1. The DNS web interface
The Hydra IPAM Interface is the preferred mechanism for updating the Oxford University hosts database.
For access to this please review: Hydra IPAM Permissions.
The web interface allows for manipulation of the following:
- A records
  - The principal name<->number mapping for hosts. For instance, IP address
- CNAMEs (aliases)
  - These allow multiple names to point at a single host. For instance, a machine registered as foo.misc.ox.ac.uk may act as the webserver for the college, and thus a CNAME entry pointing www.misc.ox.ac.uk at that machine can be put in. Note that the alias points at a name, not a number.
- MX (mailer) records
  - These allow for mail addressed to one host to be handled by a different host; for instance, all mail addressed to foo.misc.ox.ac.uk will be sent instead to bar.misc.ox.ac.uk. Note that this will not affect the username portion of an email address such as firstname.lastname@example.org; it only allows one to perform per-hostname filtering.
  - The record name need not exist as an A record: while the A record mail.misc.ox.ac.uk might not exist, it can exist as an MX record, ensuring that any mail to addresses with mail.misc.ox.ac.uk to the right of the "@" sign is directed to a mail server.
  - An MX record may point to multiple hosts, in which case systems will attempt to pass on mail in order of priority should the primary mailserver be unavailable. Often oxmail.ox.ac.uk will act as the secondary mailserver. A name in an MX record must not be a CNAME record.
- Other records
  - In a few cases, DNS records may be required which cannot be processed by the DNS web interface. In these cases, please contact email@example.com with your requirements.
2. DNS technical Rules and Guidelines
These guidelines are used in assigning DNS entries and must be adhered to by network administrators. See the official University IT rules.
The official contact address for all DNS-related queries is firstname.lastname@example.org. You should receive an autoreply giving you a ticket number; please keep it in the subject line of all subsequent correspondence relating to your request or query.
University IT Regulations
- A valid "A" record within the ox.ac.uk domain must be present for all hardware assigned and using IP addresses within the ranges assigned to Oxford University. This includes printers and network hardware, especially if they are sending or receiving packets via the University backbone (from time to time packets may leak onto the backbone even if you do not expect them to). Lack of a DNS entry may result in access being denied to certain services; moreover, an entry makes it easier for IT Services and external sites to identify machines in the event of problems. Obviously machines on private networks within departments (using "private" IP address ranges such as 10.0.0.0/24) need not be registered in the DNS, but any gateway/firewall connecting them to the University network must be registered.
Network Advisory Group
- Library public machines may be placed within the library-public.ox.ac.uk subdomain in an effort to prevent their being used to access central email services.
- Please note that while there are around 100 hosts registered in this domain, it is not believed that central email services still adhere to NAG's policy.
IT Services Registration
- Normally most hosts on your network will lie within a single subdomain, although some departments may have multiple subdomain names to reflect internal organisation.
- Some units may wish for certain servers to be accessible via a different subnet name, for instance the long-format name as used on email addresses. Hostmaster may choose to allow these as aliases for primary public WWW and FTP servers (e.g. www.longunitname.ox.ac.uk), but other machines will remain within the standard unit name.
IT Services Security
- To avoid your NAT gateway being mistaken for a standard host, IT Services strongly recommend that you give it a distinctive name in the DNS, for example student-nat.unit.ox.ac.uk.
- The DNS resolvers may respond to queries with information as directed by OxCERT on security grounds.
IT Services Networks
- IT support staff may access Hydra; please review: Hydra IPAM Permissions.
- The University is running short of unallocated IPv4 subnets. We have to ensure that we are able to allocate subnets to new departments over the decade or more that it will take before running IPv6 only becomes viable. This means that we are unable to allocate new subnets greater than /24 in size, and that existing Units will be expected to stay within their existing allocation (e.g. by the use of NAT/PAT).
- IT support staff may self-register here.
- A DNS entry must not contain characters other than alphanumeric characters, dashes, and dots to separate the various components. DNS is case-insensitive.
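As an added example (not part of the original page or of Hydra itself), the checker below applies the rules stated in sections 1 and 2 to a small record set before it is submitted: names may contain only alphanumerics, dashes and dots and are compared case-insensitively; a CNAME points at a name, never at an address; an MX target must not itself be a CNAME; and MX hosts are tried in priority order. The record tuples, the 192.0.2.x addresses and the function names are constructed for illustration; oxmail.ox.ac.uk and the misc.ox.ac.uk hosts are the examples used on this page.

```python
import ipaddress
import re

# Allowed characters per the rule on this page: letters, digits and dashes within a
# component, with dots separating components. DNS names are case-insensitive.
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


def normalise(name):
    """Lower-case a name and drop any trailing dot so comparisons are case-insensitive."""
    return name.strip().rstrip(".").lower()


def valid_name(name):
    """True when every dot-separated component is non-empty and uses only A-Z, 0-9 and '-'."""
    name = normalise(name)
    return bool(name) and all(LABEL_RE.match(label) for label in name.split("."))


def is_ip(value):
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_records(records):
    """Check a list of (owner, type, data) tuples against the rules described above.

    A data is an IP address, CNAME data is a target name, MX data is "<priority> <host>".
    Returns a list of problem strings; an empty list means the set passes."""
    problems = []
    cname_owners = {normalise(o) for o, t, _ in records if t == "CNAME"}
    for owner, rtype, data in records:
        if not valid_name(owner):
            problems.append(f"{owner}: name may only contain letters, digits, dashes and dots")
        if rtype == "A":
            if not is_ip(data):
                problems.append(f"{owner}: A record data {data!r} is not an IP address")
        elif rtype == "CNAME":
            # An alias points at a name, never at a number.
            if is_ip(data) or not valid_name(data):
                problems.append(f"{owner}: CNAME must point at a host name, got {data!r}")
        elif rtype == "MX":
            parts = data.split()
            if len(parts) != 2 or not parts[0].isdigit() or not valid_name(parts[1]):
                problems.append(f"{owner}: MX data must be '<priority> <host>', got {data!r}")
            elif normalise(parts[1]) in cname_owners:
                # A name in an MX record must not be a CNAME.
                problems.append(f"{owner}: MX target {parts[1]} is a CNAME")
        else:
            problems.append(f"{owner}: record type {rtype} cannot be handled here; contact hostmaster")
    return problems


def mx_in_priority_order(records, owner):
    """Return the MX hosts for owner, lowest priority value first (the order mail is tried)."""
    o = normalise(owner)
    mxs = [d.split() for own, t, d in records if t == "MX" and normalise(own) == o]
    return [host for _, host in sorted(mxs, key=lambda p: int(p[0]))]


# Constructed sample data, not real Oxford entries.
SAMPLE_OK = [
    ("foo.misc.ox.ac.uk", "A", "192.0.2.10"),
    ("bar.misc.ox.ac.uk", "A", "192.0.2.11"),
    ("www.misc.ox.ac.uk", "CNAME", "foo.misc.ox.ac.uk"),
    ("mail.misc.ox.ac.uk", "MX", "10 bar.misc.ox.ac.uk"),
    ("mail.misc.ox.ac.uk", "MX", "20 oxmail.ox.ac.uk"),
]

SAMPLE_BAD = [
    ("bad_host.misc.ox.ac.uk", "A", "192.0.2.12"),        # underscore is not permitted
    ("alias.misc.ox.ac.uk", "CNAME", "192.0.2.10"),       # alias must point at a name
    ("mail.misc.ox.ac.uk", "MX", "10 www.misc.ox.ac.uk"), # MX target is a CNAME
    ("www.misc.ox.ac.uk", "CNAME", "foo.misc.ox.ac.uk"),
]

if __name__ == "__main__":
    print("ok set:", check_records(SAMPLE_OK))
    print("bad set:", *check_records(SAMPLE_BAD), sep="\n  ")
    print("mail order:", mx_in_priority_order(SAMPLE_OK, "mail.misc.ox.ac.uk"))
```

The checker deliberately does not require an MX owner to exist as an A record, since the page notes that mail.misc.ox.ac.uk may exist only as an MX record; it also does not resolve anything, so it can be run offline on a draft record set before the entries are entered in Hydra.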
3. Windows Active Directory and DNS
Some Windows services, in particular Active Directory, require that the DNS servers support SRV (service) records and prefer also that dynamic updates are supported.
While the main Oxford DNS servers can in principle handle SRV records, dynamic update requests from Windows clients are best handled in a secure manner by the Microsoft DNS server software.
In view of this and other operational considerations, the decision was taken that each unit wishing to use Active Directory services operate its own local Windows DNS server. Notes and minutes relating to the relevant meetings may be found on the Active Directory pages.
In order to integrate with the Oxford University DNS, it is required that six subdomains be delegated to each unit DNS server. These subdomains are as follows (the final two do not apply to Windows 2000-only domains):
The delegations will be made to one or more servers within your own unit. Server delegations should be registered via the Hydra IPAM ADSRV record template.
Refer to the instructions on Installing and Configuring Windows DNS to Support Active Directory together with the Active Directory pages for further information and full details of configuring DNS to support both configurations.
The zones listed above are public zones and so in theory your Active Directory authoritative server should be able to be contacted on UDP/TCP 53 from anywhere in the world. In practice however, you may want to restrict it to the Oxford subnets, either on the servers themselves or via a firewall.
If, however, you wish to restrict it further to just the Oxford resolvers (220.127.116.11, 18.104.22.168, 22.214.171.124), then you will need to open up your firewall to their recursive source IPs. These IPs are on the subnet range 126.96.36.199/29.
3.3. Disabling dynamic DNS registration
By default PCs running Windows 2000 and above (both workstation and server products) will try to register their name and IP address in the DNS each time that they boot up. To minimise the extra load that this will cause on the Oxford DNS servers, we'd be grateful if you would turn this option off when you install Windows XP, Vista etc. Never disable this setting on domain controllers as this will also stop them registering their service records.
To disable automatic registration after Windows has been installed, open the [Network] control panel, bring up the [Properties] box for the Local Area Connection, open the [Properties] for TCP/IP, go to [Advanced/DNS] and turn off the option [Register this connection's addresses in DNS]. You can also disable registration during a custom install of XP by going into the [Properties] of TCP/IP at the appropriate point in the installation process.