I fail to comprehend the rational behind Google/ICANN’s decision to introduce two new top-level domains (TLDs), namely .zip and .mov, which correspond to file extensions. However, despite my confusion, it is evident that this move has stirred significant controversy within the information security (infosec) community.

Considering the situation at hand and the strong possibility that these TLDs will be exploited for phishing and malware distribution, I would like to present a pair of Suricata rules that can be employed to universally restrict access to these TLDs.

.Zip Rule

drop http any any -> any any (msg:"Blocked access to .zip domain"; flow:to_server,established; pcre:"/Host:\s*[^\\r\\n]*\.zip\r\n/i";sid:1000001; rev:1;)

.Mov Rule

drop http any any -> any any (msg:"Block access to .mov TLDs"; flow:to_server,established; content:".mov"; http_header; nocase; pcre:"/Host:\s+[^.]+\.(mov)(?=\s|$)/i"; sid:1000002; rev:2;)

Further Information

Here is a good wrtie up https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5 with examples of why these TLDs are bad, this write up focuses on .zip domains but, I do not see why this would not work with .mov domains as well.