Top level domain explosion could wreak MAYHEM on NET
Suppose you owned '1'. Now you can set up 127.0.0.1 ...
Not your GoDaddy's domain
“It's a bunch of FUD,” he said, referring to the scenarios painted by Ray and other critics. “Yes, if domains like wpad or localhost or localdomain were assigned, bad things might happen. Those domains aren't going to get assigned. It's not like there aren't layers of approval that have to go in place to get a top level domain.”
The ICANN approval process Kaminsky was referring to calls for a $185,000 fee to be tacked onto each TLD application. The hefty charge is intended to winnow down the number of requests, so each one can be closely examined by human beings to make sure the proposed names comply with trademark and security criteria.
“This is not like going to GoDaddy and spending $40 for a domain,” Kaminsky added. “You have a $185,000 fee, and ICANN has a board that looks at this stuff.”
ICANN rules at the moment don't prohibit the registration of any specific TLDs, but the organization's Security, Stability and Advisory Committee in November issued a report (PDF) that obliquely hinted at the security threats end users might face if DNS servers stopped responding to certain invalid TLD requests with the standard "NXDOMAIN" error messages.
“Whereas the NXDOMAIN forces the querying application or user into an error resolution condition, the referral response from a root name server could cause recursion to continue (consider again the .lan scenario describe[d] above), with unpredictable results for the user,” the authors wrote.
The brief reference, buried near the end of the 10-page paper, doesn't warn of the huge opportunity a properly chosen TLD represents to a skilled attacker. What's more, it fails to acknowledge the large number of names that could wreak havoc.
TLDs such as “calicense” (PDF here), for example, or “isatap” could be exploited by attackers to breach corporate or government networks, since those strings are widely used to denote local resources by those deploying software from Computer Associates and Microsoft respectively.
“Basically, if you can control the ISATAP root TLD, you can talk to everyone's Windows machine on the planet with [IPv6 setting] 6in4 configured, since the ISATAP 'router' will be used,” Moore, of Rapid7, wrote in an email. If such names resolve at the DNS root level it “will destroy security on the internet as we know it.”
Innocuous domains aren't
Even TLDs containing innocuous-sounding words such as “accounting,” “mail,” and “search” could potentially be exploited, given the huge number of networks that use them to route local traffic.
“They're going to ignore all the small guys,” Ray, the PhoneFactor researcher, said, referring to the ICANN people responsible for vetting TLD applications for security problems. “Every little admin who hardcoded a short host name in some script somewhere is going to risk collision with a global top level domain unless that capability is somehow disabled entirely, which would imply that you can't actually serve anything from these global top level domains.”
F-Secure Chief Research Officer Mikko Hypponen recently speculated on the damage that could be done with a TLD consisting of the number 1, since it would allow the owner to create a routable host called 127.0.0.1, the IP address for “localhost.”
“While I'm at it, I'll also register 'intra', 'smtp', 'local' and 'mail'...maybe also 'con,'” he said in a follow-up tweet.
The longer term solution to problems such as these, Kaminsky and Vixie said, is to revamp DNS servers so that so-called A records never map an IP address to a single-label address.
Their proposal would close the security hole, but as Ray suggests, it would come at considerable cost. One of the presumed reasons a group or corporation would be willing to spend $185,000 for a TLD such as “nike” or “bank” is to have a website or email address that uses that string alone as the domain name (think http://nike/ or marketing@nike, as opposed to http://www.nike.com or [email protected]). If dotless addresses are eliminated from A records, that won't be possible.
There's no indication ICANN or the Internet Engineering Task Force will be able to enact such a sweeping change by January, when ICANN will start accepting applications for the new TLDs.
The means that members vetting the proposed names better act as if the Sword of Damocles is dangling over their heads. The network they destroy could very well be their own. ®