On Sun, 22 Aug 2004, Friedrich Gurtler wrote:
> I am not sure what their reasons for blocking VPNs or DNS requests
> were. But I am sure they were valid. So valid that after talking with
> the network people, they didn't justify it -- they promised to lift
> them. I have since given up on running my own DNS server (hey, that
> wouldn't have been a good educational experience or anything), and I no
> longer try to VPN into Entery.
DNS servers are often the target of exploit attempts, so networks are
constantly being scanned looking for vulnerable servers. This generates a
lot of ARP and SYN/RST packets on the network. Even if the actual
bandwidth usage and router/firewall CPU usage is negligible due to this, it
is still a pain to see all this useless and unnecessary traffic on the
network when trying to diagnose a real problem. (Not to mention the
protection this gives to systems that ARE vulnerable, but the owners don't
even know their system is running a DNS server). We had to start blocking
inbound http for the same reasons.
The network guys don't sound like nazis, if they opened the port. They
probably had a problem, blocked it, and you were the first to complain.
After explaining the educational purpose, maybe you could get them to give
you a static IP and open port 53 to your IP (that's what we do at SLU).
> universities tend to have rather open policies towards network use and
> only crack down on abusers. Tulane seems to block an awful lot though,
There's a very fine line between maintaining this openness and keeping the
network secure.
ray
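A small check in the spirit of the scanning noise Ray describes, added here as an example and not part of the thread: it reads constructed firewall-style log lines (made up for this example) and reports sources that send SYNs to port 53 on many different hosts, the pattern of a sweep for DNS servers that an operator would notice before deciding to filter the port.

```python
"""Report sources probing port 53 across many hosts (a horizontal scan).

The log lines below are constructed for this example; the format
"<flag> <src> -> <dst>:<dport>" is assumed, not any real tool's output.
"""
import re
from collections import defaultdict

# Constructed sample: one host sweeps port 53, two hosts query a real
# resolver, one RST per host that refused the probe, and one web request.
SAMPLE_LOG = """\
SYN 203.0.113.7 -> 192.0.2.10:53
RST 192.0.2.10 -> 203.0.113.7:40001
SYN 203.0.113.7 -> 192.0.2.11:53
RST 192.0.2.11 -> 203.0.113.7:40002
SYN 203.0.113.7 -> 192.0.2.12:53
SYN 203.0.113.7 -> 192.0.2.13:53
SYN 203.0.113.7 -> 192.0.2.14:53
SYN 192.0.2.50 -> 192.0.2.10:53
SYN 192.0.2.51 -> 192.0.2.10:53
SYN 198.51.100.9 -> 192.0.2.10:80
"""

LINE_RE = re.compile(r"^(SYN|RST) (\S+) -> (\S+):(\d+)$")


def parse_log(text):
    """Yield (flag, src, dst, dport) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def find_port_scanners(text, port=53, min_targets=4):
    """Return {src: distinct_target_count} for sources that sent SYNs to
    `port` on at least `min_targets` different destinations."""
    targets = defaultdict(set)
    for flag, src, dst, dport in parse_log(text):
        if flag == "SYN" and dport == port:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, n in find_port_scanners(SAMPLE_LOG).items():
        print(f"{src} sent SYNs to port 53 on {n} distinct hosts")
```

Legitimate clients show up with one or two targets (the campus resolvers), so the threshold separates them from a sweep without inspecting payloads.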
___________________
Nolug mailing list
nolug@nolug.org
Received on 08/22/04