"IDN Homograph Attacks Protection" breaking Norwegian domains

r_l
2 yrs ago
4replies

We use æøå in addition to a-z here, generally best practice for most sites is picking up both the real and "substituted" version and redirecting one to the other. However, NextDNS wants to block stuff like "lovløs.no/lovlos.no", which seems like a bit of an oversight at best. I've just turned the protection off, but considering it offers absolutely zero protection except kinda breaking for an entire country in these cases, it would be nice if it can be fixed.

- NextDNs
- 2 yrs ago
- Reported - view
We only block if the IDN version points to a different target than the non IDN version. For some reason, this website is using different IPs which triggers the protection.
- r_l
  
  2 yrs ago
  
  Reported - view
  NextDNS I'd have to dig around for examples, but this has absolutely come up several times before too. If someone uses a redirect service of some kind (Very common, people just set the redirect in their registrar admin panel and let them handle it.), it probably shouldn't just hard block that? This is a very common use case here :).
  
  Really, I'd argue o/ø and a/å should just be excluded under .no, considering there is nothing homograph-y about those here. (Probably also .dk)
- NextDNs
  
  2 yrs ago
  
  Reported - view
  r l squatting is often done by using legitimate spelling with alternate alphabet. Allowing these would create a hole in the protection. When you have examples of false positives like that, please report them here so we can study them and improve our solution.
- r_l
  
  2 yrs ago
  
  Reported - view
  NextDNS Just from looking at my logs:
  rødt.no (Political party, fwiw. Redirects to main "roedt.no" domain)
  lovløs.no
  daufødt.no
  felleskjøpet.no
  
  It's pretty much standard/best practice here ( _under .no, of course_ )

Content aside

1 Likes
2 yrs agoLast active
4Replies
82Views
3 Following

"IDN Homograph Attacks Protection" breaking Norwegian domains

4 replies

Content aside

Home

Tags