
Abusing .arpa: The TLD That Isn’t Supposed to Host Anything

Threat actors are using a novel phishing technique that abuses the implicitly trusted .arpa top-level domain and IPv6 tunnels to bypass standard security controls. By obtaining the reverse DNS zone for an IPv6 block and populating it with A records instead of the PTR records such a zone exists for, attackers host malicious content on names that evade reputation-based blocking and policy filters.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-03-19

Authors: Infoblox Threat Intel

Actors: Unidentified phishing actor

Source: Infoblox


Key Takeaways

  • Threat actors are abusing the implicitly trusted .arpa TLD and IPv6 tunnels to host phishing content, bypassing traditional reputation-based security controls.
  • Attackers create A records for names under reverse DNS zones (e.g., ip6.arpa) instead of the expected PTR records, using providers such as Hurricane Electric (tunnel and reverse zone delegation) and Cloudflare (hosting of the zone and fronting of the content).
  • Phishing campaigns use Traffic Distribution Systems (TDS) to fingerprint victims, specifically targeting mobile devices and residential IP addresses.
  • The same threat actors are also heavily utilizing dangling CNAME hijacking and subdomain shadowing to abuse the reputation of well-known organizations.
  • Phishing lures impersonate major brands (e.g., Lowe's, Norton, Kroger, Macy's) and hide malicious .arpa links behind images.

Affected Systems

  • Email Gateways
  • DNS Resolvers
  • End-user devices (specifically mobile devices on residential networks)

Attack Chain

The threat actor acquires a free IPv6 tunnel, which gives them administrative control over an IPv6 prefix. Tunnel brokers delegate the reverse DNS zone for that prefix (the matching name under ip6.arpa) to nameservers the customer chooses, so the actor points it at DNS they control and populates it with A records for hidden malicious hosting rather than the PTR records the zone is meant to carry. Phishing emails impersonating major brands are distributed, containing hyperlinked images that point to uniquely generated DGA subdomains under that reverse zone. When a victim clicks the link, they are routed through a Traffic Distribution System (TDS) that fingerprints their device and IP address, redirecting mobile and residential users to the final fraudulent landing page and sending everyone else elsewhere.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide explicit detection rules, but outlines the behavioral logic required to detect the abuse of .arpa domains via DNS query monitoring.

Detection Engineering Assessment

  • EDR Visibility: Low. The technique abuses DNS infrastructure and email delivery, which occur at the network and gateway layers rather than as payloads executing on the endpoint.
  • Network Visibility: High. A (or AAAA) queries for names under in-addr.arpa and ip6.arpa are highly anomalous, since clients normally only ask those zones for PTR records, and they are visible in network traffic and DNS resolver logs.
  • Detection Difficulty: Moderate. The behavior is easy to describe, but standard security tools and blocklists implicitly trust the .arpa TLD, so the logic has to be built as custom rules in the SIEM or DNS monitoring layer rather than pulled from a feed.

Required Log Sources

  • DNS Query Logs
  • Email Gateway Logs
  • Web Proxy Logs

Hunting Hypotheses

  • Hypothesis: Threat actors are using .arpa domains to host malicious content by configuring A records instead of PTR records. Telemetry: DNS Query Logs. ATT&CK Stage: Delivery. FP Risk: Low.
  • Hypothesis: Attackers are generating high volumes of unique DGA subdomains under a single ip6.arpa reverse DNS block for phishing links. Telemetry: DNS Query Logs. ATT&CK Stage: Delivery. FP Risk: Low.
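The two hypotheses above reduce to a small amount of logic over resolver logs. The following is an added example, not code from the Infoblox report: it flags any non-PTR lookup under in-addr.arpa or ip6.arpa, excludes home.arpa (the RFC 8375 special-use zone, where A lookups are normal on home networks), and counts distinct non-address labels beneath each reverse block to surface DGA-style churn. The log format (`<ts> <client> <qname> <qtype>`) and the sample lines are constructed for the example; the prefix 2001:db8:1234::/48 is the documentation range, not an observed attacker block.

```python
"""Hunt for .arpa abuse in DNS query logs: (1) A/AAAA lookups under reverse-DNS
zones, (2) many unique labels churning beneath one ip6.arpa block.
Input is a constructed minimal log, one record per line:
    <unix_ts> <client_ip> <qname> <qtype>
Adapt parse_line() to your resolver's actual format."""
from collections import defaultdict
import string

REVERSE_ZONES = ("in-addr.arpa.", "ip6.arpa.")
# RFC 8375 special-use zone for residential networks: A/AAAA lookups are normal.
IGNORED_ZONES = ("home.arpa.",)
# Types a resolver legitimately asks for under reverse zones: PTR plus the
# delegation and DNSSEC records around it.  Anything else is anomalous.
EXPECTED_QTYPES = {"PTR", "NS", "SOA", "DS", "DNSKEY", "RRSIG", "NSEC", "NSEC3"}
HEX = set(string.hexdigits.lower())

# Constructed sample log (not report data). 2001:db8::/32 is the documentation prefix.
SAMPLE_LOG = """\
1710000001 10.0.0.5 5.0.0.10.in-addr.arpa. PTR
1710000002 10.0.0.5 printer.home.arpa. A
1710000003 10.0.0.7 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. PTR
1710000004 10.0.0.9 kq8z2v7m.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. A
1710000005 10.0.0.9 p0x3rd1t.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. A
1710000006 10.0.0.11 w9ncf4ja.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. A
1710000007 10.0.0.11 kq8z2v7m.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. AAAA
1710000008 10.0.0.12 img.25.113.0.203.in-addr.arpa. A
"""


def parse_line(line):
    ts, client, qname, qtype = line.split()
    # Normalise to lowercase, fully qualified with a trailing dot.
    return {"ts": int(ts), "client": client,
            "qname": qname.lower().rstrip(".") + ".", "qtype": qtype.upper()}


def reverse_zone(qname):
    """Return the reverse zone a name falls under, or None (home.arpa is ignored)."""
    if qname.endswith(IGNORED_ZONES):
        return None
    for zone in REVERSE_ZONES:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def split_reverse_name(qname):
    """Split 'extra.labels.<address labels>.ip6.arpa.' into (extra_labels, block).

    The block is the run of address labels (single hex nibbles for ip6.arpa,
    0-255 octets for in-addr.arpa) adjacent to the zone apex; anything to the
    left of that run is not address data and is what an attacker chose."""
    zone = reverse_zone(qname)
    if zone is None:
        raise ValueError(f"{qname} is not under a reverse zone")
    rest = qname[: -len(zone)].rstrip(".")
    labels = rest.split(".") if rest else []
    if zone == "ip6.arpa.":
        is_addr = lambda l: len(l) == 1 and l in HEX
    else:
        is_addr = lambda l: l.isdigit() and int(l) <= 255
    i = len(labels)
    while i > 0 and is_addr(labels[i - 1]):
        i -= 1
    block = ".".join(labels[i:] + [zone.rstrip(".")]) + "."
    return labels[:i], block


def flag_non_ptr(records):
    """Hypothesis 1: any lookup under a reverse zone that is not PTR/delegation/DNSSEC."""
    return [r for r in records
            if reverse_zone(r["qname"]) and r["qtype"] not in EXPECTED_QTYPES]


def dga_churn(records, min_unique=3):
    """Hypothesis 2: distinct non-address labels per reverse block.  Many
    distinct labels under one block looks like per-victim DGA subdomains."""
    seen = defaultdict(set)
    for r in records:
        if not reverse_zone(r["qname"]):
            continue
        extra, block = split_reverse_name(r["qname"])
        if extra:
            seen[block].add(".".join(extra))
    return {block: sorted(names) for block, names in seen.items()
            if len(names) >= min_unique}


def hunt(log_text=SAMPLE_LOG, min_unique=3):
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return flag_non_ptr(records), dga_churn(records, min_unique)


if __name__ == "__main__":
    flagged, churn = hunt()
    for r in flagged:
        print(f"non-PTR lookup under reverse zone: {r['client']} {r['qtype']} {r['qname']}")
    for block, names in churn.items():
        print(f"{len(names)} distinct labels under {block}: {names}")
```

On the sample log this flags the four ip6.arpa A/AAAA lookups and the in-addr.arpa A lookup, leaves the PTR queries and the home.arpa lookup alone, and reports one block (the /48 reverse zone) with three distinct attacker-chosen labels. Tune `min_unique` to your query volume; a single legitimate host that happens to sit in a reverse zone will not produce many distinct labels.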

Control Gaps

  • Domain Reputation Filters
  • Standard DNS Blocklists
  • Implicit Trust Policies for Infrastructure TLDs

Key Behavioral Indicators

  • DNS Type A queries targeting the .arpa TLD (specifically ip6.arpa).
  • Emails containing hidden image links pointing to long, randomly generated .arpa subdomains.
  • Redirection chains involving known TDS domains after an initial .arpa domain click.

False Positive Assessment

  • Low, because in-addr.arpa and ip6.arpa exist for reverse lookups: clients query them for PTR records (plus the NS, SOA and DNSSEC records around a delegation), and legitimate applications have no reason to host or look up A records there. One caveat when writing the rule: home.arpa (RFC 8375) is a special-use name for residential networks, and A/AAAA lookups for names under it are normal on home and remote-worker devices. Scope the detection to the reverse zones rather than to ".arpa" as a whole.

Recommendations

Immediate Mitigation

  • Implement custom DNS monitoring and blocking rules for Type A (and AAAA) queries for names under in-addr.arpa and ip6.arpa; these zones should only be answering PTR lookups.
  • Update email gateway content filters to flag or quarantine inbound emails containing hyperlinks whose host is under .arpa, giving extra weight to links whose only visible content is an image.
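The gateway rule above is simple enough to prototype against a message body. The following is an added example, not the report's or any vendor's filter: it walks the HTML of a message with the standard-library parser, collects every anchor, and classifies those whose host is under .arpa, separating links hidden behind an image (the lure pattern described in this report) from .arpa links with visible text. The message body is constructed for the example, and the 2001:db8:1234::/48 reverse zone in it is the documentation prefix, not an observed attacker block.

```python
"""Email-gateway style check: find hyperlinks whose host is under .arpa and
note whether the link is hidden behind an image.  Sample HTML is constructed
for this example and is not taken from the report."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lure: a gift-card style message with an image-only .arpa link,
# a text .arpa link, and an ordinary unsubscribe link.
SAMPLE_HTML = """<html><body>
<p>Your reward is waiting</p>
<a href="https://kq8z2v7m.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa/claim?id=771">
  <img src="https://cdn.example.net/gift.png" alt="Claim now">
</a>
<p><a href="https://p0x3rd1t.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa/view">view in browser</a></p>
<p><a href="https://www.example.com/unsubscribe">unsubscribe</a></p>
</body></html>"""


def is_arpa_host(url):
    """True when the URL's host is .arpa itself or any name beneath it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == "arpa" or host.endswith(".arpa")


class LinkCollector(HTMLParser):
    """Collect each <a href> with whether it wraps an <img> and its visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = {"href": a["href"], "has_img": False, "text": ""}
        elif tag == "img" and self._cur is not None:
            self._cur["has_img"] = True

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None


def scan_html(html):
    """Return the .arpa links in a message body with an image_only marker."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        if is_arpa_host(link["href"]):
            findings.append({
                "href": link["href"],
                "host": urlsplit(link["href"]).hostname,
                # Image with no visible text is the lure pattern in this report.
                "image_only": link["has_img"] and not link["text"],
            })
    return findings


def verdict(findings):
    """Quarantine when an .arpa link hides behind an image, flag any other
    .arpa link for review, pass everything else."""
    if any(f["image_only"] for f in findings):
        return "quarantine"
    return "flag" if findings else "pass"


if __name__ == "__main__":
    found = scan_html(SAMPLE_HTML)
    for f in found:
        print(f"{'image-only' if f['image_only'] else 'text'} .arpa link -> {f['host']}")
    print("verdict:", verdict(found))
```

Plug `scan_html` into whatever hook your gateway offers for the decoded HTML part; the verdict function is deliberately two-tiered so that a text link to an .arpa name is reviewed rather than dropped, while the image-only variant the report describes is quarantined outright.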

Infrastructure Hardening

  • Audit external DNS configurations for dangling CNAME records to prevent subdomain hijacking.
  • Where the resolver supports response policy (for example RPZ), restrict names under in-addr.arpa and ip6.arpa to the record types reverse DNS actually needs (PTR, NS, SOA, the CNAME used for RFC 2317 classless delegation, and DNSSEC records) so that A and AAAA answers from those zones are dropped or logged.

User Protection

  • Deploy Mobile Threat Defense (MTD) solutions, as the TDS specifically targets mobile devices for redirection to the final payload.
  • Implement phishing-resistant MFA to protect against credential harvesting on fraudulent landing pages.

Security Awareness

  • Educate employees on the risks of clicking image-based links in unsolicited emails offering free gifts, surveys, or claiming service interruptions.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1583.002 - Acquire Infrastructure: DNS Server
  • T1584.001 - Compromise Infrastructure: Domains
  • T1090.003 - Proxy: Multi-hop Proxy

Additional IOCs

  • Ips:
    • 104[.]21[.]3[.]194 - Cloudflare edge IP address the malicious .arpa FQDN resolved to (observed in the DNS resolution chain image). Shared Cloudflare edge; use for correlation, not for blocking.
    • 172[.]67[.]131[.]33 - Cloudflare edge IP address the malicious .arpa FQDN resolved to (observed in the DNS resolution chain image). Shared Cloudflare edge; use for correlation, not for blocking.
  • Domains:
    • actinismoleil[.]sbs - Malicious phishing domain.
    • cablecomparison[.]shop - Malicious phishing domain.
    • cheapperfume[.]shop - Malicious phishing domain.
    • drumsticks[.]store - Malicious phishing domain.
    • fightingckmelic[.]makeup - Malicious phishing domain.
    • dulcetoj[.]com - Traffic Distribution System (TDS) domain.
    • golandof[.]com - Traffic Distribution System (TDS) domain.
    • politeche[.]com - Traffic Distribution System (TDS) domain.
    • taktwo[.]com - Traffic Distribution System (TDS) domain.
    • toindom[.]com - Traffic Distribution System (TDS) domain.
    • publicnoticessites[.]com - Domain with a subdomain acting as a hijacked CNAME.
    • hobsonsms[.]com - Domain with a subdomain serving as a hijacked CNAME.
    • hyfnrsx1[.]com - Domain with a subdomain acting as a hijacked CNAME.