CAE is going to end DNS relaying on December 27. 2010. You are receiving this email because our records indicate that you used this service at least once in the last 6 months. Please check your settings at home and update if needed. There is more information on what to look for and how to correct your settings below.

What is DNS Relaying?

A DNS (Domain Name System) server looks up the IP address (Internet location) of a web address (http://www.cae.wisc.edu, for example) and tells your web browser how to reach that location. CAE has 2 DNS servers. You appear to have used relaying when you were connected to the internet at a location outside the UW campus (home, hotel, cafe, etc.) and asked CAE's servers to find web addresses that were also off campus.

Does This Apply to Me?

This only applies to offcampus computers and laptops taken off campus. You can check whether you are doing this by using the instructions at the following links:

https://kb.wisc.edu/cae/page.php?id=15730 for Windows
https://kb.wisc.edu/cae/page.php?id=15853 for MacOS.

If you don't see this in the settings of your home computer or laptop, you may have already made the correction. There is also a possibility that you have a wireless router or other home networking equipment that has this information set in its configuration.

What Should I Do?

If you are using CAE's DNS servers from offcampus, you should change that setting before December 27th. Use the information at the following links:

https://kb.wisc.edu/cae/page.php?id=15731 for Windows
https://kb.wisc.edu/cae/page.php?id=15853 for MacOS.

You may have to restart your computer after making the change, but you should not see any difference in performance.

Why is Relaying Bad?

We are making this change primarily to protect our servers from malicious attacks. While relaying is convenient, it was never designed to be secure and DNS servers were not designed to handle any lookup requests. Inherently, DNS trusts all the traffic it receives and it will blindly attempt to fulfill the client's request. There are some cases where this trust can be abused. In such an abuse scenario, a malicious client can ask the DNS server for something that cannot be answered, so the server asks several other servers if they know the answer. All of these servers respond directly to the client that the server thinks asked the question. This is called an amplification attack and with relative ease can reach a scale that can do some serious damage to a network (attacks surpassing 25 Gb/sec have been seen).

Why can't CAE support such a service while Google and others can?

Very few educational institutions provide DNS relay service. DoIT ended theirs over a year ago. Most companies that provide it, like Google, Charter, and ATT, are using the data to profile Internet network traffic, have a revenue model built around it, or some have some other business purpose. They have time and resources to monitor and prevent attacks. The UW is not pursuing such a business model and does not have the resources to dedicate to handling the security threats that come with the service.