Some domain names 'live' for only a matter of hours, just long enough to do harm. Illustration: iStock

At the dawn of what we know today as the Internet, ARPA (for the US Defense Advanced Research Projects Agency) was the sole top-level domain, used to help the transition from ARPANET to the new domain name system. Today, a remnant of this still exists as .arpa, used for reverse DNS lookups (converting IP addresses to domain names).

Next, five top-level domains were introduced: .com, .edu, .gov, .mil, and .org. As the Internet grew and expanded beyond the United States’ borders, these were joined by country-level top-level domains, roughly following the ISO 3166-1 standard, with each country free to sub-delegate under its own top-level country code.

At this point, things were already starting to get complex. Should a company in, say, Hong Kong register under .hk, .com.hk, or .com? To protect its trademarks, perhaps it should register under all three? Then what about the hundreds of other country-level domains for countries where the company did business, or hoped to in the future?

Each country was permitted to set the rules for its own domains, such as residency or business registration conditions, which contributed to the popularity of the .com domain. Nowadays, there are more than 137 million sub-domains under .com. There were further complexities when people realized that they could sub-assign sub-domains, and hence were born domain registrars such as .hk.com.

In the late 1990s, ICANN (Internet Corporation for Assigned Names and Numbers) was created to manage these top-level domains, and within a few years, many more new top-level domains started to appear: .aero, .biz, .coop, .info, .museum, .name, .pro, and others.

ICANN also started to accept sponsored top-level domains (.asia, .cat, .jobs, .mobi, .tel, .travel were the first). Controversially, in 2011 the .xxx top-level domain was approved (and quickly categorized as Adult/Sexually Explicit by Network Box). The introduction and adoption of the Punycode standard paved the way for non-Roman characters in domain names.

Under the stewardship of ICANN, the number of top-level domains has exploded in the past 10-20 years. Today, the root name servers serve 1,509 top-level domains – each with its own sub-assigned registrars, registration mechanisms, name servers, whois servers, and support infrastructure. And that is just for the top-level domains; below them are tens of thousands more secondary-level domains.

So what is the problem? 

Where is the security threat in all this? To some extent, the new domains made things easier for security companies. Domains under .biz were most likely business sites, .xxx adult/sexually explicit, and categorization was similarly trivial for .arts, .shop, .museum, etc. (so long as the domain registrars did their job correctly).

But a more sinister problem started to appear. With the proliferation of available top-level domain names, and the hundreds of top-level registrars, costs came down, and the level of abuse went up. Some registrars were less diligent in their approach to security than others, and the spammers, phishers, and hackers took advantage. 

Throwaway domains started to be created, used in spam campaigns for a matter of hours, and then left to disappear, “living” for only a few days. Credit-card fraud was often used to purchase these throwaway domains. Brand-name protection became impossible for all but the largest of companies with teams of lawyers on staff.

Phishing also became a problem, as a company’s brand name would appear under a top-level domain that is some faraway country’s ISO 3166-1 code but doesn’t look like a country to typical users. Domains like .to (Tonga), .ly (Libya), .jo (Jordan), .io (British Indian Ocean Territory), etc. are often used for purposes other than their intended one.

Is there a solution? 

Probably not. Pandora’s box has been opened, and it would be hard to close it. It seems that as quickly as abused registrars tighten down to bring things under control, new vulnerable top-level domains and their registrars pop up.

ICANN could try to impose strict regulations on how registrars conduct business. With hundreds of countries, all with their own legal and privacy protection systems in place, that is unlikely to happen.

Step No 1 would be for ICANN to stop issuing new top-level domains for a while to allow those that are already live to improve their systems.

Mark Webb-Johnson is the co-founder and chief technology officer of Network Box, a cybersecurity company in Hong Kong.