Penn SafeDNS Service
Information Systems & Computing operates a central Domain Name System (DNS)
firewall service, called SafeDNS. This service performs conventional DNS
resolver functions—translating human-readable hostnames to IP addresses
on behalf of client computers—but when asked to resolve the name of a server
that is known to host malicious content, it responds instead with the address
of a safe server on campus.
It has become increasingly difficult to protect client workstations from
becoming compromised by malicious software. Even if workstations are patched
and running up-to-date anti-virus software, some risks remain because of the:
- Increasing prevalence of 0-day threats (attacks that exploit
vulnerabilities for which there is no patch);
- Incomplete effectiveness of anti-virus software in detecting
polymorphic malware; and
- The prevalence of malicious third-party ads hosted on otherwise
legitimate web sites.
This is the problem SafeDNS aims to solve.
An ordinary DNS resolver performs recursive name resolution of network name
to network address on behalf of its clients, caching the responses to
improve performance for subsequent queries for the same names. An ordinary
firewall examines packets in transit, and selectively blocks ("discards")
those that match rules defining undesirable traffic. A DNS firewall examines
only the responses to DNS queries, not all packets, and instead of blocking
those that are deemed undesirable, replaces them with known-safe responses.
The SafeDNS service at Penn is built using the same high performance,
high availability resolver architecture as our standard resolvers:
the service is distributed across physical servers in multiple, distinct
data centers across the Penn campus, and uses anycast routing to enable
maintenance and failure recovery that are transparent to end users.
Using the SafeDNS service
SafeDNS is an opt-in alternative to the standard Penn resolver service. If
a workstation is configured to use SafeDNS as its DNS servers, any attempt to
reach a suspected malicious host will be redirected to a SafeDNS web server.
Each SafeDNS web server responds to every request with a small, static web
page (sample) advising the user that their request was
To use SafeDNS:
- Review the Terms of Service
- Review the Privacy Statement
- Configure participating client machines to use the SafeDNS resolvers
|DNS 1 ("Primary"):||220.127.116.11|
|DNS 2 ("Secondary"):||18.104.22.168|
If the clients you manage receive their DNS server configuration from the
central DHCP service, contact Client Care to discuss converting a DHCP
subnet to publish the SafeDNS resolver addresses.
Be aware that SafeDNS cannot know about every host that might serve malicious
content, and, conversely, may incorrectly block a legitimate host from time
to time. Please report suspected false negatives and false positives to
Client Care promptly, and continue to employ other, complementary methods of
preventing and detecting compromised client computers.
Please refer any questions, issues, or problems with the SafeDNS service first
to the local computing organization for your school or center, if
appropriate, or to ISC's Client
Care via email at
firstname.lastname@example.org or phone
Last updated: 2015-02-05
Last reviewed: 2016-08-18