Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

ISC Stormcast For Wednesday, May 25th 2016

Stop Using "internal" Top Level Domain Names

Published: 2016-05-25
Last Updated: 2016-05-25 02:40:01 UTC
by Johannes Ullrich (Version: 1)
4 comment(s) this week warned again that internal top level domain names can be used against you, if one of these domains happens to be registered as a new "generic top level domain" (gTLD). Currently, there are about 1200 approved gTLDs , and the number will only increase even though the initial "gold rush" seems to have leveled off somewhat [1] 

US-Cert just sent out a reminder again regarding the use of internal domain names for automatic proxy configuration via WPAD. If this internal, but not officially assigned TLD is all for sudden used on the public internet, then requests may got to a host within that official TLD, instead of your internal TLD. This is in particular a problem for mobile devices that leave your network.

US Cert points out a couple of options, most importantly the use of an actual assigned domain, which should be the preferred solution to this problem. On the other hand, this can be difficult to roll out in a larger network where the internal TLD is used for various purposes. In this case, make sure that at least internally, all queries to this internal TLD are directed to your internal name server.

Regarding gTLDs in general, you may also want to consider blocking some from resolving anyway:

- .zip : This gTLD appears to be assigned to Google, and is currently not used. It could lead to the leaking of .zip file names if mail software and the like interprets the file name as a URL and adds a hyperlink to it.
- .top : From my own experience, this TLD is exclusively used for spam. Let me know if you find  legitimate use of this gTLD


Johannes B. Ullrich, Ph.D.

4 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Technical Report about the RUAG attack
1 day ago by Rick (4 comments)

The strange case of WinZip MRU Registry key
3 days ago by Pasquale Stirparo (2 comments)

Python Malware - Part 2
3 days ago by DidierStevens (0 comments)

EITest campaign still going strong
5 days ago by Brad (1 comment)

TeslaCrypt closes down...Releases master decryption key
5 days ago by Rick (3 comments)

Resources: Windows Auditing & Monitoring, Linux 2FA
6 days ago by Russ McRee (1 comment)

View All Diaries →

Latest Discussions

Google serving up malicious websites in Ads
created 18 hours ago by Anonymous (0 replies)

HTTP(S) from DMZ to internal network
created 1 week ago by Anonymous (0 replies)

ERP software security issues
created 2 weeks ago by AMAS (0 replies)

infocon.txt issue
created 2 weeks ago by Nelson (2 replies)

Issue wit RSS Feed?
created 1 month ago by Matt M. (1 reply)

View All Forums →

Latest News

View All News →

Top Diaries

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected
3 months ago by Dr. J. (24 comments)

Microsoft Patch Tuesday Summary for May 2016
2 weeks ago by Alex Stanford (5 comments)

CVE-2015-7547: Critical Vulnerability in glibc getaddrinfo
3 months ago by Dr. J. (9 comments)

Neutrino exploit kit sends Cerber ransomware
3 weeks ago by Brad (5 comments)

March 2016 Microsoft Patch Tuesday
2 months ago by Alex Stanford (22 comments)