Government Denies FOIA Request For .gov Domain List

Information Week Article

I was sure that the concept of “security through obscurity” had been thoroughly debunked by now; evidently not.

A recent Freedom of Information Act request for a list of .gov domain names was denied by the General Services Administration (GSA), which runs the .gov registry. You should know this about me: I am all for state secrets. I think that, realistically, a government must have secrets. This is perhaps an argument for another day.

Given the nature of DNS (recursive resolvers cache every name they have looked up and will answer non-recursive queries about that cache, passive DNS collectors record what others have resolved, and every name that is ever used leaks to someone's logs), how long do you think it will be before some of these “hidden” domains show up anyway?

Let’s be clear: I really don’t think this is a huge deal, but it can be a source of mental fun for the rest of us. So here is a “wake up, it is hump day” mental exercise for you (this WILL be graded, you WILL need to know this for the test!):

What would be a more effective “security through obscurity model” for the government to use, while still listing the required domains?

I will start the ball on this (and therefore open myself up to immediate criticism!):

  • Register the domains as normal, but do not use obviously descriptive names: instead of “trackingPrivateCitizens.gov” you might use “TPCProject.gov”; you may even consider a completely sanitized CRC32 version such as 13201934.gov (free Vidoc Razor T-shirt if you can figure that one out). Caveat before you adopt the CRC32 variant: CRC32 is a 32-bit checksum, not a keyed or one-way function, so anyone holding a list of plausible program names can recompute it for every entry (and every spelling of every entry) and match it against the registered label in seconds. It hides the meaning of the name only from people who cannot guess the name.
  • Keep an internal, classified document that maps each “sanitized domain” to its true description.

How would you set out to discover these “hidden” domains?

  • We will assume a zone transfer (AXFR) of the .gov zone is not available (which could be a big assumption).
  • Build a database of known domain names from whatever is public: search engines, crawled links, passive DNS, mail headers.
  • What next?
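One answer to “what next?” in working code, covering both halves of the exercise above (the obscured-naming scheme and the discovery of it). This is an added example written for this post, not code from the original article or from any .gov operator; the wordlist is constructed for illustration and names no real program, and the resolver hook defaults to a plain forward lookup so that the same candidate list can be run against live DNS or against a stub.

```python
"""Dictionary-driven discovery of 'obscured' domain names (added example).

Idea: the operator replaced descriptive labels with abbreviations or a
decimal CRC32. Both are reproducible from a wordlist of plausible program
names, so we generate every form an operator might have chosen, check which
candidates resolve, and map numeric labels back to the phrase behind them.
"""
import socket
import zlib
from typing import Callable, Dict, Iterable, List, Optional

# Constructed wordlist of plausible programme names; these are NOT real .gov projects.
WORDLIST = [
    "tracking private citizens",
    "border entry system",
    "grant payment portal",
    "fleet telematics",
]


def spellings(phrase: str) -> List[str]:
    """The ways an operator might type a phrase before hashing it:
    spaced, run together, camelCase, PascalCase."""
    words = phrase.split()
    camel = words[0] + "".join(w.capitalize() for w in words[1:])
    pascal = "".join(w.capitalize() for w in words)
    return [phrase, "".join(words), camel, pascal]


def abbreviation_labels(phrase: str) -> List[str]:
    """Initials-style labels ('TPCProject') that replace a descriptive name."""
    words = phrase.split()
    initials = "".join(w[0] for w in words)
    return [initials, initials + "project", initials + "prog", "".join(words)]


def crc32_label(text: str) -> str:
    """Decimal CRC32 of the text: the 'sanitised' label the post floats."""
    return str(zlib.crc32(text.encode()) & 0xFFFFFFFF)


def crc32_index(phrases: Iterable[str]) -> Dict[str, str]:
    """Map every candidate CRC32 label back to the spelling that produced it."""
    index: Dict[str, str] = {}
    for phrase in phrases:
        for s in spellings(phrase):
            index.setdefault(crc32_label(s), s)
    return index


def reverse_crc32(label: str, phrases: Iterable[str]) -> Optional[str]:
    """Recover the phrase behind a numeric label, or None if the wordlist lacks it.
    CRC32 is a checksum, not a keyed hash: one zlib.crc32 call per guess."""
    return crc32_index(phrases).get(label)


def candidates(phrases: Iterable[str], tld: str = "gov") -> List[str]:
    """All names to try: abbreviation forms plus CRC32 forms, lower-cased, deduplicated."""
    seen: List[str] = []
    for phrase in phrases:
        labels = abbreviation_labels(phrase) + [crc32_label(s) for s in spellings(phrase)]
        for label in labels:
            name = f"{label.lower()}.{tld}"
            if name not in seen:
                seen.append(name)
    return seen


def resolves(name: str) -> bool:
    """Default live check: does the name resolve at all? Needs network access."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def discover(phrases: Iterable[str], resolve: Callable[[str], bool] = resolves,
             tld: str = "gov") -> List[str]:
    """Return the candidate names that the resolver confirms exist."""
    return [name for name in candidates(phrases, tld) if resolve(name)]


if __name__ == "__main__":
    # Constructed stand-in for a live resolver so the demo runs offline.
    live = {"tpcproject.gov", crc32_label("trackingPrivateCitizens") + ".gov"}
    for name in discover(WORDLIST, resolve=lambda n: n in live):
        label = name.split(".")[0]
        print(name, "<-", reverse_crc32(label, WORDLIST) or "(abbreviation form)")
```

Against live DNS the interesting part is not the resolver but the wordlist: the scheme only holds up as long as the program names stay out of the attacker's dictionary, and a 32-bit checksum gives no margin beyond that. Swap the `resolve` hook for a non-recursive query against a target's resolver and the same candidate list doubles as a cache-snooping probe.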

Feel free to post any ideas – or chide me for wasting your time and making you read this cruft!
