Slashdot Mirror


Generic TLDs Threaten Name Collisions and Information Leakage

CowboyRobot writes "As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than 1,000, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies. Two major issues could cause problems for companies: If domain names that are frequently used on a company's internal network — such as .corp, .mail, and .exchange — become accepted gTLDs, then organizations could inadvertently expose data and server access to the Internet. In addition, would-be attackers could easily pick up certificates for domains that are not yet assigned and cache them for use in man-in-the-middle attacks when the specific gTLD is deployed." Another way to look at it: why were they using invalid domains in the first place?

24 of 115 comments

  1. Whats worse.. by sjwt · · Score: 3, Insightful

    I used to work for a company where some uncommon but in-use domain names were being used on the intranet, and were overriding the Internet ones.. A real pain in the ass.

    --
    You have 5 Moderator Points!
    Which Helpless Linux zealot/MS basher do you want to mod down today?
    1. Re:Whats worse.. by Jeremiah+Cornelius · · Score: 3, Informative

      Q: "Why were they using invalid domains in the first place?"

      A: Two words: "Active Directory". .corp .labs .legal

      Planning a non-Internet accessible directory infrastructure with AD's Internet namespace rooting has commonly resulted in the deliberate planning for alternative, corporate designated roots, by IT departments. I'm not saying it is right or wrong, but I ran across this frequently in years consulting and doing pen/vuln.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  2. That's why I have been giving my internal by ls671 · · Score: 5, Insightful

    That's why I have been giving my internal domains silly names like .zyxprivnet for at least 15 years...

    It would be nice to reserve some domain names for internal use, though, just like internal IP addresses.

    --
    Everything I write is lies, read between the lines.
    1. Re:That's why I have been giving my internal by Chrisq · · Score: 4, Insightful

      It would be nice to reserve some domain names for internal use although, just like internal ip addresses.

      That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better ban them as prefixes so .private-kellogs and .private-audi, etc can never be registered on the internet.

    2. Re:That's why I have been giving my internal by Anonymous Coward · · Score: 5, Insightful

      oh, like .local ? >_>

    3. Re:That's why I have been giving my internal by mwvdlee · · Score: 3, Insightful

      http://tools.ietf.org/html/rfc2606
      You can use .test, .example, .localhost and .invalid.
      The use of these TLDs is somewhat defined and not quite similar to the "intranet"-type use you describe, but at least they're available for private use and nobody will bother you if you use, for example, ".invalid" for your internal domains.

      On the other hand, why not simply use subdomains of an actual domain name you own?
      If you own example.com, you could use intranet.example.com or perhaps privateserver.internal.example.com

      It would be nice if something like ".intranet" could be a reserved TLD.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:That's why I have been giving my internal by TheLink · · Score: 4, Interesting

      No. .local is for different usage:
      http://tools.ietf.org/html/rfc6762
      Sure took them a long while to reserve that too.

      I proposed reserving a "RFC1918" like TLD about 12+ years ago, but there was not enough interest: http://tools.ietf.org/html/draft-yeoh-tldhere-01

      I did try via the ICANN (emailed them to ask them to reserve it). But the ICANN were more interested in "yet another dotcom tld" like .biz .info.
      And I didn't have a spare USD100k lying around to apply for the TLD through ICANN, and give it to the world if I even succeeded in getting it.

      --
    5. Re:That's why I have been giving my internal by TheLink · · Score: 5, Insightful

      I actually tried to get a TLD reserved for "RFC1918" style use about 12+ years ago: http://tools.ietf.org/html/draft-yeoh-tldhere-01

      I also tried the ICANN but they weren't interested either. And when they approved stuff like .biz and .info, I got the impression they weren't really interested in improving the Internet from a technical aspect but more interested in $$$$. Did the creation of .biz etc. really help the Internet that much?

      Maybe others may have more success trying it now?

      --
    6. Re:That's why I have been giving my internal by jawtheshark · · Score: 3, Interesting

      On the other hand, why not simply use subdomains of an actual domainname you own?

      I do realize it's inconceivable, but some people do not own domain names. Well, I do, but they don't really match my internal naming scheme. So, my internal domain is something that wasn't valid until they came up with the stupid gTLD concept: shark species as hostname, domain "sharks" on my network and in a similar vein Kipling's Jungle Book characters as hostnames and "jungle" as domain for my parents' network. This works fine, looks pretty and works.

      Now of course, I could use jawtheshark.com for my internal network. As a direct consequence, I'd have to either slave my LAN DNS to a public DNS and expose my internal IP numbering to the world, or keep my LAN DNS manually synchronized with my global DNS. You see, all kinds of problems I didn't have because my internal domain was completely not used on the Internet. For my parents' network, I don't even have a domain name that would match the naming scheme. My dad has our surname.lu, but that hardly will match the jungle naming scheme. Well, I could just buy yet another domain name and use it only internally, but that's added cost I didn't use to have.

      The gTLD stuff is just stupid. That's my opinion.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    7. Re:That's why I have been giving my internal by TheLink · · Score: 3, Funny

      You can use .test, .example, .localhost and .invalid. ...and nobody will bother you if you use, for example, ".invalid" for your internal domains.

      Some CEOs and PHBs might ;).

      --
    8. Re:That's why I have been giving my internal by dissy · · Score: 4, Interesting

      I wonder which three letter organization icann will be giving .onion to :/

    9. Re:That's why I have been giving my internal by FireFury03 · · Score: 4, Insightful

      It would be nice to reserve some domain names for internal use although, just like internal ip addresses.

      That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better ban them as prefixes so .private-kellogs and .private-audi, etc can never be registered on the internet.

      I've always advocated using your own FQDN for internal networks. If you own example.com, then put your internal stuff on internal.example.com - dead easy, job done. This gets even easier with BIND's RPZ functionality - you don't even need the "internal" subdomain; you can just add/replace RRs in your main domain, which is rather useful where you want different servers to handle your internal and external access (e.g. mail.example.com can point at an internal mail server when inside your LAN, and an external mail server for anyone on the internet).

      However, a lot of people decide to use random TLDs for this instead - in particular I've got a number of customers, who under the advice of supposedly qualified network engineers set up their networks to operate on the .local TLD. This, of course, now becomes a problem since .local is normally used by mDNS, so we end up with conflicting names and all sorts of problems.

      I would guess you're relatively safe using .localnet (since traditionally localhost is localhost.localnet) if you really must use a non-globally-unique domain name, but IMHO it solves a lot of problems in the long run if you just use a proper FQDN for everything (not least because you don't end up with naming conflicts if you merge LANs together at a later date).

      Another thing to consider is: if you're basing your security on reverse DNS lookups then you're an idiot, since the attacker can trivially set their reverse DNS to anything, valid or not.
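
The three points raised across mwvdlee's comment (use RFC 2606 names or a subdomain of a domain you own), TheLink's (.local is RFC 6762 mDNS space) and FireFury03's comment above (arbitrary TLDs collide; reverse DNS is attacker-controlled) can be turned into a small audit. The following is an added example written for this mirror, not code from any poster or from BIND: it classifies a list of internal hostnames by collision risk and shows forward-confirmed reverse DNS, where a PTR name is accepted only if its own A record points back at the querying address. Every hostname, IP address and DNS record in it is constructed for the demo, and the `ptr_lookup`/`a_lookup` callbacks are hypothetical stand-ins for a real resolver so it runs offline.

```python
"""Added example (not from the thread): audit internal hostnames for gTLD
collision risk, and check reverse DNS the safe way (forward-confirmed).
All hostnames, IPs and DNS records below are constructed for the demo."""

import ipaddress

# RFC 2606 TLDs: never delegated on the public Internet, so safe from collision.
RFC2606_RESERVED = {"test", "example", "invalid", "localhost"}
# RFC 6762 reserves .local for multicast DNS; unicast zones there collide with mDNS.
MDNS_TLD = "local"


def classify_name(name, owned_domains):
    """Classify one hostname as 'owned', 'reserved', 'mdns-conflict' or
    'collision-risk'.  owned_domains is the set of registrable domains the
    organisation actually controls (e.g. {"example.com"})."""
    labels = name.rstrip(".").lower().split(".")
    for owned in owned_domains:
        owned_labels = owned.rstrip(".").lower().split(".")
        if labels[-len(owned_labels):] == owned_labels:
            return "owned"
    if len(labels) < 2:
        # A bare label depends on the resolver search list, so it can end up
        # under whatever suffix the client appends, including a public gTLD.
        return "collision-risk"
    tld = labels[-1]
    if tld in RFC2606_RESERVED:
        return "reserved"
    if tld == MDNS_TLD:
        return "mdns-conflict"
    # Anything else (.corp, .mail, .internal, ...) is an unreserved string that
    # ICANN could delegate, after which leaked queries leave the network.
    return "collision-risk"


def audit_names(names, owned_domains):
    """Group hostnames by classification so the risky ones can be renamed."""
    report = {}
    for name in names:
        report.setdefault(classify_name(name, owned_domains), []).append(name)
    return report


def forward_confirmed_rdns(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS.  Whoever controls the reverse zone for an
    address can put any name in its PTR record, so the name is only accepted if
    its own forward (A/AAAA) records point back at the same address.
    ptr_lookup(ip) -> list of names; a_lookup(name) -> list of addresses.
    Both are injected (hypothetical) so this runs offline; use a real resolver
    in practice."""
    addr = ipaddress.ip_address(ip)
    for ptr_name in ptr_lookup(ip):
        forward = {ipaddress.ip_address(a) for a in a_lookup(ptr_name)}
        if addr in forward:
            return True
    return False


# --- constructed sample data ------------------------------------------------
SAMPLE_NAMES = [
    "dc01.corp",                    # Active Directory forest on an unreserved TLD
    "printer.local",                # unicast use of the mDNS TLD
    "intranet.example.com",         # subdomain of a domain we own
    "mail.corporate",               # the kind of name a certificate might be issued for
    "build.invalid",                # RFC 2606 reserved
    "fileserver",                   # bare label, resolved via the search list
    "wiki.internal.example.com",
]
OWNED = {"example.com"}

# 192.0.2.10 is the real mail server.  203.0.113.7 is a host whose reverse zone
# someone else controls and has pointed at the same name; only forward
# confirmation tells the two apart.
FAKE_PTR = {"192.0.2.10": ["mail.example.com"], "203.0.113.7": ["mail.example.com"]}
FAKE_A = {"mail.example.com": ["192.0.2.10"]}


def fake_ptr_lookup(ip):
    return FAKE_PTR.get(ip, [])


def fake_a_lookup(name):
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for category, names in sorted(audit_names(SAMPLE_NAMES, OWNED).items()):
        print(f"{category:15s} {', '.join(names)}")
    for ip in ("192.0.2.10", "203.0.113.7"):
        ok = forward_confirmed_rdns(ip, fake_ptr_lookup, fake_a_lookup)
        print(f"{ip}: PTR {FAKE_PTR[ip][0]} {'confirmed' if ok else 'NOT confirmed'}")
```

Running it lists `dc01.corp`, `mail.corporate` and `fileserver` under collision-risk, `printer.local` under mdns-conflict, and confirms the PTR for 192.0.2.10 while rejecting the identical PTR claimed for 203.0.113.7. Feeding it the names from AD zone files, DHCP search lists and certificate subject alternative names is the quickest way to see how much of a network depends on strings nobody reserved.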

    10. Re:That's why I have been giving my internal by intermodal · · Score: 4, Interesting

      I think .biz was helpful, in that I don't trust any domain name that ends in .biz.

      --
      In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  3. Why not use real domains instead? by Keruo · · Score: 3, Informative

    Why use some random .local when you can use intra.company.com subdomain for the internal lan.
    It's much better to use a real domain which you actually own and will remember to renew.

    --
    There are no atheists when recovering from tape backup.
    1. Re:Why not use real domains instead? by ls671 · · Score: 3, Insightful

      Have you ever worked for IBM or any other big corporation? You will have to go through 7 levels of approval, impact analysis, cost analysis, get about 50 people involved etc. and wait several months, Nah ;-)

      Note that, of course, I always create subdomains when I have control of the domain or when it is easy to get in touch with the person who does. Read: smaller companies.

      --
      Everything I write is lies, read between the lines.
  4. I don't like numbers without context . . . by Mitchell314 · · Score: 4, Interesting

    Currently, 25 percent of queries to the domain name system are for devices and computers that do not exist, suggesting the companies are already leaking information to the Internet

    And how many of those are due to actual people as opposed to confused webcrawlers looking up dead links?

    "Oh hai, a new webpage. Lookie, a link. hddp://mywobsite.youspace.com/forum/?post=1. Oh, there's nothing there.
    Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=2. Oh, there's nothing there
    Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=3. Oh, there's nothing there"

    ...

    --
    I read TFA and all I got was this lousy cookie
    1. Re:I don't like numbers without context . . . by DriedClexler · · Score: 5, Interesting

      True. At the same time, though, I remember that for a while my favorite site was donotreply.com, where the owner would post emails he got as a result of organizations listing email addresses in the @donotreply.com domain. Apparently, even major security firms made it easy to accidentally reply confidential information to whoever happened to own donotreply.com.

      --
      Information theory is life. The rest is just the KL divergence.
  5. Unknown lamer unknowledgeable and lame, news at 11 by Anonymous Coward · · Score: 4, Insightful

    why were they using invalid domains in the first place?

    Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.

    Even without these objections, ICANN is just fscking around (for money, it ain't cheap to sup at their table), and blaming what the rest of the world may or may not have done is not really constructive here.

  6. Why open that can of worms at all? by Opportunist · · Score: 3, Insightful

    Seriously, the internet has reached a level of growth where ANY major change like that WILL invariably break something that grew along with it. And we didn't even reach the point yet where this alone is obviously a serious business advantage or drawback, depending on who gets certain TLDs. Who gets to have .mail? Who gets .web? Who is the lucky dog who gets that license to print money? And, worse, to keep certain people from using it at all, preferably those that would present a competitor to them?

    Who gets to use .$well_known_name? .exchange? .office? Or how about .gates? .jackson?

    If this does anything, it just opens up a new round of domain name turf wars and domain squatting. Only this time, there is no escape from the squatter. There is no $name.$land when $name.com is held for ransom.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. This is a BS article and masks the real issue by tlambert · · Score: 5, Informative

    This is a BS article.

    The main concern includes using internal gTLDs for internal use. In the article, they call this a "split brain DNS". When I wrote the IETF Draft, we called it "split horizon DNS". Implementing it requires specific modifications to a DNS server so that it can be both a forwarding server and an authoritative server at the "." level, and there is practically no DNS server out there which implements it. Certainly, the top 4 don't. In addition, browser completion into ".com" by default means that any typo will take you outside the company, so it's an idiotic example anyway.

    The real issue is that if there are 1000 TLDs, all the companies that stupidly equate the DNS namespace with the trademark namespace will, in order to "defend their trademarks", feel they have to register their trademarks as domain names with 1000's of registrars. They don't like this.

    As a pointed example, we used to maintain the top level DNS servers for free; it was a volunteer thing, and Paul Vixie did most of the work. Then the idiots at Dupont went off and registered over 400 domains in a single day, and that was it; that was too much work to expect the volunteers to do for free, and so they decided not to do so. Thereafter you paid for registration. Then people decided they could make a good profit at it, and instead of paying for a change to the TLD subdelegation record. And the whole "let's rent domain subdelegations of TLDs instead of selling them" was born.

    So back to Dupont... 400 domains * 1000 registrars * $30 average per year = $12M

    Expect legislation protecting trademarks across all TLDs to follow shortly on this whole fiasco.

  8. And more importantly... by ArsenneLupin · · Score: 4, Insightful

    ... why are certification agencies issuing certificates for such fake domains? Even if the domains remain non-existent, it's asking for trouble!

    Just imagine if company A asks for a certificate for mail.corporate, but then uses it for industrial espionage against company B's mail.corporate server...

  9. Re:Sooo... by Overzeetop · · Score: 4, Insightful

    The internet is critical infrastructure now.

    Would you suggest changing the mains voltage for the US power grid? "Evolving" to 220v would reduce substation transformer requirements and reduce copper usage in residential construction. Or perhaps people don't know how to use electricity properly, so screw them when nothing works.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  10. why were they using invalid domains in the first.. by tverbeek · · Score: 3, Informative

    "why were they using invalid domains in the first place?"

    Because they could. Because it was an easy solution. Because no one could imagine that ICANN would someday be so broken that .local or .office or .internal could ever possibly be a valid TLD.

    --
    http://alternatives.rzero.com/
  11. Re:Unknown lamer unknowledgeable and lame, news at by FireFury03 · · Score: 3

    why were they using invalid domains in the first place?

    Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.

    The answer is "because there are a lot of idiots passing themselves off as network engineers who actually don't have a clue". It's *never* been sane to pick arbitrary unreserved addresses in any network address space and assume they won't ever be used. And frankly I've seen this time and time again, including such craziness as people picking arbitrary unallocated IPv4 networks to use internally instead of RFC1918 networks, and then being surprised when things start breaking after those networks have been allocated out to a third party.