Lots of FPs through catch-all resolving of various TLDs #3

Open
beamzer opened this issue Jan 20, 2023 · 3 comments
Comments

beamzer commented Jan 20, 2023

First, thanks for the great software!
Yesterday I found out that apparently a lot of TLD registrars (or probably one registrar which manages a lot of TLDs) now resolve anything which hasn't been registered to a catch-all website. This is probably to drive sales. It would be great if there was an option to filter those out, since they are no security risk. The best course of action would probably be to repeat the query with a long random string to the same TLD and see if it responds with the same IP address?

best regards,
Ewald.

DavidCruciani (Collaborator) commented

Hi @beamzer,

I tried on my side but I didn't get results like you described.
Can you paste a domain that gives you that kind of result?

Regards.

beamzer (Author) commented Jan 20, 2023

Sure, here is a link for surffiets.nl to the CIRCL website which uses ail-typo-squatting:
https://typosquatting-finder.circl.lu/7406bc36-38d4-4066-aad8-3ca2643da652
The catch-all resolving queries are in the wrongTLD and addTLD results, for instance with the .ph, .kids, .ws and .nl.ac TLDs.
It is of course possible to not use those checks, but then there is the risk of missing registered domains which could pose a threat.

DavidCruciani (Collaborator) commented

Hi @beamzer,

For the moment the algorithm works with some MISP warning lists (parking-domain-ip, parking-domain-ns).

I created a PR on the repo with the IPs found with your request. There are a lot of parking domains with the adding dynamic DNS algorithm.

Hope this will help you for the moment.
I'll keep this issue open until we make a decision on keeping the warning lists or trying other solutions.
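Added example, not part of this thread and not code from ail-typo-squatting: a small filter that combines the two approaches discussed above, the warning-list lookup of parking IPs / parking name servers that the collaborator mentions, and the random-label probe proposed in the opening comment (resolve a long random label under the candidate's TLD and treat the candidate as a catch-all hit when it answers with exactly the same addresses). The resolver is injected so the demo runs offline against constructed data; the parking lists, the `.ws` wildcard behaviour, the hostnames other than surffiets.nl and all IP addresses (RFC 5737 documentation ranges) are assumptions made up for the demo, and the `suffix_of` helper assumes each candidate is one registrable label plus the suffix the generator appended.

```python
"""Filter catch-all ("wildcard") TLD answers out of typosquat candidates.

Added example for this issue; not ail-typo-squatting project code. Two checks:
  1. MISP-style warning lists of parking IPs / parking name servers
     (the sets passed in below are constructed placeholders, not the real lists).
  2. The random-label probe: resolve a long random label under the candidate's
     suffix; if it returns the same addresses as the candidate, the suffix
     resolves anything and the hit says nothing about a registration.
"""
import secrets
import socket
from typing import Callable, Dict, Optional, Set

Resolver = Callable[[str], Set[str]]  # name -> set of A records, empty on NXDOMAIN


def socket_resolver(name: str) -> Set[str]:
    """Default resolver: the system stub resolver (needs network access)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def suffix_of(domain: str) -> str:
    """Everything after the first label, so 'surffiets.nl.ac' -> 'nl.ac'.
    Assumption: candidates are one registrable label plus the appended suffix,
    which is what wrongTLD/addTLD output looks like."""
    parts = domain.split(".", 1)
    return parts[1] if len(parts) == 2 else ""


class CatchAllFilter:
    def __init__(self, resolve: Resolver = socket_resolver,
                 resolve_ns: Optional[Resolver] = None,
                 parking_ips: Set[str] = frozenset(),
                 parking_ns: Set[str] = frozenset(),
                 probes: int = 2) -> None:
        self.resolve = resolve
        self.resolve_ns = resolve_ns  # optional NS lookup for the parking-domain-ns list
        self.parking_ips = set(parking_ips)
        self.parking_ns = {n.lower().rstrip(".") for n in parking_ns}
        self.probes = probes
        self._wildcard: Dict[str, Set[str]] = {}  # suffix -> answer for random labels

    def wildcard_answer(self, suffix: str) -> Set[str]:
        """Addresses returned for random, certainly-unregistered labels under
        `suffix`; empty when the suffix behaves normally (NXDOMAIN). Cached per
        suffix so scanning hundreds of candidates costs only a few extra queries."""
        if suffix not in self._wildcard:
            answers = [self.resolve(f"{secrets.token_hex(16)}.{suffix}")
                       for _ in range(self.probes)]
            # Only a non-empty answer that is identical across probes counts.
            first = answers[0]
            consistent = all(a == first for a in answers[1:])
            self._wildcard[suffix] = set(first) if (first and consistent) else set()
        return self._wildcard[suffix]

    def classify(self, domain: str) -> str:
        """Return 'nxdomain', 'parking', 'catch-all' or 'resolves'."""
        ips = self.resolve(domain)
        if not ips:
            return "nxdomain"
        if ips & self.parking_ips:
            return "parking"
        if self.resolve_ns is not None:
            ns = {n.lower().rstrip(".") for n in self.resolve_ns(domain)}
            if ns & self.parking_ns:
                return "parking"
        # Caveat: a registered domain under a catch-all suffix that points at
        # the same wildcard address is indistinguishable from an unregistered
        # name here; one that points elsewhere is still reported as 'resolves'.
        if ips == self.wildcard_answer(suffix_of(domain)):
            return "catch-all"
        return "resolves"


# --- constructed demo data (hypothetical names, RFC 5737 documentation addresses) ---
FAKE_ZONE = {
    "surffiets.nl": {"192.0.2.10"},      # the target domain from the issue
    "surffiets-nl.ws": {"192.0.2.99"},   # hypothetical registered squat under .ws
    "parked-typo.nl": {"198.51.100.5"},  # hypothetical parked domain
}
FAKE_WILDCARD = {"ws": {"203.0.113.7"}}  # hypothetical: every name under .ws answers


def fake_resolve(name: str) -> Set[str]:
    """Offline stand-in for socket_resolver driven by the constructed data."""
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    return set(FAKE_WILDCARD.get(suffix_of(name), set()))


def demo() -> Dict[str, str]:
    flt = CatchAllFilter(resolve=fake_resolve, parking_ips={"198.51.100.5"})
    return {d: flt.classify(d) for d in
            ("surffiets.nl", "surffiets.ws", "surffiets-nl.ws",
             "parked-typo.nl", "surffiets.xyz")}


if __name__ == "__main__":
    for domain, verdict in demo().items():
        print(f"{domain:18} {verdict}")
```

To run it against live DNS, construct `CatchAllFilter()` with the default `socket_resolver` and real warning-list contents; the wildcard answer is cached per suffix, so the probe adds only `probes` queries per distinct TLD rather than per candidate.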
