Gandi Bar

Name collisions: when private and public domain names collide

"Name collision" sounds like a scary thing. We think of asteroids smashing into each other sending shards of rock careening dangerously towards Earth's orbit or the familiar sick thud of the back bumper crunching into a parked vehicle and the ensuing insurance mess, but name collision is really not so scary.

Simply put, name collision, at least in the context of domain names, is when two things on two different networks have the same name, so that it is no longer clear which of the two a request for that name is referring to.

Human-Cyborg Relations

A domain name is really just an established relationship between a name that makes sense to a person and one that makes sense to a machine. It's a way to make things that are easy for a computer to find just as easy for a human to find, and to make names that are easy for a human to remember just as usable for a computer on a network.

So until we reach the technological singularity and human minds merge with computers and we can just think our way to whatever machine on the network we want (or the computer tells us what site we want to go to, it's a two-way street), we'll have to interface by domain names.

In your own pond

This idea is great for the Internet but works just as well on a private network. And why not? If it works to name machines floating in the immense ocean of the internet, why couldn't it work for what's floating in your pond? And while the whole DNS system is necessary—domain registration included—to attribute a name to a machine out in the open waters of the Internet, in your own private pond you can name things whatever you want.

But what happens when you name something on your private network the same name as something on the public network? Let's say you were feeling a bit cheeky and named a page you made on a private network gandi.net. If you tried to load that page in your browser on a computer connected to your private network AND the Internet, what would come up? Would it be our homepage, or would it be the page on your private network?

Then crash, splat, boom! You just had a name collision.

So what happens next? Your computer spontaneously combusts and burns your house down? Maybe that'd be a cool prank but, no. Probably you'll get a page to load. But who's to know which gandi.net you're seeing? And that's where you can get into trouble ...

A Real-life Horror Story

We've been talking about what would happen if you named something on your private network the same as a domain name on the Internet that already exists. But if you don't deliberately do that, it's easy enough to avoid. Just don't name anything with any extensions that exist on the Internet. Call your page gandi.private for example.

So now it's time for a little horror story.

The thing is, we are dealing with the release of a vast number of new gTLDs that are words many people may never have expected to be real gTLDs. Like .services or .home, to name a couple. With the release of gTLDs like this, name collision can sneak up on you. Maybe you have a page on your private network like secret.journal, where you type all of your unwarranted suspicions about friends and family, your delusions of grandeur, your secret crushes, and other documents of guilt and shame. You know you do. Admit it.

Normally that's locked up in your private network. But say .journal gets released as a new gTLD and you don't know about it. And somebody registers secret.journal. Then there's a name collision. You have no way of knowing it, but when you go to secret.journal you start sending someone all the dirt you have on your best friend's new boyfriend because you think you're going to secret.journal on your private network but really, it's the one on the internet. And then your best friend finds out that you think that about his boyfriend and then there's the tears and the drama and the whole. world. just crumbles but you know what? It all could have been avoided if it weren't for name collision.

Okay. Breathe. It's okay. Sorry things got a little real there for a second.

Mitigate the risk

So obviously the above scenario isn't really a big threat. The real threat is for companies that use name spaces in the organization of their internal networks. The horror story above could be repeated to target and infiltrate a private network. There are a few things that network administrators in organizations vulnerable to attacks that exploit domain name collisions can do to protect themselves.

Here are a few that ICANN recommends:

  • Investigate internal name spaces to identify whether they submit invalid TLD queries to the root
  • Assess whether queries pose unacceptable risk to organizations
  • Determine how they will mitigate the risk

Essentially, it boils down to three things: monitor your network for requests to the root (that is, requests that go out to the Internet rather than staying on the private network); determine whether any of those requests expose a real vulnerability, balancing the potential harm against the cost of correcting it; and then mitigate whatever risk exists, that is to say, just take care of it.
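As an added illustration of the first two steps (not code from Gandi or ICANN), the following Python script audits a BIND-style query log from the resolver that forwards to the Internet. Every query it sees for one of the organization's private suffixes is a name that is leaving the private network, and comparing that suffix against the list of delegated TLDs tells you whether it already collides with a public extension. The log lines, the internal suffix set and the delegated-TLD set are all constructed samples; in practice the TLD set comes from the IANA root zone.

```python
import re
from collections import Counter

# Constructed sample query-log lines (BIND querylog format); not real traffic.
SAMPLE_QUERY_LOG = """\
10-Oct-2014 09:12:01.101 client 10.0.0.5#53211: query: secret.journal IN A + (10.0.0.1)
10-Oct-2014 09:12:02.337 client 10.0.0.5#53212: query: www.gandi.net IN A + (10.0.0.1)
10-Oct-2014 09:12:03.500 client 10.0.0.17#41002: query: fileserver.corp IN A + (10.0.0.1)
10-Oct-2014 09:12:04.812 client 10.0.0.23#55100: query: wiki.services IN AAAA + (10.0.0.1)
10-Oct-2014 09:12:05.020 client 10.0.0.23#55101: query: intranet.gandi.private IN A + (10.0.0.1)
"""

# Suffixes a hypothetical organization uses on its private network.
INTERNAL_SUFFIXES = {"journal", "corp", "services", "private"}

# Constructed stand-in for the set of delegated TLDs. Replace with the
# current IANA root zone / TLD list when running this for real.
DELEGATED_TLDS = {"net", "journal", "services"}

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (client, qname, qtype) for each query line; skip lines that don't match."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["qname"].rstrip(".").lower(), m["qtype"]


def tld_of(qname):
    """Rightmost label of a name, e.g. 'journal' for 'secret.journal'."""
    return qname.rsplit(".", 1)[-1]


def audit_internal_names(log_text, internal_suffixes, delegated_tlds):
    """Step 1: find private-suffix queries reaching the forwarding resolver.
    Step 2: rate each one by whether its suffix is already a delegated TLD."""
    findings = []
    for client, qname, qtype in parse_query_log(log_text):
        tld = tld_of(qname)
        if tld not in internal_suffixes:
            continue  # ordinary public name; no private/public overlap
        risk = "COLLIDES" if tld in delegated_tlds else "not delegated (yet)"
        findings.append(
            {"client": client, "qname": qname, "qtype": qtype, "tld": tld, "risk": risk}
        )
    return findings


def colliding_suffix_counts(findings):
    """Count leaking queries per suffix that already collides with a public TLD."""
    return Counter(f["tld"] for f in findings if f["risk"] == "COLLIDES")


if __name__ == "__main__":
    results = audit_internal_names(SAMPLE_QUERY_LOG, INTERNAL_SUFFIXES, DELEGATED_TLDS)
    for f in results:
        print(f"{f['client']:<12} {f['qname']:<28} {f['risk']}")
    print("colliding suffixes:", dict(colliding_suffix_counts(results)))
```

Any suffix that shows up as "COLLIDES" is the third step's to-do list: the usual fixes are to make the internal resolver authoritative for that zone (so the query never leaves), or to rename the private name space under a domain the organization actually registers. Suffixes marked "not delegated (yet)" are worth the same treatment before a future gTLD round turns them into collisions.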

The important thing is awareness, though, and we hope the above novella at least helped on that front. (For more information from ICANN, see their site: Name Collision Resources & Information.)

Post-Script

ICANN previously had blocked the registration of certain domain names considered to be high-risk for name collisions. They have now considered the risk sufficiently mitigated and are releasing them for registration, and the registries of the extensions involved, most notably Donuts, have rolled those out accordingly. See our news post for more information.