{"id":15925,"date":"2026-03-10T02:16:04","date_gmt":"2026-03-10T02:16:04","guid":{"rendered":"https:\/\/newestek.com\/?p=15925"},"modified":"2026-03-10T02:16:04","modified_gmt":"2026-03-10T02:16:04","slug":"hacker-abusing-arpa-domain-to-evade-phishing-detection-says-infoblox","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15925","title":{"rendered":"Hacker abusing .arpa domain to evade phishing detection, says Infoblox"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>A threat actor has found a new way to evade phishing detection defenses: Manipulate the .arpa top-level domain (TLD) and IPv6-to-IPv4 tunneling to host phishing content on domains that shouldn\u2019t resolve to an IP address.<\/p>\n<p>For the uninitiated, the .arpa domain is an Address and Routing Parameter Area domain meant to be used exclusively for internet infrastructure purposes. Primarily this is for mapping IP addresses to domains, providing reverse records.<\/p>\n<p>However, <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/abusing-arpa-the-tld-that-isnt-supposed-to-host-anything\/\" target=\"_blank\" rel=\"noreferrer noopener\">according to a report from Infoblox<\/a>, a threat actor discovered a feature in the DNS record management control of at least one provider that allows them to, instead of adding the expected PTR records, create A records for the reverse DNS names.<\/p>\n<p>\u201cFrom there,\u201d says Infoblox, \u201cthey can do whatever they like at the hosting provider. 
It\u2019s a pretty clever trick.\u201d<\/p>\n<p>Infoblox first discovered that trick when it was being used against a US-based DNS provider called Hurricane Electric and content delivery provider Cloudflare. It also confirmed that some other providers have been abused, and that it has notified them of the issue.<\/p>\n<p>The tactic \u201ccan definitely bypass a significant number of security platforms,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/mitchelldave\/\" target=\"_blank\" rel=\"noreferrer noopener\">Dave Mitchell<\/a>, senior director of threat research at Infoblox, said in an interview. \u201cI think it\u2019s definitely a risk.\u201d<\/p>\n<p>So far, Infoblox has seen two types of consumer-oriented spam: One group pretends to be from major brands of department, supermarket and hardware chains, offering a gift for completing a survey. Other lures claim the victim\u2019s online service or antimalware subscription has been interrupted, or that their cloud storage quota has been exceeded, and they must pay to restore service. But Mitchell said there\u2019s no reason why the tactic couldn\u2019t be used for spear phishing attacks against businesses.<\/p>\n<p>In the examples Infoblox has seen, when the victim clicks on the lure image \u2014 which hides an embedded hyperlink \u2014 a series of redirects sends them to a malicious landing page where the victim is asked to enter their credit card number, which is captured by the hacker, to supposedly pay for shipping of the gift.<\/p>\n<p>\u201cThe abuse of the .arpa TLD is novel in that it weaponizes infrastructure that is implicitly trusted and essential for network operations,\u201d says the Infoblox report. \u201cBy using IPv6 reverse DNS domains as malicious links, the threat actor has discovered a delivery mechanism that bypasses security tools.<\/p>\n<p>\u201cThe impact is immediate and cannot be overstated,\u201d the report adds. 
\u201cSecurity that depends on detecting suspicious domains using things like reputation, registration information, and policy blocklists is ineffective for these domains. These domains have an implicitly clean reputation, no registration information, and aren\u2019t usually blocked by policy.\u201d<\/p>\n<p>In the examples found by Infoblox, the attacker got addresses for IPv6-to-IPv4 tunneling from Hurricane Electric as part of a free service offered by the provider. Customers of the service are allowed to designate the DNS in the allocated space to a DNS provider. What\u2019s supposed to happen then is that an IT department or individual uses that space to build a DNS zone to map IP addresses to names \u2013 jones.com, smith.org, and so forth. But in these attacks, the hacker turned to Cloudflare name servers, added the IPv6 .arpa allocations, and instead of only creating reverse DNS records, they created forward DNS records that went to malicious websites.<\/p>\n<p>This tactic won\u2019t necessarily work with all providers because of the way they have their systems set up, Mitchell said. For example, when testing the tactic on a number of other providers, Infoblox found that some prevented its researchers from claiming ownership of a .arpa domain, either by explicitly denying the request or by the request failing.<\/p>\n<h2 class=\"wp-block-heading\" id=\"advice-for-csos-and-admins\">Advice for CSOs and admins<\/h2>\n<p>All DNS and IPv6 providers need to ensure their services aren\u2019t abused this way, Mitchell said.<\/p>\n<p>IPv6 tunnel providers should make sure they are auditing customers asking for the service, determining what the addresses they get are being used for \u2013 which Mitchell admits may not be easy. 
DNS providers should make sure they only allow a DNS record to be created for proper purposes.<\/p>\n<p>CSOs and domain and network admins need to know that even if they have protective DNS or next gen firewalls, the .arpa domain is always set to be trusted. They need to understand whether their current security controls will identify abuse. A firewall rule saying \u201cShow me any DNS traffic that goes to \u2018IP6.arpa\u2019\u201d will help, as will tracing where web traffic goes from that link. And admins should check if the organization\u2019s email security vendors are flagging these streams within email messages.<\/p>\n<p>Gateway providers should look for and quarantine long strings that end in .ip6.arpa that are embedded in images or HTTP links, Mitchell added.<\/p>\n<p>Enterprise networks should already be deploying DNS monitoring as a primary network detection and defense resource, said <a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noreferrer noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute. This should make it easy to alert on and possibly block suspicious records, he said.<\/p>\n<p>He pointed out that \u201c.arpa\u201d queries are typically pointer (PTR) queries for reverse lookups. In the malicious queries, normal address (A or AAAA) queries will be used. The hostname will also be atypical. A normal in-addr.arpa hostname has a very specific format, with an IP address followed by the in-addr.arpa suffix. Anything else with that suffix should be blocked, or at least alerted on, he said.<\/p>\n<p>\u201cIt\u2019s a brilliant, old school move to find vulnerabilities in the complexity of the evolution of the internet,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/dbshipley\/\" target=\"_blank\" rel=\"noreferrer noopener\">David Shipley<\/a>, head of Canadian security awareness training provider Beauceron Security. 
\u201cTo figure out how to combine the newest part of the web, IPv6, with the oldest, Arpanet, may qualify as one of the most interesting hacks so far this year.<\/p>\n<p>\u201cThe fact these were used for fairly basic scam-type phishes is likely the result of someone learning this trick recently, but my gut says it\u2019s been abused a lot longer, by far more sophisticated groups for more targeted attacks. Clever hacks like this are great evidence to keep in mind the next time a vendor says they stop 99.9% of phishing,\u201d he added.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A threat actor has found a new way to evade phishing detection defenses: Manipulate the .arpa top-level domain (TLD) and IPv6-to-IPv4 tunneling to host phishing content on domains that shouldn\u2019t resolve to an IP address. For the uninitiated, the .arpa domain is an Address and Routing Parameter Area domain meant to be used exclusively for internet infrastructure purposes. 
Primarily this is for mapping IP addresses to domains,&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15925\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15925","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15925","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15925"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15925\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15925"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15925"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15925"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}