Skip to main content

Cornell University

How to Comply with Network Registration Policy

This article applies to: DNS

If you're responsible for network connections in your department or building, you need to register all the network devices into DNS as per University Policy 5.7, Network Registry

Unregistered machines may be difficult to locate. This may cause a problem, for example, if a machine is flooding the network with traffic. Although CIT can locate the machine via port traffic, it can take a week or more to locate the individual responsible for the machine. If you scan your networks for a vulnerability or virus and discover a machine that is affected, it is much more difficult to identify the machine if it is unregistered or using dynamic DHCP.

Options

How you enter the data required by Cornell's Network Registry depends on the method your subnet uses for assigning IP addresses. Network registry is assigning Cornell NetIDs and MAC addresses to registered DNS/IP names.

To use the tools described here, you need to be a registered network administrator as described on the How to Manage DNS Registrations for Your Subnet page.

Static IP Addressing

Once the host names are entered in CIT's DNS database (DNSdb), add two additional fields using either:

  • The host list web page for updating one machine at a time.
  • The batch load interface for updating multiple machines at once:
    • To create a record (necessary only if the DNS has not already been entered): addhost hostnam ipaddr
    • To record the MAC address: addmac ipaddr macaddr
    • To record the NetID: chgowner hostname netid
You must be on the campus network or using VPN to access these sites.

CIT's DHCP Registration Service

These subnets are already in compliance with the Network Registry policy; information already in DNSdb does not need to be re-entered.

A Departmental DHCP Service

Network administrators should:

  • Limit their service to known MAC addresses.
  • Record machines in the Network Registry using DNSdb's batch load commands shown above. If a dynamic pool of known MAC addresses is used, each MAC should be registered in DNSDB with an IP address in the "0" address space, which is reserved for network registry (no network traffic is routed to or from a "0" address, nor are "0" addresses served in DNS). For example, if the subnet is 128.253.230.0/24 then the netadmin can assign "0" addresses 0.253.230.11 - 0.253.230.254 in the network registry.

A Departmental Firewall and/or a Single Circuit Gateway (Separated Subnets)

The network administrator should send email to hostmaster to set up a meeting to talk about how CIT can help you comply with the policy.

 

Comments?

To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.