
What prevents an organization from creating and owning any unused, specific domain, i.e. .edu

@Alves908

Posted in: #DomainRegistrar #Domains #Icann

We recently received an email at work from an .edu site that seemed to be phishing. However, I didn't want to ignore a possible legitimate email from a customer without due diligence. I started thinking of possible ways that this could be a false email in order to determine whether to ignore the email or attempt to contact the organization associated with the email in some other way. This eventually led down a rabbit hole to a question that I could not find an exact answer for:

What prevents a very well-funded organization from creating any unused site domain they choose (i.e. something.edu) and having it searchable/usable on the World Wide Web without going through an organization like IANA?

After reading around Google and Wikipedia, I have a very basic understanding that there are organizations that house databases of namespaces and domains (I believe ICANN), and there are regulatory authorities that authorize who can get what domains (i.e. IANA, part of ICANN) that are accredited by a gTLD. However, I have not found specifically how the domains are regulated, and what forces organizations to get domains from these organizations. It would also be interesting to know how the deep web fits/doesn't fit into all of this.


2 Comments


@YK1175434

In short, nothing forbids anyone from creating new TLDs. It happened a lot in the past, with what were called "alternate roots". Creating a TLD is not the problem; the problem is accessing them. You either have them registered in the one global root managed by ICANN (see www.icann.org/resources/pages/unique-authoritative-root-2012-02-25-en) or you find a way to entice people to switch to your alternate root.

The problem with the latter option is that currently it means having to change the configuration of each and every computer that may wish to access these alternate TLDs. These endeavours never succeeded in the past for various technical and non-technical reasons. Other attempts used, for example, an "Internet Explorer plugin", for people thinking that the Internet is only the web.

But the question could be: why is everyone using the same root, and why that one in particular? It is partially historical, and it just works. There is no real credible alternative today, at least on the DNS level. There are other experiments in doing resolution in other ways, such as using a blockchain or other mechanisms. They have not currently gained enough traction to replace the current DNS system, again for both technical and non-technical reasons.

There is no definite external force behind this; it is more a common agreement by all parties at some point in the past that the system works like that. You find the same kind of arrangement, for example, for BGP, which could work completely differently if all operators decided to do things differently.


@Shelton105

What prevents a very well-funded organization from creating any unused site domain they choose (i.e. something.edu) and having it searchable/usable on the World Wide Web without going through an organization like IANA?


The answer you are looking for is the Internet Domain Name System (DNS) itself.

IP Addresses and Domain Names

Basic DNS is a generic method of mapping IP addresses given to a computer by a network owner (e.g. an ISP) to a more human-friendly name.

With the Internet DNS system, we can (currently) type 216.58.216.174 into a browser and be taken to www.google.com.

But how do we go from 216.58.216.174 to google.com?

Simple. We use a DNS record (a small text file) that has an entry (something) like the following:

google.com. IN A 216.58.216.174


This file is what matches Google's IP to its Internet domain name and is what eventually tells a browser which computer to contact for google.com.

Breaking Down Domain Names

The next part of the puzzle is "how do we get this record?"

To start, one way to think about DNS and Internet domain names is like a multi-part information service:


1. We want to contact long lost Aunt Delores in Tulsa, OK. But we don't have her phone number.
2. We call Central Information and ask politely what her number is.
3. Central Information doesn't know so they put us in touch with Oklahoma Information.
4. Oklahoma Information doesn't know so they put us in touch with Tulsa Information.
5. Tulsa Information has Aunt Delores' number and they give it to us.
6. We finally hang up and call Aunt Delores directly with her phone number.


To apply the above example to an Internet domain name, take our previous record for google.com:

google.com. IN A 216.58.216.174


Note the period at the end of google.com. This is significant but isn't typically shown in the browser.

To break down a request for google.com in similar terms to our Aunt Delores example:


1. We attempt to ask for the IP of google.com. Domain names are actually parsed in reverse (right to left, not left to right). This means that google.com becomes .com.google.
2. Our request is sent to the Root Servers run by IANA (Central Information). These root servers are denoted by a "." (period, a.k.a. empty string) in the Internet DNS system.
3. Next, we are sent to the servers housing the correct Top Level Domain (TLD). In this case, the TLD is .com. These servers are run by different organizations known as Domain Name Registries. In our example, one of these would be Oklahoma Information.
4. We are then directed to the servers that house the actual file containing our example Internet DNS record listed above (equivalent to Tulsa Information).
5. Once we obtain this DNS record matching 216.58.216.174 to google.com, our computer can now directly use this information to contact that website using its IP address behind the scenes (we still see google.com in the browser).


In Step 4, "Tulsa Information" is the nameserver system people typically think of when they talk about "setting up DNS" for a domain (e.g. ns1.domain.tld, ns2.domain.tld).

While this system can be run by anyone (including registrars as an added service, 3rd-party "DNS" providers, or even the domain name owners), the records held by these servers are not useful until requests are directed to them (e.g. by Steps 2 and 3).

What About Domain Registrars?

In this hierarchy for Internet DNS, which is controlled by IANA and the TLD registries, only Domain Registrars are allowed to update information directly in a central registry. Domain Registrars can be a separate entity (e.g. GoDaddy), the Domain Name Registry itself or use a mixed system.

In any case, this means you must go through them to get e.g. example.com since they are the only ones trusted with adding this information to the correct databases (those controlled by the Domain Name Registries in step 3 above).

3rd-party registrars are often seen with Generic TLDs such as .com, .net, .org, etc. These are the companies most people are accustomed to dealing with.

There are also Country Code TLDs which are two-letter country specific domains (e.g. .de for Germany) where the authorized registry is frequently the registrar (but not always--some take a mixed approach).


[W]hat is to stop another organization from housing a database with top level domains, such as .edu, and having other users connect to it?


When an initial request is made by a browser, the systems passing along this request typically use files provided by IANA which contain information on how to proceed with these requests.

While it is possible to alter these files and potentially set up some sort of system to hijack domains on a wide scale, it would likely be extremely expensive to do so and extremely difficult to spread any alternative versions of these files wide enough to have a significant number of people visiting these illegitimate domains.

In addition, it would likely break the ability to access existing domains meaning people would probably be unwilling to use it anyway.

That said, this general type of thing is sometimes done on a much smaller scale by hackers who don't care about the attack being widespread.


Why do we even need to go through [some other organization] to create top level domains?


Technically, you don't. Any DNS system can hypothetically create any "TLD" it wishes. But you run into the "distribution" issue above. TLDs are only useful to systems that are set up to recognize them.

For instance, I can set up a system at home where I can use DNS to access my local computers as e.g. domain1.pop, domain2.pop, domain3.pop, etc. But because no other DNS service is set up to recognize my fictional .pop domain, it is basically useless when trying to establish a connection with another computer outside my local network.

What about the deep web?

The deep web is basically anything not available to the public. What you are probably thinking of is more accurately called the Dark Web.

This consists of things like Tor and I2P, networks that use IP addresses (as they have to) but generally bypass any form of DNS to connect (including the Internet DNS system).

In short, they are simply using an alternative method (such as Distributed Hash Tables) to connect to one another and can make up any rules they wish on how to map IPs to their own custom (non-DNS based) domain names.




[...] I have not found specifically how the domains are regulated.


ICANN and IANA


ICANN oversees Generic Top-Level Domains (gTLDs) and associated entities. This includes general Domain Name Registries and ICANN-accredited Domain Registrars.
IANA delegates Country Code Top-Level Domains (ccTLDs) to national Domain Name Registries.
Sponsored Top-Level Domains (sTLDs) generally fall under the purview of either ICANN or IANA.


IANA is also responsible for some special things in the Internet DNS system such as the .arpa zone and other critical zones (e.g. root-servers.net).

Domain Name Registries


Domain Name Registries run individual TLDs and are responsible for day-to-day operations. They are also responsible for compliance with any ICANN, IANA or other agency guidelines that may apply to them.
For gTLDs, Domain Name Registries are usually private companies (either for-profit or non-profit) and are accountable to ICANN.
For ccTLDs, Domain Name Registries are national registries such as DENIC in Germany and Nominet in the United Kingdom. Regarding oversight, the agencies involved vary widely.
For sTLDs, Domain Name Registries and accountability are mixed. For instance, IANA operates the .int registry for intergovernmental organizations.


Regarding ICANN specifically, in theory anyone can potentially apply to ICANN to become a registry overseen by them and run a new gTLD. But it is a long, expensive process and ICANN might not accept the application (indeed, they are currently not accepting applications at this time).

Domain Registrars


Domain Registrars are entities authorized to interact with Domain Name Registries to manage Internet domain names (e.g. example.com). As noted previously, this can be a 3rd-party or the registry itself.
Domain Registrars for gTLDs are generally accountable to ICANN.
Domain Registrars for ccTLDs are likely accountable to the national registries themselves but, as already noted, the agencies involved in ccTLD management vary widely.
Domain Registrars for sTLDs are likely to be accountable to one or more of the agencies above.

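Both answers above make the same point: a name only exists relative to the root a resolver starts from. The sketch below is an added example, not part of either post; it models the root -> TLD registry -> nameserver referral chain with constructed zone data (server names such as alt-root and rogue-edu, and all addresses, are hypothetical) and lists the names whose answer changes when the root does.

```python
# Constructed model of the DNS delegation chain. Every server name, domain
# and address here is sample data (documentation/private IP ranges).
# "ns" holds referrals (zone -> server to ask next), "a" holds address records.
SERVERS = {
    # The single global root: delegates only TLDs that are registered in it.
    "icann-root": {"ns": {"com.": "com-registry", "edu.": "edu-registry"}, "a": {}},
    # Hypothetical alternate root: re-points edu. and adds a private pop. TLD.
    "alt-root": {"ns": {"com.": "com-registry", "edu.": "rogue-edu",
                        "pop.": "pop-registry"}, "a": {}},
    "com-registry": {"ns": {"example.com.": "ns1.example.com"}, "a": {}},
    "edu-registry": {"ns": {"university.edu.": "ns1.university.edu"}, "a": {}},
    "rogue-edu": {"ns": {}, "a": {"something.edu.": "203.0.113.66"}},
    "pop-registry": {"ns": {}, "a": {"domain1.pop.": "192.168.1.10"}},
    "ns1.example.com": {"ns": {}, "a": {"example.com.": "192.0.2.10"}},
    "ns1.university.edu": {"ns": {}, "a": {"university.edu.": "198.51.100.20"}},
}


def resolve(name, root):
    """Follow referrals from `root` down to an authoritative server.

    Returns (address or None, list of servers asked in order).
    """
    name = name if name.endswith(".") else name + "."
    server, asked = root, []
    while server is not None:
        asked.append(server)
        zone = SERVERS[server]
        if name in zone["a"]:
            return zone["a"][name], asked
        # Referral: the longest delegated zone that covers the name.
        covering = [z for z in zone["ns"] if name == z or name.endswith("." + z)]
        server = zone["ns"][max(covering, key=len)] if covering else None
    return None, asked  # no delegation covers the name: it does not exist here


def divergent(names, trusted_root, other_root):
    """Names whose answer depends on which root the resolver starts from."""
    return [n for n in names
            if resolve(n, trusted_root)[0] != resolve(n, other_root)[0]]


if __name__ == "__main__":
    for n in ["example.com", "university.edu", "something.edu", "domain1.pop"]:
        print(n, resolve(n, "icann-root"), resolve(n, "alt-root"))
```

Comparing answers for a few known names against a resolver you trust is the same check in practice: any divergence means the machine is not walking the delegation chain you think it is.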