The purpose of our DNS RPZ system is to block access to known malicious sites, especially sites that target the University. It should be a helpful security improvement, not a censorious lockdown.
Principles
Focus on information security.
The purpose of these blocks is to protect against malware and phishing. We will not block sites for moral or political reasons.
Transparent implementation.
We publish the list of sites that are blocked and the reasons for blocking them. In most cases, when you encounter a blocked site you will be redirected to a web page that explains what is happening.
Unobtrusive.
You should not normally encounter a blocked site; if you do, it should be apparent that the block is helpful rather than obstructive.
Collaborative.
We are keen for you to report domains to us that should or should not be blocked, to help us make the blocks more effective and less annoying. Please mail them to <servicedesk@uis.cam.ac.uk>.
Optional.
There are legitimate reasons that you might need to bypass these blocks, so we have alternative recursive DNS servers that allow you to do so, without switching to a non-University Internet connection.
Blocking policies
Whether a domain is blocked or not is a result of a combination of the following policies.
CSIRT block list
Our computer security incident response team maintain a local block list. We may block a domain:
If it hosts a phishing site that targets login credentials for systems run by the University of Cambridge and related institutions, or which specifically targets Cambridge people.
If it hosts malware that is causing disruption and which is not adequately blocked by other means (such as anti-virus software).
A site might not be blocked:
If it has substantial legitimate use which the block would disrupt. For example, we can't reasonably block phishing forms hosted by popular services such as Google Docs.
If it hosts a phishing site that targets a non-Cambridge service such as online banking, which we would expect to be blocked by other means such as safe browsing.
CSIRT "nxdomain" list
Our computer security incident response team maintain
a denial-of-existence list. This is a special case
list of domains that need to be blocked outright rather than
redirected to this web server. The normal block list should be used
unless there's an external requirement that prevents redirection, for
instance use-application-dns.net
.
CSIRT "passthru" list
Our computer security incident response team maintain a local pass-through list. The purpose of this list is to address problems that might be caused by an erroneous or disruptive entry in a third-party block list.
This list is usually empty.
Spamhaus DROP list
The Spamhaus DROP (Don't Route Or Peer) lists are advisory "drop all traffic" lists, consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The DROP lists are designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.
We are only using the basic DROP list, not EDROP or DROPv6.