The .arpa trap: so the attackers take advantage of the reverse DNS for phishing


In recent weeks security researchers have detected a phishing campaign that exploits an unusual corner of the Internet to hide its traps: the special domain .arpa, used historically for network infrastructure and reverse DNS lookups. Far from being an ordinary website, .arpa is not designed to host user-visible content but to allow an IP address to be translated back into a host name; however, attackers have found creative ways to exploit that functionality to evade controls and go unnoticed.

To understand why this is a problem, it helps to remember how reverse lookup works: while a regular query resolves a domain name to an IP, a reverse lookup - through zones like in-addr.arpa for IPv4 and ip6.arpa for IPv6 - transforms an IP address into a chain of labels that points to a PTR record, which normally indicates the associated host name. Official documentation on the purpose of the .arpa space is available from IANA, which describes its role in the Internet infrastructure: https://www.iana.org/domains/arpa. In addition, content providers and DNS operators explain how reverse lookups work in practical terms, for example in the Cloudflare guide on reverse DNS: https://www.cloud.
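The label chain described above can be built by hand, which makes it clear why a delegated reverse zone maps to a fixed block of address space. The following Python is an added example (not code from the article or from Infoblox): `reverse_name` derives the in-addr.arpa / ip6.arpa name that a PTR lookup would query, and `zone_for_prefix` derives the name of the reverse zone that a delegation of a given prefix covers. Both function names and the addresses used are assumptions chosen for illustration (the 192.0.2.0/24 and 2001:db8::/32 documentation ranges).

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Return the name a PTR lookup for `ip` queries.

    IPv4: the four octets are reversed and placed under in-addr.arpa.
    IPv6: the address is expanded to 32 hex nibbles (leading zeros kept),
    the nibbles are reversed and placed one per label under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # exactly 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def zone_for_prefix(network: str) -> str:
    """Return the reverse zone covering `network`.

    Reverse delegations happen on label boundaries, so the prefix length
    must be a multiple of 8 bits (one octet label) for IPv4 and a multiple
    of 4 bits (one nibble label) for IPv6. Whoever controls this zone
    controls the reverse names of every address inside the prefix.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need a /8, /16 or /24 boundary")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble (4-bit) boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::1"):
        print(ip, "->", reverse_name(ip))
    for prefix in ("192.0.2.0/24", "2001:db8::/32", "2001:db8:1234::/48"):
        print(prefix, "is served by zone", zone_for_prefix(prefix))
```

Note that an IPv6 reverse name for a single address is 32 one-character labels long; a host name of that shape embedded in an email link is itself a strong signal, because no legitimate web service is normally addressed that way.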


The trap observed by researchers such as Infoblox consists of obtaining IPv6 address blocks - often through tunnel broker services like Hurricane Electric's Tunnelbroker - and then taking control of the reverse DNS zone for that portion of address space. Once the malicious actor manages that zone, some DNS management panels allow record types other than the classic PTR to be created; attackers use precisely that permissiveness to define records that point to phishing infrastructure.

The practical effect is disturbing: instead of a domain registered in a public registry, with WHOIS data, age and the other metrics that anti-phishing gateways usually analyse, the link embedded in an email can point to a name derived from the IPv6 address within ip6.arpa. When the URL is hidden behind an image or another visual element of the message, many victims never see the full address; on clicking, the browser resolves the name in the reverse zone controlled by the attacker and is redirected through a traffic distribution system (TDS). If the visitor meets certain criteria - for example device type, country or referrer - they are sent to the phishing site; if not, they are forwarded to legitimate content or an error page, which further complicates forensic analysis and detection.

The attackers have also used well-known providers to host the authoritative zones, which gives them an extra layer of legitimacy against automated systems that rely on the reputation of the provider. Infoblox documented cases where services from respected operators such as Hurricane Electric or even Cloudflare were used to publish authoritative records that resolved to intermediate infrastructure, hiding the real location of the backend.

Another piece of the puzzle is the short life of the malicious links: they are usually active only a few days before going dark or redirecting to safe sites. This behaviour shrinks the observation window and makes it difficult for researchers and blocking tools to build effective signatures. In parallel, the attackers have combined this technique with other known ones, such as the hijacking of dangling CNAME records - which Infoblox has described in previous research - and the phenomenon known as subdomain shadowing, which lets them push malicious content into subdomains tied to legitimate organisations.

From the defenders' perspective, there are two reasons that make this abuse particularly worrying. First, names within .arpa carry none of the usual registration metadata (WHOIS, age or contacts), so mail gateways that base part of their assessment on that information have fewer levers for identification. Second, the reverse delegation mechanism itself, together with the rules of some DNS panels, allows unexpected record types to be published inside infrastructure zones, something that malicious actors exploit.


Not everything is lost: there are measures at both the user and the operational level that reduce the risk. For individuals, the basic rule remains valid and urgent: do not click unexpected links in emails and, when it is necessary to access a service, type the official URL or use bookmarks and official applications. For security teams and administrators, it is appropriate to review the reverse DNS delegations for the blocks they control, to require tunnel and DNS providers to restrict the record types allowed in reverse zones, and to monitor unusual resolution patterns towards .arpa zones. It is also recommended that filtering solutions and mail gateways include specific controls to detect and analyse links under ip6.arpa, and that abuse be coordinated with DNS providers when it is observed.
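One concrete form of the mail-gateway control suggested above is a scanner that pulls every URL out of a message body, flags host names under ip6.arpa or in-addr.arpa, decodes the embedded address and reports the delegated block it falls in, so an analyst knows which reverse delegation to ask the provider about. The following Python is an added example (not code from the article, Infoblox or any vendor product). The message body is constructed for illustration, the hosts are built from the documentation ranges 2001:db8::/32 and 192.0.2.0/24, and the block sizes (/48 for IPv6, /24 for IPv4) are an assumption about typical delegation sizes, not a fact taken from the article.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample message (not a real campaign artefact). The ip6.arpa host
# encodes 2001:db8:1234::1; the in-addr.arpa host encodes 192.0.2.10.
ARPA_V6_HOST = "1." + "0." * 19 + "4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa"
SAMPLE_BODY = (
    '<p>Your mailbox is almost full. '
    '<a href="https://mail.example.com/quota">Review storage</a></p>\n'
    f'<a href="http://{ARPA_V6_HOST}/login"><img src="cid:banner"></a>\n'
    '<a href="https://10.2.0.192.in-addr.arpa/verify">verify</a>\n'
)

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def arpa_name_to_ip(host: str):
    """Decode a reverse-DNS name back into the address it encodes.

    Returns an IPv4Address/IPv6Address, or None if `host` is not a complete
    in-addr.arpa (4 octet labels) or ip6.arpa (32 nibble labels) name.
    """
    labels = host.lower().rstrip(".").split(".")
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(reversed(labels[:-2]))
        if re.fullmatch(r"[0-9a-f]{32}", nibbles):
            return ipaddress.IPv6Address(int(nibbles, 16))
        return None
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        try:
            return ipaddress.IPv4Address(".".join(reversed(labels[:-2])))
        except ValueError:
            return None
    return None


def find_arpa_links(body: str) -> list:
    """Return one finding per URL whose host is a reverse-DNS name.

    Each finding carries the URL, the decoded address and the (assumed)
    delegated block the address belongs to, which is the zone a defender
    would report to the tunnel or DNS provider.
    """
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        ip = arpa_name_to_ip(host)
        if ip is None:
            continue
        # Assumed delegation sizes: /48 per ip6.arpa zone, /24 per in-addr.arpa zone.
        plen = 48 if ip.version == 6 else 24
        block = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        findings.append({"url": url, "ip": str(ip), "delegated_block": str(block)})
    return findings


if __name__ == "__main__":
    for finding in find_arpa_links(SAMPLE_BODY):
        print(f"{finding['ip']:>22}  block {finding['delegated_block']:<20}  {finding['url']}")
```

Because the decoder requires the full 32-nibble (or 4-octet) form, it ignores ordinary host names and partial reverse names; a gateway would typically treat any hit as a quarantine-or-review condition rather than relying on domain reputation, which, as the article notes, is absent for .arpa names.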

The security community has already begun to raise the alarm and report findings to providers and operators in order to close the operational gaps. Infoblox's articles on this abuse and its previous research on dangling CNAMEs are a good starting point for anyone who wants to dig deeper: Abusing .arpa (Infoblox) and Cloudy with a chance of hijacking (Infoblox). To understand related risks such as subdomain shadowing, Proofpoint's analysis is enlightening: The Shadow Knows (Proofpoint).

In the end, the lesson is clear: the most technical pieces of the Internet - which have historically been taken for granted - can become attack vectors when visibility and operating rules are inadequate. The attackers look for the "quiet" spaces on the network where the rules of trust work in their favour, and defence requires both digital hygiene on the part of users and more sophisticated policy and monitoring on the part of operators and providers.
