Feeds

back to article Top level domain explosion could wreak MAYHEM on NET

A plan to populate the internet with hundreds or thousands of new top-level domains has security researchers pondering some of the unintended consequences that could be exploited by online criminals. Some of the scenarios aren't pretty. Consider the mayhem that might result from addresses that end in “exchange,” “mailserver,” “ …

COMMENTS

This topic is closed for new posts.

Page:

Anonymous Coward

Such drama

Open up the TLDs

0
3

Open up the DNS

Seriously, there's no reason why there has to be just one. Start your own, get a few ISPs on board, offer plebs instructions on how to start using it, and bob's your uncle. Now you can define your own TLD policy, and peer with the 'mainstream' DNS whenever you wish. Or, make client software which uses its own resolver implementation.

I'm kind-of surprised that Google, Apple, and Microsoft haven't already done this. A tick-box in the browser config to say 'use Google-DNS' is all that it would take to divert most users' queries most of the time. There's no reason why ICANN has to be a monopoly provider for name resolution.

1
4
wag
Coat

re Open up the DNS

So what you're suggesting is, if ICANN can, I can too. So I can can ICANN. Uncanny.

5
0
Silver badge
WTF?

What the heck?

Is the point just to try to get as much money as possible or what?

A fee of $185'000 is NOTHING. There are thousands of companies that can easily shell out the money. If this goes through, you can expect a land grab of epic proportions, bringing domain squatting to a new level. What is the point?

4
0

What is the point?

$185,000 times thousands of companies times several to many different applications, perhaps?

0
0
Thumb Down

ICAAN- Daft as a brush

Daft Idea.

There is no need or much demand for this any way. And I mean the only organisation that i have ever notice use ".eu " is the european union itself.

0
1

Not a "daft" idea...

It's a daft idea, but an inequitable one.

One internet for the rich, with any name you choose, and another for us plebs. It favours the big companies over small ones, the haves over the have nots. It also reaches into the future and sticks its fingers up at nations not yet in existence, because what's going to be left for them as their national TLDs?

1
0
FAIL

.eu IS in use

Everytime I need to amend my expenses claims or book holiday at work I have to use out HR systems suppliers site that is <ourcompany>.<theircompany>.EU

Actually I use quite a few services on EU domains.

0
0
Devil

You get whatever Xmas you deserve

That is what you get when you put registrars in charge of DNS infrastructure. First internationalised domain names, now this.

The more domains companies like Coca Cola have to register to protect their brands and trademarks the merrier. For them.

And security be damned. In fact it was damned long ago:

Is this: НSВС ???

F*** No, it is Cyrillic N, S, Cyrillic V, Cyrillic S.

Did anyone care? No. This is from the same songbook. Will anyone besides security geeks care? No. It will be railroaded through as it means more money for the domain names scam.

4
0
Bronze badge
Paris Hilton

Ian?

How many people or companies have something named Ian (Apart from Ian)?

Am I missing something that I probably should have Googled before looking stupid?

0
0

No, you're not stupid, but many MANY font designers are.

If:

Ian

and:

lan

look the same on your system, delete whichever font you're currently using.

Sometimes serifs are there for a reason.

1
0
Boffin

What, all of them?

You want him to delete all the sans-serif fonts?

1
0
wag

LAN not IAN

as in "local area network"

0
0

I suppose not.

OK, deleting might be an overreaction (I suspect this might not even be possible for some of the default Windows fonts); but, if you care about having unambiguous information in your browser's address bar (or anywhere else), then make sure to use a suitable font.

Trebuchet seems to be an acceptable compromise, it's not too serif-y, but at least the l isn't just a vertical line.

0
0
Devil

Russian Roulette

Humm. Those three sites work just fine for me with Konqueror on Debian. I'm not sure whether to be scared or pleased...

0
1
Silver badge

F-Secure talking Bollocks?

F-Secure Chief Research Officer Mikko Hypponen recently speculated on the damage that could be done with a TLD consisting of the number 1, since it would allow the owner to create a routable host called 127.0.0.1, the IP address for “localhost.”

IIRC you can't register a domain name with just digits you have to have at least one non numeric character in the name.

0
0
Anonymous Coward

You mean

like 192.com for example?

2
0

Resolve

Why would any browser or OS use a DNS lookup for something that fits the pattern of an IP? I can't believe any browser out there doesn't attempt to go direct to IP addresses, so his example is a fail - but it does highlight the kind of attacks that people will be thinking about,

0
0
Silver badge
Devil

Internet Explorer seems to

If you don't manually put the http:// or ftp:// etc before a raw IP address, IE 7 and 8 appears to try to do a DNS lookup on it.

So yes, some browsers really do appear to be that stupid.

You might argue that you should also specify the protocol, but did you *really* type "http://www.theregister.co.uk" to get here? Or did you do let your browsers autocorrect figure much or part of that out, like eveybody else.

0
0
Boffin

So whose DNS is it anyway ?

If ICANN were able to dictate the design of DNS resolvers, presumably they could impose resolution of single label DNS queries such as http://nike/ or sales@nike into MX, A or AAAA records. But that isn't how it works. Designers of DNS software, and operating system library designers are very likely to choose to be less obliging for the security reasons described in the otherwise fine article. Tough luck on any marketing droid who reckons a $185K application fee will get them single label names if the software is changed to block resolution of these.

So how long would it take me to edit and recompile gethostbyname() to something which blocks external resolution of single label names if I don't want to let rich single label name marketing wet dreams to compromise my LAN ?

Another approach might be to have the root zone compiled by a more responsible party than ICANN. This zone is a very small file which doesn't change very often, and it doesn't take much effort to write a shell script making use of dig to enumerate the current version. All that would take would be for the relatively few engineers who develop and distribute DNS client and resolver software to agree on a better root zone provider.

2
0
Anonymous Coward

Might actually do the same!

Of course means I won't be able to type 'nike' in and go to nike, but then I don't think I've ever even typed nike into the address bar before anyway

0
0
Pirate

I see someone's called the WHAmbulance...

It's the same group of people that's been crowing about the imminent death of IPv4 for the past... 10 (10? 15? something like that) years.

Give it six months and something will get worked out.

1
0
Silver badge
Facepalm

Bonjour!

I've seen localhost and localdomain on practically every Linux box I've had but If only I could think of where it was I saw .local being used as a domain. Was it myPhone or Mac's Book? Bah, it'll come to me sooner or later, probably along with a thunk to the side of the head.

Seriously, given this is set up as the playground for the wealthy it would behoove the likes of Apple, Microsoft, Red Hat (or a Linux consortium) and others to do something sensible like be first on the list for the domains they use as defaults. That way at least folks will know who is reading their mail... and zeroconfing a peak at all the questionably legal material going about your home network.

1
0
Silver badge
Flame

Who cares?

The security risk comes a long way down the list of why this is a buck stupid idea entirely designed to make stacks of cash for ICANN.

Why exactly are these morons being given the Internet as their personal cash-cow anyway?

4
0
Bronze badge

potential for problems here

The problem with IE placing domains into the intranet zone is a real issue. IE will automatically attempt NTLM for any sites in that zone and the zone is simply any site without a dot in the domain name.

When computers are on your internal network they should be using search domains so any lookup for a single word is actually looked up with your domain suffix. Since we're all using domains we own or ones that end in something.local there shouldn't be an issue. Your computer will try appending the search domain first before falling back to looking up just the single word.

0
0
Facepalm

XP is passé

"Using a Windows XP SP3 computer, The Register was unable to reach any of the three sites above."

I am proud to report that my super modern OS, Windows 7 SP1 x64 is very happily resolving http://ac/

The older the OS is, the more secure it seems. Any one tried Windows 3.11 yet?

0
0
WTF?

so this is over ..

whether it's "single label" or ".TLD" ?

IOW, using the example, whether it's "@nike" vs "@.nike" or "http://nike" vs "http://www.nike" or having to have some subdomain in the address like all other TLDs ?

really ? .. just don't allow single label to resolve .. all other TLDs require "." , I could care less that it might be required to be @sales.nike or www.nike or shoes.nike to resolve

also .. there are critical .com file extensions in Windows .. how come there isn't a big security problem with that ( other than fools that open an email attachment with .com thinking it's a websile link ;-0)

0
1
Facepalm

keh

Critical .com file extensions in Windows.... how com there isn't a big security problem with that....

Words.....fail.....me

1
0
Headmaster

@ flybert

" I could care less that it mightbe requiredtobe @sales.nikeorwww.nike or shoes.nike to resolve"

You mean you COULDN'T care less.

What you said means the opposite of what you mean.

0
0

Unless

Unless you expand it to the full "I could care less... but not by very much" ;)

2
0
Headmaster

meh ( grammar that )

of course I could care less, and would not have posted about the subject |;-0

1
0
Stop

The price of vanity?

This expansion of TLDs is a reallly terrible idea.

It seems like a cash cow for milking the same kind of idiots that get off on personalized number plates who somehow think it is cool to advertise their shallowness...

Single word domains will be difficult to recognize as part of netspace without protocol designations.

As for validation, it is already difficult enough to fully validate email addresses, which rely on having at least 1 dot embedded in the domain part, as well as a regexp to make seasoned unix programmers cry.

http://company.com or co.uk, eu, etc do the job perfectly well, are recognizeable and give some clue as to a domains category. For instance, *.info, *.biz, *.tv are just most likely spam sites that can be safely ignored.

Leaking single word domains onto the net is a bad idea - at least a dot gives some kind of defence.

2
0
Anonymous Coward

You gotta love it

One of the reasons given for .xxx is that it would make it easier to block porn as you'd just block the TLD.

Next thing we know, could be giving them the ability to resolve if you just type tits into the address bar?

Actually, changed my mind I'm all for it!

0
0
FAIL

Ahh so youre one of *those* halfwits

I run a ligitimate business and when we started up we registered a .info ( we now have the full deck)

Emails bounced, not delivered, unable to use websites because of asshats like you making that assumption. So please take your assumption somewhere else a place it where the sun shineth not.

In all serious enough its a big enough problem with people doing things like that plus a number of high profile websites didnt/do not accept .info as a valid TLD. This is just going to turn into a complete total and utter nightmare. As it is we deprciated the .info for the .ca .co.uk and .com domains we have as they work as they should.

0
0
Anonymous Coward

congratulations on your success!

but I would not recommend anyone to start a business with a .info domain and be expected to be taken as seriously as with a reasonable sounding .com domain.

Any new tld provides a land-grabbing opportunity for criminals to get respectable sounding domains, because all the respectable-sounding .coms went years ago, by likely respectable companies.

Blame the spam/trojan/bot industry for sullying and infecting .info et al domains with dangerous shite... My "assumption" is based on the facts as I have seen them - analysis of the hundreds of thousands of spam messages trying (and failing) to get through my systems for the last 15 years.

0
0

ac, io and tm

ac, io and tm all work with just the tld under firefox 5 running on Windows 7 as well as on Mac and Ubuntu

0
0
Bronze badge

Not my finding on Win7/FF5

All typed in full (eg http://ac/), none resolved - instead got ac.com and so on. Can't ping any of them either (host not found).

Wonder what's different?

0
0
Bronze badge

Test

I just tried the three 2 letter examples that were given and connected without problems using firefox on OS/2

1
0
Stop

TLDs

Leave the top domains alone.

If someone can't be bothered to add 4 to 6 letters to address, he certainly won't be bothered to check if security is right.

0
0

Title

Why not just prohibit the senistive words from new domains? Or even better, stop ****ing with the internet altogether?

1
0

Already too late?

Aren't any of these "security issue" TLDs already an issue with a poisoned DNS server?

0
0
Anonymous Coward

Re: Already too late?

The issue there is the poisoned DNS server, not the TLD.

The TLD might exacerbate the problem but it isn't the real issue.

0
0
Boffin

Security devie

For corporate network, just like you explicitly allow outbound connection to IP's and ports, I would implement a DNS security proxy that will block DNS requests to TLD's that are questionable.

For personal/home users, I'm sure security products will provide some functionality to block DNS that would otherwise be assumed local which in fact direct users outside the current network scope.

Maybe ICANN won't sell these types of sensitive TLD's or most likely any hacker won't have the $100,000 dollars to buy these TLD's, and those that do and subsequently expose users then ICANN or governments will have the power to get that domain blocked.

This isn't half as stupid as the peer to peer DNS idea that was proposed some time ago

0
0
FAIL

Says it all.

“It's a bunch of FUD,” he said, referring to the scenarios painted by Ray and other critics. “Yes, if domains like wpad or localhost or localdomain were assigned, bad things might happen. Those domains aren't going to get assigned. It's not like there aren't layers of approval that have to go in place to get a top level domain.”

Says it all.

3
1
Anonymous Coward

Re: Says it all

Its not just the obvious domains like wpad or localhost.

I've seen companies internally use TLDs such as:

private dhcp boot ftp

Which could all be considered obvious, but how about

beech wilson mint

Which used the names of the buildings the computers where located in as the TLD

Internally, some companies have used pretty much any naming scheme you can think of as the TLD for their internal servers. These will all be at risk.

0
0
Anonymous Coward

And what about those of us

who have used .starfleet?

NCC-1701-D.starfleet should resolve to the server and not to some subdomain at a new TLD.

Admittedly, shouldn't have set it up that way but given that originally there was never any possibility of .starfleet becoming a TLD the geek inside me just couldn't resist!

0
0
Thumb Down

Thanks for all the anti-recommendations

I happen to think that the new TLDs are a dreadful idea, but anyone who had bothered to read the relevant parts of the ICANN draft applicant's guidebook would know that there is no possibility whatsoever of TLDs like the ones discussed in this article being assigned. On page 2-8 it explicitly lists LOCAL and LOCALHOST in a table of reserved names, and on pages 2-9 and 2-10 it describes the DNS Stability Review that is exactly about funky names like these.

So thanks for providing this handy list of people who spout nonsense about DNS "security" without doing even a little bit of reading to see if they know what they're talking about.

3
1

Down to the browser & OS, surely?

The browser and OS makers need to distinguish between a local host and a TLD and put in appropriate checks.

Trusting an endpoint just because it doesn't have a domain is a bit risky anyway. If someone connects to a random access point, it can easily have a DNS that resolves mailhost or whatever.

I'd also think that spending over $100k on a TLD would create a paper trail back to any perps - it's a bit like trying to buy a house undetectably.

0
0
Anonymous Coward

poor .xxx

There's no reason for it to exist any more.

Why bother registering playboy.xxx when you could just own .playboy ???

I personally think they should have gone the other direction; that is remove all of the non country-specific TLDs (.com .net .edu .gov .mobi .biz, etc) and force them into countrycode TLDs: .com.us .net.us, etc.

2
0
Silver badge
Stop

Flaw

It's a real dumbass idea (in my opinion) to offer up all these TLDs, and expecting known names to pony up good cash to "protect" their name is tantamount to extortion.

However... Surely if you owned the domain .1 and had people pointed to 127.0.0.1, any decent DNS client would interpret that as a numeric IP and not even bother trying to look it up?

1
0

Page:

This topic is closed for new posts.