Nov 14, 2022

Use PAL and eduroam in Purdue

Purdue is pushing for some random software to configure Wi-Fi. So here is a brief note to configure everything by hand.

PAL3.0

eduroam

For Android, select 'Use system certificates' and then enter 'dbm.i2a2.purdue.edu' as the Domain.

DNS Issues

My Windows system runs into DNS issues when using the Purdue network. After a little debugging I found that Purdue (surprisingly) blocks access to 8.8.8.8 as a DNS server.

After a little digging I found that Purdue wishes to push users to use their own DNS server to 'add security protections from various forms of Malware, Botnet, Phishing, Torrents, and monitor connected devices for on-going malicious activity.'

I think it is highly suspicious that Purdue pushes users to use their DNS servers (128.210.11.5 and 128.210.11.57) even to the extent of actively blocking other DNS servers. but these servers do work. I also find that 8.8.4.4 is not blocked so I use that one for my DNS services, at least before it is blocked in the future.

Update

I was fortunate enough to have an e-mail exchange with the Purdue IT team, in which he pointed out some rationales for the decision. I will paste the text below.

Sender: Steven M Plite <splite.cs.purdue.edu>

Recipient: luo401.purdue.edu

Date: 2024-01-10 11:36:07


Just an FYI, by using external DNS servers while on campus, you will not
receive addresses for hosts on internal-only Purdue networks (split-horizon
DNS). The ECN knowledgebase article your page references has been updated
to note that.

It's not a grand conspiracy to subvert your DNS lookups.

Subject: Re: your PAL/eduroam web page

Sender: "Luo, Zhongtang" <luo401.purdue.edu>

Recipient: Steven M Plite <splite.cs.purdue.edu>

Date: 2024-01-10 21:29:23

Wow. Never imagined someone from Purdue IT to actually contact me. Thanks for clearing this up!

Nevertheless, from the article I understand the following two points to be true:


1. In order to reduce phishing, Purdue banned external DNS servers (8.8.8.8) in the past in an attempt to force the users to use Purdue's DNS server. The way this works is that when a user visits a suspected phishing site, Purdue can subvert the lookup and redirect them to a warning page instead.
2. If a user wants to access Purdue on-campus resources, they will have to use Purdue DNS servers because Purdue employs split-horizon DNS and does not advertise its internal resource to the outside for security concerns.

I personally believe that Purdue is too busy to check what everyone's DNS record is, but I think that you also understand since Purdue controlls the DNS server it will be able to do so. If you are able to confirm these for me, I am more than glad to edit the page to reflect these points.

It would also be nice if your team can make a page on how to connect to WiFi (https://zhtluo.com/misc/use-pal-and-eduroam-in-purdue.html) and VPN (https://zhtluo.com/misc/connect-to-purdue-vpn-without-cisco.html) without random software so I do not need to keep these pages at all. :)


Zhongtang Luo

Subject: Re: your PAL/eduroam web page

Sender: Steven Plite <splite.cs.purdue.edu>

Recipient: "Luo, Zhongtang" <luo401.purdue.edu>

Date: 2024-01-10 16:49:27


1. Yes, being able to redirect lookups for known phishing sites is a considered a plus. 8.8.8.8 was specifically blocked because some versions of Chrome like to use it regardless of your DNS settings, which is a security risk and breaks access to internal-facing web servers.
2. Correct, but the split-horizon DNS is not entirely for security. To conserve precious IPv4 address space, many Purdue hosts are on non-routed networks like 10.x.x.x. Such unreachable hosts are not listed in the external-facing DNS.

There is now a page on connecting to wireless that should look suspiciously familiar:

https://engineering.purdue.edu/ECN/Support/KB/Docs/ConnectingtoPurdueswi

A more elaborate page on installing OpenConnect is at:

https://engineering.purdue.edu/ECN/Support/KB/Docs/openconnectVPNconfig