Generic TLDs Threaten Name Collisions and Information Leakage 115
CowboyRobot writes "As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than 1,000, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies. Two major issues could cause problems for companies: If domain names that are frequently used on a company's internal network — such as .corp, .mail, and .exchange — become accepted gTLDs, then organizations could inadvertently expose data and server access to the Internet. In addition, would-be attackers could easily pick up certificates for domains that are not yet assigned and cache them for use in man-in-the-middle attacks when the specific gTLD is deployed."
Another way to look at it: why were they using invalid domains in the first place?
Whats worse.. (Score:4, Insightful)
I used to work for a company where some uncommon but in use domain names where being used on the intranet, and where overriding the internet ones.. A real pain in the ass.
That's why I have been giving my internal (Score:5, Insightful)
That's why I have been giving my internal domains silly like .zyxprivnet for at least 15 years...
It would be nice to reserve some domain names for internal use although, just like internal ip addresses.
Re:That's why I have been giving my internal (Score:5, Insightful)
It would be nice to reserve some domain names for internal use although, just like internal ip addresses.
That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better ban them as prefixes so .private-kellogs and .private-audi, etc can never be registered on the internet.
Re:That's why I have been giving my internal (Score:5, Insightful)
oh, like .local ? >_>
Re:That's why I have been giving my internal (Score:4, Insightful)
http://tools.ietf.org/html/rfc2606 [ietf.org] .test, .example, .localhost and .invalid.
You can use
The use of these TLD's is somewhat defined and not quite similar to the "intranet"-type use you describe, but atleast they're available for private use and nobody will bother you if you use, for example, ".invalid" for your internal domains.
On the other hand, why not simply use subdomains of an actual domainname you own?
If you own example.com, you could use intranet.example.com or perhaps privateserver.internal.example.com
It would be nice if something like ".intranet" could be a reserved TLD.
Unknown lamer unknowledgeable and lame, news at 11 (Score:4, Insightful)
why were they using invalid domains in the first place?
Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.
Even without these objections, ICANN is just fscking around (for money, it ain't cheap to sup at their table), and blaming what the rest of the world may or may not have done is not really constructive here.
Why open that can of worms at all? (Score:4, Insightful)
Seriously, the internet has reached a level of growth where ANY major change like that WILL invariably break something that grew along with it. And we didn't even reach the point yet where this alone is obviously a serious business advantage or drawback, depending on who gets certain TLDs. Who gets to have .mail? Who gets .web? Who is the lucky dog who gets that license to print money? And, worse, to keep certain people from using it at all, preferably those that would present a competitor to them?
Who gets to use .$well_known_name? .exchange? .office? Or how about .gates? .jackson?
If this does anything, it just opens up a new round of domain name turf wars and domain squatting. Only this time, there is no escape from the squatter. There is no $name.$land when $name.com is held for ransom.
Re:Why not use real domains instead? (Score:4, Insightful)
Have you ever worked for IBM or any other big corporation? You will have to go through 7 levels of approval, impact analysis, cost analysis, get about 50 people involved etc. and wait several months, Nah ;-)
Note that, of course, I always create subdomains when I have control of the domain or when it is easy to get in touch with the person who does. Read: smaller companies.
Re:That's why I have been giving my internal (Score:5, Insightful)
I actually tried to get a TLD reserved for "RFC1918" style use about 12+ years ago: http://tools.ietf.org/html/draft-yeoh-tldhere-01 [ietf.org]
I also tried the ICANN but they weren't interested either. And when they approved stuff like .biz, .info. I got the impression they weren't really interested in improving the Internet from a technical aspect but more interested in $$$$. Did the creation of .biz etc really help the Internet that much?
Maybe others may have more success trying it now?
And more importantly... (Score:5, Insightful)
Just imagine if company A asks for a certificate for mail.corporate, but then uses it for industrial espionage against company B's mail.corporate server...
Re:Sooo... (Score:5, Insightful)
The internet is critical infrastructure now.
Would you suggest changing the mains voltage for the US power grid? "Evolving" to 220v would reduce substation transformer requirements and reduce copper usage in residential construction. Or perhaps people don't know how to use electricity properly, so screw them when nothing works.
Re:That's why I have been giving my internal (Score:5, Insightful)
It would be nice to reserve some domain names for internal use although, just like internal ip addresses.
That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better ban them as prefixes so .private-kellogs and .private-audi, etc can never be registered on the internet.
I've always advocated using your own FQDN for internal networks. If you own example.com, then put your internal stuff on internal.example.com - dead easy, job done. This gets even easier with Bind's RPZ functionality - you don't even need the "internal" subdomain; you can just add/replace RRs in your main domain, which is rather useful where you want different servers to handle your internal and external access (e.g. mail.example.com can point at an internal mail server when inside your LAN, and an external mail server for anyone on the internet).
However, a lot of people decide to use random TLDs for this instead - in particular I've got a number of customers, who under the advice of supposidly qualified network engineers set up their networks to operate on the .local TLD. This, of course, now becomes a problem since .local is normally used by mDNS, so we end up with conflicting names and all sorts of problems.
I would guess you're relatively safe using .localnet (since traditionally localhost is localhost.localnet) if you really must use a non-globally-unique domain name, but IMHO it solves a lot of problems in the long run if you just use a proper FQDN for everything (not least because you don't end up with naming conflicts if you merge LANs together at a later date).
Another thing to consider is: if you're basing your security on reverse DNS lookups then you're an idiot, since the attacker can trivially set their reverse DNS to anything, valid or not.