Phishing gangs weaponise .arpa DNS to evade defences
Infoblox Threat Intel has identified phishing campaigns that abuse the .arpa domain namespace, which is reserved for internet infrastructure and is not typically monitored for web content.
The research describes attackers using IPv6 tunnels and .arpa reverse DNS records to deliver brand-impersonation lures via spam. The approach exploits parts of the Domain Name System that many security controls treat as low risk or ignore entirely.
How .arpa Works
The .arpa top-level domain differs from consumer-facing domains such as .com and .net. It is used mainly for reverse DNS, which maps IP addresses back to domain names. Network operators rely on reverse DNS for administration and troubleshooting, not for hosting websites.
The campaigns also take advantage of a record-management feature at some DNS providers that allows users to add IP address records for .arpa domains. Attackers then place phishing content behind that infrastructure.
The same campaigns use IPv6 tunnels, which provide IPv6 connectivity over networks that still rely on older IPv4 equipment. Attackers use free IPv6 tunnel services to obtain large numbers of IP addresses for phishing operations.
Reverse DNS records are not intended to function as a hosting layer. Security tools often focus on domain reputation signals, known malicious hosting providers, or familiar URL patterns. Infoblox's findings suggest this infrastructure mix gives attackers a way around those checks.
Dr. Renée Burton, VP of Infoblox Threat Intel, described the activity as a shift in attacker focus toward core naming infrastructure.
"When we see attackers abusing .arpa, they're weaponizing the very core of the internet," said Burton. "Reverse DNS space was never designed to host web content, so most defenses don't even look at it as a potential threat surface. By turning .arpa into a delivery mechanism for phishing, these actors effectively step around traditional controls that depend on domain reputation or URL structure. Defenders need to start treating DNS infrastructure itself as high-value real estate for attackers, and they need the visibility to see abuse in any type of location."
Phishing Flow
The phishing emails impersonate major brands and promise "free gifts" or prizes. Each message consists of a single image containing an embedded hyperlink.
Victims who click are redirected through traffic distribution systems before landing on fraudulent pages. These systems can route users through multiple steps, complicating analysis and takedown efforts.
The link shown to recipients does not reveal the underlying .arpa-based reverse DNS strings used in the infrastructure chain. This matters for detection because many security controls rely on what is visible in the URL or on reputation scoring that assumes a conventional domain structure.
Using .arpa may also change how defenders approach monitoring and policy. Reverse DNS zones sit in a different part of the DNS ecosystem than typical hosted domains and are often treated as administrative records tied to IP address allocations, not as spaces where malicious web content might be delivered.
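One concrete monitoring check in that spirit, added here as an example and not taken from the Infoblox research: it decodes reverse-DNS names under in-addr.arpa and ip6.arpa back to the IP addresses they encode, and flags any proxy-log URL whose host is such a name, since a reverse-DNS name should never be the host of a web page. The log lines are constructed, and the .arpa hosts in them are built from documentation addresses (2001:db8::1 and 192.0.2.55) using the standard library's reverse_pointer.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample proxy log lines ("user url"), not from any real campaign.
# The .arpa hosts are the reverse-DNS encodings of two documentation addresses,
# e.g. 2001:db8::1 becomes 1.0.0.0.[...].8.b.d.0.1.0.0.2.ip6.arpa (32 nibble labels).
SAMPLE_LOG = "\n".join([
    "alice https://login.example.com/account",
    f"bob http://{ipaddress.ip_address('2001:db8::1').reverse_pointer}/prize",
    f"carol http://{ipaddress.ip_address('192.0.2.55').reverse_pointer}/gift",
    "dave https://www.example.org/news",
])


def arpa_to_ip(hostname):
    """Decode a full reverse-DNS name under .arpa back to the IP it encodes.

    Returns an ipaddress object, or None when the name is not a complete
    in-addr.arpa (4 octet labels) or ip6.arpa (32 nibble labels) name.
    """
    labels = hostname.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            # in-addr.arpa lists the IPv4 octets in reverse order:
            # 55.2.0.192.in-addr.arpa -> 192.0.2.55
            return ipaddress.IPv4Address(".".join(reversed(labels[:-2])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            # ip6.arpa lists all 32 hex nibbles, least significant first
            nibbles = "".join(reversed(labels[:-2]))
            groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
            return ipaddress.IPv6Address(":".join(groups))
    except ValueError:
        # Malformed labels (non-hex nibble, octet out of range): not a valid name
        return None
    return None


def find_arpa_urls(log_text):
    """Return (user, url, decoded_ip) for each log line whose URL host is a
    reverse-DNS name. The decoded IP is what to correlate or block on."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        user, url = parts
        ip = arpa_to_ip(urlparse(url).hostname or "")
        if ip is not None:
            hits.append((user, url, str(ip)))
    return hits


if __name__ == "__main__":
    for user, url, ip in find_arpa_urls(SAMPLE_LOG):
        print(f"{user}: .arpa host in URL {url} -> {ip}")
```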
Infoblox described the technique as a previously unreported method for bypassing controls and positioned it as an anomaly compared with more common phishing infrastructure, which typically relies on newly registered domains, compromised websites, or public file-hosting services.
The findings also highlight how widely available internet services can be repurposed. IPv6 tunnelling is a legitimate technology, particularly in mixed IPv4 and IPv6 environments, and reverse DNS management is standard practice for operators and hosting providers. The campaigns emerged from combining these elements with gaps in security monitoring.
Infoblox Threat Intel is publishing detailed research on the activity and releasing indicators to help defenders track the infrastructure behind the campaigns.