Completed project: DNS Filtering

Primary UITS contact: Nate Johnson

Completed: September 12, 2014

Description: DNS filtering is to DNS as spam filtering is to email.

DNS filtering checks DNS queries against a list of malware domains, redirecting users to a sinkhole page when they attempt to visit one of the bad domains. The sinkhole page has a function to report false positives. DNS filtering is totally transparent to the user.

DNS filtering has been in place for all users at IUSB for two years. IUSB has seen a significantly reduced number of compromised machines as a result.

The list of malware domains comes from the REN-ISAC SES and is whitelisted against lists of top Internet domains maintained by Alexa.com. Locally, the UISO adds its own whitelist, including all top-level IU domains. The list generally contains about 20,000 domain names.
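The list handling described above can be sketched as follows. This is an added example, not code from UITS or UISO: every domain name and the sinkhole address are constructed placeholders, and it assumes that a whitelist entry or a blocked entry also covers its subdomains.

```python
# Added illustration; names, domains and the sinkhole address are constructed.
SINKHOLE_IP = "192.0.2.53"  # TEST-NET-1 placeholder, not IU's sinkhole


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def suffixes(name):
    """Yield the name and each parent: a.b.example -> a.b.example, b.example, example."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def build_blocklist(feed, *whitelists):
    """Drop feed entries that equal or fall under any whitelisted domain (assumed rule)."""
    allowed = {normalize(d) for wl in whitelists for d in wl}
    blocked = set()
    for entry in feed:
        if not any(s in allowed for s in suffixes(entry)):
            blocked.add(normalize(entry))
    return blocked


def resolve(qname, blocked, upstream):
    """Return (answer, filtered). A blocked domain also covers its subdomains."""
    if any(s in blocked for s in suffixes(qname)):
        return SINKHOLE_IP, True
    return upstream(qname), False


# Constructed sample data (reserved example names only).
FEED = ["malware-c2.example", "Dropper.Bad.example.", "popular-site.example",
        "people.university.example"]
TOP_SITES = ["popular-site.example"]   # stands in for the top-domains list
LOCAL = ["university.example"]         # stands in for the local whitelist
BLOCKED = build_blocklist(FEED, TOP_SITES, LOCAL)


def fake_upstream(qname):
    """Stand-in for normal recursive resolution."""
    return "198.51.100.10"


if __name__ == "__main__":
    for q in ["www.malware-c2.example.", "popular-site.example",
              "people.university.example", "dropper.bad.example"]:
        print(q, resolve(q, BLOCKED, fake_upstream))
```

Normalizing case and the trailing dot before comparison matters here: without it, a feed entry such as `Dropper.Bad.example.` would never match the query `dropper.bad.example`.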

UISO and CNI pilot tested the service for a number of months without incidents or problems. During pilot testing, users could opt in by replacing the name server addresses in their computer's DNS settings with the IP address of one of the filtering name servers. To opt out, users could reverse the procedure and revert to IU's main DNS servers. Now there is no need for users to adjust their DNS server settings. All IU name servers will filter for malicious domains, except for IU Southeast in New Albany, as it is the last regional IU campus to still run its own name servers.

For more, see "At IU, what is the DNS filtering service?"

Outcome and benefits:

  • Prevents some attacks and compromises
  • Reduces incidents that require responses
  • Fewer machines to rebuild
  • Helps prevent data loss and theft

Things to remember:

  • Does not prevent infection via USB, email attachments, or other methods
  • Not for blocking DoubleClick, Google Analytics, or other advertising sites
  • High-profile or critical sites serving malware will not be blocked

Concerning privacy, UISO uses automated processes to examine DNS queries for malicious indicators; UISO does not examine DNS queries without specific indicators and a valid reason covered under Privacy of Electronic Information and Information Technology Resources (IT-07).

If for some reason users need unfiltered DNS query results, such as for research or testing, they can use Google's public DNS servers (8.8.8.8 and 8.8.4.4) or OpenDNS (208.67.222.222 and 208.67.220.220).

Milestones and status:

  • March 2013: IU Messaging builds a prototype name server. Completed
  • March 2013: UISO publishes a DNS sinkhole page allowing users to report false positives. Completed
  • March 2013: UISO and Messaging begin pilot testing. Completed
  • March 2014: Pilot testing is expanded to include UITS staff DHCP IP address ranges at IUB and IUPUI. Completed
  • August 2014: The service transitions to full production for all users on all campuses. Completed
  • September 2014: This project page is finished and moved to the list of Completed UITS and OVPIT projects. Completed

Comment process: Email Nate Johnson.

Project team:

  • Nate Johnson, UISO
  • Haiyan Li, Campus Network Engineering

This is document bdcq in the Knowledge Base.
Last modified on 2015-09-30 00:00:00.
