Slashdot Mirror

← Back to Stories (view on slashdot.org)

Generic TLDs Threaten Name Collisions and Information Leakage

Posted by Unknown on from the turns-out-bad-practices-bite-you dept.

CowboyRobot writes "As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than 1,000, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies. Two major issues could cause problems for companies: If domain names that are frequently used on a company's internal network — such as .corp, .mail, and .exchange — become accepted gTLDs, then organizations could inadvertently expose data and server access to the Internet. In addition, would-be attackers could easily pick up certificates for domains that are not yet assigned and cache them for use in man-in-the-middle attacks when the specific gTLD is deployed." Another way to look at it: why were they using invalid domains in the first place?

14 of 115 comments (clear)

  1. That's why I have been giving my internal by ls671 · · Score: 5, Insightful

    That's why I have been giving my internal domains silly like .zyxprivnet for at least 15 years...

    It would be nice to reserve some domain names for internal use although, just like internal ip addresses.

    --
    Everything I write is lies, read between the lines.
    1. Re:That's why I have been giving my internal by Chrisq · · Score: 4, Insightful

      It would be nice to reserve some domain names for internal use although, just like internal ip addresses.

      That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better ban them as prefixes so .private-kellogs and .private-audi, etc can never be registered on the internet.

    2. Re:That's why I have been giving my internal by Anonymous Coward · · Score: 5, Insightful

      oh, like .local ? >_>

    3. Re:That's why I have been giving my internal by TheLink · · Score: 4, Interesting

      No. .local is for different usage:
      http://tools.ietf.org/html/rfc6762
      Sure took them a long while to reserve that too.

      I proposed reserving a "RFC1918" like TLD about 12+ years ago, but there was not enough interest: http://tools.ietf.org/html/draft-yeoh-tldhere-01

      I did try via the ICANN (emailed them to ask them to reserve it). But the ICANN were more interested in "yet another dotcom tld" like .biz .info.
      And I didn't have a spare USD100k lying around to apply for the TLD through ICANN, and give it to the world if I even succeeded in getting it.

      --
    4. Re:That's why I have been giving my internal by TheLink · · Score: 5, Insightful

      I actually tried to get a TLD reserved for "RFC1918" style use about 12+ years ago: http://tools.ietf.org/html/draft-yeoh-tldhere-01

      I also tried the ICANN but they weren't interested either. And when they approved stuff like .biz, .info. I got the impression they weren't really interested in improving the Internet from a technical aspect but more interested in $$$$. Did the creation of .biz etc really help the Internet that much?

      Maybe others may have more success trying it now?

      --
    5. Re:That's why I have been giving my internal by dissy · · Score: 4, Interesting

      I wonder which three letter organization icann will be giving .onion to :/

    6. Re:That's why I have been giving my internal by FireFury03 · · Score: 4, Insightful

      It would be nice to reserve some domain names for internal use although, just like internal ip addresses.

      That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better ban them as prefixes so .private-kellogs and .private-audi, etc can never be registered on the internet.

      I've always advocated using your own FQDN for internal networks. If you own example.com, then put your internal stuff on internal.example.com - dead easy, job done. This gets even easier with Bind's RPZ functionality - you don't even need the "internal" subdomain; you can just add/replace RRs in your main domain, which is rather useful where you want different servers to handle your internal and external access (e.g. mail.example.com can point at an internal mail server when inside your LAN, and an external mail server for anyone on the internet).

      However, a lot of people decide to use random TLDs for this instead - in particular I've got a number of customers, who under the advice of supposidly qualified network engineers set up their networks to operate on the .local TLD. This, of course, now becomes a problem since .local is normally used by mDNS, so we end up with conflicting names and all sorts of problems.

      I would guess you're relatively safe using .localnet (since traditionally localhost is localhost.localnet) if you really must use a non-globally-unique domain name, but IMHO it solves a lot of problems in the long run if you just use a proper FQDN for everything (not least because you don't end up with naming conflicts if you merge LANs together at a later date).

      Another thing to consider is: if you're basing your security on reverse DNS lookups then you're an idiot, since the attacker can trivially set their reverse DNS to anything, valid or not.

      --
      http://blog.nexusuk.org
    7. Re:That's why I have been giving my internal by intermodal · · Score: 4, Interesting

      I think .biz was helpful, in that I don't trust any domain name that ends in .biz.

      --
      In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  2. I don't like numbers without context . . . by Mitchell314 · · Score: 4, Interesting

    Currently, 25 percent of queries to the domain name system are for devices and computers that do not exist, suggesting the companies are already leaking information to the Internet

    And how many of those are due to actual people as opposed to confused webcrawlers looking up dead links?

    "Oh hai, a new webpage. Lookie, a link. hddp://mywobsite.youspace.com/forum/?post=1. Oh, there's nothing there.
    Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=2. Oh, there's nothing there
    Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=3. Oh, there's nothing there"

    ...

    --
    I read TFA and all I got was this lousy cookie
    1. Re:I don't like numbers without context . . . by DriedClexler · · Score: 5, Interesting

      True. At the same time, though, I remember that for a while my favorite site was donotreply.com, where the owner would post emails he got as a result of organizations listing email addresses in the @donotreply.com domain. Apparently, even major security firms made it easy to accidentally reply confidential information to whoever happened to own donotreply.com.

      --
      Information theory is life. The rest is just the KL divergence.
  3. Unknown lamer unknowledgeable and lame, news at 11 by Anonymous Coward · · Score: 4, Insightful

    why were they using invalid domains in the first place?

    Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.

    Even without these objections, ICANN is just fscking around (for money, it ain't cheap to sup at their table), and blaming what the rest of the world may or may not have done is not really constructive here.

  4. This is a BS article and masks the real issue by tlambert · · Score: 5, Informative

    This is a BS article.

    The main concern incluse using internal gTLDs for internal use. In the article, they call this a "split brain DNS". When I wrote the IETF Draft, we called it "split horizon DNS". Implementing it requires specific modifications to a DNS server so that it can be both a forwarding server and an authoritative server at the "." level, and there is practically no DNS server out there which implements it. Certainly, the top 4 don't. In addition, browser completion into ".com" by default means that any typo will take you outside the company, so it's an idiotic example anyway.

    The real issue is that if there are 1000 TLDs, all the companies that stupidly equate the DNS namespace with the trademark namespace will, in order to "defend their trademarks" feel they have to register their trademarks as domain names with 1000's of registrars. The don't like this.

    As a pointed example, we used to maintain the top level DNS servers for free; it was a volunteer thing, and Paul Vixie did most of the work. Then the idiots at Dupont went off and registered over 400 domains in a single day, and that was it; that was too much work to expect the volunteers to do for free, and so they decided not to do so. Thereafter you paid for registration. Then people decided they could make a good profit at it, and instead of paying for a change to the TLD subdelegation record. And the whole "let's rent domain subdelegations of TLDs instead of selling them was born".

    So back to Dupont... 400 domains * 1000 registrars * $30 average per year = $12M

    Expect legislation protecting trademarks across all TLDs to follow shortly on this whole fiasco.

  5. And more importantly... by ArsenneLupin · · Score: 4, Insightful
    ... why are certification agencies issuing certificates for such fake domains? Even if the domains remain non-existant, it's asking for trouble!

    Just imagine if company A asks for a certificate for mail.corporate, but then uses it for industrial espionage against company B's mail.corporate server...

  6. Re:Sooo... by Overzeetop · · Score: 4, Insightful

    The internet is critical infrastructure now.

    Would you suggest changing the mains voltage for the US power grid? "Evolving" to 220v would reduce substation transformer requirements and reduce copper usage in residential construction. Or perhaps people don't know how to use electricity properly, so screw them when nothing works.

    --
    Is it just my observation, or are there way too many stupid people in the world?