How to Comply with Network Registration Policy
This article applies to: DNS
If you're responsible for network connections in your department or building, you need to register all the network devices into DNS as per University Policy 5.7, Network Registry.
Unregistered machines may be difficult to locate. This may cause a problem, for example, if a machine is flooding the network with traffic. Although CIT can locate the machine via port traffic, it can take a week or more to locate the individual responsible for the machine. If you scan your networks for a vulnerability or virus and discover a machine that is affected, it is much more difficult to identify the machine if it is unregistered or using dynamic DHCP.
How you enter the data required by Cornell's Network Registry depends on how your subnet assigns IP addresses. Registering a machine means associating a Cornell NetID (the person responsible for it) and its MAC address with the machine's DNS name and IP address. The four cases are:
- Static IP addressing
- CIT's DHCP registration service
- A departmental DHCP service
- A departmental firewall and/or a single circuit gateway
To use the tools described here, you need to be a registered network administrator as described on the How to Manage DNS Registrations for Your Subnet page.
Static IP addressing
Once the host names are entered in CIT's DNS database (DNSdb), add the two registry fields (MAC address and NetID) to each host using either:
- The host list web page at http://dnsdb.cit.cornell.edu/dnsdb-cgi/host.pl, for updating one machine at a time.
- The batch load interface at http://dnsdb.cit.cornell.edu/dnsdb-cgi/batch.pl, for updating multiple machines at once:
  - To create a record (necessary only if the host has not already been entered in DNS): addhost hostname ipaddr
  - To record the MAC address: addmac ipaddr macaddr
  - To record the NetID: chgowner hostname netid
CIT's DHCP registration service
- These subnets are already in compliance with the Network Registry policy; information already in DNSdb does not need to be re-entered.
A departmental DHCP service
Network administrators should:
- Limit their service to known MAC addresses.
- Record machines in the Network Registry using DNSdb's batch load addhost, addmac and chgowner commands shown above. If a dynamic pool of known MAC addresses is used, each MAC must still be registered in DNSdb, but with an IP address in the "0" address space, which is reserved for the network registry: no network traffic is routed to or from a "0" address, and "0" addresses are never served in DNS. For example, for a /24 subnet that maps to 0.253.230.0/24 in the "0" address space, the netadmin can assign the "0" addresses 0.253.230.11 - 0.253.230.254 in the network registry.
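The two steps above (allow only known MAC addresses, then register each one with addhost, addmac and chgowner) are easiest to keep consistent when both are generated from one inventory file. The script below is an added example, not CIT's code and not part of this page: it normalizes and validates MAC addresses, checks fixed addresses against the subnet, hands out consecutive "0" registry addresses to machines served from a dynamic pool, refuses duplicate MACs, and emits both the DNSdb batch lines and matching ISC dhcpd host declarations. Only the three batch commands come from the page; everything else is an assumption: the CSV layout, the sample hosts (constructed, not real), the 10.253.230.0/24 stand-in subnet, the mapping into the "0" space by replacing the first octet with 0 (inferred from the page's 0.253.230.x example), one command per line in the batch file, and the dhcpd syntax (ISC dhcpd's, not DNSdb's).

```python
"""Build DNSdb batch-load lines and a dhcpd known-MAC list from one inventory.

Added example, not CIT's code. Only the addhost/addmac/chgowner commands come
from the page; the CSV layout, sample hosts, stand-in subnet and the "0"
address mapping are assumptions."""
import csv
import io
import ipaddress
import re

# Constructed sample inventory (made-up hosts, MACs and NetIDs).
# ip filled in -> the machine has a fixed address (static or DHCP reservation)
# ip empty     -> the machine leases from a dynamic pool of known MACs
INVENTORY_CSV = """hostname,ip,mac,netid
labpc01.example.cornell.edu,10.253.230.21,00-11-22-33-44-55,abc12
labpc02.example.cornell.edu,,0011.2233.4466,def34
labpc03.example.cornell.edu,,00:11:22:33:44:77,ghi56
"""

# Stand-in departmental subnet (assumption; not a real Cornell subnet).
SUBNET = ipaddress.ip_network("10.253.230.0/24")


def normalize_mac(raw: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55 and return
    the lowercase colon form. Anything that is not exactly 12 hex digits is
    rejected so a typo cannot silently register (or allow-list) the wrong machine."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def zero_space(subnet: ipaddress.IPv4Network) -> ipaddress.IPv4Network:
    """Map a subnet into the registry-only "0" address space by replacing the
    first octet with 0 (assumed from the page's 0.253.230.x example), e.g.
    10.253.230.0/24 -> 0.253.230.0/24."""
    rest = str(subnet.network_address).split(".", 1)[1]
    return ipaddress.ip_network(f"0.{rest}/{subnet.prefixlen}")


def build_batch(csv_text: str, subnet: ipaddress.IPv4Network,
                first_zero_host: int = 11) -> list[str]:
    """Return batch.pl lines (one command per line, assumed) for every host.
    Pool machines get consecutive "0" addresses starting at first_zero_host
    (the page's example starts at .11); duplicate MACs are refused."""
    zero_net = zero_space(subnet)
    next_zero = first_zero_host
    seen_macs: set[str] = set()
    lines: list[str] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"].strip().lower()
        mac = normalize_mac(row["mac"])
        if mac in seen_macs:
            raise ValueError(f"{host}: MAC {mac} already registered to another host")
        seen_macs.add(mac)
        if row["ip"].strip():
            ip = ipaddress.ip_address(row["ip"].strip())
            if ip not in subnet:
                raise ValueError(f"{host}: {ip} is not in {subnet}")
        else:
            if next_zero >= zero_net.num_addresses - 1:  # stay off the broadcast
                raise ValueError(f"{host}: no free address left in {zero_net}")
            ip = zero_net.network_address + next_zero
            next_zero += 1
        lines.append(f"addhost {host} {ip}")      # create the DNS/registry record
        lines.append(f"addmac {ip} {mac}")        # record the MAC address
        lines.append(f"chgowner {host} {row['netid'].strip()}")  # record the NetID
    return lines


def build_dhcpd_hosts(csv_text: str) -> str:
    """Emit ISC dhcpd host declarations from the same inventory so the DHCP
    allow list cannot drift from the registry. A host declaration makes the
    MAC "known" to dhcpd; a pool with `deny unknown-clients;` then serves only
    these machines. fixed-address is added only where the inventory has an ip."""
    stanzas = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["hostname"].strip().split(".")[0]
        body = f"hardware ethernet {normalize_mac(row['mac'])};"
        if row["ip"].strip():
            body += f" fixed-address {row['ip'].strip()};"
        stanzas.append(f"host {name} {{ {body} }}")
    return "\n".join(stanzas)


if __name__ == "__main__":
    print("\n".join(build_batch(INVENTORY_CSV, SUBNET)))
    print()
    print(build_dhcpd_hosts(INVENTORY_CSV))
```

Run it, paste the first block of output into the batch load page, and put the host declarations in dhcpd.conf alongside a pool that carries `deny unknown-clients;`, so a machine that is not in the inventory gets neither a lease nor a registry entry. Regenerating both outputs from the same file whenever a machine is added or retired is what keeps the two from disagreeing.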
A departmental firewall and/or a single circuit gateway (separated subnets)
The network administrator should send email to hostmaster to set up a meeting to talk about how CIT can help you comply with the policy.