Open up the TLDs
A plan to populate the internet with hundreds or thousands of new top-level domains has security researchers pondering some of the unintended consequences that could be exploited by online criminals. Some of the scenarios aren't pretty. Consider the mayhem that might result from addresses that end in “exchange,” “mailserver,” “ …
Seriously, there's no reason why there has to be just one. Start your own, get a few ISPs on board, offer plebs instructions on how to start using it, and bob's your uncle. Now you can define your own TLD policy, and peer with the 'mainstream' DNS whenever you wish. Or, make client software which uses its own resolver implementation.
I'm kind-of surprised that Google, Apple, and Microsoft haven't already done this. A tick-box in the browser config to say 'use Google-DNS' is all that it would take to divert most users' queries most of the time. There's no reason why ICANN has to be a monopoly provider for name resolution.
Is the point just to try to get as much money as possible or what?
A fee of $185'000 is NOTHING. There are thousands of companies that can easily shell out the money. If this goes through, you can expect a land grab of epic proportions, bringing domain squatting to a new level. What is the point?
It's a daft idea, but an inequitable one.
One internet for the rich, with any name you choose, and another for us plebs. It favours the big companies over small ones, the haves over the have nots. It also reaches into the future and sticks its fingers up at nations not yet in existence, because what's going to be left for them as their national TLDs?
That is what you get when you put registrars in charge of DNS infrastructure. First internationalised domain names, now this.
The more domains companies like Coca Cola have to register to protect their brands and trademarks the merrier. For them.
And security be damned. In fact it was damned long ago:
Is this: НSВС ???
F*** No, it is Cyrillic N, S, Cyrillic V, Cyrillic S.
Did anyone care? No. This is from the same songbook. Will anyone besides security geeks care? No. It will be railroaded through as it means more money for the domain names scam.
F-Secure Chief Research Officer Mikko Hypponen recently speculated on the damage that could be done with a TLD consisting of the number 1, since it would allow the owner to create a routable host called 127.0.0.1, the IP address for “localhost.”
IIRC you can't register a domain name with just digits; you have to have at least one non-numeric character in the name.
I've seen localhost and localdomain on practically every Linux box I've had, but if only I could think of where it was I saw .local being used as a domain. Was it myPhone or Mac's Book? Bah, it'll come to me sooner or later, probably along with a thunk to the side of the head.
Seriously, given this is set up as the playground for the wealthy, it would behoove the likes of Apple, Microsoft, Red Hat (or a Linux consortium) and others to do something sensible like be first on the list for the domains they use as defaults. That way at least folks will know who is reading their mail... and zeroconfing a peek at all the questionably legal material going about your home network.
If ICANN were able to dictate the design of DNS resolvers, presumably they could impose resolution of single label DNS queries such as http://nike/ or sales@nike into MX, A or AAAA records. But that isn't how it works. Designers of DNS software, and operating system library designers are very likely to choose to be less obliging for the security reasons described in the otherwise fine article. Tough luck on any marketing droid who reckons a $185K application fee will get them single label names if the software is changed to block resolution of these.
So how long would it take me to edit and recompile gethostbyname() into something which blocks external resolution of single label names, if I don't want rich single label name marketing wet dreams to compromise my LAN?
Another approach might be to have the root zone compiled by a more responsible party than ICANN. This zone is a very small file which doesn't change very often, and it doesn't take much effort to write a shell script making use of dig to enumerate the current version. All that would take would be for the relatively few engineers who develop and distribute DNS client and resolver software to agree on a better root zone provider.
OK, deleting might be an overreaction (I suspect this might not even be possible for some of the default Windows fonts); but, if you care about having unambiguous information in your browser's address bar (or anywhere else), then make sure to use a suitable font.
Trebuchet seems to be an acceptable compromise: it's not too serif-y, but at least the l isn't just a vertical line.
If you don't manually put the http:// or ftp:// etc. before a raw IP address, IE 7 and 8 appear to try to do a DNS lookup on it.
So yes, some browsers really do appear to be that stupid.
You might argue that you should also specify the protocol, but did you *really* type "http://www.theregister.co.uk" to get here? Or did you let your browser's autocorrect figure much or part of that out, like everybody else?
The problem with IE placing domains into the intranet zone is a real issue. IE will automatically attempt NTLM for any sites in that zone and the zone is simply any site without a dot in the domain name.
When computers are on your internal network they should be using search domains so any lookup for a single word is actually looked up with your domain suffix. Since we're all using domains we own or ones that end in something.local there shouldn't be an issue. Your computer will try appending the search domain first before falling back to looking up just the single word.
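The search-domain behaviour described in the post above is what decides whether a bare name like "exchange" stays on the LAN or leaks to the root. The following is an added example, not code from the thread or from any resolver project: a small model of the classic resolv.conf search/ndots algorithm, with a constructed corporate zone, a constructed "view" of what the resolver can see from inside and outside the office, and a hypothetical new gTLD `exchange` publishing an address at its apex. The `allow_bare_single_label` switch and the `in_ie_intranet_zone` helper are assumptions added to illustrate the hardening the thread argues for.

```python
"""Model of stub-resolver search-list expansion (added example, constructed data).

Shows why "exchange" resolves to the corporate mail server inside the LAN
but falls through to a hypothetical gTLD apex when the same laptop is on
hotel Wi-Fi, and how refusing to send bare single labels closes that gap.
"""
from typing import Dict, List, Optional, Tuple

# Constructed records. Keys are absolute names (trailing dot).
CORP_ZONE = {"exchange.corp.example.": "10.0.0.25"}
NEW_GTLD_APEX = {"exchange.": "203.0.113.7"}   # hypothetical gTLD owner's record

# What the stub resolver can "see" from each vantage point.
INSIDE_VIEW = {**NEW_GTLD_APEX, **CORP_ZONE}    # global DNS plus the LAN zone
OUTSIDE_VIEW = dict(NEW_GTLD_APEX)              # hotel Wi-Fi: global DNS only


def candidate_names(name: str, search: List[str], ndots: int = 1,
                    allow_bare_single_label: bool = True) -> List[str]:
    """Order in which a resolver tries names, following the search/ndots rule.

    A relative name with fewer than `ndots` dots is tried with each search
    suffix first and only then as an absolute name; otherwise the absolute
    form goes first.  allow_bare_single_label=False is the hardening the
    thread asks for (assumed option, not a real resolv.conf knob): never
    send a dotless label to the root at all.
    """
    if name.endswith("."):                       # already absolute: no search list
        return [name]
    suffixed = [f"{name}.{s}." for s in search]
    bare = f"{name}."
    if "." not in name and not allow_bare_single_label:
        return suffixed
    if name.count(".") < ndots:
        return suffixed + [bare]
    return [bare] + suffixed


def resolve(name: str, search: List[str], view: Dict[str, str], ndots: int = 1,
            allow_bare_single_label: bool = True) -> Tuple[Optional[str], List[str]]:
    """Return (answer or None, names actually sent) for one lookup against `view`."""
    tried: List[str] = []
    for fqdn in candidate_names(name, search, ndots, allow_bare_single_label):
        tried.append(fqdn)
        if fqdn in view:
            return view[fqdn], tried
    return None, tried


def in_ie_intranet_zone(host: str) -> bool:
    """The IE heuristic quoted in the thread: any host without a dot is 'intranet'."""
    return "." not in host


if __name__ == "__main__":
    search = ["corp.example"]
    for label, view in (("inside", INSIDE_VIEW), ("outside", OUTSIDE_VIEW)):
        answer, tried = resolve("exchange", search, view)
        print(f"{label:8} exchange -> {answer}  queried {tried}")
    answer, tried = resolve("exchange", search, OUTSIDE_VIEW, allow_bare_single_label=False)
    print(f"hardened exchange -> {answer}  queried {tried}")
    zone = "intranet" if in_ie_intranet_zone("exchange") else "internet"
    print(f"IE zone for 'exchange': {zone} (NTLM would be offered automatically)")
```

Inside the office the first candidate, `exchange.corp.example.`, answers and nothing else is sent. Outside, that name fails and the resolver falls back to `exchange.`, which is exactly the query a new gTLD would receive, and IE would still treat the dotless name as intranet. Using absolute names in configuration (`exchange.corp.example.`) or refusing bare single labels leaves the outside lookup failing closed instead.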
Whether it's "single label" or ".TLD"?
IOW, using the example, whether it's "@nike" vs "@.nike", or "http://nike" vs "http://www.nike", or having to have some subdomain in the address like all other TLDs?
Really? Just don't allow single labels to resolve; all other TLDs require ".". I could care less that it might be required to be @sales.nike or www.nike or shoes.nike to resolve.
Also, there are critical .com file extensions in Windows. How come there isn't a big security problem with that (other than fools that open an email attachment with .com thinking it's a website link ;-0)?
This expansion of TLDs is a really terrible idea.
It seems like a cash cow for milking the same kind of idiots that get off on personalized number plates who somehow think it is cool to advertise their shallowness...
Single word domains will be difficult to recognize as part of netspace without protocol designations.
As for validation, it is already difficult enough to fully validate email addresses, which rely on having at least 1 dot embedded in the domain part, as well as a regexp to make seasoned unix programmers cry.
http://company.com or co.uk, eu, etc. do the job perfectly well, are recognizable and give some clue as to a domain's category. For instance, *.info, *.biz, *.tv are just most likely spam sites that can be safely ignored.
Leaking single word domains onto the net is a bad idea - at least a dot gives some kind of defence.
I run a legitimate business and when we started up we registered a .info (we now have the full deck).
Emails bounced, not delivered, unable to use websites because of asshats like you making that assumption. So please take your assumption somewhere else and place it where the sun shineth not.
In all seriousness, it's a big enough problem with people doing things like that, plus a number of high profile websites didn't/do not accept .info as a valid TLD. This is just going to turn into a complete, total and utter nightmare. As it is we deprecated the .info for the .ca, .co.uk and .com domains we have, as they work as they should.
But I would not recommend anyone start a business with a .info domain and expect to be taken as seriously as with a reasonable sounding .com domain.
Any new tld provides a land-grabbing opportunity for criminals to get respectable sounding domains, because all the respectable-sounding .coms went years ago, by likely respectable companies.
Blame the spam/trojan/bot industry for sullying and infecting .info et al domains with dangerous shite... My "assumption" is based on the facts as I have seen them - analysis of the hundreds of thousands of spam messages trying (and failing) to get through my systems for the last 15 years.
For a corporate network, just like you explicitly allow outbound connections to IPs and ports, I would implement a DNS security proxy that will block DNS requests to TLDs that are questionable.
For personal/home users, I'm sure security products will provide some functionality to block DNS that would otherwise be assumed local but which in fact directs users outside the current network scope.
Maybe ICANN won't sell these types of sensitive TLDs, or most likely any hacker won't have the $100,000 dollars to buy these TLDs, and for those that do and subsequently expose users, ICANN or governments will have the power to get that domain blocked.
This isn't half as stupid as the peer to peer DNS idea that was proposed some time ago.
I happen to think that the new TLDs are a dreadful idea, but anyone who had bothered to read the relevant parts of the ICANN draft applicant's guidebook would know that there is no possibility whatsoever of TLDs like the ones discussed in this article being assigned. On page 2-8 it explicitly lists LOCAL and LOCALHOST in a table of reserved names, and on pages 2-9 and 2-10 it describes the DNS Stability Review that is exactly about funky names like these.
So thanks for providing this handy list of people who spout nonsense about DNS "security" without doing even a little bit of reading to see if they know what they're talking about.
“It's a bunch of FUD,” he said, referring to the scenarios painted by Ray and other critics. “Yes, if domains like wpad or localhost or localdomain were assigned, bad things might happen. Those domains aren't going to get assigned. It's not like there aren't layers of approval that have to go in place to get a top level domain.”
Says it all.
It's not just the obvious domains like wpad or localhost.
I've seen companies internally use TLDs such as:
private, dhcp, boot, ftp
Which could all be considered obvious, but how about
beech, wilson, mint
Which used the names of the buildings the computers were located in as the TLD.
Internally, some companies have used pretty much any naming scheme you can think of as the TLD for their internal servers. These will all be at risk.
Who has used .starfleet?
NCC-1701-D.starfleet should resolve to the server and not to some subdomain at a new TLD.
Admittedly, shouldn't have set it up that way but given that originally there was never any possibility of .starfleet becoming a TLD the geek inside me just couldn't resist!
The browser and OS makers need to distinguish between a local host and a TLD and put in appropriate checks.
Trusting an endpoint just because it doesn't have a domain is a bit risky anyway. If someone connects to a random access point, it can easily have a DNS that resolves mailhost or whatever.
I'd also think that spending over $100k on a TLD would create a paper trail back to any perps - it's a bit like trying to buy a house undetectably.
It's a real dumbass idea (in my opinion) to offer up all these TLDs, and expecting known names to pony up good cash to "protect" their name is tantamount to extortion.
However... Surely if you owned the domain .1 and had people pointed to 127.0.0.1, any decent DNS client would interpret that as a numeric IP and not even bother trying to look it up?
There's no reason for it to exist any more.
Why bother registering playboy.xxx when you could just own .playboy ???
I personally think they should have gone the other direction; that is remove all of the non country-specific TLDs (.com .net .edu .gov .mobi .biz, etc) and force them into countrycode TLDs: .com.us .net.us, etc.
I might be as daft as the icon, but what the eff?
"Suppose you owned '1'. Now you can set up 127.0.0.1 ..." I'm pretty sure that my network won't let anything like that go to the outside world. Pretty damn sure. Absolutely certain actually. And I doubt that *any* corporate network would let that go through. If there is one, the sysadmin needs to be put out of misery (pink-slip-grade, not cap-in-the-back-of-the-head-grade. Although....). Of course that would be assuming that someone managed to connect a machine so badly configured that it would send DNS requests for 127.0.0.1 to the network in the first place. Let me tell you, that would be met with severe retaliation. Permaban on the MAC, for starters, until the machine can be examined. And as some geeks have just enough sense to bork their machine *and* clone a MAC when they find out theirs is blocked, but are not smart enough to actually configure it correctly, a one-on-one talk about how more severe LARTs are about to be deployed.
Same thing if a laptop is connected to a corporate WiFi and a request for "*.invalid", "mailserver", etc actually reaches an external DNS server: some sysadmin just doesn't deserve his salary.
As for the statistics, I do use addies in .invalid, mostly for Usenet posting. I'm sure I'm not alone and I suppose that a big portion of the ".invalid" requests logged by the DNS servers are actually spambots trying to send spam to addresses collected via Yahoo! Groups or some other Usenet-to-web bridge. If someone was to register the ".invalid" domain for phishing purposes they would just receive gazillions of ads for generic viagra and the occasional death threat from some Usenet troll-n00bz. Please let it be so!
Actually I'm not sure, what is supposed to be new here? Surely everyone in charge of a network that accepts random machines already has routing filters for this kind of braindeadery, no? I know I do, but feel free to scare me with your horror stories!
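Both the "DNS security proxy that blocks questionable TLDs" suggested earlier in the thread and the routing filters this poster describes boil down to one egress policy on the forwarder plus a log of what tried to get out. The block below is an added example, not code from the thread or from any DNS product: the policy classifies each query name (IP literal typed as a name, dotless single label, reserved or site-internal suffix, or public) and produces a per-client report of the internal names that would have leaked. The log line format, the client addresses and the site-specific suffixes `lan`, `corp` and `home` are constructed for the demo; `localhost`, `local`, `localdomain`, `invalid`, `test` and `example` are the RFC 6761/6762 special-use names.

```python
"""DNS forwarder egress policy run over constructed query-log lines (added example).

Drops the three classes of lookup that should never leave a LAN and reports
which clients sent them, which is the list of hosts and scripts that need
fully-qualified names before any new gTLD can collide with them.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# RFC 6761/6762 special-use names plus suffixes this (constructed) site uses internally.
RESERVED_TLDS = {"localhost", "local", "localdomain", "invalid", "test", "example",
                 "lan", "corp", "home"}

# Constructed log format: "<client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$")

# Constructed sample: what a forwarder on a visitor network might see in a minute.
SAMPLE_LOG = """\
10.1.2.3 exchange A
10.1.2.3 wpad.corp.local A
10.1.2.3 www.theregister.co.uk A
10.1.2.9 127.0.0.1 A
10.1.2.9 mailserver AAAA
10.1.2.9 _ldap._tcp.dc._msdcs.corp SRV
10.1.2.42 www.example.org A
10.1.2.42 fe80::1 AAAA
"""


def classify(qname: str) -> str:
    """Return the policy class of a query name."""
    name = qname.rstrip(".").lower()
    try:
        ipaddress.ip_address(name)          # "127.0.0.1" or "fe80::1" sent as a *name*
        return "ip-literal"
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) == 1:
        return "single-label"               # search-list fallback leaking a bare host name
    if labels[-1] in RESERVED_TLDS:
        return "reserved-suffix"            # internal namespace that must not hit the root
    return "public"


def decide(qname: str) -> Tuple[str, str]:
    """('forward' | 'drop', reason) for one query name."""
    kind = classify(qname)
    return ("forward", kind) if kind == "public" else ("drop", kind)


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse the constructed log format; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            out.append((m["client"], m["qname"], m["qtype"]))
    return out


def leak_report(text: str) -> Dict[str, Counter]:
    """Per client, count the dropped names: the remediation list for that host."""
    report: Dict[str, Counter] = defaultdict(Counter)
    for client, qname, _qtype in parse_log(text):
        action, reason = decide(qname)
        if action == "drop":
            report[client][f"{qname} ({reason})"] += 1
    return dict(report)


if __name__ == "__main__":
    for client, names in sorted(leak_report(SAMPLE_LOG).items()):
        print(client)
        for entry, count in names.most_common():
            print(f"  {count}x {entry}")
```

The `ip-literal` class is the "127.0.0.1 as a host name" case from the article: a well-behaved client never sends it, so seeing it in the log points at a broken stack rather than at a user. The report, not the block, is the useful output for an admin: it names the machines still relying on search-list fallback.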
“Every little admin who hardcoded a short host name in some script somewhere is going to risk collision with a global top level domain unless that capability is somehow disabled entirely, which would imply that you can't actually serve anything from these global top level domains.”
Yup. "bros before hoes". If a local domain name exists with that name, that's where you're going. If someone registers a "global" domain name that is the same, bad luck, too bad for them, not my problem. Most sysadmins stick to "The Rules" when it comes to domain names, any attempt to register "mail", "smtp", "localhost" etc as "global" names *must* be considered a phishing attempt. And thwarted. I really don't see the problem. "you can't actually serve anything from these global top level domains.” Damn right. It's a security feature, not a flaw.
The article points out the high volume of single-word internal names that leak out of corporate LANs and onto the internet every day.
A significant part of the problem (not explicitly mentioned in the article) will be corporate laptops, because a lot of software isn't set up to check whether it's on your WAN or not before attempting to do anything -- it just fires off a request to the server and sees if it gets a response.
While the most common examples won't be sold, that doesn't prevent more targeted attacks.
Imagine you're in a major crime syndicate and you find out that a major global bank uses the name "piggybank" for its main accounts server. What do you do next? You set up a dummy financial services company called "PiggyBank Global Services" and just harvest all the data you can, then pass it on to your black hat IT department who start transferring funds out. And you just so happen to have a financial services company set up and ready to launder that cash. A defaulted loan here, an insurance payout there et voilà, you're several million better off.
This might help just a little.
Applying for a TLD should involve signing something like the following. "I have read the <rulebook>. I declare that this application is not in breach of the mandatory security requirements <reference>. I agree that my application fee will be forfeit, if this declaration is untrue".
Nice little earner for the registrar, pocketing $18K or whatever, whenever another phisherman with big ideas (and big pockets) comes along.
Not sure what one can do about insane use of arbitrary TLDs but applications for .localhost .lan etc. should be in breach of the security requirements (rule 1, list of illegal TLD names). They're also clearly in breach of the spirit of TLDs, which require the applicant to have a good claim to that TLD. localhost etc., are in the public domain courtesy of many years of widespread (ab)use.
Personally I'll be surprised if many companies actually bother. It might annoy or antagonise more customers than it could possibly attract. Doesn't everyone and his dog use the Google (or Bing) search bar if they want to find, say, "Nike"?
On the one hand, I doubt ICANN is going to approve anything likely to cause this sort of trouble. On the other hand, WTF? Individual organizations do not need TLDs. It's a $200k vanity domain.
TLDs for a purpose (e.g. .mail) make more sense, though of course the name-choosing issue still exists. The existing TLDs work reasonably well in this manner. (and I note that com, net, org, and a few other obvious ones do not resolve to anything on their own) I'm in favor of closing the hole in the manner described towards the end of the article.
Yes, it means single-name addresses won't work, but so what? I can't think of any purpose for them that's useful to the user, as opposed to the corporate marketing boys at the sort of places that can afford a $200k application.
I know the internet is a "free market". It's capitalism working and making people tons of money, and there's nothing wrong with that. But it really sucks when all the top level companies out there will be able to control every word they want to online, because they are the only people that can afford the $185,000 price tag to register. I can't imagine this will help the internet at all. It will just allow a big name bank to get the name "bank" and be even more powerful.
Just another thought.
In the Google browser, you do searches by typing into the URL field. If what you type has a .com, or .net, etc., you'll be taken to the site. If what you put in doesn't have a .com, or .net, etc., it will take you to a Google search. So what if someone just types in "banks"? Where will Google take you if this new system takes effect? What about the competition?
I just can't see how this will help the internet do anything. It's just a way for ICANN to make millions.
The use of invalid TLDs for internal networks was always a broken concept. Architects and network engineers would just create a new one when it suited them, ignoring the hierarchical nature of domains and sub-domains, ignoring the maximum number of domains in search paths, adding pointless layers of complexity, and pretending it added security because 'this will never be a valid external TLD'.
It's a hack created by people who simply shouldn't have had the power to create it.
We've been down this road already, what with Microsoft hiding the extension part of filenames from users, such that the user cannot tell what the function of the file is.
Compromised PC sends attachment 'youvewon.txt.exe' user sees 'youvewon.txt' assumes it to be safe and double-clicks it. Bingo, computer owned.
Agree. BAD idea.
Also interesting to note that the bulk of DNS errors are due to Microsoft's Active Directory. Though, not surprising really.
"Windows.....accepts *any* name without dots in it as the more-trusted 'local intranet zone,'”
There's certainly no fixing that at ICANN, although someone in Redmond needs a swift education with the clue stick. No, not that one, the large one with the nails sticking out of it.
As for having your mail server known on your internal DNS as "exchange" rather than "exchange.<corp>.<TLD>", well if you've done that and it's going to be a problem you should look in the bloody mirror for the root cause of it. As ICANN don't retrofit common sense to the clueless, they can't fix that one either.
I dunno how it is everywhere else, but if we backed out of doing something every time it was shown to break some clueless pillock's crappy workaround, we'd never get anything done.
I love this (no sarcasm whatsoever), just for the comedy that may ensue.
For example, why register a .xxx domain when sooner or later someone will be offering .fuck ones?
Or, imagine the Corn Farmers Association of <Wherever> decide to register .corn (squint at it, and imagine what happens when you start to need glasses).
Really, it makes little difference whether a website is called www.<something>.com or www.<something> or www.<something>.com.earth It's only a name - that's all - just a name - nothing else.
If there are security issues, it's because of a Y2K-style shortsightedness on the part of name/lookup configurations and maybe (just possibly) a little slackness in some of the rules. That can easily be fixed.
It seems to me that the people who are raising objections have some sort of investment in the status quo (maybe they bought all their singles?) and are simply resistant to change. Fine: don't change and just wave the internet goodbye as it rolls off into the future, leaving you behind.
It's not a name, it's an identifier, and that distinction is more important than it may sound.
The initial plan was for a descriptive identifier -- jones.co.uk = UK Company called Jones.
In China, there's a problem because too many people have the same name. There aren't enough names in the world to go round, so we need identifiers (eg National Insurance number) for official purposes.
Lots and lots of companies have the same "name", so treating URLs as names causes a massive problem.
"Right now, there are fewer than 300 TLDs"
OK, so there are going to be a lot of countries (this says 248); then there is .com .biz .net .org .gov .edu .info ummm.... help me out here people.
If we are not using what we have, why do we need any more?
Oh, an infallible source: en.wikipedia.rog/wiki/List_of_Internet_top-level_domians
.aero ... the air industry gets its own one, but I bet Boeing does not use it. In fact most of the specialised ones here don't get used; I have never even seen them! I guess this can go two ways: everyone will have their own www.taft, or everyone will just keep using www.taft.com and a lot of redirects.
www.dub.aero and www.snn.aero point to the websites for Dublin Airport (DUB) and Shannon Airport (SNN).
SITA should have set up redirections for all registered airports if it wanted the .aero TLD to have any value.
By the way - http://www.airbus.aero/ points to Melbourne IT - exactly the same as http://ac/
- IPv6 is enforced and IPv4 is shutdown...
- IANA Black-hole servers won't be necessary because everybody's DNS set-up is working accordingly...
- Everybody on the planet adopts the "don't be evil' motto from Google.
- All the 419 scammers are cornered and jailed.
- All the viruses stop using spoofing or DNS hack methods in any way, shape, or form.
The concern here is very simply worded:
What happens when that corporate PC is outside the corporate network?
Inside, your sysadmin probably does all kinds of cool tricks to keep your 'internal' connections safely internalised, and that's great.
However, when your salesman goes out to sell stuff, he'll be connecting his laptop to the internet from the airport/hotel/coffeehouse, and so all those nice corporate network protections vanish.
I can guarantee that if you do put clever restrictions in that laptop, they'll get removed pretty rapidly because they'll interfere with the high-flying salesmen's vital work.
It is actually very difficult for an application to tell whether a given machine is currently running inside the 'safe' corporate network, or out in the scary world. So pretty much no application does so; it just tries to resolve its corporate-network URL, and if that fails, it either tries to resolve the not-corporate network URL or shuts down if it's not supposed to run in the scary world.
As part of your $185,000, ICANN sets up your new TLD for itself and monitors for 1 month what traffic accidentally comes its way.
If the traffic is from less than N software applications or M organisations, notify them and give them 3 months to fix. If more than these thresholds, refuse the TLD.
This will mitigate any unintended consequences.
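The observation-month rule proposed above is easy to state and worth seeing as a concrete decision procedure. The block below is an added example, not code from the thread or from ICANN: it takes constructed root-side query records for a few applied-for labels, summarises each candidate TLD by distinct source networks (a /24 is used here as a stand-in for "organisation") and by distinct software identified from well-known leaking label patterns (`wpad`, `isatap`, `autodiscover`, `_ldap._tcp`), and applies the poster's thresholds: below N software or M organisations, notify and wait; otherwise refuse; no collisions at all, approve. The record format, the client addresses, the signature table and the threshold values N=3 and M=3 are assumptions.

```python
"""Collision-monitoring decision for candidate TLDs (added example, constructed data).

Each observed query at the hypothetical monitoring root is attributed to a
candidate TLD (its last label), an organisation proxy (the client /24) and,
where the leftmost label is a well-known auto-discovery name, the software
that produced it.  The thresholds then decide: approve, notify-and-wait, or refuse.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Query(NamedTuple):
    client: str
    qname: str


# Heuristic: leftmost-label patterns that identify software behind a leaked query.
SOFTWARE_SIGNATURES = {
    "wpad": "WPAD auto-proxy discovery",
    "isatap": "ISATAP tunnel client",
    "autodiscover": "Exchange Autodiscover",
    "_ldap._tcp": "Active Directory DC locator",
}

# Constructed: queries seen during the observation month for applied-for labels.
OBSERVED: List[Query] = [
    Query("192.0.2.10", "wpad.corp"),
    Query("192.0.2.11", "wpad.corp"),
    Query("198.51.100.7", "_ldap._tcp.dc._msdcs.corp"),
    Query("203.0.113.5", "autodiscover.mail"),
    Query("203.0.113.6", "isatap.mail"),
    Query("198.51.100.9", "www.mail"),
    Query("192.0.2.200", "autodiscover.mail"),
    Query("192.0.2.10", "shoes.nike"),
]


def tld_of(qname: str) -> str:
    """Last label of the name, lower-cased, ignoring a trailing dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def org_of(client: str) -> str:
    """Organisation proxy: the client's /24 (a real deployment would map to ASN/owner)."""
    return str(ipaddress.ip_network(f"{client}/24", strict=False))


def software_of(qname: str) -> str:
    """Name the software if the leftmost label(s) match a known auto-discovery pattern."""
    name = qname.lower()
    for prefix, software in SOFTWARE_SIGNATURES.items():
        if name == prefix or name.startswith(prefix + "."):
            return software
    return "unidentified"


def summarise(records: List[Query]) -> Dict[str, Dict[str, Set[str]]]:
    """Per candidate TLD: the distinct organisations and distinct software seen."""
    summary: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"orgs": set(), "software": set()})
    for q in records:
        entry = summary[tld_of(q.qname)]
        entry["orgs"].add(org_of(q.client))
        entry["software"].add(software_of(q.qname))
    return dict(summary)


def decide(tld: str, summary: Dict[str, Dict[str, Set[str]]],
           max_software: int = 3, max_orgs: int = 3) -> str:
    """Apply the thread's rule with thresholds N=max_software, M=max_orgs."""
    entry = summary.get(tld)
    if entry is None:
        return "approve"                      # nothing collided in the observation month
    if len(entry["software"]) < max_software or len(entry["orgs"]) < max_orgs:
        return "notify-and-wait"              # few enough sources to contact and fix
    return "refuse"


if __name__ == "__main__":
    s = summarise(OBSERVED)
    for tld in ("corp", "mail", "nike", "exchange"):
        detail = s.get(tld, {"orgs": set(), "software": set()})
        print(f"{tld:9} orgs={len(detail['orgs'])} software={len(detail['software'])}"
              f" -> {decide(tld, s)}")
```

The interesting output is the middle case: `mail` collects three distinct networks and three distinct pieces of software in a handful of queries, which is the "too widespread to fix by notification" signal the rule is meant to catch, while `nike` leaks from one network only and gets a notification period instead.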
I would've thought that domains like natwest.bank or citi.bank and stuff like that would have been a severe problem. Whitehouse.gov and whitehouse.com are two completely different things, but how many folk confuse them? (Check them if you don't believe me!) I received an email purporting to be from Lloyds TSB, but examining it further (a few basic HTML lines) would have sent me to lloydstsV.co.uk. This makes me wonder if they let co.uk domains like that out already... Obviously the law will need to catch up.
...if in the beginning, when they were making rules about what kind of names could be paired with those fancy 12-digit, 4-period telephone numbers, they had done it the other way round, so that the TLD came first?
We wouldn't have had ads whinily singing "dot com-m-m-m", and the public might have been made even more aware that there were more than one TLDs, and could tell that com.whitehouse wasn't gov.whitehouse or us.gov.whitehouse or gov.us.whitehouse, and been on their guard.
Biting the hand that feeds IT © 1998–2019