Top level domain explosion could wreak MAYHEM on NET

A plan to populate the internet with hundreds or thousands of new top-level domains has security researchers pondering some of the unintended consequences that could be exploited by online criminals. Some of the scenarios aren't pretty. Consider the mayhem that might result from addresses that end in “exchange,” “mailserver,” “ …

COMMENTS

This topic is closed for new posts.

  1. Anonymous Coward

    Such drama

    Open up the TLDs

    1. Anonymous Coward

      Open up the DNS

      Seriously, there's no reason why there has to be just one. Start your own, get a few ISPs on board, offer plebs instructions on how to start using it, and bob's your uncle. Now you can define your own TLD policy, and peer with the 'mainstream' DNS whenever you wish. Or, make client software which uses its own resolver implementation.

      I'm kind-of surprised that Google, Apple, and Microsoft haven't already done this. A tick-box in the browser config to say 'use Google-DNS' is all that it would take to divert most users' queries most of the time. There's no reason why ICANN has to be a monopoly provider for name resolution.

      1. wag
        Coat

        re Open up the DNS

        So what you're suggesting is, if ICANN can, I can too. So I can can ICANN. Uncanny.

  2. ratfox
    WTF?

    What the heck?

    Is the point just to try to get as much money as possible or what?

    A fee of $185'000 is NOTHING. There are thousands of companies that can easily shell out the money. If this goes through, you can expect a land grab of epic proportions, bringing domain squatting to a new level. What is the point?

    1. unitron

      What is the point?

      $185,000 times thousands of companies times several to many different applications, perhaps?

  3. jacobbe
    Thumb Down

    ICANN - Daft as a brush

    Daft Idea.

    There is no need or much demand for this anyway. And I mean the only organisation that I have ever noticed use ".eu" is the European Union itself.

    1. The Indomitable Gall

      Not a "daft" idea...

      It's a daft idea, but an inequitable one.

      One internet for the rich, with any name you choose, and another for us plebs. It favours the big companies over small ones, the haves over the have nots. It also reaches into the future and sticks its fingers up at nations not yet in existence, because what's going to be left for them as their national TLDs?

    2. Stu_The_Jock
      FAIL

      .eu IS in use

      Every time I need to amend my expenses claims or book holiday at work I have to use our HR systems supplier's site that is <ourcompany>.<theircompany>.EU

      Actually I use quite a few services on EU domains.

  4. Anonymous Coward
    Devil

    You get whatever Xmas you deserve

    That is what you get when you put registrars in charge of DNS infrastructure. First internationalised domain names, now this.

    The more domains companies like Coca Cola have to register to protect their brands and trademarks the merrier. For them.

    And security be damned. In fact it was damned long ago:

    Is this: НSВС ???

    F*** No, it is Cyrillic N, S, Cyrillic V, Cyrillic S.

    Did anyone care? No. This is from the same songbook. Will anyone besides security geeks care? No. It will be railroaded through as it means more money for the domain names scam.
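The lookalike string in the comment above mixes Cyrillic and Latin letters in one label. The following is an added example, not part of the original thread, showing how a registry-side or mail-gateway check could flag such labels; the function names, the small lookalike table and the sample label (built from the characters the comment lists) are constructed for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones;
# a production check would use the full Unicode confusables data.
CYRILLIC_LOOKALIKES = {
    "\u041d": "H", "\u0412": "B", "\u0421": "C", "\u0410": "A",
    "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0425": "X",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x",
}


def scripts_in(label):
    """Return the set of scripts used by the letters of one DNS label."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and hyphens are shared by every script
        # Unicode character names start with the script, e.g. "CYRILLIC ..."
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label):
    """Fold known lookalikes to Latin so visually equal labels compare equal."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label).casefold()


def review_label(label, protected_names):
    """List the reasons a label deserves a second look (empty list = none)."""
    findings = []
    scripts = scripts_in(label)
    if len(scripts) > 1:
        findings.append("mixed-script: " + "+".join(sorted(scripts)))
    for name in protected_names:
        same_look = skeleton(label) == name.casefold()
        same_text = label.casefold() == name.casefold()
        if same_look and not same_text:
            findings.append("lookalike-of: " + name)
    return findings


if __name__ == "__main__":
    # Constructed sample: Cyrillic EN, Latin S, Cyrillic VE, Cyrillic ES
    sample = "\u041dS\u0412\u0421"
    print(review_label(sample, ["HSBC"]))
    print(review_label("HSBC", ["HSBC"]))
```
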

  5. John G Imrie

    F-Secure talking Bollocks?

    F-Secure Chief Research Officer Mikko Hypponen recently speculated on the damage that could be done with a TLD consisting of the number 1, since it would allow the owner to create a routable host called 127.0.0.1, the IP address for “localhost.”

    IIRC you can't register a domain name with just digits; you have to have at least one non-numeric character in the name.

    1. Anonymous Coward

      You mean

      like 192.com for example?

    2. Ian Yates

      Resolve

      Why would any browser or OS use a DNS lookup for something that fits the pattern of an IP? I can't believe any browser out there doesn't attempt to go direct to IP addresses, so his example is a fail - but it does highlight the kind of attacks that people will be thinking about.

      1. Richard 12 Silver badge
        Devil

        Internet Explorer seems to

        If you don't manually put the http:// or ftp:// etc before a raw IP address, IE 7 and 8 appear to try to do a DNS lookup on it.

        So yes, some browsers really do appear to be that stupid.

        You might argue that you should also specify the protocol, but did you *really* type "http://www.theregister.co.uk" to get here? Or did you let your browser's autocorrect figure much or part of that out, like everybody else?

  6. Captain Scarlet Silver badge
    Paris Hilton

    Ian?

    How many people or companies have something named Ian (Apart from Ian)?

    Am I missing something that I probably should have Googled before looking stupid?

    1. lIsRT

      No, you're not stupid, but many MANY font designers are.

      If:

      Ian

      and:

      lan

      look the same on your system, delete whichever font you're currently using.

      Sometimes serifs are there for a reason.

      1. Liam Thom
        Boffin

        What, all of them?

        You want him to delete all the sans-serif fonts?

        1. lIsRT

          I suppose not.

          OK, deleting might be an overreaction (I suspect this might not even be possible for some of the default Windows fonts); but, if you care about having unambiguous information in your browser's address bar (or anywhere else), then make sure to use a suitable font.

          Trebuchet seems to be an acceptable compromise, it's not too serif-y, but at least the l isn't just a vertical line.

    2. wag

      LAN not IAN

      as in "local area network"

  7. Danny 4
    Devil

    Russian Roulette

    Humm. Those three sites work just fine for me with Konqueror on Debian. I'm not sure whether to be scared or pleased...

  8. J. Cook Silver badge
    Pirate

    I see someone's called the WHAmbulance...

    It's the same group of people that's been crowing about the imminent death of IPv4 for the past... 10 (10? 15? something like that) years.

    Give it six months and something will get worked out.

  9. Eddy Ito
    Facepalm

    Bonjour!

    I've seen localhost and localdomain on practically every Linux box I've had, but if only I could think of where it was I saw .local being used as a domain. Was it myPhone or Mac's Book? Bah, it'll come to me sooner or later, probably along with a thunk to the side of the head.

    Seriously, given this is set up as the playground for the wealthy it would behoove the likes of Apple, Microsoft, Red Hat (or a Linux consortium) and others to do something sensible like be first on the list for the domains they use as defaults. That way at least folks will know who is reading their mail... and zeroconfing a peek at all the questionably legal material going about your home network.

  10. copsewood
    Boffin

    So whose DNS is it anyway ?

    If ICANN were able to dictate the design of DNS resolvers, presumably they could impose resolution of single label DNS queries such as http://nike/ or sales@nike into MX, A or AAAA records. But that isn't how it works. Designers of DNS software, and operating system library designers are very likely to choose to be less obliging for the security reasons described in the otherwise fine article. Tough luck on any marketing droid who reckons a $185K application fee will get them single label names if the software is changed to block resolution of these.

    So how long would it take me to edit and recompile gethostbyname() to something which blocks external resolution of single label names if I don't want to let rich single label name marketing wet dreams compromise my LAN ?

    Another approach might be to have the root zone compiled by a more responsible party than ICANN. This zone is a very small file which doesn't change very often, and it doesn't take much effort to write a shell script making use of dig to enumerate the current version. All that would take would be for the relatively few engineers who develop and distribute DNS client and resolver software to agree on a better root zone provider.

    1. Anonymous Coward

      Might actually do the same!

      Of course means I won't be able to type 'nike' in and go to nike, but then I don't think I've ever even typed nike into the address bar before anyway.

  11. Anonymous Coward
    Flame

    Who cares?

    The security risk comes a long way down the list of why this is a buck stupid idea entirely designed to make stacks of cash for ICANN.

    Why exactly are these morons being given the Internet as their personal cash-cow anyway?

  12. UBfusion
    Facepalm

    XP is passé

    "Using a Windows XP SP3 computer, The Register was unable to reach any of the three sites above."

    I am proud to report that my super modern OS, Windows 7 SP1 x64 is very happily resolving http://ac/

    The older the OS is, the more secure it seems. Anyone tried Windows 3.11 yet?

  13. Fuzz

    potential for problems here

    The problem with IE placing domains into the intranet zone is a real issue. IE will automatically attempt NTLM for any sites in that zone and the zone is simply any site without a dot in the domain name.

    When computers are on your internal network they should be using search domains so any lookup for a single word is actually looked up with your domain suffix. Since we're all using domains we own or ones that end in something.local there shouldn't be an issue. Your computer will try appending the search domain first before falling back to looking up just the single word.
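Several comments in this thread turn on the same three cases: a string that is already an IP address, a single-label name, and a dotted name. The following is an added example, not code from any commenter, browser or resolver, sketching the policy discussed: never send an IP literal to DNS, expand single labels through the search domains first, and refuse to query a bare single label externally unless explicitly allowed. The function names and `corp.example.com` are hypothetical.

```python
import ipaddress


def classify(name):
    """Return 'ip-literal', 'single-label' or 'multi-label' for user input."""
    try:
        ipaddress.ip_address(name.strip("[]"))  # brackets wrap IPv6 in URLs
        return "ip-literal"
    except ValueError:
        pass
    labels = [part for part in name.rstrip(".").split(".") if part]
    if not labels:
        raise ValueError("empty host name")
    return "single-label" if len(labels) == 1 else "multi-label"


def lookup_candidates(name, search_domains, allow_bare_single_label=False):
    """Return the fully qualified names to query, in order.

    An empty list means nothing is sent to DNS: either the input is an
    address already, or policy blocks the only possible query.
    """
    kind = classify(name)
    if kind == "ip-literal":
        return []  # connect directly; a TLD named "1" never gets a look-in
    rooted = name.rstrip(".") + "."
    if kind == "multi-label":
        return [rooted]
    if name.endswith("."):
        # Explicitly rooted single label such as "nike.": no search expansion
        return [rooted] if allow_bare_single_label else []
    candidates = [f"{name}.{domain.strip('.')}." for domain in search_domains]
    if allow_bare_single_label:
        candidates.append(rooted)  # fallback that can reach a public TLD
    return candidates


if __name__ == "__main__":
    search = ["corp.example.com"]  # hypothetical internal search domain
    for host in ["127.0.0.1", "mailserver", "ac", "nike.", "www.nike"]:
        print(host, classify(host), lookup_candidates(host, search))
```

With `allow_bare_single_label` left at its default, a name like `mailserver` can only ever resolve inside the configured search domains.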

  14. Flybert
    WTF?

    so this is over ..

    whether it's "single label" or ".TLD" ?

    IOW, using the example, whether it's "@nike" vs "@.nike" or "http://nike" vs "http://www.nike" or having to have some subdomain in the address like all other TLDs ?

    really ? .. just don't allow single label to resolve .. all other TLDs require "." , I could care less that it might be required to be @sales.nike or www.nike or shoes.nike to resolve

    also .. there are critical .com file extensions in Windows .. how come there isn't a big security problem with that ( other than fools that open an email attachment with .com thinking it's a website link ;-0)

    1. Anonymous Coward
      Facepalm

      keh

      Critical .com file extensions in Windows.... how com there isn't a big security problem with that....

      Words.....fail.....me

    2. DRendar
      Headmaster

      @ flybert

      " I could care less that it might be required to be @sales.nike or www.nike or shoes.nike to resolve"

      You mean you COULDN'T care less.

      What you said means the opposite of what you mean.

      1. CD001

        Unless

        Unless you expand it to the full "I could care less... but not by very much" ;)

      2. Flybert
        Headmaster

        meh ( grammar that )

        of course I could care less, and would not have posted about the subject |;-0

  15. mark l 2 Silver badge

    ac, io and tm

    ac, io and tm all work with just the tld under firefox 5 running on Windows 7 as well as on Mac and Ubuntu

    1. Havin_it

      Not my finding on Win7/FF5

      All typed in full (eg http://ac/), none resolved - instead got ac.com and so on. Can't ping any of them either (host not found).

      Wonder what's different?

  16. Anonymous Coward
    Stop

    The price of vanity?

    This expansion of TLDs is a really terrible idea.

    It seems like a cash cow for milking the same kind of idiots that get off on personalized number plates who somehow think it is cool to advertise their shallowness...

    Single word domains will be difficult to recognize as part of netspace without protocol designations.

    As for validation, it is already difficult enough to fully validate email addresses, which rely on having at least 1 dot embedded in the domain part, as well as a regexp to make seasoned unix programmers cry.

    http://company.com or co.uk, eu, etc do the job perfectly well, are recognizable and give some clue as to a domain's category. For instance, *.info, *.biz, *.tv are just most likely spam sites that can be safely ignored.

    Leaking single word domains onto the net is a bad idea - at least a dot gives some kind of defence.

    1. Anonymous Coward

      You gotta love it

      One of the reasons given for .xxx is that it would make it easier to block porn as you'd just block the TLD.

      Next thing we know, could be giving them the ability to resolve if you just type tits into the address bar?

      Actually, changed my mind I'm all for it!

    2. Anonymous Coward
      FAIL

      Ahh so you're one of *those* halfwits

      I run a legitimate business and when we started up we registered a .info ( we now have the full deck)

      Emails bounced, not delivered, unable to use websites because of asshats like you making that assumption. So please take your assumption somewhere else and place it where the sun shineth not.

      In all seriousness, it's a big enough problem with people doing things like that, plus a number of high profile websites didn't/do not accept .info as a valid TLD. This is just going to turn into a complete total and utter nightmare. As it is we deprecated the .info for the .ca .co.uk and .com domains we have as they work as they should.

      1. Anonymous Coward

        congratulations on your success!

        but I would not recommend anyone to start a business with a .info domain and be expected to be taken as seriously as with a reasonable sounding .com domain.

        Any new tld provides a land-grabbing opportunity for criminals to get respectable sounding domains, because all the respectable-sounding .coms went years ago, by likely respectable companies.

        Blame the spam/trojan/bot industry for sullying and infecting .info et al domains with dangerous shite... My "assumption" is based on the facts as I have seen them - analysis of the hundreds of thousands of spam messages trying (and failing) to get through my systems for the last 15 years.

  17. Anonymous Coward

    Test

    I just tried the three 2 letter examples that were given and connected without problems using firefox on OS/2

  18. Sandy106

    Title

    Why not just prohibit the sensitive words from new domains? Or even better, stop ****ing with the internet altogether?

  19. Tomato42
    Stop

    TLDs

    Leave the top domains alone.

    If someone can't be bothered to add 4 to 6 letters to address, he certainly won't be bothered to check if security is right.

  20. Andy 36
    Boffin

    Security device

    For a corporate network, just like you explicitly allow outbound connections to IPs and ports, I would implement a DNS security proxy that will block DNS requests to TLDs that are questionable.

    For personal/home users, I'm sure security products will provide some functionality to block DNS that would otherwise be assumed local which in fact direct users outside the current network scope.

    Maybe ICANN won't sell these types of sensitive TLD's or most likely any hacker won't have the $100,000 dollars to buy these TLD's, and those that do and subsequently expose users then ICANN or governments will have the power to get that domain blocked.

    This isn't half as stupid as the peer to peer DNS idea that was proposed some time ago

  21. ysth

    Already too late?

    Aren't any of these "security issue" TLDs already an issue with a poisoned DNS server?

    1. Anonymous Coward

      Re: Already too late?

      The issue there is the poisoned DNS server, not the TLD.

      The TLD might exacerbate the problem but it isn't the real issue.

  22. John L
    Thumb Down

    Thanks for all the anti-recommendations

    I happen to think that the new TLDs are a dreadful idea, but anyone who had bothered to read the relevant parts of the ICANN draft applicant's guidebook would know that there is no possibility whatsoever of TLDs like the ones discussed in this article being assigned. On page 2-8 it explicitly lists LOCAL and LOCALHOST in a table of reserved names, and on pages 2-9 and 2-10 it describes the DNS Stability Review that is exactly about funky names like these.

    So thanks for providing this handy list of people who spout nonsense about DNS "security" without doing even a little bit of reading to see if they know what they're talking about.

  23. wwwhatsup
    FAIL

    Says it all.

    “It's a bunch of FUD,” he said, referring to the scenarios painted by Ray and other critics. “Yes, if domains like wpad or localhost or localdomain were assigned, bad things might happen. Those domains aren't going to get assigned. It's not like there aren't layers of approval that have to go in place to get a top level domain.”

    Says it all.

    1. Anonymous Coward

      Re: Says it all

      It's not just the obvious domains like wpad or localhost.

      I've seen companies internally use TLDs such as:

      private dhcp boot ftp

      Which could all be considered obvious, but how about

      beech wilson mint

      Which used the names of the buildings the computers were located in as the TLD

      Internally, some companies have used pretty much any naming scheme you can think of as the TLD for their internal servers. These will all be at risk.

      1. Anonymous Coward

        And what about those of us

        who have used .starfleet?

        NCC-1701-D.starfleet should resolve to the server and not to some subdomain at a new TLD.

        Admittedly, shouldn't have set it up that way but given that originally there was never any possibility of .starfleet becoming a TLD the geek inside me just couldn't resist!

  24. Rich 3

    Down to the browser & OS, surely?

    The browser and OS makers need to distinguish between a local host and a TLD and put in appropriate checks.

    Trusting an endpoint just because it doesn't have a domain is a bit risky anyway. If someone connects to a random access point, it can easily have a DNS that resolves mailhost or whatever.

    I'd also think that spending over $100k on a TLD would create a paper trail back to any perps - it's a bit like trying to buy a house undetectably.

  25. heyrick Silver badge
    Stop

    Flaw

    It's a real dumbass idea (in my opinion) to offer up all these TLDs, and expecting known names to pony up good cash to "protect" their name is tantamount to extortion.

    However... Surely if you owned the domain .1 and had people pointed to 127.0.0.1, any decent DNS client would interpret that as a numeric IP and not even bother trying to look it up?

  26. Anonymous Coward

    poor .xxx

    There's no reason for it to exist any more.

    Why bother registering playboy.xxx when you could just own .playboy ???

    I personally think they should have gone the other direction; that is remove all of the non country-specific TLDs (.com .net .edu .gov .mobi .biz, etc) and force them into countrycode TLDs: .com.us .net.us, etc.
