[Gnso-newgtld-wg-wt4] Ongoing name collision incident

Rubens Kuhl rubensk at nic.br
Thu Sep 28 12:41:52 UTC 2017

Nothing like real life experience to base policy discussions: there is an ongoing name collision incident in a legacy gTLD.

D-Link routers have a default parameter given to local networks the suffix domain.name ; so, names without a full domain name get appended domain.name for its queries.

Microsoft operating systems query for the string "wpad" to determine local proxy servers of an organisation.

.name is a registry where a domain is required to be first.last.name , with two labels.

So... someone registered wpad.domain.name and is now taking over browsing traffic for the affected users, which can be in the order of millions but are least in the thousands.

For live view of the redirection process:
https://gwhois.org/wpad.domain.name+dns <https://gwhois.org/wpad.domain.name+dns>

http://wpad.domain.name/wpad.dat <http://wpad.domain.name/wpad.dat> will return the list of proxy servers under attacker control.

(It currently returns this:
function FindProxyForURL(url, host) {
	return 'PROXY; DIRECT';

Policy question for the item "name collisions in legacy gTLDs" is whether contracted parties should be obliged to act in a certain way under similar circumstances.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-newgtld-wg-wt4/attachments/20170928/d17a32ee/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mm.icann.org/pipermail/gnso-newgtld-wg-wt4/attachments/20170928/d17a32ee/signature.asc>

More information about the Gnso-newgtld-wg-wt4 mailing list