open" is easier; we don't need to
maintain "access lists" of which systems are permitted to
make certain types of request.
But, there are certain types of denial-of-service attacks
which make use of name servers as amplifiers, and our
monitoring indicates that this has now become an issue.
--
Bob Tinkelman <bob at tink.com>
ISPnet, Inc. http://www.ispnetinc.net
+1 (718) 464-4747 office
+1 (800) 806-NETS toll free
+1 (718) 217-9407 fax
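
Added example (not part of the original announcement, and not ISPnet's own tooling): one way to run the ns0 test described under WHAT YOU SHOULD DO is to send a recursive query and read the flags in the reply header. How a restricted server signals the refusal (REFUSED, a bare referral, or no reply) is an assumption, as the announcement does not say; the sample headers below are constructed.

```python
import socket
import struct

TXID = 0x1234  # arbitrary transaction id used for the query and the samples

def build_query(name, qtype=1):
    """Build a DNS query (default type A) with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify(response):
    """Classify a raw DNS reply from its 12-byte header alone."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != TXID or not flags & 0x8000:        # wrong id or QR bit not set
        return "malformed"
    rcode, aa, ra = flags & 0x000F, flags & 0x0400, flags & 0x0080
    if rcode == 5:
        return "refused"                         # server declined to serve us
    if aa:
        return "authoritative"                   # zone hosted on this server
    if rcode == 0 and ra and an > 0:
        return "recursive-answer"                # server resolved it for us
    if rcode == 0 and an == 0 and ns > 0:
        return "referral-only"                   # no recursion, pointer elsewhere
    return "other"

def ask(server, name, timeout=3.0):
    """Send one UDP query to server:53 and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return classify(s.recvfrom(4096)[0])
        except socket.timeout:
            return "no-response"

# Constructed 12-byte reply headers, so the classifier can be run offline.
SAMPLES = {
    "recursive-answer": struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0),
    "refused":          struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0),
    "authoritative":    struct.pack("!HHHHHH", TXID, 0x8500, 1, 1, 0, 0),
    "referral-only":    struct.pack("!HHHHHH", TXID, 0x8100, 1, 0, 13, 0),
}
if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify(raw))
```

To test a real system, call ask("199.224.15.160", name) with a name in a domain ISPnet does not host; anything other than "recursive-answer" suggests that system would be affected.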