IT Services



DNS Redirection of ox.ac.uk hosts to non-University of Oxford IP addresses





Summary

The DNS Naming Policy states, "For reasons of accountability and security, hostnames within the ox.ac.uk domain may not ordinarily be pointed at IP addresses outside the address space allocated to the University. An exception may be granted where IT Services are satisfied the Unit retains a level of control over the hosted service comparable with a service hosted on the University network. All exceptions will be reviewed periodically". The conditions under which an exception may be granted are detailed below. They are intended to help ensure that the University can make an informed decision about external hosting and, where an exception is granted, retain adequate control over systems hosted externally (i.e. not under the direct control of University staff).



Conditions

In order to qualify, the Head of Unit must certify that:

  1. There is a process (which includes appropriate remote access arrangements be they physical and/or virtual) to take down the server within 30 minutes (during normal working hours) of being requested to do so by IT Services (normally OxCERT). IT Services will make reasonable efforts to contact the unit's IT support staff by email (to the Unit's generic IT support address where available) and telephone.
    • In exceptional circumstances there may be an urgent need to suspend service outside of normal working hours. IT Services will nevertheless make reasonable efforts to ensure the unit's IT support staff are aware as soon as possible.
  2. IT Services will set a "time to live" (TTL) of no more than 1800 seconds on all DNS entries pointing to systems outside the University network.
    • If the unit cannot be contacted or is unable to take down the server in a timely manner, then IT Services may withdraw the DNS entry in question.
    • Should this occur, the DNS entry will be pointed at a University IP address. This will return a generic "Service unavailable" error to HTTP requests on port 80, but will not respond to any other protocols.
  3. It is the Unit's responsibility to ensure that procedures are in place to restore service in a timescale appropriate to their requirements. Before full service can be restored, IT Services (usually OxCERT) will need to be satisfied that appropriate measures have been taken to resolve the problem(s) identified.
  4. They must maintain appropriate logs securely and recoverably so that OxCERT or any other lawfully entitled party can get these on request in a timely fashion.
  5. The system must be operated, and adequate data protection measures implemented, in accord with the University's IT Regulations and Information Security Policy.
  6. An annual self-certification process will be carried out. It is the responsibility of the Unit to ensure that this is returned complete within one month of receipt. DNS Registration will contact the Unit’s generic IT-support email address where available (otherwise all registered ITSS for the unit).
  7. Any failure to meet these conditions will result in a 30-day notice of withdrawal of the redirection.