
External DNS Record Requirements


Pointing IPs and CNAMEs outside LBL space (in the cloud) can help Berkeley Lab projects make the best use of external resources. However, there are risks associated with making outside systems appear to be within LBL control.


All externally facing CNAMEs and other IP records must be approved and must have short TTLs (30 minutes) to facilitate redirection in the event of a security issue.

Category 1:
Approved by LBLnet (LBLnet notifies Cyber Security)

  1. Points to any LBL domain name (,, etc)
  2. Points to any UC campus (,, etc)
  3. Points to another national laboratory (e.g., etc)
  4. Requested by an IT Division Service Owner for a pilot or production service approved by management (e.g. Cloudflare, Zimride, etc)
  5. Points to the LBNL controlled hosting environments at, cloudflare, or

    Note: The LBNL controlled hosting environments at contain these subdomains: als, ameriflux, berkeleylab, biosciences, climatemulti, csarea2, eesa2, ehsd, esd, etalbl, intranet4lbnl, jbei, jgi, lbldedicated, lbldir, lblensci, lbleta, lblinternal, lblmain, lblops, lblops2, lblops3, lblsci, lblsci2, lblstatic, lblvhosts, lblwww2, msdiv, physci, tough, uho, wwwdev

Category 2:
Approved by Cyber Security

Anything that does not fall into Category 1.

Cyber Security will work with the requester to determine the appropriate risk and controls per.

If you are the requester, please fill out our "Cloud Hosting Request Form" based on Cloud Services - Cyber Controls.