How and Why you should disable Internationalized Domains

How well could you spot the difference between apple.com and аpple.com?

They look identical, but to a computer they’re completely different strings of bits, and not equivalent at all. The second domain contains a Cyrillic ‘a’ character, as demonstrated here:

>>> 'a' == 'а'
False

Support for the worlds beautiful diverse languages in modern technology is an absolutely fantastic thing for providing access for people from every corner of the globe to the wealth of information the internet provides.

Unless you only speak english, in which case it’s a security nightmare. A recent harmless prank by a colleague showed that even a room full of security-minded individuals can be pretty quick to deem a site safe when a basic bit of pretexting, an internationalized domain (IDN), and a freshly minted letsencrypt cert are in play.

So, what to do about it? one option is to disallow your system from ever resolving IDNs.

Enter dnscrypt. dnscrypt is a tool that aims to solve one key challenge of name resolution; the fact that your local resolver will often feed you invalid or manipulated results. If you’re using a US-based ISP and have ever mistyped a URL, you’ll possibly know what I’m talking about. Instead of the expected DNS lookup failure, you’re served a horrifically ugly page full of ads and recommendations from you ISP. dnscrypt helps prevent that by signing request/response data between yourself and some resolver out on the internet that you trust more than your local ISP/hotel/cafe network.

Caveat: I have not looked over the dnscrypt code. I think it’s a worthwhile project and do intend to.

dnscrypt comes with a number of nice plugins and features, and the one that’s of particular interest when talking IDNs is the ability to block and log domains specified with wildcards. Even though an IDN may display as عم.عمان in the browser, an underlying algorithm (specified in RFC 3940) converts it back to regular ASCII text in order to do the name resolution. What you end up with after conversion, is a punycode URL such as xn--wkd-8cdx9d7hbd, always prefixed with “xn--” which we can block and log.

Implementing this is really simple:

  1. Follow the regular dnscrypt-proxy installation instructions; on MacOS you can fetch it from homebrew.
  2. Edit /usr/local/etc/dnscrypt-proxy.conf and uncomment the following lines
    • QueryLogFile /tmp/dns-queries.log

    • BlackList domains:“/etc/dnscrypt-blacklist-domains.txt” logfile:“/var/log/dnscrypt-blocked.log”

  3. $ sudo echo “*xn--*” > /etc/dnscrypt-blacklist-domains.txt

Test it out. Tail the /tmp/dnsqueries.log file while browsing the web, and watch DNS queries go out. Then tail /var/log/dnscrypt-blocked.log while hitting an IDN domain, such as

You should see those domains being blocked and will fail to resolve. Most of the sites that use IDN’s will have a regular non-punycode ASCII domain as well, so don’t worry about not being able to get to all of the internets best international cat pictures.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s