
Generic TLDs Threaten Name Collisions and Information Leakage (115 comments)

Posted by Unknown Lamer
from the turns-out-bad-practices-bite-you dept.
CowboyRobot writes "As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than 1,000, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies. Two major issues could cause problems for companies: If domain names that are frequently used on a company's internal network — such as .corp, .mail, and .exchange — become accepted gTLDs, then organizations could inadvertently expose data and server access to the Internet. In addition, would-be attackers could easily pick up certificates for domains that are not yet assigned and cache them for use in man-in-the-middle attacks when the specific gTLD is deployed." Another way to look at it: why were they using invalid domains in the first place?
  • What's worse... (Score:4, Insightful)

    by sjwt (161428) on Tuesday July 16, 2013 @03:10AM (#44293569)

    I used to work for a company where some uncommon but in-use domain names were being used on the intranet, and were overriding the internet ones... A real pain in the ass.

    • by AmiMoJo (196126) *

      I heard of a place where youtube.com redirected to a feed of the office CCTV cameras and a message stating "this event has been logged".

  • by ls671 (1122017) on Tuesday July 16, 2013 @03:11AM (#44293579) Homepage

    That's why I have been giving my internal domains silly names like .zyxprivnet for at least 15 years...

    It would be nice to reserve some domain names for internal use, though, just like internal IP addresses.

    • by Chrisq (894406) on Tuesday July 16, 2013 @03:17AM (#44293597)

      It would be nice to reserve some domain names for internal use, though, just like internal IP addresses.

      That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better, ban them as prefixes so .private-kellogs, .private-audi, etc. can never be registered on the internet.

      • by TheLink (130905) on Tuesday July 16, 2013 @04:54AM (#44294047) Journal

        I actually tried to get a TLD reserved for "RFC1918" style use about 12+ years ago: http://tools.ietf.org/html/draft-yeoh-tldhere-01 [ietf.org]

        I also tried ICANN, but they weren't interested either. And when they approved stuff like .biz and .info, I got the impression they weren't really interested in improving the Internet from a technical aspect but more interested in $$$$. Did the creation of .biz etc. really help the Internet that much?

        Maybe others may have more success trying it now?

      • by dissy (172727) on Tuesday July 16, 2013 @06:41AM (#44294537)

        I wonder which three letter organization icann will be giving .onion to :/

        • by Anonymous Coward

          I wonder which three letter organization icann will be giving .onion to :/

          Clearly it will be: T.H.E. because what other use would there be on the internet besides the.onion ;-)

        • by Eevee (535658)

          I would suspect NRL [wikipedia.org], since they're the ones who sponsored the TOR project in the first place.

      • It would be nice to reserve some domain names for internal use, though, just like internal IP addresses.

        That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better, ban them as prefixes so .private-kellogs, .private-audi, etc. can never be registered on the internet.

        I've always advocated using your own FQDN for internal networks. If you own example.com, then put your internal stuff on internal.example.com - dead easy, job done. This gets even easier with Bind's RPZ functionality - you don't even need the "internal" subdomain; you can just add/replace RRs in your main domain, which is rather useful where you want different servers to handle your internal and external access (e.g. mail.example.com can point at an internal mail server when inside your LAN, and an external mail server for anyone on the internet).

        However, a lot of people decide to use random TLDs for this instead. In particular, I've got a number of customers who, under the advice of supposidly qualified network engineers, set up their networks to operate on the .local TLD. This, of course, now becomes a problem since .local is normally used by mDNS, so we end up with conflicting names and all sorts of problems.

        I would guess you're relatively safe using .localnet (since traditionally localhost is localhost.localnet) if you really must use a non-globally-unique domain name, but IMHO it solves a lot of problems in the long run if you just use a proper FQDN for everything (not least because you don't end up with naming conflicts if you merge LANs together at a later date).

        Another thing to consider is: if you're basing your security on reverse DNS lookups then you're an idiot, since the attacker can trivially set their reverse DNS to anything, valid or not.

        • by ICLKennyG (899257)

          One problem with this convention is the simplicity of the domain name. You and I understand how DNS works and that it's just a representation of words, but to most people it works more on the principle of logical naming and their mental association with the words it forms.

          I.e., we may see sales.example.com/wiki and think of it as a very logical place to put a Wiki site for collaboration for the sales department of our organization. However, your average person who is of the intelligence level of sales is
          • I.e., we may see sales.example.com/wiki and think of it as a very logical place to put a Wiki site for collaboration for the sales department of our organization. However, your average person who is of the intelligence level of sales is going to see asdfgqwerty.example.com/zxcvbnm and think where do we keep the sales notes. If you set it up at http://notes.sales/ [notes.sales] they may actually have a chance to remember that.

            I'd hope that the average employee would know who their employer is. I.e., if you're employed by Example Ltd. you might expect everything to be under example.com... In any case, all this would usually be linked from a company-wide intranet. Your example of sticking things under http://notes.sales/ [notes.sales] increases the complexity, because now your users are going to have to understand that they need to use "notes.sales" when they're inside the company's network and "notes.sales.example.com" when they're outside th

        • by Zaelath (2588189)

          It (.local) was actually official MS advice for a long time http://en.wikipedia.org/wiki/.local#Microsoft_recommendations [wikipedia.org]

          I tend to think Apple made a poor choice given the pre-existence of lots of .local domains in use (default on Small Business Server 2000 from memory, and supported by http://support.microsoft.com/kb/296250 [microsoft.com])

          I'm more familiar with .localdomain than .localnet, but it wasn't in wide use until long after .local became popular (though to be fair I can find at least one reference to it as far ba

          • It (.local) was actually official MS advice for a long time http://en.wikipedia.org/wiki/.local#Microsoft_recommendations [wikipedia.org]

            I tend to think Apple made a poor choice given the pre-existence of lots of .local domains in use (default on Small Business Server 2000 from memory, and supported by http://support.microsoft.com/kb/296250 [microsoft.com])

            I think that both of them made a terrible choice.

            Microsoft advised using a domain that (by their own admission) "At the present time, the .local domain name is not registered on the Internet." Not sure how that could ever have struck them as a bright idea. I guess MS was arrogant enough to think the rest of the world would bend to accommodate their de-facto standards rather than bothering to get them properly ratified.

            Apple then went along and chose a name that they knew was already widely in use, per offi

            • by Zaelath (2588189)

              Agreed. To be fair, I was just defending the "supposidly qualified network engineers" [sic].

              I just find Apple's move a little more douchy given .local would have been discovered by a google at that time, probably.

    • by Anonymous Coward on Tuesday July 16, 2013 @03:17AM (#44293599)

      oh, like .local ? >_>

    • by mwvdlee (775178) on Tuesday July 16, 2013 @03:22AM (#44293619) Homepage

      http://tools.ietf.org/html/rfc2606 [ietf.org]
      You can use .test, .example, .localhost and .invalid.
      The use of these TLDs is somewhat defined and not quite similar to the "intranet"-type use you describe, but at least they're available for private use and nobody will bother you if you use, for example, ".invalid" for your internal domains.

      On the other hand, why not simply use subdomains of an actual domain name you own?
      If you own example.com, you could use intranet.example.com or perhaps privateserver.internal.example.com

      It would be nice if something like ".intranet" could be a reserved TLD.
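Added example, not code from any poster in this thread: a checker that classifies an internal DNS suffix the way this post and the longer reply above describe (a subdomain of a domain you own, an RFC 2606 reserved name, mDNS's .local, or an invented TLD that could be delegated later) and then flags the queries on a forwarding resolver that would carry such names upstream. The BIND-style log lines and the small public-TLD set are constructed inputs; in practice the TLD set would be loaded from the current IANA root zone list.

```python
"""Name-collision and leakage checker for internal DNS suffixes.

Category rules, taken from the discussion above:
  owned            - under a registered domain you control (never collides)
  reserved         - RFC 2606 TLD: .test .example .invalid .localhost
  mdns             - .local, claimed by multicast DNS (RFC 6762)
  collision-prone  - any other suffix: nobody guarantees it stays unallocated
"""
import re
from typing import Iterable, List, Tuple

RESERVED_RFC2606 = {"test", "example", "invalid", "localhost"}
MDNS_TLDS = {"local"}


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, dropping a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def classify(suffix: str, owned_domains: Iterable[str] = ()) -> str:
    """Return 'owned', 'reserved', 'mdns' or 'collision-prone' for a suffix."""
    parts = _labels(suffix)
    if not parts:
        raise ValueError("empty DNS name")
    for owned in owned_domains:
        tail = _labels(owned)
        # parts[-len(tail):] is the whole list when tail is longer, so the
        # comparison fails safely instead of matching a partial suffix.
        if tail and parts[-len(tail):] == tail:
            return "owned"
    tld = parts[-1]
    if tld in RESERVED_RFC2606:
        return "reserved"
    if tld in MDNS_TLDS:
        return "mdns"
    return "collision-prone"


# Constructed BIND-style query log (not real traffic). Only the
# 'client <ip>#<port>' and 'query: <name> IN <type>' fields are parsed.
SAMPLE_QUERY_LOG = """\
client 10.0.0.5#53412: query: fileserver.corp IN A + (10.0.0.1)
client 10.0.0.7#41022: query: intranet.example.com IN A + (10.0.0.1)
client 10.0.0.9#60111: query: printer.local IN A + (10.0.0.1)
client 10.0.0.5#53413: query: mail.exchange IN MX + (10.0.0.1)
client 10.0.0.12#50001: query: lab.test IN AAAA + (10.0.0.1)
client 10.0.0.5#53414: query: www.iana.org IN A + (10.0.0.1)
"""

_QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def leaking_queries(log_text: str, owned_domains: Iterable[str],
                    public_tlds: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, category) for queries whose name is neither
    yours, nor RFC 2606 reserved, nor under a delegated public TLD.

    Those are the internal names an upstream resolver would see if forwarded.
    Keep public_tlds current: a suffix that moves from 'flagged' to 'public'
    between two runs is exactly the collision the article warns about.
    """
    owned = list(owned_domains)
    public = {t.lower().strip(".") for t in public_tlds}
    hits = []
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        try:
            cat = classify(qname, owned)
        except ValueError:  # a bare "." query carries no suffix to judge
            continue
        if cat in ("owned", "reserved") or _labels(qname)[-1] in public:
            continue  # safe internal name or ordinary external lookup
        hits.append((m.group("ip"), qname.lower().rstrip("."), cat))
    return hits


if __name__ == "__main__":
    for hit in leaking_queries(SAMPLE_QUERY_LOG, ["example.com"], {"com", "net", "org"}):
        print("%s asked for %s (%s)" % hit)
```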

      • by ls671 (1122017)

        Oh also, that rfc dates back a little. Things change and I wouldn't be surprised if they created a .example top domain at some point for something like teaching purposes.

        Back then, a domain couldn't start with a number and nowadays we have 2600.org.

        I think we need a new RFC with some reserved prefix like .intern

        So .internmyproject1 .internmail .internnews .internanything would be guaranteed never to be used.

        • by mwvdlee (775178)

          AFAIK, it still holds.
          A while back some idiots thought it would be smart to redirect all failed .com domains, so maybe example.com was also a victim of that.
          But this was quickly reverted after public outcry.

        • Oh also, that rfc dates back a little. Things change and I wouldn't be surprised if they created a .example top domain at some point for something like teaching purposes.

          example.com and example.org are explicitly registered for this purpose.

      • Re: (Score:3, Interesting)

        by jawtheshark (198669) *

        On the other hand, why not simply use subdomains of an actual domainname you own?

        I do realize it's inconceivable, but some people do not own domain names. Well, I do, but they don't really match my internal naming scheme. So, my internal domain is something that wasn't valid until they came up with the stupid gTLD concept: shark species as hostname, domain "sharks" on my network and in a similar vein Kipling's Jungle Book characters as hostnames and "jungle" as domain for my parents' network. This works f

      • by TheLink (130905) on Tuesday July 16, 2013 @05:00AM (#44294069) Journal

        You can use .test, .example, .localhost and .invalid. ...and nobody will bother you if you use, for example, ".invalid" for your internal domains.

        Some CEOs and PHBs might ;).

        • by grcumb (781340)

          ...and nobody will bother you if you use, for example, ".invalid" for your internal domains.

          Some CEOs and PHBs might ;).

          Indeed. The proper usage these days is .challenged.

      • If you have heard them scream and shout and stomp their feet when we talk about GIMP here, wait until you see the reaction to .invalid
      • by gd2shoe (747932)

        On the other hand, why not simply use subdomains of an actual domainname you own?

        How about: Because I don't own any... and I shouldn't need to for private use!

    • by mysidia (191772)

      That's why I have been giving my internal domains silly like .zyxprivnet for at least 15 years...

      zyxprivnet sounds like a cool gTLD to register... i'll get right on it.

      On the other hand... .LOCAL and .LAN are unlikely to be allowed as a TLD; since .LOCAL has prior use by Apple for Bonjour/Multicast DNS.

      Also, .INVALID and .LOCALDOMAIN are reserved private TLDs.

  • by Keruo (771880) on Tuesday July 16, 2013 @03:15AM (#44293589)

    Why use some random .local when you can use intra.company.com subdomain for the internal lan.

    It's much better to use a real domain which you actually own and will remember to renew.

    • by ls671 (1122017)

      Sometimes you work on small experimental projects where it is too bothersome to ask your big brother for a subdomain name. Example: mysmallproject.ibm.com.

      You just come up with a domain name to make things more simple for people working on your LAN. example: .zyx1999prj

      You can't forget to renew them because there is no renewing authority. You just made the tld up yourself!

      • In that case, simply edit your hosts file and add your own entry for project123.ibm.com. Your first DNS server is your computer... unless you've changed the default host.conf

        • by ls671 (1122017)

          If you choose to go the /etc/hosts file route, then you do not need a domain name at all. Host names will suffice.

          On the other hand, I prefer DNS and I do not know any other way than using a zone file to cause hostnames to resolve to IP addresses. I might use the hosts file for something with at most 5 machines that need to know each other.

          You need DNS and DHCP anyway for people with laptops that move around and that are not always on your network and who sometimes don't even have admin rights on their laptop.

      • by sapgau (413511)

        Ironic that a tech company "leader" doesn't have a policy for this.

    • Using .local is a bad idea, because it's also the domain used for mDNS. This caused quite a few places problems when they started getting Macs with mDNS support appearing on the network. Now most operating systems support it, so people have had to work around it. For a while, some systems were putting .local in the search domains list, which made things all sorts of fun...

    • by gidoca (2726773)

      Not everyone has a domain - what about my home network? Do I need to reserve a domain specifically for that?

  • by Mitchell314 (1576581) on Tuesday July 16, 2013 @03:28AM (#44293655)

    Currently, 25 percent of queries to the domain name system are for devices and computers that do not exist, suggesting the companies are already leaking information to the Internet

    And how many of those are due to actual people as opposed to confused webcrawlers looking up dead links?

    "Oh hai, a new webpage. Lookie, a link. hddp://mywobsite.youspace.com/forum/?post=1. Oh, there's nothing there.
    Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=2. Oh, there's nothing there
    Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=3. Oh, there's nothing there"

    ...

    • by DriedClexler (814907) on Tuesday July 16, 2013 @05:11AM (#44294135)

      True. At the same time, though, I remember that for a while my favorite site was donotreply.com, where the owner would post emails he got as a result of organizations listing email addresses in the @donotreply.com domain. Apparently, even major security firms made it easy to accidentally reply confidential information to whoever happened to own donotreply.com.

    • by Anonymous Coward

      And on that point, Google actually have a silly number of spiders crawling deepnet links these days such as queried pages, pages needing logins and so on.

      Not sure which year they started that, but it was a good while ago now. (maybe 5+ years ago)

      It could easily just be Google crawlers brute-forcing things that might have existed, or may still possibly exist, or might just be down. (due to Google)

  • by Anonymous Coward on Tuesday July 16, 2013 @03:35AM (#44293677)

    why were they using invalid domains in the first place?

    Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.

    Even without these objections, ICANN is just fscking around (for money, it ain't cheap to sup at their table), and blaming what the rest of the world may or may not have done is not really constructive here.

    • why were they using invalid domains in the first place?

      Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.

      The answer is "because there are a lot of idiots passing themselves off as network engineers who actually don't have a clue". It's *never* been sane to pick arbitrary unreserved addresses in any network address space and assume they won't ever be used. And frankly I've seen this time and time again, including such craziness as people picking arbitrary unallocated IPv4 networks to use internally instead of RFC1918 networks, and then being surprised when things start breaking after those networks have been allocated out to a third party.

  • by Opportunist (166417) on Tuesday July 16, 2013 @03:49AM (#44293737)

    Seriously, the internet has reached a level of growth where ANY major change like that WILL invariably break something that grew along with it. And we didn't even reach the point yet where this alone is obviously a serious business advantage or drawback, depending on who gets certain TLDs. Who gets to have .mail? Who gets .web? Who is the lucky dog who gets that license to print money? And, worse, to keep certain people from using it at all, preferably those that would present a competitor to them?

    Who gets to use .$well_known_name? .exchange? .office? Or how about .gates? .jackson?

    If this does anything, it just opens up a new round of domain name turf wars and domain squatting. Only this time, there is no escape from the squatter. There is no $name.$land when $name.com is held for ransom.

    • Whatever you pick, however much it cost you, someone will use their trademarks and copyrights to sue you for it, plus damages.

      • Ferrero might disagree [internatio...office.com].

        But rest easy, of course they made certain to get the ".kinder" domain before ANYONE could DARE to snatch it from them.

        And let's not go for funny little tidbits like Apple Computers vs. Apple Records. It's not so unlikely that people register the same trademark if it is a common name. And don't tell me there aren't many trademarked names that actually come from either normal words (where the trademark consists to a good deal of a picture, which is pretty moot when it comes to domain n

        • Just noticed the link wants a login now. Odd. But essentially it's about Ferrero losing the lawsuit for the "kinder.at" domain name to a charity organization. Use the search engine of your choice to find out details if interested.

      • Trademarks only matter if they are using the same words in the same industry. Or at least that's how it used to be; maybe domain names are different somehow. Squatters don't have an industry really.

    • "Who gets to have -?"

      The highest bidder, of course.

    • by gl4ss (559668)

      they're opening the can of worms because for them it's actually a can of cash and can of need-to-be for otherwise useless guys.

      • Then why do WE agree to partake in the can-of-worms-opening?

        Do I need a new TLD? For all I care they can keep it.

  • The Internet ought not evolve, because some network admins at companies don't know how to use it properly? Is that the argument? I'd say that's a rather bad argument.

    • Re:Sooo... (Score:5, Insightful)

      by Overzeetop (214511) on Tuesday July 16, 2013 @06:41AM (#44294541) Journal

      The internet is critical infrastructure now.

      Would you suggest changing the mains voltage for the US power grid? "Evolving" to 220v would reduce substation transformer requirements and reduce copper usage in residential construction. Or perhaps people don't know how to use electricity properly, so screw them when nothing works.

    • I think we're saying the internet ought not evolve bug mandibles and a third arm growing out of its forehead. Arbitrary TLDs are just bad design.

  • by tlambert (566799) on Tuesday July 16, 2013 @04:11AM (#44293847)

    This is a BS article.

    The main concern includes using internal gTLDs for internal use. In the article, they call this a "split brain DNS". When I wrote the IETF Draft, we called it "split horizon DNS". Implementing it requires specific modifications to a DNS server so that it can be both a forwarding server and an authoritative server at the "." level, and there is practically no DNS server out there which implements it. Certainly, the top 4 don't. In addition, browser completion into ".com" by default means that any typo will take you outside the company, so it's an idiotic example anyway.

    The real issue is that if there are 1000 TLDs, all the companies that stupidly equate the DNS namespace with the trademark namespace will, in order to "defend their trademarks", feel they have to register their trademarks as domain names with 1000's of registrars. They don't like this.

    As a pointed example, we used to maintain the top level DNS servers for free; it was a volunteer thing, and Paul Vixie did most of the work. Then the idiots at Dupont went off and registered over 400 domains in a single day, and that was it; that was too much work to expect the volunteers to do for free, and so they decided not to do so. Thereafter you paid for registration. Then people decided they could make a good profit at it, and instead of paying for a change to the TLD subdelegation record. And the whole "let's rent domain subdelegations of TLDs instead of selling them was born".

    So back to Dupont... 400 domains * 1000 registrars * $30 average per year = $12M

    Expect legislation protecting trademarks across all TLDs to follow shortly on this whole fiasco.

    • This is a BS article.

      The main concern includes using internal gTLDs for internal use. In the article, they call this a "split brain DNS". When I wrote the IETF Draft, we called it "split horizon DNS". Implementing it requires specific modifications to a DNS server so that it can be both a forwarding server and an authoritative server at the "." level, and there is practically no DNS server out there which implements it. Certainly, the top 4 don't.

      I think this is untrue - I'm pretty sure you could use Bind's RPZ functionality to do this. Although why you would is anyone's guess.

      However, that doesn't seem to be what the article is talking about. The article is talking about your DNS server being nonauthoritative (and forwarding) at the . level, but authoritative for (for example) "exchange.", "corp.", etc. which is, of course, fully supported in any DNS server because that's how DNS works.

      In addition, browser completion into ".com" by default means that any typo will take you outside the company, so it's an idiotic example anyway.

      What browsers complete to .com by default? Firefox, at least,

  • by ArsenneLupin (766289) on Tuesday July 16, 2013 @04:58AM (#44294057)
    ... why are certification agencies issuing certificates for such fake domains? Even if the domains remain non-existent, it's asking for trouble!

    Just imagine if company A asks for a certificate for mail.corporate, but then uses it for industrial espionage against company B's mail.corporate server...

  • by tverbeek (457094) on Tuesday July 16, 2013 @07:17AM (#44294703) Homepage
    "why were they using invalid domains in the first place?"

    Because they could. Because it was an easy solution. Because no one could imagine that ICANN would someday be so broken that .local or .office or .internal could ever possibly be a valid TLD.

  • This is mostly FUD.

    Regarding external certificates, most certification agencies (at least those that are members of the https://www.cabforum.org/ [cabforum.org]) have stopped issuing certificates for invalid domain names for any date later than November 1st 2015. They put this policy in place on Nov 1st 2012. Any such certificates that might be marked as valid beyond that date will be revoked on October 1st 2016.

    Now, there may be a concern with internal certificates for such domains, but that is for the internal policy o

  • Another way to look at it: why were they using invalid domains in the first place?

    Another way to look at it: why are they being dependent on an external TLD structure for their security mechanism?

  • I'm sure major entities [wikipedia.org] already re-route [wikipedia.org] things like .com, .net, and .org to "internal" sites on an as-needed basis.

    Let the Balkanization of the Internet begin^H^H^H^H^Hcontinue.

  • If you have internal systems facing the internet where just using the right domain name would unveil what is inside to all the world, the one that "broke it" is you, either by designing "security" that way or choosing vendors that force you to work that way. Depending on the ignorance of the remote side is a bad security measure (or better, is a good insecurity measure).

    In fact, probably is good that something makes evident that you have an open insecure system in internet. The bad guys (including NSA and

  • Old news. This has been an issue for YEARS.

    Microsoft used to use and even advocate .local in many of its articles and educational documentation even after it became used by Multicast DNS / mDNS and other systems (http://en.wikipedia.org/wiki/.local)

    It was only recently that they stopped, when the SSL registrars would no longer accept .local for certificates.

    I have also seen several networks using .int for internal domains even though those were used for international organizations for a LONG time. Same as wit

  • It might be worthwhile to define some "reserved" TLDs for private use, as we have 10/8, 192.168/16, 172.16/18 for IP addresses, so we can ensure that anybody using a reserved TLD does not have to worry about it being allocated in the future.
