Generic TLDs Threaten Name Collisions and Information Leakage
CowboyRobot writes "As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than 1,000, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies. Two major issues could cause problems for companies: If domain names that are frequently used on a company's internal network — such as .corp, .mail, and .exchange — become accepted gTLDs, then organizations could inadvertently expose data and server access to the Internet. In addition, would-be attackers could easily pick up certificates for domains that are not yet assigned and cache them for use in man-in-the-middle attacks when the specific gTLD is deployed."
Another way to look at it: why were they using invalid domains in the first place?
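The two leakage problems the summary describes (internal-only names escaping to public resolvers, and internal suffixes that collide with newly delegated gTLDs) can be audited from an ordinary resolver query log. The following is an added example written for this page; it is not code from the article, from ICANN or from any DNS vendor. The log format, the `INTERNAL_SUFFIXES`, `INTERNAL_RESOLVERS` and `DELEGATED_TLDS` values and every log line are constructed for illustration; a real audit would load the current root zone from IANA instead of the hard-coded snapshot.

```python
"""Audit a recursive resolver's query log for internal-namespace leakage and
gTLD name collisions.  Added example for this thread, not code from the
article or from any DNS vendor; the log format, the suffix lists and the
DELEGATED_TLDS snapshot are all constructed for illustration."""
from collections import Counter

# RFC 2606 reserves these for testing/documentation; RFC 6762 reserves .local for mDNS.
RFC2606_RESERVED = {"test", "example", "invalid", "localhost"}
MDNS_RESERVED = {"local"}

# Hypothetical, incomplete snapshot of TLDs delegated in the root zone.  In a
# real audit pull the current root zone (e.g. from IANA) instead of hard-coding.
DELEGATED_TLDS = {"com", "net", "org", "biz", "info", "exchange", "mail"}

# Suffixes this (hypothetical) organisation uses on its intranet.
INTERNAL_SUFFIXES = ["corp", "local", "lan", "exchange", "internal.example.com"]

# Resolvers that are allowed to see internal names; anything else is "outside".
INTERNAL_RESOLVERS = {"10.0.0.53"}

# Constructed log lines: <client> query: <name> <class> <type> via <resolver>
SAMPLE_LOG = """\
10.0.0.12 query: mail.corp IN A via 10.0.0.53
10.0.0.12 query: wiki.corp IN A via 8.8.8.8
10.0.0.44 query: printer.local IN A via 8.8.8.8
10.0.0.44 query: www.example.org IN A via 8.8.8.8
192.168.1.9 query: intranet.internal.example.com IN A via 10.0.0.53
192.168.1.9 query: owa.exchange IN A via 1.1.1.1
"""


def parse_log(text):
    """Turn the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[1] != "query:" or parts[5] != "via":
            continue
        records.append({
            "client": parts[0],
            "name": parts[2].lower().rstrip("."),
            "type": parts[4],
            "resolver": parts[6],
        })
    return records


def matches_suffix(name, suffix):
    """True if name is suffix itself or a subdomain of it (label-aligned)."""
    return name == suffix or name.endswith("." + suffix)


def classify_suffix(suffix, delegated=DELEGATED_TLDS):
    """Explain how risky an internal suffix is against the given root-zone snapshot."""
    tld = suffix.rsplit(".", 1)[-1]
    if "." in suffix and tld in delegated:
        return "owned-subdomain"      # e.g. internal.example.com: safe if you own example.com
    if suffix in RFC2606_RESERVED:
        return "reserved-rfc2606"     # never delegated, but its semantics are not "intranet"
    if suffix in MDNS_RESERVED:
        return "reserved-mdns"        # .local: collides with Bonjour/mDNS on the LAN
    if suffix in delegated:
        return "collision"            # a public gTLD now exists with this name
    return "unregistered"             # works today, could be delegated tomorrow


def leaked_queries(records, suffixes=INTERNAL_SUFFIXES, resolvers=INTERNAL_RESOLVERS):
    """Internal-suffix lookups that were answered by a resolver outside the organisation."""
    leaks = []
    for r in records:
        if r["resolver"] in resolvers:
            continue
        for s in suffixes:
            if matches_suffix(r["name"], s):
                leaks.append((r["client"], r["name"], r["resolver"], classify_suffix(s)))
                break
    return leaks


def leak_summary(records):
    """Count leaked queries per risk class, for a quick report."""
    return Counter(kind for _, _, _, kind in leaked_queries(records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, name, resolver, kind in leaked_queries(recs):
        print(f"{client} sent {name} to {resolver} ({kind})")
    print(dict(leak_summary(recs)))
```

Run as a script it lists the three leaked lookups (wiki.corp, printer.local and owa.exchange) with their risk class; the `collision` class is the case the summary warns about, where a query that used to fail harmlessly now reaches a server the registrant of the new gTLD controls.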
What's worse.. (Score:4, Insightful)
I used to work for a company where some uncommon but in-use domain names were being used on the intranet, and were overriding the Internet ones.. A real pain in the ass.
Re: (Score:1)
An external site (with a TLD not hidden by one of your internal TLDs) may link to domains in the external TLD which are hidden by your internal TLD. If you browse that site from your intranet, for you that link will point to the internal domain instead. Which means any interactions from the web page meant to go to the external site will instead go to the internal site.
Re: (Score:3)
Likewise, if your users are set up to use the internal domain but are external to the network, it is an easy MITM attack.
Re:What's worse.. (Score:4, Informative)
Q: "Why were they using invalid domains in the first place?"
A: Two words: "Active Directory". .corp .labs .legal
Planning a non-Internet accessible directory infrastructure with AD's Internet namespace rooting has commonly resulted in the deliberate planning for alternative, corporate designated roots, by IT departments. I'm not saying it is right or wrong, but I ran across this frequently in years consulting and doing pen/vuln.
Re: (Score:1)
Nice rant about not being able to print through the VPN but I bet there are several reasons for this.
1) Some MBA decided to cut costs by cutting printing down
2) It's a management decision for what ever reason - handed down to IT
3) It's due to an idiot that doesn't know how to configure a VPN to allow printing - happens all the time
4) Company may have a requirement that all docs are PDF for review/storage reasons instead of hardcopy
Instead of ranting on /. about it, ask the IT dept why. You may be surprised a
Obviously the other IT dept has been asked. (Score:2)
Not being able to print is the tip of the iceberg. That was one example of a local resource being blocked by stupid VPN dogmatism. There are many more! Here's one: You have an end user who needs to VPN-connect from a business partner site to use a single app. You've forced all the traffic from the end user through the VPN tunnel (as advocated in the post inspiring the rant) so now the end user cannot re
Re: (Score:2)
Salesman uses laptop to connect to internal domain over company wifi in the office. Goes to Starbucks later and connects to the very same domain name on the very same laptop and application, but since it's the Starbucks wifi it goes to the wrong place.
Re: (Score:3)
Did you deliberately completely ignore what I wrote, or are you *that* stupid?
Improve the world, slit your wrists.
That said, you said nothing about locked down laptops and in general, BYOD is the new black. You asked why namespace separation fails and I told you. Alas, you just wanted to thump your chest and blow out massive fart clouds. Please make that intent more clear next time so you can get your troll mod and move on.
Re: (Score:3)
I heard of a place where youtube.com redirected to a feed of the office CCTV cameras and a message stating "this event has been logged".
That's why I have been giving my internal (Score:5, Insightful)
That's why I have been giving my internal domains silly names like .zyxprivnet for at least 15 years...
It would be nice to reserve some domain names for internal use though, just like internal IP addresses.
Re:That's why I have been giving my internal (Score:5, Insightful)
It would be nice to reserve some domain names for internal use though, just like internal IP addresses.
That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better ban them as prefixes so .private-kellogs and .private-audi, etc can never be registered on the internet.
Re:That's why I have been giving my internal (Score:5, Insightful)
I actually tried to get a TLD reserved for "RFC1918" style use about 12+ years ago: http://tools.ietf.org/html/draft-yeoh-tldhere-01 [ietf.org]
I also tried the ICANN but they weren't interested either. And when they approved stuff like .biz, .info, I got the impression they weren't really interested in improving the Internet from a technical aspect but more interested in $$$$. Did the creation of .biz etc really help the Internet that much?
Maybe others may have more success trying it now?
Re:That's why I have been giving my internal (Score:4, Interesting)
I think .biz was helpful, in that I don't trust any domain name that ends in .biz.
Re: (Score:3)
[offtopic] scary that with just your one post, I now know your name and address as they are posted at the bottom of your draft RFC [/offtopic]
Re:That's why I have been giving my internal (Score:5, Interesting)
I wonder which three letter organization icann will be giving .onion to :/
Re: (Score:1)
I wonder which three letter organization icann will be giving .onion to :/
Clearly it will be: T.H.E. because what other use would there be on the internet besides the.onion ;-)
Re: (Score:2)
I would suspect NRL [wikipedia.org], since they're the ones who sponsored the TOR project in the first place.
Re:That's why I have been giving my internal (Score:5, Insightful)
It would be nice to reserve some domain names for internal use though, just like internal IP addresses.
That's a really insightful comment. Reserve .private, .internal, .reserved and a few others for internal use. Even better ban them as prefixes so .private-kellogs and .private-audi, etc can never be registered on the internet.
I've always advocated using your own FQDN for internal networks. If you own example.com, then put your internal stuff on internal.example.com - dead easy, job done. This gets even easier with Bind's RPZ functionality - you don't even need the "internal" subdomain; you can just add/replace RRs in your main domain, which is rather useful where you want different servers to handle your internal and external access (e.g. mail.example.com can point at an internal mail server when inside your LAN, and an external mail server for anyone on the internet).
However, a lot of people decide to use random TLDs for this instead - in particular I've got a number of customers who, under the advice of supposedly qualified network engineers, set up their networks to operate on the .local TLD. This, of course, now becomes a problem since .local is normally used by mDNS, so we end up with conflicting names and all sorts of problems.
I would guess you're relatively safe using .localnet (since traditionally localhost is localhost.localnet) if you really must use a non-globally-unique domain name, but IMHO it solves a lot of problems in the long run if you just use a proper FQDN for everything (not least because you don't end up with naming conflicts if you merge LANs together at a later date).
Another thing to consider is: if you're basing your security on reverse DNS lookups then you're an idiot, since the attacker can trivially set their reverse DNS to anything, valid or not.
Re: (Score:3)
I.E. We may see sales.example.com/wiki and think of it as a very logical place to put a Wiki site for collaboration for the sales department of our organization. However, your average person who is of the intelligence level of sales is
Re: (Score:3)
I.E. We may see sales.example.com/wiki and think of it as a very logical place to put a Wiki site for collaboration for the sales department of our organization. However, your average person who is of the intelligence level of sales is going to see asdfgqwerty.example.com/zxcvbnm and think where do we keep the sales notes. If you set it up at http://notes.sales/ [notes.sales] they may actually have a chance to remember that.
I'd hope that the average employee would know who their employer is. i.e. if you're employed by Example Ltd. you might expect everything to be under example.com... In any case, all this would usually be linked from a company-wide intranet. Your example of sticking things under http://notes.sales/ [notes.sales] increases the complexity, because now your users are going to have to understand that they need to use "notes.sales" when they're inside the company's network and "notes.sales.example.com" when they're outside th
Re: (Score:3)
It (.local) was actually official MS advice for a long time http://en.wikipedia.org/wiki/.local#Microsoft_recommendations [wikipedia.org]
I tend to think Apple made a poor choice given the pre-existence of lots of .local domains in use (default on Small Business Server 2000 from memory, and supported by http://support.microsoft.com/kb/296250 [microsoft.com])
I'm more familiar with .localdomain than .localnet, but it wasn't in wide use until long after .local became popular (though to be fair I can find at least one reference to it as far ba
Re: (Score:2)
It (.local) was actually official MS advice for a long time http://en.wikipedia.org/wiki/.local#Microsoft_recommendations [wikipedia.org]
I tend to think Apple made a poor choice given the pre-existence of lots of .local domains in use (default on Small Business Server 2000 from memory, and supported by http://support.microsoft.com/kb/296250 [microsoft.com])
I think that both of them made a terrible choice.
Microsoft advised using a domain that (by their own admission) "At the present time, the .local domain name is not registered on the Internet." Not sure how that could ever have struck them as a bright idea. I guess MS was arrogant enough to think the rest of the world would bend to accommodate their de-facto standards rather than bothering to get them properly ratified.
Apple then went along and chose a name that they knew was already widely in use, per offi
Re: (Score:2)
Agreed. To be fair, I was just defending the "supposidly qualified network engineers" [sic].
I just find Apple's move a little more douchy given .local would have been discovered by a google at that time, probably.
Re:That's why I have been giving my internal (Score:5, Insightful)
oh, like .local ? >_>
Re: (Score:3)
.local is used in mDNS (also known as Zeroconf or Bonjour).
.localhost, however, is reserved in RFC 2606 [ietf.org].
Re: (Score:1)
The ".localhost" TLD has traditionally been statically defined in
host DNS implementations as having an A record pointing to the
loop back IP address and is reserved for such use. Any other use
would conflict with widely deployed code which assumes this use.
Seems like that won't do either.
Re:That's why I have been giving my internal (Score:5, Interesting)
No. .local is for different usage:
http://tools.ietf.org/html/rfc6762 [ietf.org]
Sure took them a long while to reserve that too.
I proposed reserving a "RFC1918" like TLD about 12+ years ago, but there was not enough interest: http://tools.ietf.org/html/draft-yeoh-tldhere-01 [ietf.org]
I did try via the ICANN (emailed them to ask them to reserve it). But the ICANN were more interested in "yet another dotcom tld" like .biz .info.
And I didn't have a spare USD100k lying around to apply for the TLD through ICANN, and give it to the world if I even succeeded in getting it.
Re:That's why I have been giving my internal (Score:4, Insightful)
You can use .test, .example, .localhost and .invalid: http://tools.ietf.org/html/rfc2606 [ietf.org]
The use of these TLDs is somewhat defined and not quite similar to the "intranet"-type use you describe, but at least they're available for private use and nobody will bother you if you use, for example, ".invalid" for your internal domains.
On the other hand, why not simply use subdomains of an actual domainname you own?
If you own example.com, you could use intranet.example.com or perhaps privateserver.internal.example.com
It would be nice if something like ".intranet" could be a reserved TLD.
Re: (Score:3)
Oh also, that rfc dates back a little. Things change and I wouldn't be surprised if they created a .example top domain at some point for something like teaching purposes.
Back then, a domain couldn't start with a number and nowadays we have 2600.org.
I think we need a new RFC with some reserved prefix like .intern
So .internmyproject1 .internmail .internnews .internanything would be guaranteed never to be used.
Re: (Score:3)
AFAIK, it still holds. A while back some idiots thought it would be smart to redirect all failed .com domains, so maybe example.com was also a victim of that. But this was quickly reverted after public outcry.
Re: (Score:2)
Oh also, that rfc dates back a little. Things change and I wouldn't be surprised if they created a .example top domain at some point for something like teaching purposes.
example.com and example.org are explicitly registered for this purpose.
Re: (Score:3, Interesting)
I do realize it's inconceivable, but some people do not own domain names. Well, I do, but they don't really match my internal naming scheme. So, my internal domain is something that wasn't valid until they came up with the stupid gTLD concept: shark species as hostname, domain "sharks" on my network and in a similar vein Kiplings Jungle Book characters as hostnames and "jungle" as domain for my parents network. This works f
Re:That's why I have been giving my internal (Score:4, Funny)
You can use .test, .example, .localhost and .invalid. ...and nobody will bother you if you use, for example, ".invalid" for your internal domains.
Some CEOs and PHBs might ;).
Re: (Score:3)
Some CEOs and PHBs might ;).
Indeed. The proper usage these days is .challenged.
Invalids and GIMP haters (Score:2)
Re: (Score:2)
How about: Because I don't own any... and I shouldn't need to for private use!
Re: (Score:3)
That's why I have been giving my internal domains silly names like .zyxprivnet for at least 15 years...
zyxprivnet sounds like a cool gTLD to register... i'll get right on it.
On the other hand... .LOCAL and .LAN are unlikely to be allowed as a TLD; since .LOCAL has prior use by Apple for Bonjour/Multicast DNS.
Also, .INVALID and .LOCALDOMAIN are reserved private TLDs.
Why not use real domains instead? (Score:4, Informative)
It's much better to use a real domain which you actually own and will remember to renew.
Re: (Score:3)
Sometimes you work on small experimental projects where it is too bothersome to ask your big brother for a subdomain name. Example: mysmallproject.ibm.com.
You just come up with a domain name to make things more simple for people working on your LAN. example: .zyx1999prj
You can't forget to renew them because there is no renewing authority. You just made the tld up yourself!
Re:Why not use real domains instead? (Score:4, Insightful)
Have you ever worked for IBM or any other big corporation? You will have to go through 7 levels of approval, impact analysis, cost analysis, get about 50 people involved etc. and wait several months, Nah ;-)
Note that, of course, I always create subdomains when I have control of the domain or when it is easy to get in touch with the person who does. Read: smaller companies.
> Have you ever worked for IBM or any other big corporation? You will have to go through 7 levels of approval, impact analysis, cost analysis, get about 50 people involved etc. and wait several months
I can't understand why big organizations can't delegate responsibility for subdomains so that this isn't a problem. Once an internal unit of Example Corp (example.com) goes through the internal hoops to get the foo.example.com subdomain, they ought to handle the process when someone wants bar.foo.example.com.
Re: (Score:2)
In that case, simply edit your hosts file and add your own entry for project123.ibm.com. Your first DNS server is your computer... unless you've changed the default host.conf
Re: (Score:2)
If you choose to go the /etc/hosts file route, then you do not need a domain name at all. Host names will suffice.
On the other hand, I prefer DNS and I do not know any other way than using a zone file to cause hostnames to resolve to IP addresses. I might use the hosts file for something with at most 5 machines that need to know each other
You need DNS and DHCP anyway for people with laptops that move around and that are not always on your network and who sometimes don't even have admin rights on their laptop.
I don't like numbers without context . . . (Score:5, Interesting)
Currently, 25 percent of queries to the domain name system are for devices and computers that do not exist, suggesting the companies are already leaking information to the Internet
And how many of those are due to actual people as opposed to confused webcrawlers looking up dead links?
"Oh hai, a new webpage. Lookie, a link. hddp://mywobsite.youspace.com/forum/?post=1. Oh, there's nothing there.
Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=2. Oh, there's nothing there
Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=3. Oh, there's nothing there"
Re:I don't like numbers without context . . . (Score:5, Interesting)
True. At the same time, though, I remember that for a while my favorite site was donotreply.com, where the owner would post emails he got as a result of organizations listing email addresses in the @donotreply.com domain. Apparently, even major security firms made it easy to accidentally reply confidential information to whoever happened to own donotreply.com.
Re: (Score:1)
And on that point, Google actually have a silly number of spiders crawling deepnet links these days such as queried pages, pages needing logins and so on.
Not sure which year they started that, but it was a good while ago now. (maybe 5+ years ago)
It could easily just be Google crawlers brute-forcing things that might have existed, or may still possibly exist, or might just be down. (due to Google)
Unknown lamer unknowledgeable and lame, news at 11 (Score:4, Insightful)
why were they using invalid domains in the first place?
Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.
Even without these objections, ICANN is just fscking around (for money, it ain't cheap to sup at their table), and blaming what the rest of the world may or may not have done is not really constructive here.
Re:Unknown lamer unknowledgeable and lame, news at (Score:4)
why were they using invalid domains in the first place?
Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.
The answer is "because there are a lot of idiots passing themselves off as network engineers who actually don't have a clue". It's *never* been sane to pick arbitrary unreserved addresses in any network address space and assume they won't ever be used. And frankly I've seen this time and time again, including such craziness as people picking arbitrary unallocated IPv4 networks to use internally instead of RFC1918 networks, and then being surprised when things start breaking after those networks have been allocated out to a third party.
Why open that can of worms at all? (Score:4, Insightful)
Seriously, the internet has reached a level of growth where ANY major change like that WILL invariably break something that grew along with it. And we didn't even reach the point yet where this alone is obviously a serious business advantage or drawback, depending on who gets certain TLDs. Who gets to have .mail? Who gets .web? Who is the lucky dog who gets that license to print money? And, worse, to keep certain people from using it at all, preferably those that would present a competitor to them?
Who gets to use .$well_known_name? .exchange? .office? Or how about .gates? .jackson?
If this does anything, it just opens up a new round of domain name turf wars and domain squatting. Only this time, there is no escape from the squatter. There is no $name.$land when $name.com is held for ransom.
Re: (Score:2)
Whatever you pick, however much it cost you, someone will use their trademarks and copyrights to sue you for it, plus damages.
Re: (Score:2)
Ferrero might disagree [internatio...office.com].
But rest easy, of course they made certain to get the ".kinder" domain before ANYONE could DARE to snatch it from them.
And let's not go for funny little tidbits like Apple Computers vs. Apple Records. It's not so unlikely that people register the same trademark if it is a common name. And don't tell me there aren't many trademarked names that actually come from either normal words (where the trademark consists to a good deal of a picture, which is pretty moot when it comes to domain n
Re: (Score:2)
Just noticed the link wants a login now. Odd. But essentially it's about Ferrero losing the lawsuit for the "kinder.at" domain name to a charity organization. Use the search engine of your choice to find out details if interested.
Re: (Score:3)
"Who gets to have -?"
The highest bidder, of course.
Re: (Score:2)
they're opening the can of worms because for them it's actually a can of cash and can of need-to-be for otherwise useless guys.
Re: (Score:2)
Then why do WE agree to partake in the can-of-worms-opening?
Do I need a new TLD? For all I care they can keep it.
Sooo... (Score:2)
The Internet ought not evolve, because some network admins at companies don't know how to use it properly? Is that the argument? I'd say that's a rather bad argument.
Re:Sooo... (Score:5, Insightful)
The internet is critical infrastructure now.
Would you suggest changing the mains voltage for the US power grid? "Evolving" to 220v would reduce substation transformer requirements and reduce copper usage in residential construction. Or perhaps people don't know how to use electricity properly, so screw them when nothing works.
Re: (Score:2)
In my opinion, adding the TLD .assholes and reserving it strictly for business cannot do harm.
Re: (Score:3)
I think we're saying the internet ought not evolve bug mandibles and a third arm growing out of its forehead. Arbitrary TLDs are just bad design.
Re: (Score:2)
It wasn't removed...there just aren't any more seeders.
This is a BS article and masks the real issue (Score:5, Informative)
This is a BS article.
The main concern includes using internal gTLDs for internal use. In the article, they call this a "split brain DNS". When I wrote the IETF Draft, we called it "split horizon DNS". Implementing it requires specific modifications to a DNS server so that it can be both a forwarding server and an authoritative server at the "." level, and there is practically no DNS server out there which implements it. Certainly, the top 4 don't. In addition, browser completion into ".com" by default means that any typo will take you outside the company, so it's an idiotic example anyway.
The real issue is that if there are 1000 TLDs, all the companies that stupidly equate the DNS namespace with the trademark namespace will, in order to "defend their trademarks", feel they have to register their trademarks as domain names with 1000's of registrars. They don't like this.
As a pointed example, we used to maintain the top level DNS servers for free; it was a volunteer thing, and Paul Vixie did most of the work. Then the idiots at Dupont went off and registered over 400 domains in a single day, and that was it; that was too much work to expect the volunteers to do for free, and so they decided not to do so. Thereafter you paid for registration. Then people decided they could make a good profit at it, and instead of paying for a change to the TLD subdelegation record. And the whole "let's rent domain subdelegations of TLDs instead of selling them" was born.
So back to Dupont... 400 domains * 1000 registrars * $30 average per year = $12M
Expect legislation protecting trademarks across all TLDs to follow shortly on this whole fiasco.
Re: (Score:2)
Indeed, this needs to be an exception to trademark law as the namespace doesn't actively distinguish between similarly named companies in different lines of work. The UDRP -- warts and all -- does work for disputes if one comes up. That should be a sufficient starting place for encroachment if someone is attempting to mimic you.
Every company in America should not have to license 800000000000000000000 domain names "because TM".
-l
Re: (Score:2)
This is a BS article.
The main concern includes using internal gTLDs for internal use. In the article, they call this a "split brain DNS". When I wrote the IETF Draft, we called it "split horizon DNS". Implementing it requires specific modifications to a DNS server so that it can be both a forwarding server and an authoritative server at the "." level, and there is practically no DNS server out there which implements it. Certainly, the top 4 don't.
I think this is untrue - I'm pretty sure you could use Bind's RPZ functionality to do this. Although why you would is anyone's guess.
However, that doesn't seem to be what the article is talking about. The article is talking about your DNS server being nonauthoritative (and forwarding) at the . level, but authoritative for (for example) "exchange.", "corp.", etc. which is, of course, fully supported in any DNS server because thats how DNS works.
In addition, browser completion into ".com" by default means that any typo will take you outside the company, so it's an idiotic example anyway.
What browsers complete to .com by default? Firefox, at least,
And more importantly... (Score:5, Insightful)
Just imagine if company A asks for a certificate for mail.corporate, but then uses it for industrial espionage against company B's mail.corporate server...
Re: (Score:2)
Count me in.
It's the current DNS system that's flawed, no matter what TLD's there are or not. It is time to abolish the old system.
DNS management must be decentralized, everyone who connects to the Internet should be automatically in charge of it (by running a p2p DNS search node), domain names ought to be arbitrary, free and strictly distributed on a first come, first served basis. There are plenty of working models that would prevent abuse and contrary to what some people claim security is NOT an issue (a
why were they using invalid domains in the first.. (Score:4, Informative)
Because they could. Because it was an easy solution. Because no one could imagine that ICANN would someday be so broken that
FUD (Score:2)
This is mostly FUD.
Regarding external certificates, most certification agencies (at least those that are members of the https://www.cabforum.org/ [cabforum.org] have stopped issuing certificates for invalid domain names for any date posterior to November 1st 2015. They put this policy in place on Nov 1st 2012. Any such certificates that might be marked as valid beyond that date will be revoked on October 1st 2016.
Now, there may be a concern with internal certificates for such domains, but that is for the internal policy o
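The two posts above disagree about how much the certificate side of this matters: one points at a `mail.corporate` certificate being reused against another company's `mail.corporate`, the other at the CA/Browser Forum phase-out of certificates for names that are not registered in the public DNS. Whether an existing certificate carries such an "internal name" is something you can check from its subjectAltName extension. The following is an added example written for this page, not code from the thread, from the CA/Browser Forum or from any CA's tooling: it decodes the dNSName entries of a DER-encoded SAN value with a minimal tag-length-value walker and flags names whose last label is not a delegated TLD. `SAMPLE_SAN` is built by the `encode_san` helper from constructed names, and `DELEGATED_TLDS` is a hypothetical, incomplete snapshot of the root zone; a real check would use a full X.509 parser and the current root zone.

```python
"""Decode dNSName entries from an X.509 subjectAltName and flag 'internal names'
(last label not a delegated TLD).  Added example for this thread; the SAN bytes
are constructed via encode_san(), and DELEGATED_TLDS is a hypothetical snapshot."""

# Hypothetical, incomplete snapshot of TLDs delegated in the root zone.
DELEGATED_TLDS = {"com", "net", "org", "info", "biz"}


def _der_len(n):
    """DER length encoding: short form below 128, long form (0x80 | k, then k bytes) above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def san_dns_names(san_der):
    """Return the dNSName strings from a DER SubjectAltName (SEQUENCE OF GeneralName)."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag == 0x82:                    # GeneralName [2] IMPLICIT IA5String = dNSName
            names.append(value.decode("ascii").lower().rstrip("."))
        # other GeneralName choices (rfc822Name [1], iPAddress [7], ...) are skipped
    return names


def encode_san(dns_names):
    """Build a DER SubjectAltName containing only dNSName entries (for constructing samples)."""
    body = b"".join(bytes([0x82]) + _der_len(len(n)) + n.encode("ascii") for n in dns_names)
    return bytes([0x30]) + _der_len(len(body)) + body


def internal_names(dns_names, delegated=DELEGATED_TLDS):
    """Names a public CA cannot validate through the public DNS: single labels, or a
    last label that is not a delegated TLD.  Wildcards are judged by their suffix."""
    flagged = []
    for n in dns_names:
        labels = n.split(".")
        if len(labels) < 2 or labels[-1] not in delegated:
            flagged.append(n)
    return flagged


# Constructed SAN: one public name and three names that only mean something on a LAN.
SAMPLE_SAN = encode_san(["mail.example.com", "mail.corp", "owa.exchange", "exchange01"])

if __name__ == "__main__":
    names = san_dns_names(SAMPLE_SAN)
    print("SAN dNSNames:", names)
    print("internal names today:", internal_names(names))
    # The collision case from the thread: once .exchange is delegated the same
    # certificate's owa.exchange entry looks like an ordinary public name.
    print("after .exchange is delegated:", internal_names(names, DELEGATED_TLDS | {"exchange"}))
```

The last line of the script is the point of the "And more importantly..." post: the name that was flagged as internal while `.exchange` was undelegated stops being flagged the moment the gTLD exists, so a certificate obtained earlier is exactly what a man-in-the-middle against the newly public name needs.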
Another way to look at it (Score:2)
Another way to look at it: why were they using invalid domains in the first place?
Another way to look at it: why are they being dependent on an external TLD structure for their security mechanism?
Nothing new (Score:1)
I'm sure major entities [wikipedia.org] already re-route [wikipedia.org] things like .com, .net, and .org to "internal" sites on an as-needed basis.
Let the Balkanization of the Internet begin^H^H^H^H^Hcontinue.
It broke itself (Score:2)
If you have internal systems facing the internet where just using the right domain name would unveil what is inside to all the world, the one that "broke it" is you, either by designing "security" that way or choosing vendors that force you to work that way. Depending on the ignorance of the remote side is a bad security measure (or better, is a good insecurity measure).
In fact, probably is good that something makes evident that you have an open insecure system in internet. The bad guys (including NSA and
.local issues (Score:2)
Old news. This has been an issue for YEARS.
Microsoft used to use and even advocate .local in many of its articles and educational documentation even after it became used by Multicast DNS / mDNS and other systems (http://en.wikipedia.org/wiki/.local)
It was only recently that they stopped, when the SSL registrars would no longer accept .local for certificates.
I have also seen several networks using .int for internal domains even though those were used for international organizations for a LONG time. Same as wit
Reserved TLDs (Score:2)