Penn Computing


Penn SafeDNS Service

Information Systems & Computing operates a central Domain Name System (DNS) firewall service, called SafeDNS. This service performs conventional DNS resolver functions—translating human-readable hostnames to IP addresses on behalf of client computers—but when asked to resolve the name of a server that is known to host malicious content, it responds instead with the address of a safe server on campus.


It has become increasingly difficult to protect client workstations from becoming compromised by malicious software. Even if workstations are patched and running up-to-date anti-virus software, some risks remain because of the:

  • Increasing prevalence of 0-day threats (attacks that exploit vulnerabilities for which there is no patch);
  • Incomplete effectiveness of anti-virus software in detecting polymorphic malware; and
  • Prevalence of malicious third-party ads hosted on otherwise legitimate web sites.

This is the problem SafeDNS aims to solve.

An ordinary DNS resolver performs recursive resolution of network names to network addresses on behalf of its clients, caching the responses to improve performance for subsequent queries for the same names. An ordinary firewall examines packets in transit, and selectively blocks ("discards") those that match rules defining undesirable traffic. A DNS firewall examines only the responses to DNS queries, not all packets, and instead of blocking those that are deemed undesirable, replaces them with known-safe responses.
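
The resolve, cache and replace behaviour described above can be modelled in a few lines. This is an added example, not code from ISC or the SafeDNS service: the blocklist entry, the upstream table and the safe-server address are constructed values (example names and RFC 5737 documentation addresses), and matching on parent domains is an assumption about how such a list would be applied.

```python
# Added illustration: a toy model of a DNS firewall's decision, not ISC's code.
# All names and addresses below are constructed (example.* and RFC 5737 ranges).

SAFE_ADDRESS = "192.0.2.1"            # assumed address of the safe landing server
BLOCKLIST = {"malware.example"}       # assumed feed of known-malicious names
UPSTREAM = {                          # stands in for real recursive resolution
    "www.example.org": "198.51.100.10",
    "cdn.malware.example": "203.0.113.66",
    "malware.example": "203.0.113.65",
    "notmalware.example": "198.51.100.20",
}


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def is_blocked(name, blocklist=BLOCKLIST):
    """Match the name or any parent domain, label by label (not by substring)."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


class DnsFirewall:
    def __init__(self, upstream=UPSTREAM, safe_address=SAFE_ADDRESS):
        self.upstream = upstream
        self.safe_address = safe_address
        self.cache = {}
        self.rewritten = []           # names whose answers were replaced

    def resolve(self, name):
        key = normalize(name)
        if key in self.cache:         # cached answers skip upstream resolution
            return self.cache[key]
        answer = self.upstream.get(key)   # None models a name that does not exist
        if answer is not None and is_blocked(key):
            self.rewritten.append(key)
            answer = self.safe_address    # replace the response, don't drop it
        self.cache[key] = answer
        return answer


if __name__ == "__main__":
    fw = DnsFirewall()
    for q in ("www.example.org", "CDN.Malware.Example.", "notmalware.example"):
        print(q, "->", fw.resolve(q))
    print("rewritten:", fw.rewritten)
```

Label-wise matching is what keeps notmalware.example from being caught by the malware.example entry; a substring or plain suffix test would produce exactly the kind of false positive the service asks users to report.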

The SafeDNS service at Penn is built using the same high performance, high availability resolver architecture as our standard resolvers: the service is distributed across physical servers in multiple, distinct data centers across the Penn campus, and uses anycast routing to enable maintenance and failure recovery that are transparent to end users.

Using the SafeDNS service

SafeDNS is an opt-in alternative to the standard Penn resolver service. If a workstation is configured to use the SafeDNS resolvers as its DNS servers, any attempt to reach a suspected malicious host will be redirected to a SafeDNS web server. Each SafeDNS web server responds to every request with a small, static web page (sample) advising the user that their request was redirected.

To use SafeDNS:

  1. Review the Terms of Service
  2. Review the Privacy Statement
  3. Configure participating client machines to use the SafeDNS resolvers
    DNS 1 ("Primary"):
    DNS 2 ("Secondary"):

If the clients you manage receive their DNS server configuration from the central DHCP service, contact Client Care to discuss converting a DHCP subnet to publish the SafeDNS resolver addresses.

Be aware that SafeDNS cannot know about every host that might serve malicious content, and, conversely, may incorrectly block a legitimate host from time to time. Please report suspected false negatives and false positives to Client Care promptly, and continue to employ other, complementary methods of preventing and detecting compromised client computers.

Please refer any questions, issues, or problems with the SafeDNS service first to the local computing organization for your school or center, if appropriate, or to ISC's Client Care via email at or phone at 215-898-1000.

Last updated: 2015-02-05

Last reviewed: 2016-08-18




Information Systems and Computing
University of Pennsylvania