Domain Name
A human-readable address like example.com that maps to an IP address, making it easier to remember website locations.
Short Definition
A domain is the readable name of a website, like google.com or github.com. Instead of typing 172.217.164.78, you type google.com. DNS translates domain names to IP addresses computers actually use.
Full Definition
A domain name is a human-readable identifier for a location on the internet. It's part of a hierarchical system that makes the web usable.
Structure:
    subdomain.example.com
    │         │       │
    │         │       └─ TLD (Top-Level Domain)
    │         └─ Second-level domain
    └─ Subdomain (optional)

    Full examples:
    www.example.com
    api.example.com
    blog.subdomain.example.com
Levels:
- TLD: .com, .org, .io, .gov
- Second-level: example (in example.com)
- Subdomain: www, api, mail
How it works:
- User types domain in browser
- DNS lookup translates to IP
- Browser connects to that IP
- Server responds
Why It Matters
- Domains are how users find websites
- Trust associated with domain names
- Certificates tied to domains (HTTPS)
- Domains used in security policies (CORS, CSP)
- Domain ownership = control
How Attackers Use It
Attack techniques:
1. Typosquatting:
    google.com   ← Legitimate
    gooogle.com  ← Fake (extra 'o')
    g00gle.com   ← Fake (zeros instead of 'o')
2. Subdomain Takeover:
    # Company creates subdomain
    old-app.company.com → points to AWS S3

    # Company deletes S3 bucket but forgets DNS
    # Attacker creates bucket with same name
    old-app.company.com → now controlled by attacker
3. DNS Rebinding (SSRF filter bypass):
    1. attacker.com → 1.2.3.4 (attacker's server)
    2. Validation sees: 1.2.3.4 ✓
    3. attacker.com → 169.254.169.254 (DNS changed)
    4. Actual request goes to: 169.254.169.254
The attacker's own nameserver serves the record with a TTL of 0 (or simply alternates answers), so the lookup made at connect time does not reuse the answer that was validated.
4. Homograph Attacks:
    аpple.com ← Uses Cyrillic 'а', not Latin 'a'
    apple.com ← Real domain
The two look identical on screen but are different domains; DNS sees the fake in its punycode form (xn--...).
5. Cookie Stealing via Subdomain:
    # Cookie set with Domain=.example.com
    # Attacker compromises: evil.example.com
    # Browser sends every cookie scoped to .example.com to that host, so the attacker can read them
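Worked example of the dangling-record check behind subdomain takeover (technique 2 above). This is added here and is not code from the original page: it parses a constructed zone fragment for the hypothetical company.com, picks out CNAMEs that point at provider names anyone can register, and flags the ones a probe reports as unclaimed. The zone records, the provider suffix list and the fake probe results are assumptions; a real check replaces `fake_probe` with a DNS lookup plus an HTTP request that recognises each provider's "not found" response.

```python
import re

# Constructed zone fragment for the hypothetical company.com; targets are made up.
ZONE_TEXT = """
www      IN CNAME  company.com.
old-app  IN CNAME  old-app-assets.s3.amazonaws.com.
docs     IN CNAME  company.github.io.
blog     IN CNAME  company.ghost.io.
api      IN A      203.0.113.10
"""

# Provider name spaces where a CNAME target can be re-registered by anyone once
# the original resource is deleted (illustrative subset, not an exhaustive list).
CLAIMABLE_SUFFIXES = (".s3.amazonaws.com", ".github.io", ".herokuapp.com")

# Matches "<name> IN CNAME <target>"; whitespace between fields is flexible.
CNAME_RE = re.compile(r"^(\S+)\s+IN\s+CNAME\s+(\S+)\s*$", re.MULTILINE)


def parse_cnames(zone_text, origin):
    """Return [(fqdn, target)] for every CNAME record in a zone fragment."""
    records = []
    for name, target in CNAME_RE.findall(zone_text):
        fqdn = f"{name}.{origin}"
        records.append((fqdn, target.rstrip(".")))  # drop the trailing root dot
    return records


def find_takeover_candidates(zone_text, origin, target_is_claimed):
    """CNAMEs pointing at a claimable provider name that nobody currently owns.

    target_is_claimed(target) must answer False when the provider reports the
    resource as missing (NXDOMAIN, S3 'NoSuchBucket', GitHub Pages' 404, ...).
    """
    return [
        (fqdn, target)
        for fqdn, target in parse_cnames(zone_text, origin)
        if target.endswith(CLAIMABLE_SUFFIXES) and not target_is_claimed(target)
    ]


# Constructed probe results standing in for DNS + HTTP checks against each provider.
FAKE_PROBE = {
    "company.github.io": True,
    "company.ghost.io": True,
    "old-app-assets.s3.amazonaws.com": False,  # bucket deleted, name is free to claim
}


def fake_probe(target):
    return FAKE_PROBE.get(target, False)


if __name__ == "__main__":
    for fqdn, target in find_takeover_candidates(ZONE_TEXT, "company.com", fake_probe):
        print(f"dangling CNAME: {fqdn} -> {target}")
```

Run against the constructed zone it reports only old-app.company.com; www.company.com is skipped because its target is not a third-party provider, and docs.company.com because the GitHub Pages site still exists. The same loop is what "remove dangling DNS records" means in practice: run it on every zone export, and treat any hit as an open takeover until the record is deleted or the resource re-created.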
How to Detect or Prevent It
Prevention:
For organizations:
- Register common typos
- Monitor for similar domains
- Use HTTPS with HSTS
- Implement CAA DNS records
- Monitor certificate transparency logs
- Remove dangling DNS records
- Use domain monitoring services
For applications:
- Validate domain against whitelist
- Check resolved IP address
- Use pinned domains for critical requests
- Implement CORS properly
- Set specific cookie domains
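Added example (not from the original page) for technique 5 under How Attackers Use It and for the "set specific cookie domains" item above. The standard-library cookie jar applies the same suffix-matching rule browsers use for the Domain attribute, so it shows exactly which cookies a client would attach to a request for a compromised evil.example.com. The cookie names, values and hosts are constructed.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain, host_only):
    """Build a Netscape-style cookie as a Set-Cookie header would create it.

    host_only=True models Set-Cookie without a Domain attribute: the cookie is
    bound to exactly the responding host. host_only=False models Domain=.example.com.
    """
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=not host_only,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True, secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for `url`."""
    request = Request(url)
    jar.add_cookie_header(request)  # applies the browser-style domain/path/secure checks
    header = request.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


def build_jar():
    """Constructed jar: one cookie scoped to the whole domain, one host-only."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("sso_session", "abc123", ".example.com", host_only=False))
    jar.set_cookie(make_cookie("app_session", "def456", "www.example.com", host_only=True))
    return jar


if __name__ == "__main__":
    jar = build_jar()
    for host in ("www.example.com", "evil.example.com"):
        print(f"{host:18} receives {cookies_sent_to(jar, f'https://{host}/')}")
```

www.example.com receives both cookies, evil.example.com receives only sso_session, and a plain-http request to either host receives nothing because both cookies are marked Secure. The host-only cookie is the "specific cookie domain": omit the Domain attribute (or use the __Host- prefix) unless a cookie genuinely has to be shared across subdomains.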
Example validation:
    from urllib.parse import urlparse

    ALLOWED_DOMAINS = ['example.com', 'api.example.com']

    def is_safe_domain(url):
        parsed = urlparse(url)
        domain = parsed.hostname  # lowercased host without port; None for relative URLs

        # Fail closed when there is no host to check
        if not domain:
            return False

        # Exact match
        if domain in ALLOWED_DOMAINS:
            return True

        # Check if subdomain of allowed (the leading dot rejects notexample.com)
        for allowed in ALLOWED_DOMAINS:
            if domain.endswith('.' + allowed):
                return True

        return False
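A hostname allowlist like the one above does not stop the DNS rebinding case described under attack technique 3, because the address is checked after one lookup and the connection is made after another. Added example (not from the original page) for "check resolved IP address" and "use pinned domains for critical requests": resolve once, reject internal and metadata addresses with the standard `ipaddress` module, and hand the caller the single pinned address to connect to. `RebindingResolver` is a constructed stand-in for DNS that answers 1.2.3.4 first and 169.254.169.254 second; attacker.com and both addresses are taken from the page's own example.

```python
import ipaddress
from itertools import cycle


def is_blocked_ip(ip_str):
    """True for any address a server-side fetcher must never connect to."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback
            or ip.is_link_local          # 169.254.0.0/16, including the metadata endpoint
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vulnerable_fetch_target(host, resolve):
    """The pattern rebinding exploits: validate one lookup, connect on another."""
    checked = resolve(host)
    if is_blocked_ip(checked):
        raise ValueError(f"{host} -> {checked} is not allowed")
    return resolve(host)  # second lookup at connect time may get a different answer


def pinned_fetch_target(host, resolve):
    """Resolve once, validate that answer, and connect to exactly that address.

    The caller opens the socket to the returned IP and still sends the original
    name in the Host header / TLS SNI, so the lookup is never repeated. A real
    resolver returns several addresses; validate every one before pinning.
    """
    ip = resolve(host)
    if is_blocked_ip(ip):
        raise ValueError(f"{host} -> {ip} is not allowed")
    return ip


class RebindingResolver:
    """Constructed stand-in for DNS: the attacker's nameserver returns a harmless
    address on the first query and the metadata address on the next (TTL 0)."""

    def __init__(self, answers):
        self._answers = cycle(answers)

    def __call__(self, host):
        return next(self._answers)


if __name__ == "__main__":
    answers = ["1.2.3.4", "169.254.169.254"]  # sequence from the page's rebinding example
    print("vulnerable connects to", vulnerable_fetch_target("attacker.com", RebindingResolver(answers)))
    print("pinned connects to   ", pinned_fetch_target("attacker.com", RebindingResolver(answers)))
```

With the same resolver the vulnerable path ends up at 169.254.169.254 while the pinned path stays on 1.2.3.4. The check also rejects the IPv6 metadata address (fd00:ec2::254 falls under `is_private`); redirects need the same treatment, since a 302 to an internal address is another way to get past a check that ran only on the first hostname.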
Detection:
- Monitor DNS requests for unusual domains
- Check certificate transparency logs
- Use domain reputation services
- Alert on newly registered similar domains
- Track subdomain enumeration attempts
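Added example (not from the original page) for "monitor for similar domains" and "alert on newly registered similar domains", covering the typosquatting and homograph techniques listed under How Attackers Use It. It shows the form DNS actually sees (punycode via the `idna` codec), collapses a small constructed table of confusable characters onto their ASCII lookalikes, and then classifies a candidate name against a legitimate one. The confusables table is a hand-picked subset, not the full Unicode confusables data; google.com, apple.com and steamcommunity.com are the page's own examples.

```python
import unicodedata

# Constructed subset of confusable characters mapped to their ASCII lookalikes.
# Production code should load the full Unicode confusables.txt instead.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
    "\u0456": "i",  # Cyrillic і
    "0": "o",
    "1": "l",
}


def to_ascii(domain):
    """The name DNS actually sees: Unicode labels become xn-- (punycode) labels."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Collapse confusable characters so visually identical names compare equal."""
    text = unicodedata.normalize("NFKC", domain.lower())
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return text.replace("rn", "m").replace("vv", "w")


def is_mixed_script(label):
    """Letters from more than one script in a single label (e.g. Cyrillic + Latin)."""
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}
    return len(scripts) > 1


def levenshtein(a, b):
    """Edit distance; a small value between registrable names suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legit):
    """Why `candidate` resembles `legit`, or None if it does not."""
    candidate, legit = candidate.lower(), legit.lower()
    if candidate == legit:
        return "identical"
    if skeleton(candidate) == skeleton(legit):
        return "confusable"        # homograph or digit-for-letter swap
    if any(is_mixed_script(label) for label in candidate.split(".")):
        return "mixed-script"      # suspicious even when no table entry matched
    c_name, _, c_tld = candidate.rpartition(".")
    l_name, _, l_tld = legit.rpartition(".")
    if c_name == l_name and c_tld != l_tld:
        return "tld-swap"
    if c_name.replace("-", "") == l_name:
        return "hyphenation"
    if levenshtein(c_name, l_name) <= 2:
        return "typosquat"
    return None


if __name__ == "__main__":
    pairs = [("gooogle.com", "google.com"), ("g00gle.com", "google.com"),
             ("\u0430pple.com", "apple.com"), ("steamcommunity.co", "steamcommunity.com"),
             ("steam-community.com", "steamcommunity.com")]
    for fake, real in pairs:
        print(f"{to_ascii(fake):22} vs {real:20} -> {classify(fake, real)}")
```

Feed it the names that certificate transparency logs and new-registration feeds produce and alert on anything that classifies; the punycode form is what to search those feeds for, since a log entry shows xn--pple-43d.com, not the Unicode rendering. The last-label split treats co.uk-style suffixes as a TLD swap plus a name change, so a production version should split on the Public Suffix List instead.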
Common Misconceptions
- "Subdomain = separate ownership" - Whoever controls the parent zone controls every subdomain under it; delegating a subdomain to someone else is the exception (which is why browsers consult the Public Suffix List)
- "HTTPS = legitimate domain" - Attackers get certificates too
- ".com more secure than .io" - TLD doesn't determine security
- "Domain in URL is clear" - Homograph attacks exist
- "Can't fake domain" - Typosquatting and homographs work
Real-World Example
Steam Login Typosquatting
Fake domains:
    steamcommunity.com   ← Real
    steamcommunitу.com   ← Fake (Cyrillic у)
    steamcommunity.co    ← Fake (.co instead of .com)
    steam-community.com  ← Fake (hyphen)
Result: Thousands of stolen credentials
GitHub Subdomain Takeover (Multiple)
- Company creates: docs.company.com → GitHub Pages
- Company deletes GitHub repo
- DNS record remains: docs.company.com → old GitHub URL
- Attacker creates repo with same name
- Attacker now controls docs.company.com
Real cases: Uber, Shopify, Tesla, others
PayPal Homograph Attack
    paypal.com ← Real (Latin characters)
    pаypаl.com ← Fake (Cyrillic 'а')
Clients that render the Unicode form show the fake exactly like the real name. Browsers now apply IDN display rules that fall back to the punycode form (xn--...) for suspicious labels, but those rules have been bypassed before and not every mail client or chat app applies them.
Related Terms
DNS, URL, Subdomain, IP Address, Certificate