Blocking TLDs for Fun & Profit
In 2023, Google introduced a number of new top-level domains (TLDs), two of which created concern: .MOV and .ZIP. These are also extensions for common file types, namely QuickTime video and ZIP archives. TLDs and filename extensions don't have anything to do with each other technically†, but the concern comes from the possibility of tricking users into thinking they have been sent a link to a ZIP file, when the link actually resolves to a malicious website. Links to malicious websites or malicious ZIP files are not new, but a link to a malicious ZIP file, for example, will generally trigger a download via the browser, and the fetched file is then subject to local antivirus scanning. A website that simply has the address https://file.zip, by contrast, could serve all sorts of payloads such as phishing pages or drive-by downloads.
Therefore it can be convenient to block those TLDs in bulk, rather than relying on the various DNS services which refuse to resolve known-malicious domains (such as Cloudflare's security/family DNS resolver).
This can be done in Windows using Name Resolution Policies:
- Open an elevated command prompt;
- Run one command per TLD to be blocked:
powershell "Add-DnsClientNrptRule -Namespace '.mov' -NameServers '127.0.0.2'"
powershell "Add-DnsClientNrptRule -Namespace '.zip' -NameServers '127.0.0.2'"
This instructs the system to use 127.0.0.2 to resolve domains with matching TLDs. Why 127.0.0.2 and not 127.0.0.1 (localhost)? Because on a server with the DNS Server role installed, 127.0.0.1 will actually answer DNS requests, so it is necessary to point the rule at an address where no resolver is listening.
Note that this technique only works for lookups that go through Windows' default name resolution. Browsers or other processes which perform their own DNS resolution instead of using the system resolver will continue to obtain the real address for the domain.
The Add-DnsClientNrptRule cmdlet will always add a rule, even if an identical rule already exists. So if this command is being scripted and might be run more than once, it would be best to remove all the rules first:
powershell "Get-DnsClientNrptRule | Remove-DnsClientNrptRule -Force"
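The whole procedure above (clear stale rules, add a rule per TLD, confirm that names under those TLDs no longer resolve) as one idempotent script. This is an added example, not code from the original post; it assumes an elevated PowerShell session, and it tags its rules via the Comment field so that only its own rules are removed rather than every NRPT rule on the machine.

```powershell
# Added example: idempotently apply NRPT sinkhole rules for a list of TLDs.
# Only rules carrying our tag are removed, so unrelated NRPT entries
# (e.g. corporate split-DNS rules) are left alone. Run elevated.
$BlockedTlds = @('.zip', '.mov')   # extend as needed
$Sinkhole    = '127.0.0.2'         # address where no resolver listens (see text)
$Tag         = 'Blocked TLD'       # marker stored in each rule's Comment field

# 1. Remove any rules this script created on a previous run.
Get-DnsClientNrptRule |
    Where-Object { $_.Comment -eq $Tag } |
    Remove-DnsClientNrptRule -Force

# 2. Add one rule per TLD, pointing the namespace at the sinkhole.
foreach ($tld in $BlockedTlds) {
    Add-DnsClientNrptRule -Namespace $tld -NameServers $Sinkhole -Comment $Tag
}

# 3. Verify: a lookup under a blocked TLD should fail, since the configured
#    resolver never answers. The probe names are constructed for this check.
Clear-DnsClientCache
foreach ($tld in $BlockedTlds) {
    $probe = "example$tld"   # e.g. example.zip
    try {
        Resolve-DnsName -Name $probe -ErrorAction Stop | Out-Null
        Write-Warning "$probe still resolved; the NRPT rule is not effective"
    } catch {
        Write-Output "$probe : blocked ($($_.Exception.Message))"
    }
}
```

As the post notes, the check only covers the system resolver; a browser using its own DNS transport will still resolve the probe names.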
† After all, the most ubiquitous TLD is .COM which is also the extension of the old binary executable format which was replaced by .EXE. But .COM is still a valid executable type. The explanation is that nobody considered the phishing possibilities of confusing .COM/.COM and it's far too late to do anything about it now (as the saying goes).