Generic TLDs Threaten Name Collisions and Information Leakage
CowboyRobot writes "As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than 1,000, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies. Two major issues could cause problems for companies: If domain names that are frequently used on a company's internal network — such as .corp, .mail, and .exchange — become accepted gTLDs, then organizations could inadvertently expose data and server access to the Internet. In addition, would-be attackers could easily pick up certificates for domains that are not yet assigned and cache them for use in man-in-the-middle attacks when the specific gTLD is deployed."
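As an added illustration of the two problems the summary describes (this code is not from the article or any poster): it classifies an organisation's internal hostnames by whether their suffix collides with a proposed gTLD, and counts queries for such names in resolver log lines. The gTLD list, the log format and the sample lines are constructed assumptions, not the real ICANN application list.

```python
"""Added example: find internal names that would collide with new gTLDs,
and count private-style names showing up in resolver query logs."""
import re
from collections import Counter

# Constructed sample of applied-for gTLD strings (assumption, not the real list).
PROPOSED_GTLDS = {"corp", "mail", "exchange", "office", "web", "home"}

# Suffixes commonly picked for private naming. None is reserved for that use:
# .local is claimed by mDNS (RFC 6762) and only .test/.example/.invalid/
# .localhost are reserved by RFC 2606.
PRIVATE_STYLE = {"corp", "local", "internal", "lan", "mail", "exchange",
                 "office", "int"}

def tld(name: str) -> str:
    """Return the last label of a DNS name, lowercased, ignoring a trailing dot."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()

def collision_risk(name: str) -> str:
    """Classify one internal hostname as 'collides', 'unregistered' or 'ok'."""
    t = tld(name)
    if t in PROPOSED_GTLDS:
        return "collides"      # will resolve on the public Internet once delegated
    if t in PRIVATE_STYLE:
        return "unregistered"  # not delegated today, but not reserved either
    return "ok"                # presumably a registered domain the org controls

def audit(names):
    """Map each risk class to the internal names that fall into it."""
    out = {"collides": [], "unregistered": [], "ok": []}
    for n in names:
        out[collision_risk(n)].append(n)
    return out

# Simplified BIND-style query log line (assumed format; real logs carry more fields).
LOG_RE = re.compile(r"client ([\d.]+)#\d+.*?: query: (\S+) IN")

def leaked_queries(log_lines, suffixes=PRIVATE_STYLE):
    """Count queries, per suffix, for private-style names seen by a resolver that
    forwards unknown names upstream; each is a name that escapes if no local
    zone answers it (the leakage the article's 25 percent figure refers to)."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and tld(m.group(2)) in suffixes:
            counts[tld(m.group(2))] += 1
    return counts

# Constructed sample log lines.
SAMPLE_LOG = [
    "client 10.1.2.3#51234: query: mail.corp IN A + (10.0.0.53)",
    "client 10.1.2.4#40001: query: www.example.com IN A + (10.0.0.53)",
    "client 10.1.2.5#40002: query: fileserver.corp IN A + (10.0.0.53)",
    "client 10.1.2.6#40003: query: printer.office.local IN AAAA + (10.0.0.53)",
]

if __name__ == "__main__":
    print(audit(["mail.corp", "dc1.ad.local", "intra.company.com"]))
    print(dict(leaked_queries(SAMPLE_LOG)))
```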
Another way to look at it: why were they using invalid domains in the first place?
I used to work for a company where some uncommon but in-use domain names were being used on the intranet, and were overriding the internet ones. A real pain in the ass.
The amount of spam and phishing will be 1000 fold of what it is today.
That's why I have been giving my internal domains silly names like .zyxprivnet for at least 15 years...
It would be nice to reserve some domain names for internal use though, just like internal IP addresses.
Everything I write is lies, read between the lines.
Why use some random .local when you can use intra.company.com subdomain for the internal lan.
It's much better to use a real domain which you actually own and will remember to renew.
There are no atheists when recovering from tape backup.
Currently, 25 percent of queries to the domain name system are for devices and computers that do not exist, suggesting the companies are already leaking information to the Internet
And how many of those are due to actual people as opposed to confused webcrawlers looking up dead links?
"Oh hai, a new webpage. Lookie, a link. hddp://mywobsite.youspace.com/forum/?post=1. Oh, there's nothing there.
Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=2. Oh, there's nothing there
Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=3. Oh, there's nothing there"
I read TFA and all I got was this lousy cookie
why were they using invalid domains in the first place?
Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.
Even without these objections, ICANN is just fscking around (for money, it ain't cheap to sup at their table), and blaming what the rest of the world may or may not have done is not really constructive here.
Seriously, the internet has reached a level of growth where ANY major change like that WILL invariably break something that grew along with it. And we didn't even reach the point yet where this alone is obviously a serious business advantage or drawback, depending on who gets certain TLDs. Who gets to have .mail? Who gets .web? Who is the lucky dog who gets that license to print money? And, worse, to keep certain people from using it at all, preferably those that would present a competitor to them?
Who gets to use .$well_known_name? .exchange? .office? Or how about .gates? .jackson?
If this does anything, it just opens up a new round of domain name turf wars and domain squatting. Only this time, there is no escape from the squatter. There is no $name.$land when $name.com is held for ransom.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The Internet ought not evolve, because some network admins at companies don't know how to use it properly? Is that the argument? I'd say that's a rather bad argument.
We should reserve the domains .icann and .usa so that these 'global' top level names don't bother the rest of the world. Each country then has the choice to support these 'global' top level domain names and if they don't you can find them all by adding .usa or .icann behind their expensive name vanity. Also countries can sell a temp licence to icann and get some of that icann money, no icann money then icann top level domains remain one notch down at .icann :-)
This is a BS article.
The main concern includes using internal gTLDs for internal use. In the article, they call this a "split brain DNS". When I wrote the IETF Draft, we called it "split horizon DNS". Implementing it requires specific modifications to a DNS server so that it can be both a forwarding server and an authoritative server at the "." level, and there is practically no DNS server out there which implements it. Certainly, the top 4 don't. In addition, browser completion into ".com" by default means that any typo will take you outside the company, so it's an idiotic example anyway.
The real issue is that if there are 1000 TLDs, all the companies that stupidly equate the DNS namespace with the trademark namespace will, in order to "defend their trademarks", feel they have to register their trademarks as domain names with 1000's of registrars. They don't like this.
As a pointed example, we used to maintain the top level DNS servers for free; it was a volunteer thing, and Paul Vixie did most of the work. Then the idiots at Dupont went off and registered over 400 domains in a single day, and that was it; that was too much work to expect the volunteers to do for free, and so they decided not to do so. Thereafter you paid for registration. Then people decided they could make a good profit at it, instead of paying for a change to the TLD subdelegation record, and the whole "let's rent domain subdelegations of TLDs instead of selling them" thing was born.
So back to Dupont... 400 domains * 1000 registrars * $30 average per year = $12M
Expect legislation protecting trademarks across all TLDs to follow shortly on this whole fiasco.
You mean the copyrighted work that has to be licensed in order for Netflix to let you view it? The horrors.
Netflix? Is this your local torrent site? Oh, you silly Americans.
Just imagine if company A asks for a certificate for mail.corporate, but then uses it for industrial espionage against company B's mail.corporate server...
Why you'd even shell out for overpriced crap you can just as well (better, really) do yourself is beyond me. But nonetheless, there is demand for it. And so the certificate authorities deliver. Whoever thought that commercialisation of trust was a good idea... yeah.
The simple fix, though, is to reserve, say, .local or somesuch in RFC1918-like fashion, just like example.{com,net} are reserved.
But this whole discussion highlights again the complete arbitrariness of what ICANN is up to now. Why not allow anyone to register anything at all at top level for godaddy prices? Why not turn the thing into a complete bloody flat space? It'd have the same effect minus the racketeering.
What ICANN is effectively doing is turn the DNS into a big corporate playpen. Take out the racketeering and it's the same thing except for everyone, anyone at all. Isn't that what the internet was supposed to be about?
They are obviously worthless creations and only around due to legacy reasons.
They are also highly virtual in actual use so can easily be changed. ICANN can just be fired and dissolved so they can finally retire on that eleventy billion dollars they likely got from all those retards buying TLDs.
I'm for creating newsgroup hierarchy / DNS hybrid, it gets rid of the need for search engines and most advertising and fixes everything.
Microsoft previously (pre 2007) recommended the use of non-registrable TLDs such as .local for internal domain naming. The current recommendation is to use a subdomain; there is however no supported method to rename a Microsoft Active Directory Domain with Exchange 2007 or newer. The only way to change is to cross-forest migrate to a new domain, which is kind of hard to sell to management: they have to invest a mass of time into the process, for really zero return.
Certificate Authorities are no longer registering certificates with unregistrable domains or IP addresses in them. The majority of companies have internal domains with .local. It definitely makes sense to reserve this and allow certificates to be issued for it.
Some time in the future, Microsoft admins will be banging their heads against the wall when they are told their public internal domains are no longer considered best practice.
It wasn't removed...there just aren't any more seeders.
Is it just my observation, or are there way too many stupid people in the world?
If you have heard them scream and shout and stomp their feet when we talk about GIMP here, wait until you see the reaction to .invalid
"why were they using invalid domains in the first place?"
Because they could. Because it was an easy solution. Because no one could imagine that ICANN would someday be so broken that .local or .office or .internal could ever possibly be a valid TLD.
http://alternatives.rzero.com/
why were they using invalid domains in the first place?
Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.
The answer is "because there are a lot of idiots passing themselves off as network engineers who actually don't have a clue". It's *never* been sane to pick arbitrary unreserved addresses in any network address space and assume they won't ever be used. And frankly I've seen this time and time again, including such craziness as people picking arbitrary unallocated IPv4 networks to use internally instead of RFC1918 networks, and then being surprised when things start breaking after those networks have been allocated out to a third party.
http://blog.nexusuk.org
This is mostly FUD.
Regarding external certificates, most certification agencies (at least those that are members of https://www.cabforum.org/) have stopped issuing certificates for invalid domain names for any date after November 1st 2015. They put this policy in place on Nov 1st 2012. Any such certificates that might be marked as valid beyond that date will be revoked on October 1st 2016.
Now, there may be a concern with internal certificates for such domains, but that is for the internal policy of businesses to fix in time. It should be easy to implement redirecting policies to new domains for any internal web site or system that could collide with gTLDs before they're actually implemented. It is certainly NOT a serious security concern in my opinion.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
Never bet against incompetence.
"why were they using invalid domains in the first place?"
Because they could. Because it was an easy solution. Because no one could imagine that ICANN would someday be so broken that .local or .office or .internal could ever possibly be a valid TLD.
And sometimes, because the best documentation on setting up Exchange servers or iMail servers would actually include examples where .exchange or .mail were the preferred choice for avoiding internet collision!
But seriously, if you aren't hosting your own DNS to begin with you've got a slew of problems to handle from the onset.
Another way to look at it: why were they using invalid domains in the first place?
Another way to look at it: why are they being dependent on an external TLD structure for their security mechanism?
now we need to go OSS in diesel cars
To answer the last point a bit. In 1986 I put the first TCP/IP network in place at the company I worked at at the time. Recall back then commercial use of the internet was not allowed. So I decided that we would never need to be on the internet, and decided I could set up IP addresses as I pleased. (There were just 2 hosts at the time, DECnet was bigger). I decided that addresses of 1.1.1.1 and 1.1.1.2 made a lot of sense and went with them. Of course things grew and times changed and later we had to move to network 10. But back in 1986 if one could have forecast the internet of today, one could have become very rich. (This was when the corporate IT folks wanted SNA and Token Ring networking because they were an IBM shop)
The former parent of the company I work for used 11.x.x.x for some of their internal systems. Stepping on the DOD's toes isn't a good idea...
If creating new top-level domains breaks your network security, you were already doing it wrong. Companies need to take a proactive approach to preventing XSS and similar attacks, and not leave themselves open to these sorts of attacks.
I hope I win.
Only if you want to do it properly, and/or be part of the Internet.
Here's a traditional automotive analogy for you:
What about my own garden tractor? Do I have to put oil in that? Why should I pay for oil if the tractor's never going to be on public roads? Why can't I just use oatmeal or tapwater in the crankcase?
Sometimes doing it right has a maintenance cost. Pay it or create some half-assed thing you'll probably be ashamed of later; either way don't bother complaining.
I'm sure major entities already re-route things like .com, .net, and .org to "internal" sites on an as-needed basis.
Let the Balkanization of the Internet begin^H^H^H^H^Hcontinue.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
This is bullshit.
There are no "invalid domains" These "invalid's" are domains the public infrastructure doesn't maintain.
The internet is a decentralized entity, and should remain that way. ICANN NEEDS to lose the central authority over shit like this. Even if it took major governments or large corporations each getting an address that was listed as a "root server" and each computer in the world had, say, any address in a single /8-/16 to pick a valid root server from. This would HOPEFULLY force multinationals to get along, at least well enough to allow the internet to function.
Or you know, a true peer to peer distributed name scheme that rewards the people spending time answering queries and validating everyone else's names. something like https://en.bitcoin.it/wiki/Namecoin . But the chances of general acceptance of that are pretty low.
If you have internal systems facing the internet where just using the right domain name would unveil what is inside to all the world, the one that "broke it" is you, either by designing "security" that way or choosing vendors that force you to work that way. Depending on the ignorance of the remote side is a bad security measure (or better, is a good insecurity measure).
In fact, it is probably good that something makes evident that you have an open insecure system on the internet. The bad guys (including NSA and associated companies) are already aware of this, so if something actually forces you to fix it, that will be something positive (but take a review of those exposed systems; the odds that they have been exploited in a non immediately obvious way are not low).
Not being able to print is the tip of the iceberg. That was one example of a local resource being blocked by stupid VPN dogmatism. There are many more! Here's one: You have an end user who needs to VPN-connect from a business partner site to use a single app. You've forced all the traffic from the end user through the VPN tunnel (as advocated in the post inspiring the rant) so now the end user cannot reach his local mail server. If you create some baroque combination of filters so that painfully slow access to the local mailserver works by routing traffic through the WAN and back again, so a year later when the mail service configuration changes on the local site the VPNs all have to be reconfigured - and the email admins do not know this, of course, so it's designed to fail.
It's impossible to set up a WAN link to an independently administered network without talking to the other end of the connection, so why in the world would you assume nobody has asked? Of course the question's been asked.
Smart IP netadmins have used only IANA registered names since before Jon Postel died, and smart WAN admins don't use one-size-fits-all security solutions that wreck end-user productivity.
They should have anticipated it on January 30, 1998, when the NTIA announced it wanted an ICANN like body. Multistakeholder my ass. I remember the farce those first elections were.
Hell, they should have anticipated THAT in 1982. Or maybe they did.
Oh, look, there's a Google Streetview car! Yeah, that's me waving. No, I promise I wasn't flipping you a bird:-)
Old news. This has been an issue for YEARS.
Microsoft used to use and even advocate .local in many of its articles and educational documentation even after it became used by Multicast DNS / mDNS and other systems (http://en.wikipedia.org/wiki/.local)
It was only recently that they stopped, when the SSL registrars would no longer accept .local for certificates.
I have also seen several networks using .int for internal domains even though those were used for international organizations for a LONG time. Same as with .local and SSL, it is when these companies finally understand that the RFCs are there for a reason... :-)
--
Time is on my side
It might be worthwhile to define some "reserved" TLDs for private use, as we have 10/8, 192.168/16, 172.16/18 for IP addresses, so we can ensure that anybody using a reserved TLD does not have to worry about it being allocated in the future.