Open up the TLDs
A plan to populate the internet with hundreds or thousands of new top-level domains has security researchers pondering some of the unintended consequences that could be exploited by online criminals. Some of the scenarios aren't pretty. Consider the mayhem that might result from addresses that end in “exchange,” “mailserver,” “ …
Seriously, there's no reason why there has to be just one. Start your own, get a few ISPs on board, offer plebs instructions on how to start using it, and bob's your uncle. Now you can define your own TLD policy, and peer with the 'mainstream' DNS whenever you wish. Or, make client software which uses its own resolver implementation.
I'm kind-of surprised that Google, Apple, and Microsoft haven't already done this. A tick-box in the browser config to say 'use Google-DNS' is all that it would take to divert most users' queries most of the time. There's no reason why ICANN has to be a monopoly provider for name resolution.
Is the point just to try to get as much money as possible or what?
A fee of $185,000 is NOTHING. There are thousands of companies that can easily shell out the money. If this goes through, you can expect a land grab of epic proportions, bringing domain squatting to a new level. What is the point?
It's a daft idea, but an inequitable one.
One internet for the rich, with any name you choose, and another for us plebs. It favours the big companies over small ones, the haves over the have nots. It also reaches into the future and sticks its fingers up at nations not yet in existence, because what's going to be left for them as their national TLDs?
That is what you get when you put registrars in charge of DNS infrastructure. First internationalised domain names, now this.
The more domains companies like Coca Cola have to register to protect their brands and trademarks the merrier. For them.
And security be damned. In fact it was damned long ago:
Is this: НSВС ???
F*** No, it is Cyrillic N, S, Cyrillic V, Cyrillic S.
Did anyone care? No. This is from the same songbook. Will anyone besides security geeks care? No. It will be railroaded through as it means more money for the domain names scam.
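The НSВС example in the post is a mixed-script label: Cyrillic letters standing in for Latin ones. The check below, an added example rather than anything from the page or from The Register, classifies each character by the script named in its Unicode name, flags a label that mixes scripts, and shows the punycode form a resolver actually sends; the sample labels are constructed for the demo.

```python
import unicodedata

# Constructed sample labels (not from the page's data): the first mimics the post's
# "НSВС" (Cyrillic Н, Latin S, Cyrillic В, Cyrillic С); the last swaps a Cyrillic 'а'
# into an otherwise Latin label. The middle two are plain ASCII controls.
SAMPLE_LABELS = ["НSВС", "hsbc", "example", "pаypal"]


def script_of(ch):
    """Coarse script of one character, taken from the first word of its Unicode name
    (e.g. 'CYRILLIC CAPITAL LETTER EN' -> 'CYRILLIC'). ASCII digits, hyphen and
    other non-letters are 'COMMON' so they never count as a second script."""
    if ch.isascii() and not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def scripts_in(label):
    """Set of scripts used by the letters of a label, ignoring COMMON characters."""
    return {script_of(c) for c in label} - {"COMMON"}


def is_mixed_script(label):
    """True when a single label mixes scripts (e.g. Cyrillic letters among Latin ones),
    the pattern behind the HSBC look-alike in the post."""
    return len(scripts_in(label)) > 1


def to_wire_form(label):
    """The ASCII (punycode, xn--) form that actually goes on the wire for an IDN label."""
    return label.encode("idna").decode("ascii")


def audit(labels):
    """Summarise each label: scripts present, mixed-script flag, and wire form."""
    return {
        label: {
            "scripts": sorted(scripts_in(label)),
            "mixed": is_mixed_script(label),
            "wire": to_wire_form(label),
        }
        for label in labels
    }


if __name__ == "__main__":
    for label, info in audit(SAMPLE_LABELS).items():
        flag = "MIXED " if info["mixed"] else "ok    "
        print(f"{flag} {label!r:12} scripts={info['scripts']} wire={info['wire']}")
```

A browser that shows the `xn--` form for any mixed-script label (rather than the pretty Unicode) removes the ambiguity the post complains about; whole-script confusables (a label made entirely of Cyrillic look-alikes) need a confusable table on top of this check.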
F-Secure Chief Research Officer Mikko Hypponen recently speculated on the damage that could be done with a TLD consisting of the number 1, since it would allow the owner to create a routable host called 127.0.0.1, the IP address for “localhost.”
IIRC you can't register a domain name with just digits; you have to have at least one non-numeric character in the name.
I've seen localhost and localdomain on practically every Linux box I've had, but if only I could think of where it was I saw .local being used as a domain. Was it myPhone or Mac's Book? Bah, it'll come to me sooner or later, probably along with a thunk to the side of the head.
Seriously, given this is set up as the playground for the wealthy, it would behoove the likes of Apple, Microsoft, Red Hat (or a Linux consortium) and others to do something sensible, like be first on the list for the domains they use as defaults. That way at least folks will know who is reading their mail... and zeroconfing a peek at all the questionably legal material going about your home network.
If ICANN were able to dictate the design of DNS resolvers, presumably they could impose resolution of single label DNS queries such as http://nike/ or sales@nike into MX, A or AAAA records. But that isn't how it works. Designers of DNS software, and operating system library designers are very likely to choose to be less obliging for the security reasons described in the otherwise fine article. Tough luck on any marketing droid who reckons a $185K application fee will get them single label names if the software is changed to block resolution of these.
So how long would it take me to edit and recompile gethostbyname() to something which blocks external resolution of single label names, if I don't want to let rich single label name marketing wet dreams compromise my LAN?
Another approach might be to have the root zone compiled by a more responsible party than ICANN. This zone is a very small file which doesn't change very often, and it doesn't take much effort to write a shell script making use of dig to enumerate the current version. All that would take would be for the relatively few engineers who develop and distribute DNS client and resolver software to agree on a better root zone provider.
OK, deleting might be an overreaction (I suspect this might not even be possible for some of the default Windows fonts); but, if you care about having unambiguous information in your browser's address bar (or anywhere else), then make sure to use a suitable font.
Trebuchet seems to be an acceptable compromise: it's not too serif-y, but at least the l isn't just a vertical line.
If you don't manually put the http:// or ftp:// etc. before a raw IP address, IE 7 and 8 appear to try to do a DNS lookup on it.
So yes, some browsers really do appear to be that stupid.
You might argue that you should also specify the protocol, but did you *really* type "http://www.theregister.co.uk" to get here? Or did you let your browser's autocorrect figure much or part of that out, like everybody else?
The problem with IE placing domains into the intranet zone is a real issue. IE will automatically attempt NTLM for any sites in that zone and the zone is simply any site without a dot in the domain name.
When computers are on your internal network they should be using search domains so any lookup for a single word is actually looked up with your domain suffix. Since we're all using domains we own or ones that end in something.local there shouldn't be an issue. Your computer will try appending the search domain first before falling back to looking up just the single word.
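The two behaviours argued over in this thread, search-domain suffixing (this post) and refusing to send single-label names to an external resolver (the gethostbyname post above), can be modelled without touching a resolver library. The script below is an added example, not code from the page or from any resolver project; the search suffix `corp.example`, the internal zone list and the `ndots` default are constructed assumptions that mirror resolv.conf semantics.

```python
# Assumed, constructed environment for the demo: one internal search suffix and the
# internal zones a site-local resolver is authoritative for. None of this comes from the page.
SEARCH_LIST = ["corp.example"]
INTERNAL_ZONES = {"corp.example"}


def query_order(name, search_list=SEARCH_LIST, ndots=1):
    """Fully-qualified names a glibc-style stub resolver tries, in order, following
    resolv.conf 'search'/'ndots' semantics: a name ending in '.' is absolute and gets
    no suffixes; a name with at least `ndots` dots is tried as given first and then with
    each search suffix; a name with fewer dots tries the suffixes first and the bare name last."""
    if name.endswith("."):
        return [name]
    as_given = name + "."
    with_suffix = [f"{name}.{suffix}." for suffix in search_list]
    if name.count(".") >= ndots:
        return [as_given] + with_suffix
    return with_suffix + [as_given]


def route(fqdn, internal_zones=INTERNAL_ZONES):
    """Where a candidate name may be sent. Single-label names are never forwarded to an
    external resolver (the policy argued for in the thread), names under an internal zone
    go to the internal server, everything else is forwarded upstream."""
    labels = fqdn.rstrip(".").split(".")
    if len(labels) == 1:
        return "refuse"
    for zone in internal_zones:
        zone_labels = zone.split(".")
        if labels[-len(zone_labels):] == zone_labels:
            return "internal"
    return "forward"


def resolve_plan(name, search_list=SEARCH_LIST, internal_zones=INTERNAL_ZONES, ndots=1):
    """Pair each candidate name with the routing decision a policy-enforcing resolver would take."""
    return [(fqdn, route(fqdn, internal_zones)) for fqdn in query_order(name, search_list, ndots)]


if __name__ == "__main__":
    for n in ["mailserver", "nike", "www.nike", "intranet.corp.example", "mailserver."]:
        print(n, "->", resolve_plan(n))
```

The interesting row is `mailserver`: with a search list it is answered from the internal zone, and the bare-name fallback that would have leaked to a hypothetical `.mailserver` TLD is refused instead of forwarded. A laptop on a coffee-shop network has no search list, which is exactly when the refuse rule matters.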
Whether it's "single label" or ".TLD"?
IOW, using the example, whether it's "@nike" vs "@.nike" or "http://nike" vs "http://www.nike", or having to have some subdomain in the address like all other TLDs?
Really? Just don't allow single label to resolve. All other TLDs require ".", and I could care less that it might be required to be @sales.nike or www.nike or shoes.nike to resolve.
Also, there are critical .com file extensions in Windows. How come there isn't a big security problem with that (other than fools that open an email attachment with .com thinking it's a website link ;-0)?
This expansion of TLDs is a really terrible idea.
It seems like a cash cow for milking the same kind of idiots that get off on personalized number plates who somehow think it is cool to advertise their shallowness...
Single word domains will be difficult to recognize as part of netspace without protocol designations.
As for validation, it is already difficult enough to fully validate email addresses, which rely on having at least 1 dot embedded in the domain part, as well as a regexp to make seasoned unix programmers cry.
http://company.com or co.uk, eu, etc. do the job perfectly well, are recognizable and give some clue as to a domain's category. For instance, *.info, *.biz, *.tv are just most likely spam sites that can be safely ignored.
Leaking single word domains onto the net is a bad idea - at least a dot gives some kind of defence.
I run a legitimate business and when we started up we registered a .info (we now have the full deck).
Emails bounced, not delivered, unable to use websites because of asshats like you making that assumption. So please take your assumption somewhere else and place it where the sun shineth not.
In all seriousness, it's a big enough problem with people doing things like that, plus a number of high-profile websites didn't/do not accept .info as a valid TLD. This is just going to turn into a complete, total and utter nightmare. As it is we deprecated the .info for the .ca, .co.uk and .com domains we have, as they work as they should.
but I would not recommend anyone to start a business with a .info domain and be expected to be taken as seriously as with a reasonable sounding .com domain.
Any new tld provides a land-grabbing opportunity for criminals to get respectable sounding domains, because all the respectable-sounding .coms went years ago, by likely respectable companies.
Blame the spam/trojan/bot industry for sullying and infecting .info et al domains with dangerous shite... My "assumption" is based on the facts as I have seen them - analysis of the hundreds of thousands of spam messages trying (and failing) to get through my systems for the last 15 years.
For a corporate network, just like you explicitly allow outbound connections to IPs and ports, I would implement a DNS security proxy that will block DNS requests to TLDs that are questionable.
For personal/home users, I'm sure security products will provide some functionality to block DNS that would otherwise be assumed local but which in fact directs users outside the current network scope.
Maybe ICANN won't sell these types of sensitive TLDs, or most likely any hacker won't have the $100,000 dollars to buy these TLDs, and for those that do and subsequently expose users, ICANN or governments will have the power to get that domain blocked.
This isn't half as stupid as the peer to peer DNS idea that was proposed some time ago
I happen to think that the new TLDs are a dreadful idea, but anyone who had bothered to read the relevant parts of the ICANN draft applicant's guidebook would know that there is no possibility whatsoever of TLDs like the ones discussed in this article being assigned. On page 2-8 it explicitly lists LOCAL and LOCALHOST in a table of reserved names, and on pages 2-9 and 2-10 it describes the DNS Stability Review that is exactly about funky names like these.
So thanks for providing this handy list of people who spout nonsense about DNS "security" without doing even a little bit of reading to see if they know what they're talking about.
“It's a bunch of FUD,” he said, referring to the scenarios painted by Ray and other critics. “Yes, if domains like wpad or localhost or localdomain were assigned, bad things might happen. Those domains aren't going to get assigned. It's not like there aren't layers of approval that have to go in place to get a top level domain.”
Says it all.
It's not just the obvious domains like wpad or localhost.
I've seen companies internally use TLDs such as:
private dhcp boot ftp
Which could all be considered obvious, but how about
beech wilson mint
Which used the names of the buildings the computers were located in as the TLD.
Internally, some companies have used pretty much any naming scheme you can think of as the TLD for their internal servers. These will all be at risk.
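The DNS security proxy proposed earlier in the thread and the internal-TLD collision problem in this post come down to one decision per query: parse the question name out of the packet and decide whether it may leave the network. The code below is an added example, not code from the page, from The Register or from any DNS product; the reserved-name table takes the names this thread mentions (localhost, localdomain, local, wpad) plus the RFC 2606 reserved TLDs, and the internal TLD list and the packets are constructed for the demo.

```python
import struct

# Constructed policy tables for the demo (not from the page). RESERVED holds names the
# thread says must never resolve outside the host or LAN (localhost, localdomain, local,
# wpad) plus the RFC 2606 reserved TLDs; INTERNAL_TLDS mimics the building-name TLDs
# quoted in the post, plus the .starfleet of the next one.
RESERVED = {"localhost", "localdomain", "local", "wpad", "test", "example", "invalid"}
INTERNAL_TLDS = {"beech", "wilson", "mint", "starfleet"}


def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query packet (RFC 1035 section 4.1): 12-byte header, QNAME as
    length-prefixed labels, QTYPE, QCLASS=IN. Constructed input for the demo."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(pkt):
    """Extract (name, qtype) from the question section, refusing compression pointers,
    over-long labels and truncated packets rather than guessing."""
    if len(pkt) < 12:
        raise ValueError("short header")
    if struct.unpack("!H", pkt[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        if length > 63:
            raise ValueError("label too long")
        label = pkt[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())  # UnicodeDecodeError is a ValueError
        pos += length
    if not labels:
        raise ValueError("empty name")
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return ".".join(labels), qtype


def decide(name, internal_tlds=INTERNAL_TLDS, reserved=RESERVED):
    """Routing decision for a query name: 'refuse' (answer locally or NXDOMAIN, never
    forward), 'internal' (send to the site's own servers) or 'forward' (upstream resolver)."""
    labels = name.split(".")
    tld = labels[-1]
    if tld in reserved or len(labels) == 1:
        return "refuse"
    if tld in internal_tlds:
        return "internal"
    return "forward"


def handle(pkt, internal_tlds=INTERNAL_TLDS):
    """Proxy front end: parse the question, then apply the policy."""
    name, _ = parse_question(pkt)
    return name, decide(name, internal_tlds)


def is_well_formed(pkt):
    """True when the question section parses cleanly; malformed packets are dropped."""
    try:
        parse_question(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for n in ["fileserver.beech", "NCC-1701-D.starfleet", "wpad", "wpad.corp.local", "www.theregister.co.uk"]:
        print(n, "->", handle(build_query(n)))
```

The point of the strict parser is that the policy is only as good as the name it sees: a proxy that follows compression pointers in the question or tolerates a truncated label can be made to classify a different name than the one a resolver will later act on, so malformed questions are dropped rather than repaired.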
Who has used .starfleet?
NCC-1701-D.starfleet should resolve to the server and not to some subdomain at a new TLD.
Admittedly, shouldn't have set it up that way but given that originally there was never any possibility of .starfleet becoming a TLD the geek inside me just couldn't resist!
The browser and OS makers need to distinguish between a local host and a TLD and put in appropriate checks.
Trusting an endpoint just because it doesn't have a domain is a bit risky anyway. If someone connects to a random access point, it can easily have a DNS that resolves mailhost or whatever.
I'd also think that spending over $100k on a TLD would create a paper trail back to any perps - it's a bit like trying to buy a house undetectably.
It's a real dumbass idea (in my opinion) to offer up all these TLDs, and expecting known names to pony up good cash to "protect" their name is tantamount to extortion.
However... Surely if you owned the domain .1 and had people pointed to 127.0.0.1, any decent DNS client would interpret that as a numeric IP and not even bother trying to look it up?
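Whether `127.0.0.1` ever reaches DNS, as this post and the earlier all-digit-domain comment ask, depends on the client classifying the host before it looks anything up. The function below is an added example, not code from the page or from any browser or resolver, showing the order of checks a careful client applies: IP literal first (no lookup at all), then RFC 1123's rule that the top-level label is never all-numeric, then single-label versus multi-label hostname.

```python
import ipaddress


def _valid_label(label):
    """RFC 1123 host label: ASCII letters, digits and hyphens, no leading/trailing hyphen."""
    ok = all((c.isalnum() and c.isascii()) or c == "-" for c in label)
    return ok and not label.startswith("-") and not label.endswith("-")


def classify_host(target):
    """Decide what a URL host component denotes before any DNS query is issued.
    Returns one of: 'ip-literal', 'single-label', 'hostname', 'invalid'."""
    host = target.strip().rstrip(".")
    if not host:
        return "invalid"
    # IPv4/IPv6 literal: no lookup at all, so a '.1' TLD could never intercept 127.0.0.1.
    try:
        ipaddress.ip_address(host.strip("[]"))
        return "ip-literal"
    except ValueError:
        pass
    labels = host.split(".")
    if not all(labels) or len(host) > 253 or any(len(label) > 63 for label in labels):
        return "invalid"
    if not all(_valid_label(label) for label in labels):
        return "invalid"
    # RFC 1123 section 2.1: the top-level label is alphabetic, never all-numeric,
    # so "host.1" is not a hostname and must not be looked up.
    if labels[-1].isdigit():
        return "invalid"
    return "single-label" if len(labels) == 1 else "hostname"


def should_query_dns(target):
    """Only real hostnames go to the resolver; literals and junk never do."""
    return classify_host(target) in ("hostname", "single-label")


if __name__ == "__main__":
    for t in ["127.0.0.1", "[::1]", "localhost", "www.theregister.co.uk", "host.1", "127.1"]:
        print(f"{t:24} {classify_host(t)}")
```

One caveat worth knowing: `ipaddress.ip_address` insists on a full dotted quad, while the classic `inet_aton` accepts shorthand such as `127.1` or a single 32-bit integer. A client that tests with one parser and connects with the other can classify a string as a hostname, look it up, and then connect to the literal after all, so use the same parser for the check and for the connect.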
There's no reason for it to exist any more.
Why bother registering playboy.xxx when you could just own .playboy ???
I personally think they should have gone the other direction; that is remove all of the non country-specific TLDs (.com .net .edu .gov .mobi .biz, etc) and force them into countrycode TLDs: .com.us .net.us, etc.
Biting the hand that feeds IT © 1998–2019