Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, igniting a firestorm of controversy as security organizations warned against the confusion that was certain to occur.

When clicking on a name that ends in “.zip” are people intending to open an archive file or an internet URL? The confusion that arises between the ZIP file extension and the ZIP TLD is called a “name collision” — and is not a new phenomenon.

According to ICANN, a name collision occurs “when a user unknowingly accesses a name that has been delegated in the public DNS when the user's intent is to access a resource identified by the same name in a private network.” Name collisions have been an issue dating back years. Back in 2013 when ICANN introduced several new TLDs they also introduced a Name Collision Occurrence Management Framework to deal with the problem.

Users and programs alike depend on DNS to navigate the internet. In the worst case, confusion over whether some name is a public DNS name or another private resource can cause sensitive data to fall into the hands of unintended recipients.

Controlled interruption

To alert network administrators to potential name collisions in DNS, the Name Collision Occurrence Management Framework prescribes a “controlled interruption.” In this approach, a TLD publishes special DNS records — instructions that provide information about a domain — at the root level. Some examples include mail exchange (MX), service location (SRV), text (TXT), and address (A) records. Networks whose internal names collide with the TLD receive DNS replies containing the name “your-dns-needs-immediate-attention.<TLD>” and IP address 127.0.53.53. Presumably, seeing this in the logs would allow administrators to address the problem.

The .kids TLD is not alright

One TLD that appears to publish controlled interruption DNS records is .kids. For example, querying DNS for the MX or SRV record for the .kids TLD yields the ‘your-dns-needs-immediate.attention.kids’ name in response. For some reason, however, contrary to the framework from ICANN, the .kids TLD publishes no A record at the root level. The .kids TLD formerly did have the 127.0.53.53 A record, per the controlled interruption policy from ICANN, but for whatever reason .kids stopped offering the A record IP address back in January of 2023. This suggests that after the controlled interruption policy was implemented it was either changed or never fully removed.

Hostname lookups on various DNS record types in the .kids TLD.

One critical piece of information that was left out of the ICANN name collision framework was that the TLD must ensure the name, ‘your-dns-needs-immediate-attention.<TLD>’ is not available for public registration. Unfortunately, no such restriction was in place at the .kids TLD, and Cisco Talos successfully registered the domain name:

    your-dns-needs-immediate-attention.kids

Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft’s “System Center Configuration Manager.”

SCCM requests are issued from various endpoints using a name in .kids.

System Center Configuration Manager is a tool used by administrators to remotely manage computer systems across a network. According to Microsoft:

“Configuration Manager helps you deliver more effective IT services by enabling:

  • Secure and scalable deployment of applications, software updates, and operating systems.
  • Real-time actions on managed devices.
  • Cloud-powered analytics and management for on-premises and internet-based devices.
  • Compliance settings management.
  • Comprehensive management of servers, desktops, and laptops.”

Because Talos registered the domain name "your-dns-needs-immediate-attention.kids", we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more.

Systems attempting to relay email through Talos to various email addresses @kids.

Cisco Talos reached out to the administrators of the .kids TLD informing them of the problem. The TXT, MX and SRV DNS records at the .kids TLD DNS server were subsequently removed.

Zombified DNS names

Name collisions aren’t the only situations that can cause a TLD to act strangely. Some do not respond properly when presented with names that have expired or never existed. In these TLDs, unregistered and expired domain names still resolve to IP addresses. Some of these TLDs even publish MX records and collect emails for the names in question.

Typically, when a domain name is not actively registered, a DNS query for that name will generate the response,‘NXDOMAIN’ which tells the user that a particular name does not exist. NXDOMAIN DNS responses are useful for a number of reasons. Email list managers, for example, might use NXDOMAIN responses from DNS to help prune invalid recipients and recipients that cannot receive mail from their mailing lists.

.ws ccTLD — Western Samoa

The .ws country-level TLD (ccTLD) was created for Western Samoa and marketed as a global TLD that could stand for “website.” When a domain name at the .ws TLD expires (or if it is a new name that was never registered), DNS servers will never return an `NXDOMAIN` response. Rather, the .ws TLD continues to hand out an IP address and MX server:

The mail.hope-mail.com server accepts mail for any unregistered domain name at the .ws ccTLD.

.vg ccTLD — The Virgin Islands

The .vg country-level TLD belongs to the British Virgin Islands and, like the .ws ccTLD, when a name at .vg expires (or if it is a new name that was never registered), DNS servers will respond with an IP address. However, unlike the .ws TLD, .vg doesn’t provide an MX server for the domain name.

On the surface, this would seem like a good thing that no MX record is provided. However, according to RFC 5321, when a domain name associated with an email address has no MX records, “the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.” In other words, SMTP servers will assume that mail should be delivered to the IP address associated with the A record for a domain.

In fact, the IP address handed out by the .vg TLD does listen on port 25 and accepts connections for non-existent domain names. Fortunately, attempts to deliver mail to a non-existent domain will fail with a 550 error message:

Unsuccessfully attempting to send mail to the implicit MX offered by .vg.

.ph ccTLD — The Philippines

The .ph ccTLD belongs to the Philippines, and instead of the expected NXDOMAIN response, DNS requests for expired or non-existent names at .ph will return the IP address 45[.]79[.]222[.]138.

Unlike the .vg ccTLD, there is no mail server listening on the IP address provided by the .ph TLD. Attempts to deliver mail to an expired .ph domain name will fail, but the domain name itself will still resolve, which can still be problematic in some situations.

Second-level “TLDs”

Besides the official list of TLDs sanctioned by ICANN, there are also quite a few second-level registrations that people have turned into their own “TLDs,” that also do not respond properly to zombified DNS names. For example, sites such as “com.de” are technically second-level registrations at the .de TLD, but they offer registrations at the third level, billing themselves as “Germany’s newest domain extension.”

Queries for expired/non-existent domains at com.de return both an IP address and a mail server.

Fortunately, the mail server mail.cash9.com will not accept mail for non-existent domain names.

Unsuccessfully attempting to send mail to the MX offered by .com.de.

A similar situation exists at the “TLD” us.org, which markets itself as “a new domain extension for organizations, projects, websites and people with a higher standard of social responsibility and ethical behavior.”

When a DNS query is issued to us.org for a name that has expired or does not exist, an IP address is returned along with several MX servers:

MX records for the .us.org domain.

The DNS records at us.org are set up in an interesting way. Although they return MX records for our non-existent domain name, if you look carefully at the MX records returned by the DNS we can see that the lowest preference MX is simply a dot [.]. This is a NULL MX setting and it means that there are no mail servers for the domain. Well-behaved mail servers will recognize the NULL MX preference and cease attempting to deliver mail to that address. Poorly behaved mail servers, on the other hand, may latch onto a lower preference MX and connect to googlemail.com to attempt email delivery.