Generic TLDs Threaten Name Collisions and Information Leakage

← Back to Stories (view on slashdot.org)

Generic TLDs Threaten Name Collisions and Information Leakage

Posted by Unknown on Monday July 15, 2013 @07:05PM from the turns-out-bad-practices-bite-you dept.

CowboyRobot writes "As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than 1,000, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies. Two major issues could cause problems for companies: If domain names that are frequently used on a company's internal network — such as .corp, .mail, and .exchange — become accepted gTLDs, then organizations could inadvertently expose data and server access to the Internet. In addition, would-be attackers could easily pick up certificates for domains that are not yet assigned and cache them for use in man-in-the-middle attacks when the specific gTLD is deployed." Another way to look at it: why were they using invalid domains in the first place?

8 of 115 comments (clear)

Min score:

Reason:

Sort:

That's why I have been giving my internal by ls671 · 2013-07-15 19:11 · Score: 5, Insightful

That's why I have been giving my internal domains silly like .zyxprivnet for at least 15 years...
It would be nice to reserve some domain names for internal use although, just like internal ip addresses.

--
Everything I write is lies, read between the lines.
1. Re:That's why I have been giving my internal by Chrisq · 2013-07-15 19:17 · Score: 4, Insightful
  
  It would be nice to reserve some domain names for internal use although, just like internal ip addresses.
  That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better ban them as prefixes so .private-kellogs and .private-audi, etc can never be registered on the internet.
2. Re:That's why I have been giving my internal by Anonymous Coward · 2013-07-15 19:17 · Score: 5, Insightful
  
  oh, like .local ? >_>
3. Re:That's why I have been giving my internal by TheLink · 2013-07-15 20:54 · Score: 5, Insightful
  
  I actually tried to get a TLD reserved for "RFC1918" style use about 12+ years ago: http://tools.ietf.org/html/draft-yeoh-tldhere-01
  I also tried the ICANN but they weren't interested either. And when they approved stuff like .biz, .info. I got the impression they weren't really interested in improving the Internet from a technical aspect but more interested in $$$$. Did the creation of .biz etc really help the Internet that much?
  Maybe others may have more success trying it now?
  --
  
  Too many replies beneath your current threshold
4. Re:That's why I have been giving my internal by FireFury03 · 2013-07-15 23:37 · Score: 4, Insightful
  
  It would be nice to reserve some domain names for internal use although, just like internal ip addresses.
  That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better ban them as prefixes so .private-kellogs and .private-audi, etc can never be registered on the internet.
  I've always advocated using your own FQDN for internal networks. If you own example.com, then put your internal stuff on internal.example.com - dead easy, job done. This gets even easier with Bind's RPZ functionality - you don't even need the "internal" subdomain; you can just add/replace RRs in your main domain, which is rather useful where you want different servers to handle your internal and external access (e.g. mail.example.com can point at an internal mail server when inside your LAN, and an external mail server for anyone on the internet).
  However, a lot of people decide to use random TLDs for this instead - in particular I've got a number of customers, who under the advice of supposidly qualified network engineers set up their networks to operate on the .local TLD. This, of course, now becomes a problem since .local is normally used by mDNS, so we end up with conflicting names and all sorts of problems.
  I would guess you're relatively safe using .localnet (since traditionally localhost is localhost.localnet) if you really must use a non-globally-unique domain name, but IMHO it solves a lot of problems in the long run if you just use a proper FQDN for everything (not least because you don't end up with naming conflicts if you merge LANs together at a later date).
  Another thing to consider is: if you're basing your security on reverse DNS lookups then you're an idiot, since the attacker can trivially set their reverse DNS to anything, valid or not.
  
  --
  http://blog.nexusuk.org
Unknown lamer unknowledgeable and lame, news at 11 by Anonymous Coward · 2013-07-15 19:35 · Score: 4, Insightful

why were they using invalid domains in the first place?
Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.
Even without these objections, ICANN is just fscking around (for money, it ain't cheap to sup at their table), and blaming what the rest of the world may or may not have done is not really constructive here.
And more importantly... by ArsenneLupin · 2013-07-15 20:58 · Score: 4, Insightful

... why are certification agencies issuing certificates for such fake domains? Even if the domains remain non-existant, it's asking for trouble!
Just imagine if company A asks for a certificate for mail.corporate, but then uses it for industrial espionage against company B's mail.corporate server...
Re:Sooo... by Overzeetop · 2013-07-15 22:41 · Score: 4, Insightful

The internet is critical infrastructure now.
Would you suggest changing the mains voltage for the US power grid? "Evolving" to 220v would reduce substation transformer requirements and reduce copper usage in residential construction. Or perhaps people don't know how to use electricity properly, so screw them when nothing works.

--
Is it just my observation, or are there way too many stupid people in the world?