[dns-operations] DNS namespace collisions and "controlled interruption"

Ray Bellis Ray.Bellis at nominet.org.uk
Fri Jan 10 12:26:50 UTC 2014


On 10 Jan 2014, at 11:28, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> I suspect that, in many cases, the leak comes from systems which are
> not under the direct control of the system administrator.
> 
> 1) Jane Sysadmin, who works for Acme Corp, decides (wrongly) to use
> .HOME for the local pseudo-TLD of Acme
> 
> 2) Employees of Acme Corp store bookmarks in their Web browser, some
> bookmarks include ".home/", for instance http://corpinfo.home/
> 
> 3) Joe Employee goes back home with his laptop or pad and selects the
> wrong bookmark. Bang! A DNS request for corpinfo.home is done (and
> elicits a 127.0.53.53 response to the poor Joe). But Jane Sysadmin
> will never see it or hear about it. Even the NSA, monitoring the root
> name servers, will not know that it is related to Acme.

That's exactly my theory for many of the bad queries to the root, too.

The other source isn't just bookmarks but links exchanged by email with references to internal URLs.  It happens here, where we often see links with local (unqualified) hostnames instead of FQDNs.

Ray
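As an added example, not from the thread or either poster: a small Python audit that applies the leak mechanism described above to a list of URLs (exported bookmarks, or links harvested from mail archives as Ray describes) and recognises the 127.0.53.53 controlled-interruption answer such a leaked query receives. The suffix set, the function names and every sample URL other than corpinfo.home are assumptions.

```python
from urllib.parse import urlsplit
import ipaddress

# Pseudo-TLDs used internally but not delegated in the public root. ".home" is
# from the thread; replace this assumed set with the organisation's own.
INTERNAL_SUFFIXES = {"home"}

def classify_host(host: str) -> str:
    """Return why a hostname will leak off-network, or 'ok'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) == 1:
        # Completed with whatever search suffix the current network hands out.
        return "unqualified"
    if labels[-1] in INTERNAL_SUFFIXES:
        return "internal-pseudo-tld"  # goes straight to the root when away
    return "ok"

def audit_urls(urls):
    """Map each URL's hostname to its risk class; IP literals never leak."""
    findings = {}
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings[host] = classify_host(host)
    return findings

def is_controlled_interruption(answer: str) -> bool:
    """True if an A answer is 127.0.53.53, the controlled-interruption
    address a newly delegated TLD returns for a colliding name."""
    try:
        return ipaddress.IPv4Address(answer) == ipaddress.IPv4Address("127.0.53.53")
    except ValueError:
        return False

# Constructed sample: the bookmark from the thread plus assumed extras.
SAMPLE_URLS = [
    "http://corpinfo.home/",         # from the thread
    "http://wiki/pages/onboarding",  # unqualified, as Ray describes
    "https://www.example.com/",      # safe public FQDN
    "http://10.0.0.5/admin",         # IP literal, skipped
]

if __name__ == "__main__":
    for host, verdict in audit_urls(SAMPLE_URLS).items():
        print(f"{host:18s} {verdict}")
```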



