Abusing .arpa, the TLD that isn’t supposed to host anything
16 points by ysun
Given the reserved nature of the .arpa TLD, we wouldn’t expect it to be as easy as entering the domain in a web form. When we evaluated a few DNS providers to check if they were vulnerable, this was the point in the process that was ultimately the determining factor. If the provider prevented us from claiming ownership of a .arpa domain, either by explicitly denying the request or by the request failing, we considered the DNS provider not vulnerable.
...so, why would you ever call that a vulnerability in the DNS provider? Why shouldn't I be able to host my reverse DNS zone on a "normal" DNS provider? And if I want to add an A record there... why do you care? How does that affect you?
The abuse of the .arpa TLD is novel in that it weaponizes infrastructure that is implicitly trusted and essential for network operations.
I also don't really get how it's "implicitly trusted". If you have some weird security system that implicitly trusts .arpa domains... good job, I guess?
This would also be really easy to deal with. The odds of a legitimate website (that's of interest to non-tech people) being hosted on .arpa are around 0, so if you're concerned about phishing you could mark all of them as suspicious or something. But why break DNS providers?
So this apparently affected me in a little bit.
I used in-addr.arpa and ip6.arpa zones to host mirrors of my personal site just for fun because it looks cool (serving HTTP on my side and using Cloudflare ACM to get SSL.com certs for the .arpa zones, then proxying traffic through Cloudflare). But it stopped working since (maybe) a week ago. I tried to manually provision the certs but they are all stuck in the validation stage.
Not sure why CAs like Let's Encrypt are treating .arpa certs so differently, they are just another TLD... (I think) These kinds of phishing attacks are common for other TLDs as well and they can mostly be mitigated by enforcing DNSSEC.
Not sure why CAs like Let's Encrypt are treating .arpa certs so differently, they are just another TLD
They have to, because it was recently decided to enforce that they are not just another TLD: https://cabforum.org/2025/11/10/ballot-sc-086v3-sunset-the-inclusion-of-ip-reverse-address-domain-names/
So a bunch of industry giants just decided to do so, huh... They know how to take all the fun away for sure
Effective 2026-03-15, the entry MUST NOT contain a Domain Name that ends in an IP Address Reverse Zone Suffix.
Look, I love me some whimsy in tech... but c'mon, not in a Certificate Authority. Those should be as boring as possible.
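Two comments above suggest the defender-side policy: the ballot text says a certificate entry must not end in an IP Address Reverse Zone Suffix, and an earlier comment suggests simply marking every .arpa name as suspicious. The following is an added example (not code from the article, the commenters, or the CA/B Forum) that implements both checks, treating in-addr.arpa and ip6.arpa as the reverse-zone suffixes and decoding such a name back to the address or prefix it denotes so a reviewer can see what a .arpa hostname actually points at.

```python
import ipaddress

# Suffixes treated here as "IP Address Reverse Zone Suffix" (assumption for this example).
REVERSE_ZONE_SUFFIXES = ("in-addr.arpa", "ip6.arpa")


def normalize(name):
    """Lower-case a hostname and drop whitespace and a trailing root dot."""
    return name.strip().rstrip(".").lower()


def reverse_zone_suffix(name):
    """Return the reverse-zone suffix a hostname ends in, or None."""
    n = normalize(name)
    for suffix in REVERSE_ZONE_SUFFIXES:
        if n == suffix or n.endswith("." + suffix):
            return suffix
    return None


def decode_reverse_name(name):
    """Map an in-addr.arpa / ip6.arpa name back to the IP address or prefix it encodes.
    Returns a CIDR string, or None if the name is not a well-formed reverse name."""
    suffix = reverse_zone_suffix(name)
    if suffix is None:
        return None
    n = normalize(name)
    labels = [l for l in n[: -len(suffix)].split(".") if l]
    if suffix == "in-addr.arpa":
        # One decimal octet per label, most specific label first.
        if len(labels) > 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
            return None
        octets = [int(l) for l in reversed(labels)] + [0] * (4 - len(labels))
        return str(ipaddress.IPv4Network((".".join(map(str, octets)), 8 * len(labels))))
    # ip6.arpa: one hex nibble per label, least significant nibble first.
    if len(labels) > 32 or not all(len(l) == 1 and l in "0123456789abcdef" for l in labels):
        return None
    nibbles = "".join(reversed(labels)).ljust(32, "0")
    addr = ":".join(nibbles[i:i + 4] for i in range(0, 32, 4))
    return str(ipaddress.IPv6Network((addr, 4 * len(labels))))


def classify(name):
    """Policy verdict for one hostname taken from a SAN entry or a URL."""
    n = normalize(name)
    if reverse_zone_suffix(n):
        return "reject: reverse zone name"      # the ballot's MUST NOT case
    if n == "arpa" or n.endswith(".arpa"):
        return "suspicious: other .arpa name"   # the blanket "mark it suspicious" rule
    return "ok"
```

`decode_reverse_name` accepts partial names (zone cuts) and reports them as prefixes, e.g. a three-label in-addr.arpa name becomes a /24.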
These kinds of phishing attacks are common for other TLDs as well and they can mostly be mitigated by enforcing DNSSEC.
No, DNSSEC just protects DNS data from being corrupted. It doesn’t do anything to prevent someone with control over a domain name from doing bad things with it. (Much like TLS doesn’t prevent a webserver from hosting a phishing site.)
This article is a bit annoying because it’s mixing up the use of .arpa as a way to obfuscate the domain name of a phishing site, with dangling CNAMES and subdomain takeovers, which are two almost completely different kinds of attack. Well, they both involve DNS and phishing, but their purposes, techniques, and goals are widely divergent.