Netskope Global Technical Success (GTS)
Safeguarding Against Risks from Punycode Domains
Netskope Cloud Version - 123
Objective
Safeguarding the organisation against risks from Punycode domains
Prerequisite
Netskope SWG license is required
Context
Cybercriminals exploit Punycode domains for phishing and spoofing attacks. Learn how Netskope Secure Web Gateway (SWG) protects users from these risks by detecting and blocking malicious internationalized domains (IDN).
Do You Know?
- Many languages use characters beyond the standard Latin alphabet (A-Z, 0-9, and "-"). The Domain Name System (DNS) only supports ASCII characters. Punycode converts non-ASCII domain names into ASCII-compatible encoding (ACE) so they can be processed by DNS.
- The prefix "xn--" is always added to indicate Punycode encoding. Example: The domain "münchen.de" (with "ü") is converted to "xn--mnchen-3ya.de" in Punycode.
- You can test encoding or decoding of a domain name using a Punycode converter.
- Netskope enables the categorization of Internationalized Domain Names (IDNs), ensuring that newly registered IDN domains are classified as Newly Observed Domains. This allows organizations to enforce security policies, such as blocking or isolating them using Netskope's Remote Browser Isolation (RBI) feature.
Configuration
By using a custom regular expression to match the 'xn--' prefix, Netskope SWG enables customers to block all IDN domains at the policy level. The following steps guide you through setting up this restriction.
Step 1 - Create a custom URL category and set up a regex match like the one below:
Path: Netskope Tenant UI >>> Policies >>> Profile - - - URL Lists
Add this URL to a custom category. To make the policy more flexible where you have seen legitimate use of Punycode domains in your organization, you can also match the custom category together with other categories such as Newly Observed Domain, Newly Registered Domain or Uncategorized.
Path: Netskope Tenant UI >>> Policies >>> Profile - - - Custom Categories
Step 2 - Real-time Protection policy
Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy
Optional Step - Create a new user notification template, such as the example below, to coach users on the risks presented by Punycode (IDN) URLs.
Path: Netskope Tenant UI >>> Policies >>> Templates - - - User Notification
Verification
Access any Punycode URL, Ref. - café.com
Note - Kindly copy and paste the reference website when testing
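To see which hostnames an 'xn--' label match would catch before testing in the tenant, the check can be reproduced offline. This is an added example, not Netskope code and not Netskope URL-list syntax; the regex, function names and sample hostnames are assumptions constructed for illustration, using Python's built-in "idna" and "punycode" codecs.

```python
import re

# Assumed detection pattern for this example (generic regex, not Netskope's
# URL-list syntax): a DNS label that begins with the ACE prefix "xn--".
ACE_LABEL = re.compile(r"(?:^|\.)xn--[a-z0-9-]+", re.IGNORECASE)


def to_ace(hostname: str) -> str:
    """Return the ASCII-compatible (wire) form of a hostname, lowercased."""
    host = hostname.strip().rstrip(".")
    try:
        # Python's built-in "idna" codec (IDNA 2003) applies Punycode per label.
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return host.lower()  # leave unencodable input as-is for inspection


def to_unicode(ace_host: str) -> str:
    """Decode ACE labels for display; undecodable labels are kept as-is."""
    out = []
    for label in ace_host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass
        out.append(label)
    return ".".join(out)


def is_idn(hostname: str) -> bool:
    """True if any label of the hostname is Punycode-encoded."""
    return ACE_LABEL.search(to_ace(hostname)) is not None


# Constructed sample hostnames, not taken from real traffic.
SAMPLES = [
    "m\u00fcnchen.de",       # Unicode form as a user would type it
    "xn--mnchen-3ya.de",     # same domain in ACE form
    "shop.XN--CAF-DMA.com",  # ACE label in a subdomain, upper case
    "www.example.com",       # plain ASCII, no match expected
    "foo-xn--bar.example",   # "xn--" inside a label, not an ACE label
]

if __name__ == "__main__":
    for host in SAMPLES:
        ace = to_ace(host)
        print(f"{host:22} ace={ace:22} idn={is_idn(host)} shown={to_unicode(ace)}")
```

A bare substring match on "xn--" would also flag the last sample, so anchor the pattern to the start of a label and match case-insensitively.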
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.