SafeDNS

SafeDNS

Information Systems & Computing operates a central Domain Name System (DNS) firewall service, called SafeDNS. This service performs conventional DNS resolver functions—translating human-readable hostnames to IP addresses on behalf of client computers—but when asked to resolve the name of a server that is known to host malicious content, it responds instead with the address of a safe server on campus.

It has become increasingly difficult to protect client workstations from becoming compromised by malicious software. Even if workstations are patched and running up-to-date anti-virus software, some risks remain because of the:

• Increasing prevalence of 0-day threats (attacks that exploit vulnerabilities for which there is no patch);
• Incomplete effectiveness of anti-virus software in detecting polymorphic malware; and
• The prevalence of malicious third-party ads hosted on otherwise legitimate web sites.

This is the problem SafeDNS aims to solve.

An ordinary DNS resolver performs recursive name resolution of network name to network address on behalf of its clients, caching the responses to improve performance for subsequent queries for the same names. An ordinary firewall examines packets in transit, and selectively blocks ("discards") those that match rules defining undesirable traffic. A DNS firewall examines only the responses to DNS queries, not all packets, and instead of blocking those that are deemed undesirable, replaces them with known-safe responses.

The SafeDNS service at Penn is built using the same high performance, high availability resolver architecture as our standard resolvers: the service is distributed across physical servers in multiple, distinct data centers across the Penn campus, and uses anycast routing to enable maintenance and failure recovery that are transparent to end users.

Using the SafeDNS service

SafeDNS is an opt-in alternative to the standard Penn resolver service. If a workstation is configured to use SafeDNS as its DNS servers, any attempt to reach a suspected malicious host will be redirected to a SafeDNS web server. Each SafeDNS web server responds to every request with a small, static web page (sample) advising the user that their request was redirected.

To use SafeDNS:

1. Review the Terms of Service
2. Review the Privacy Statement

3. Configure participating client machines to use the SafeDNS resolvers

   	IPv4	IPv6
   DNS 1 ("Primary"):	128.91.18.2	2607:f470:1001:1001: :2
   DNS 2 ("Secondary"):	128.91.49.2	2607:f470:1002:1002: :2

If the clients you manage receive their DNS server configuration from the central DHCP service, contact Client Care to discuss converting a DHCP subnet to publish the SafeDNS resolver addresses. The IPv6 SafeDNS resolver addresses can be distributed to hosts on a specified subnet via the RDNSS option in Neighbor Discovery (ND) Router Advertisement (RA) messages. Contact Client Care to request this configuration. ISC recommends coordinating IPv4 and IPv6 configuration on a given subnet.

Be aware that SafeDNS cannot know about every host that might serve malicious content, and, conversely, may incorrectly block a legitimate host from time to time. Please report suspected false negatives and false positives to Client Care promptly, and continue to employ other, complementary methods of preventing and detecting compromised client computers.

Penn SafeDNS Terms of Service
 

• SafeDNS is intended to be used by end-user workstations, not by servers or other infrastructure devices. For example, a system running a mail or web server should not use the service.
• We recommend that you take reasonable steps to notify users prior to deploying the service in your area. This should help minimize any support issues that might otherwise arise when a user encounters the redirect page.
• The SafeDNS service is only provided to end-points that connect to it from a valid PennNet IP. In practice this means it is limited to on-campus computers and those that appear in Penn IP space through a VPN.
• SafeDNS is not a substitute for other security mechanisms and best practices, such as anti-virus software, host-based or departmental firewalls, and timely patching.

Penn SafeDNS Privacy Statement

The SafeDNS service reduces the likelihood that a computer will be compromised through web browsing. The service does this by tracking domain names known to be the source of malicious content. If the computer attempts to reach such a site in the course of web browsing or other activity, the service will redirect the computer to a safe location.

In the course of providing this service, certain information is tracked for the purposes of monitoring service health and detecting anomalous usage patterns. Ordinarily, this information consists of bulk statistics that do not identify the IP address of a subscribed computer nor the specific domains for which any given subscribed computer submits queries. From time to time, ISC may temporarily enable additional data collection in order to help resolve an operational or security incident, during which interval the timestamp, IP address, and domain name queried would be recorded.

In the event that the service redirects a subscribed computer to a safe web server, and the subscribed computer submits a web request to the safe web server, we record some information about that web request, including

• the time of the request,
• the full URL requested, and
• the initial site, if any, that directed the subscribed computer to the malicious site,

but we do not record information that could associate the subscribed computer with the web request.