Subdomain

Last updated October 28, 2024

In the Domain Name System (DNS) hierarchy, a subdomain is a domain that is a part of another (main) domain.^[1] For example, if a domain offered an online store as part of their website example.com, it might use the subdomain shop.example.com .

Overview

The Domain Name System (DNS) has a tree structure or hierarchy, which includes nodes on the tree being a domain name. A subdomain is a domain that is part of a larger domain. Each label may contain from 0 to 63 octets.^[2] The full domain name may not exceed a total length of 253 ASCII characters in its textual representation.^[3]

Subdomains are defined by editing the DNS zone file pertaining to the parent domain. However, there is an ongoing debate over the use of the term "subdomain" when referring to names which map to the Address record A (host) and various other types of zone records which may map to any public IP address destination and any type of server. Network Operations teams insist that it is inappropriate to use the term "subdomain" to refer to any mapping other than that provided by zone NS (name server) records and any server-destination other than that.

According to RFC 1034, "a domain is a subdomain of another domain if it is contained within that domain". Based on that definition, a host cannot be a subdomain, only a domain can be a subdomain. A subdomain will also have a separate zone file with a SOA record (Start of Authority).

Most domain registries only allocate a two-level domain name. Hosting services typically provide DNS Servers to resolve subdomains within that master domain.

Example of subdomain Subdomain-en.svg — Example of subdomain

A fully qualified domain name consists of multiple parts. For example, take the English Wikipedia domain en.wikipedia.org. The en is a subdomain of wikipedia.org. Although wikipedia.org is usually considered to be the domain name, wikipedia is actually a sub-domain of the org TLD (top level domain). Any fully qualified domain name can be a host or a subdomain.

A domain name that does not include any subdomains is known as an apex domain, root domain, or bare domain.^[4] For example, wikipedia.org is the apex domain of Wikipedia, which redirects to the subdomain www.wikipedia.org.

To discover more subdomains associated with a domain, you can utilize a variety of methods and tools. Automated tools like Amass^[5] and Subfinder ^[6] leverage open-source intelligence and SSL certificate data^[7] to quickly uncover subdomains. Google Dorking, using the "site:" operator, allows for manual searches of indexed subdomains, while brute force techniques systematically query DNS servers with potential names. Passive DNS reconnaissance through APIs from services like SecurityTrails & Subdomain Center^[8] can reveal historical data without direct queries. Additionally, community resources such as GitHub and Pastebin may contain publicly available lists of subdomains. Combining these approaches will enhance your ability to effectively identify hidden or overlooked subdomains for security assessments or research purposes.^[9]

Subdomain usage

Subdomains are often used by internet service providers supplying web services. They allocate one (or more) subdomains to their clients who do not have their own domain name. This allows independent administration by the clients over their subdomain.

Subdomains are also used by organizations that wish to assign a unique name to a particular department, function, or service related to the organization. For example, a university might assign "cs" to the computer science department, such that a number of hosts could be used inside that subdomain, such as www.cs.example.edu.^[10]

There are some widely recognized subdomains such as WWW and FTP. This allows for a structure where the domain contains administrative directories and files including the FTP directories and webpages. The FTP subdomain could contain logs and the web page directories, while the WWW subdomain contains the directories for the webpages. Independent authentication for each domain provides access control over the various levels of the domain.

Uses

United Kingdom

In the United Kingdom, the second-level domain names are standard and branch off from the top-level domain. For example:

.ac.uk: academic (tertiary education, further education colleges and research establishments) and learned societies
.co.uk: general use (usually commercial)
.gov.uk: government (central and local)
.judiciary.uk: courts (to be introduced in the near future)^[11]
.ltd.uk: limited companies
.me.uk: general use (usually personal)
.mod.uk: Ministry of Defence and HM Forces public sites
.net.uk: ISPs and network companies (unlike .net, use is restricted to these users)
.nhs.uk: National Health Service institutions
.nic.uk: network use only (Nominet UK)
.org.uk: general use (usually for non-profit organisations)
.parliament.uk: parliamentary use (only for the UK Parliament and the Scottish Parliament)
.plc.uk: public limited companies
.police.uk: police forces
.sch.uk: Local Education Authorities, schools, primary and secondary education, community education

Vanity domain

A vanity domain is a subdomain of an ISP's domain that is aliased to an individual user account, or a subdomain that expresses the individuality of the person on whose behalf it is registered. ^[12]

Server cluster

Depending on application, a record inside a domain, or subdomain might refer to a hostname, or a service provided by a number of machines in a cluster. Some websites use different subdomains to point to different server clusters. For example, www.example.com points to Server Cluster 1 or Datacentre 1, and www2.example.com points to Server Cluster 2 or Datacentre 2 etc.

Subdomains versus directories

Subdomains are different from directories. Directories are physical folders on an actual computer, while subdomains are a part of the URL that can be routed to any file or folder on the server machine.

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

A name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.

In the Internet, a domain name is a string that identifies a realm of administrative autonomy, authority or control. Domain names are often used to identify services provided through the Internet, such as websites, email services and more. Domain names are used in various networking contexts and for application-specific naming and addressing purposes. In general, a domain name identifies a network domain or an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, or a server computer.

Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes the public key and information about it, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

A wildcard DNS record is a record in a DNS zone that will match requests for non-existent domain names. A wildcard DNS record is specified by using a * as the leftmost label (part) of a domain name, e.g. *.example.com. The exact rules for when a wildcard will match are specified in RFC 1034, but the rules are neither intuitive nor clearly specified. This has resulted in incompatible implementations and unexpected results when they are used.

The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

A Service record is a specification of data in the Domain Name System defining the location, i.e., the hostname and port number, of servers for specified services. It is defined in RFC 2782, and its type code is 33. Some Internet protocols such as the Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP) often require SRV support by network elements.

In computer networking, a hostname is a label that is assigned to a device connected to a computer network and that is used to identify the device in various forms of electronic communication, such as the World Wide Web. Hostnames may be simple names consisting of a single word or phrase, or they may be structured. Each hostname usually has at least one numeric network address associated with it for routing packets for performance and other reasons.

The computer file hosts is an operating system file that maps hostnames to IP addresses. It is a plain text file. Originally a file named HOSTS.TXT was manually maintained and made available via file sharing by Stanford Research Institute for the ARPANET membership, containing the hostnames and address of hosts as contributed for inclusion by member organizations. The Domain Name System, first described in 1983 and implemented in 1984, automated the publication process and provided instantaneous and dynamic hostname resolution in the rapidly growing network. In modern operating systems, the hosts file remains an alternative name resolution mechanism, configurable often as part of facilities such as the Name Service Switch as either the primary method or as a fallback method.

A Canonical Name (CNAME) record is a type of resource record in the Domain Name System (DNS) that maps one domain name to another.

A fully qualified domain name (FQDN), sometimes also referred to as an absolute domain name, is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone. A fully qualified domain name is distinguished by its lack of ambiguity in terms of DNS zone location in the hierarchy of DNS labels: it can be interpreted only in one way.

The domain name arpa is a top-level domain (TLD) in the Domain Name System (DNS) of the Internet. It is used predominantly for the management of technical network infrastructure. Prominent among such functions are the subdomains in-addr.arpa and ip6.arpa, which provide namespaces for reverse DNS lookup of IPv4 and IPv6 addresses, respectively.

In computer networks, a reverse DNS lookup or reverse DNS resolution (rDNS) is the querying technique of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the usual "forward" DNS lookup of an IP address from a domain name. The process of reverse resolving of an IP address uses PTR records. rDNS involves searching domain name registry and registrar tables. The reverse DNS database of the Internet is rooted in the .arpa top-level domain.

A DNS zone is a specific portion of the DNS namespace in the Domain Name System (DNS), which a specific organization or administrator manages. A DNS zone is an administrative space allowing more granular control of the DNS components, such as authoritative nameserver. The DNS is broken up into different zones, distinctly managed areas in the DNS namespace. DNS zones are not necessarily physically separated from one another; however, a DNS zone can contain multiple subdomains, and multiple zones can exist on the same server.

Multicast DNS (mDNS) is a computer networking protocol that resolves hostnames to IP addresses within small networks that do not include a local name server. It is a zero-configuration service, using essentially the same programming interfaces, packet formats and operating semantics as unicast Domain Name System (DNS). It was designed to work as either a stand-alone protocol or compatible with standard DNS servers. It uses IP multicast User Datagram Protocol (UDP) packets and is implemented by the Apple Bonjour and open-source Avahi software packages, included in most Linux distributions. Although the Windows 10 implementation was limited to discovering networked printers, subsequent releases resolved hostnames as well. mDNS can work in conjunction with DNS Service Discovery (DNS-SD), a companion zero-configuration networking technique specified separately in RFC 6763.

A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS. The zone file contains mappings between domain names and IP addresses and other resources, organized in the form of text representations of resource records (RR). A zone file may be either a DNS master file, authoritatively describing a zone, or it may be used to list the contents of a DNS cache.

The domain name .local is a special-use domain name reserved by the Internet Engineering Task Force (IETF) so that it may not be installed as a top-level domain in the Domain Name System (DNS) of the Internet. As such it is similar to the other special domain names, such as .localhost. However, .local has since been designated for use in link-local networking, in applications of multicast DNS (mDNS) and zero-configuration networking (zeroconf) so that DNS service may be established without local installations of conventional DNS infrastructure on local area networks.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546

A search domain is a domain used as part of a domain search list. The search list, as well as the local domain name, is used by a resolver to create a fully qualified domain name (FQDN) from a relative name. For this purpose, the local domain name functions as a single-item search list.

References

↑ P. Mockapetris (November 1987). "Name space specifications and terminology". Domain names - concepts and facilities. IETF. sec. 3.1. doi: 10.17487/RFC1034 . RFC 1034 . Retrieved 2008-08-03.
↑ RFC 1034, Domain Names - Concepts and Facilities, P. Mockapetris (Nov 1987)
↑ RFC 1035, Domain names--Implementation and specification, P. Mockapetris (Nov 1987)
↑ "About custom domains and GitHub Pages § Using an apex domain for your GitHub Pages site". GitHub Docs. Archived from the original on 2021-08-08. Retrieved 2021-04-09.
↑ owasp-amass/amass, OWASP Amass Project, 2024-10-27, retrieved 2024-10-27
↑ projectdiscovery/subfinder, ProjectDiscovery, 2024-10-27, retrieved 2024-10-27
↑ "crt.sh | Certificate Search". crt.sh. Retrieved 2024-10-27.
↑ "The World's Fastest Growing Subdomain & Shadow IT Database". subdomain.center. Retrieved 2024-10-27.
↑ TheTechromancer. "Subdomain Enumeration Tool Face-off - 2023 Edition". blog.blacklanternsecurity.com. Retrieved 2024-10-27.
↑ Shweta; Main, Kelly. "What Is A Subdomain? Everything You Need To Know – Forbes Advisor". www.forbes.com. Reviewed by Rob Watts. Archived from the original on 2023-03-31. Retrieved 2023-03-31.
↑ "UK court systems set to adopt judiciary.uk domain names". BBC News. 23 November 2011. Archived from the original on 4 July 2018. Retrieved 26 February 2014.
↑ John, Alex. "Subdomain". Archived from the original on 20 August 2024. Retrieved 29 November 2021.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[RFC_1034_section_3.1-1] P. Mockapetris (November 1987). "Name space specifications and terminology". Domain names - concepts and facilities. IETF. sec. 3.1. doi: 10.17487/RFC1034 . RFC 1034 . Retrieved 2008-08-03.

[rfc1034-2] RFC 1034, Domain Names - Concepts and Facilities, P. Mockapetris (Nov 1987)

[rfc1035-3] RFC 1035, Domain names--Implementation and specification, P. Mockapetris (Nov 1987)

[4] "About custom domains and GitHub Pages § Using an apex domain for your GitHub Pages site". GitHub Docs. Archived from the original on 2021-08-08. Retrieved 2021-04-09.

[5] owasp-amass/amass, OWASP Amass Project, 2024-10-27, retrieved 2024-10-27

[6] projectdiscovery/subfinder, ProjectDiscovery, 2024-10-27, retrieved 2024-10-27

[7] "crt.sh | Certificate Search". crt.sh. Retrieved 2024-10-27.

[8] "The World's Fastest Growing Subdomain & Shadow IT Database". subdomain.center. Retrieved 2024-10-27.

[9] TheTechromancer. "Subdomain Enumeration Tool Face-off - 2023 Edition". blog.blacklanternsecurity.com. Retrieved 2024-10-27.

[10] Shweta; Main, Kelly. "What Is A Subdomain? Everything You Need To Know – Forbes Advisor". www.forbes.com. Reviewed by Rob Watts. Archived from the original on 2023-03-31. Retrieved 2023-03-31.

[11] "UK court systems set to adopt judiciary.uk domain names". BBC News. 23 November 2011. Archived from the original on 4 July 2018. Retrieved 26 February 2014.

[12] John, Alex. "Subdomain". Archived from the original on 20 August 2024. Retrieved 29 November 2021.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]