Widespread adoption of DoH would limit ISPs’ ability to both monitor and modify customer queries. It wouldn’t necessarily eliminate this ability, since ISPs could still use these techniques for customers who use the ISP’s own DNS servers. But if customers switched to third-party DNS servers—either from Google or one of its various competitors—then ISPs would no longer have an easy way to tell which sites customers were accessing.
Google’s website is at the fore of an expected boom in websites taking advantage of a 2-year-old change in internet rules that lifted the limits for these suffixes, called top-level domains. That’s brought .paris, .movie and .xyz to websites and email addresses.
You may not be able to keep pace with every new DNS exploit, but you can be proactive by configuring firewalls, network IDS, or name resolvers to report certain indicators of suspicious DNS activity.
Using the Turk Telekom looking glass we can see that AS9121 (Turk Telekom) has specific /32 routes for these IP addresses. Since this is the most specific route possible for an IPv4 address, this route will always be selected and the result is that traffic for this IP address is sent to this new bogus route.
BGP traffic hijacking is on the rise, according to internet performance metrics analyst firm Renesys, which last year noted that over a period of two months, around 1500 IP address blocks were rerouted. Several were in Australia.
For this “controlled interruption” JAS recommends returning an address within the 127/8 loopback range: “Responding with an address inside 127/8 will likely interrupt any application depending on an NXDOMAIN or some other response, but importantly also prevents traffic from leaving the requestor’s network and blocks a malicious actor’s ability to intercede.”
Instead of the familiar 127.0.0.1 loopback address for localhost, the report suggests “127.0.53.53”. Because the address is so unusual, it is likely to stand out in logs, and sysadmins who are not aware of the name collision issue are likely to search online for information about it.
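As an added example (not from any of the sources quoted on this page), here is a small Python scanner for the kind of log flagging the report anticipates: it reads constructed resolver log lines in a simplified "query -> answer" form and reports any answer of 127.0.53.53 as a name-collision indicator, and any other 127/8 answer for a name other than localhost as loopback worth reviewing. The log format, hostnames and client addresses are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample resolver log lines in a simplified "query -> answer" form;
# not real traffic and not any specific resolver's native log syntax.
SAMPLE_LOG = """\
2014-11-03 10:21:07 client 192.0.2.10#51234: query: mail.corp. A IN -> 127.0.53.53
2014-11-03 10:21:09 client 192.0.2.11#40011: query: www.example.com. A IN -> 93.184.216.34
2014-11-03 10:21:12 client 192.0.2.12#53321: query: intranet.office. A IN -> 127.0.53.53
2014-11-03 10:21:15 client 192.0.2.13#61002: query: localhost. A IN -> 127.0.0.1
2014-11-03 10:21:20 client 192.0.2.14#50001: query: printer.home. A IN -> 127.0.0.1
"""

# The controlled-interruption address the JAS report recommends. Any other 127/8
# answer is also worth a look: the public DNS should never hand back loopback.
COLLISION_SENTINEL = ipaddress.ip_address("127.0.53.53")
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: "
                     r"query: (?P<name>\S+) A IN -> (?P<answer>\S+)$")

def classify_answer(name: str, answer: str) -> str:
    """Return 'name-collision', 'loopback' or 'ok' for one answered query."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return "ok"  # not an address (e.g. an NXDOMAIN marker): nothing to flag
    if addr == COLLISION_SENTINEL:
        return "name-collision"
    if addr in LOOPBACK_NET and name.rstrip(".").lower() != "localhost":
        return "loopback"
    return "ok"

def scan_log(text: str) -> list:
    """Parse the log and return one finding per line that merits attention."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        verdict = classify_answer(m["name"], m["answer"])
        if verdict != "ok":
            findings.append({"ts": m["ts"], "client": m["client"],
                             "name": m["name"].rstrip("."),
                             "answer": m["answer"], "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["name"], "->", f["answer"], f["verdict"])
```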
“Sky regularly pulls IP addresses listed on our DNS servers and adds them to their block list. This block list is then used by an advanced proxy system that redirects any requests to the blacklisted IP addresses to a webserver that the ISP owns which returns a blocked page message,” YIFY explains.
Therefore, when YIFY began using CloudFlare servers in Australia, Sky pulled these IP addresses and blocked them in the mistaken belief that they were YIFY’s. Since Imgur uses the same IP addresses, Sky’s automated blocking took the site offline, to the huge disappointment of countless customers.
There is one group of people that can stop this madness before it’s too late – the domain name registrars themselves. In the middle of October, Mark Jeftovic, CEO of the Canadian hosting company EasyDNS, vocally refused to comply with a request from PIPCU. Has he suffered the wrath of the British authorities? Nope. Was EasyDNS’s accreditation revoked? No. Is the company still in business? Oh yes.
The four new gTLDs all use non-Latin scripts: شبكة (Arabic “web”), онлайн (“online” in Cyrillic), сайт (“sale” in Cyrillic) and 游戏 (“game” in Chinese). In total, the gTLD process will result in expansion of top-level domains from 22 to up to 1400.
More domains will be added to the root progressively. “ICANN’s New gTLD Program was designed to facilitate a measured rollout of new domains so as not to disrupt the Domain Name System,” ICANN said in a statement.
“You don’t have to have access to any emails, passwords, or any other credentials. You simply grab the information from the WHOIS, write a letter with an attached photo-shopped ID with the same name, send it from a random email address, and the domain will be handed to you fairly quickly.”