Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Stop Using "internal" Top Level Domain Names - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Stop Using "internal" Top Level Domain Names

Cert.org this week warned again that internal top level domain names can be used against you, if one of these domains happens to be registered as a new "generic top level domain" (gTLD). Currently, there are about 1200 approved gTLDs , and the number will only increase even though the initial "gold rush" seems to have leveled off somewhat [1] 

US-Cert just sent out a reminder again regarding the use of internal domain names for automatic proxy configuration via WPAD. If this internal, but not officially assigned TLD is all for sudden used on the public internet, then requests may got to a host within that official TLD, instead of your internal TLD. This is in particular a problem for mobile devices that leave your network.

US Cert points out a couple of options, most importantly the use of an actual assigned domain, which should be the preferred solution to this problem. On the other hand, this can be difficult to roll out in a larger network where the internal TLD is used for various purposes. In this case, make sure that at least internally, all queries to this internal TLD are directed to your internal name server.

Regarding gTLDs in general, you may also want to consider blocking some from resolving anyway:

- .zip : This gTLD appears to be assigned to Google, and is currently not used. It could lead to the leaking of .zip file names if mail software and the like interprets the file name as a URL and adds a hyperlink to it.
- .top : From my own experience, this TLD is exclusively used for spam. Let me know if you find  legitimate use of this gTLD
 

[1] https://newgtlds.icann.org/en/applicants/agb/base-agreement-contracting#stats 
[2] https://www.us-cert.gov/ncas/alerts/TA16-144A

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Johannes

2901 Posts
ISC Handler
Are there any concerns with using the TLD .local?
https://en.wikipedia.org/wiki/.local
https://tools.ietf.org/html/rfc6762
B.J.

2 Posts Posts
This sort of happened to .local a while ago when Apple started fighting Microsoft over unofficial use of this TDL.

At that point I started using the "User Assigned" country TLDs .AA,.ZZ,.QM-.QZ,.XA-.XZ.
These will NOT be assigned https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Decoding_table
UnknownNick

7 Posts Posts
My ignorance may shine through here, but wouldn't this be resolved if ICANN reserved the ".internal" namespace (and/or others) for internal use, much like RFC 1918 and RFC 4193 reserve IP space for internal use?
Anonymous

Posts
There should be private / internal only domain names. Just like there are private non-routable IP addresses (10.x.x.x 192.168.x.x or fc00::/7). Real domain names are not a reasonable solution for a private network. Is anyone aware of a reserved private internal only domain name?
CJ

1 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!