External DNS Record Requirements
Pointing IPs and CNAMEs outside LBL space (in the cloud) can help Berkeley Lab projects make the best use of external resources. However, there are risks associated with making outside systems appear to be within LBL control.
All externally facing CNAMEs and other IP records must be approved and must have short TTLs (30 minutes) to facilitate redirection in the event of a security issue.
Category 1: Approved by LBLnet (LBLnet notifies Cyber Security)
- Points to any LBL domain name (nersc.gov, es.net, etc.)
- Points to any UC campus (berkeley.edu, ucdavis.edu, etc.)
- Points to another national laboratory (e.g. anl.gov)
- Requested by an IT Division Service Owner for a pilot or production service approved by management (e.g. Cloudflare, Zimride, etc.)
- Points to the LBNL-controlled hosting environments at ghs.googlehosted.com, Cloudflare, or wpengine.com
Note: The LBNL-controlled hosting environment at wpengine.com contains these subdomains: als, ameriflux, berkeleylab, biosciences, climatemulti, csarea2, eesa2, ehsd, esd, etalbl, intranet4lbnl, jbei, jgi, lbldedicated, lbldir, lblensci, lbleta, lblinternal, lblmain, lblops, lblops2, lblops3, lblsci, lblsci2, lblstatic, lblvhosts, lblwww2, msdiv, physci, tough, uho, wwwdev
Category 2: Approved by Cyber Security
Anything that does not fall into Category 1.
Cyber Security will work with the requester to determine the appropriate risk and controls per.
If you are the requester, please fill out our "Cloud Hosting Request Form" based on Cloud Services - Cyber Controls.
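One way to check a zone export against the 30-minute TTL rule and the Category 1 target list is sketched below. It is an added example, not a Berkeley Lab tool; the record names, the five-field line format with an explicit TTL in seconds, and the partial suffix lists are assumptions made for illustration.

```python
# Added example: audit CNAME records against the TTL and approval rules above.
MAX_TTL = 30 * 60  # the policy's 30-minute ceiling, in seconds

# Category 1 targets named on the page. Its lists end in "etc", so these
# tuples are a starting point, not the complete approved set.
LBLNET_SUFFIXES = ("nersc.gov", "es.net", "berkeley.edu", "ucdavis.edu", "anl.gov")
LBLNET_EXACT = {"ghs.googlehosted.com"}
# A few of the LBNL-controlled WP Engine subdomains from the page's note.
WPENGINE_SUBDOMAINS = {"als", "jbei", "jgi", "lblmain"}

# Constructed sample records: name, TTL in seconds, class, type, target.
SAMPLE_ZONE = """\
docs.lab.example.  1800  IN CNAME ghs.googlehosted.com.
jgi.lab.example.   3600  IN CNAME jgi.wpengine.com.
hpc.lab.example.   900   IN CNAME portal.nersc.gov.
app.lab.example.   300   IN CNAME notberkeley.edu.
shop.lab.example.  86400 IN CNAME store.vendor.example.
"""

def approver(target):
    """Return "LBLnet" for a recognised Category 1 target, else "review"."""
    t = target.rstrip(".").lower()
    if t in LBLNET_EXACT:
        return "LBLnet"
    # Match on a label boundary so notberkeley.edu does not pass as berkeley.edu.
    if any(t == s or t.endswith("." + s) for s in LBLNET_SUFFIXES):
        return "LBLnet"
    labels = t.split(".")
    if labels[1:] == ["wpengine", "com"] and labels[0] in WPENGINE_SUBDOMAINS:
        return "LBLnet"
    # Cloudflare and service-owner requests cannot be judged from a hostname,
    # so everything unmatched goes to a person.
    return "review"

def audit(zone_text):
    """Return one finding per CNAME record with an explicit numeric TTL."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) != 5 or fields[3].upper() != "CNAME" or not fields[1].isdigit():
            continue
        name, ttl, _cls, _type, target = fields
        findings.append({"name": name, "ttl_ok": int(ttl) <= MAX_TTL,
                         "approver": approver(target)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_ZONE):
        print(f)
```

Records with `ttl_ok` false need their TTL lowered regardless of who approves them, and a "review" result means the target was not recognised here, not that it is disallowed.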