A threat actor has been exploiting the .arpa top-level domain and IPv6-to-IPv4 tunneling to host phishing content on domains that bypass standard security defenses. By abusing a DNS record management feature at providers such as Hurricane Electric and Cloudflare, the attackers create forward DNS (A) records inside .arpa space, where only reverse (PTR) records are expected, and use them to point victims to malicious sites. Because .arpa domains carry implicit trust and have no registration data, reputation-based and blocklist security tools fail to flag them. Infoblox, which discovered the technique, reports that it has been used in consumer-targeted scam phishing (fake brand surveys, subscription renewal fraud). Recommended mitigations include DNS monitoring for anomalous A/AAAA queries under .arpa, firewall rules targeting ip6.arpa traffic, and auditing by IPv6 tunnel and DNS providers.
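The first mitigation above, monitoring for A/AAAA lookups under .arpa, as an added example that is not part of the original article or Infoblox's tooling. It assumes a BIND-style query log line format and uses constructed sample lines; the flagged names are invented placeholders, not indicators from the report.

```python
# Added example: flag forward (A/AAAA) queries under .arpa in a DNS query log.
# The reverse-mapping trees (in-addr.arpa, ip6.arpa) should normally only see
# PTR and delegation-related lookups, so an A/AAAA query there is anomalous.
import re
from dataclasses import dataclass

# Constructed sample lines in an assumed BIND-style "query:" log format.
SAMPLE_LOG = """\
12-Mar-2024 10:01:02.123 client 192.0.2.10#53122: query: 5.2.0.192.in-addr.arpa IN PTR + (192.0.2.1)
12-Mar-2024 10:01:03.456 client 192.0.2.11#40001: query: www.example.com IN A + (192.0.2.1)
12-Mar-2024 10:01:04.789 client 192.0.2.12#51000: query: survey-reward.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN A + (192.0.2.1)
12-Mar-2024 10:01:05.000 client 192.0.2.13#52000: query: renew-now.8.b.d.0.1.0.0.2.ip6.arpa. IN AAAA + (192.0.2.1)
12-Mar-2024 10:01:06.000 client 192.0.2.14#53000: query: 1.0.0.0.ip6.arpa IN PTR + (192.0.2.1)
"""

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)")

# Forward-lookup types that have no business under .arpa (per the mitigation advice).
FORWARD_TYPES = {"A", "AAAA"}


@dataclass(frozen=True)
class Finding:
    qname: str   # normalized: lowercase, no trailing dot
    qtype: str
    subtree: str  # "ip6.arpa", "in-addr.arpa" or "arpa" (other .arpa names)


def _labels(qname):
    return qname.rstrip(".").lower().split(".")


def arpa_subtree(qname):
    """Return which .arpa subtree a name sits in, or None if it is not under .arpa."""
    labels = _labels(qname)
    if labels[-1] != "arpa":
        return None
    if len(labels) >= 2 and labels[-2] in ("ip6", "in-addr"):
        return labels[-2] + ".arpa"
    return "arpa"


def find_forward_arpa_queries(log_text):
    """Parse query-log lines and return A/AAAA lookups whose name is under .arpa."""
    findings = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or unexpected format): skip
        qname, qtype = m.group("qname"), m.group("qtype")
        subtree = arpa_subtree(qname)
        if subtree is not None and qtype in FORWARD_TYPES:
            findings.append(Finding(".".join(_labels(qname)), qtype, subtree))
    return findings


if __name__ == "__main__":
    for f in find_forward_arpa_queries(SAMPLE_LOG):
        print(f"ALERT forward lookup under {f.subtree}: {f.qname} {f.qtype}")
```

The two ip6.arpa A/AAAA lines are reported; the PTR lookups and the ordinary forward query are not.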

From csoonline.com