You may be familiar with some of the shortest internet domains used by major companies, such as m.me and fb.me from Facebook (Meta) and Twitter’s t.co URL shortener.
But, it’s possible for live domain names to be even shorter than these choices—and contain no dots.
Dotless domains, you say?
London-based software engineer James Williams has steered everyone’s attention towards domains that are even shorter than the widely known g.co or m.me.
Although the vast majority of internet domains contain TLDs separated by one or more dots, turns out it’s not a must for a domain.
In theory, for example, it would be possible for internet regulatory authorities to enable top-level domains (TLDs) like com to be a valid domain by itself and have valid DNS records resolving to a server. Had that been the case, navigating to http://com/ would present the user with a web page.
“There’s nothing stopping TLD registry operators [from] serving A records at the apexes of their TLD zones,” explains Williams in a succinct blog post from last month.
“For example, if Verisign (the operator of the com TLD registry) wished, they could add an A record at the apex of the com TLD zone – com would then resolve to that IP, and your browser would connect to that IP when you visited https://com.”
“Does any registry operator actually do this though? Surprisingly, the answer is yes.”
Williams gathered a list of TLDs that have valid DNS A records. Although not all TLDs may show a web page when entered in a web browser, some of them do.
In tests by BleepingComputer, visiting http://ai/ in Google Chrome on macOS presented a valid webpage, that can otherwise also be reached at: http://offshore.ai/
As for Vince Cate, the cryptographer and software developer who owns and operates the offshore.ai domain, there’s a little history lesson on his website.
Of course, the ai TLD in fact has valid DNS A records making the magic possible:
Likewise, the http://pn/ TLD shows the server’s default webpage reading “It works!”
It must be noted, that our tests did not succeed with all ISPs, DNS providers and devices, and varied by the choice of web browser even when on the same device with DNS settings unchanged.
For example, visiting ai/ during our tests on a macOS, using the ISP’s default DNS provider successfully showed the webpage in Chrome and Firefox, but not Safari web browser. However, the pn/ domain resolved seamlessly across all web browsers and devices.
On Windows, our attempts to access pn/ and ai/ using a variety of web browsers (Chrome, Firefox, and Brave) did not always succeed, when tested with both ISP’s DNS settings as well as DNS services from Cloudflare (126.96.36.199) and Google (188.8.131.52).
On a Samsung smartphone, using Chrome for Android and the mobile network operator’s DNS settings posed no issues when visiting either domain. But, on iOS our test failed for ai/.
Why can’t all TLDs be like that?
In internal networks typically implemented by enterprises, it isn’t unusual to have dotless domains reachable from within the company. For example, heading over to http://intranet/ or http://company/ may present valid websites—viewable by only staff and users on the corporate network.
But, when it comes to the world wide web, this practice is neither widely prevalent nor encouraged.
In 2013, the internet regulatory authority ICANN adopted a resolution banning dotless domain names and stating that their usage could be harmful as such domains are usually expected to resolve in a local context (i.e. a corporate network).
“Dotless names would require the inclusion of, for example, an A, AAAA, or MX, record in the apex of a TLD zone in the DNS (i.e., the record relates to the TLD-string itself),” states ICANN’s older announcement.
“Dotless domains would not be universally reachable and recommended strongly against their use. As a result, the SSAC recommended that the use of DNS resource records such as A, AAAA, and MX in the apex of a Top-Level Domain (TLD) should be contractually prohibited where appropriate, and strongly discouraged in all cases.”
But that has still not stopped administrators of all TLDs, like ai, from breaking the norm.
A YCombinator Hacker News reader chimed in saying that typing ai/security, shorthand for http://offshore.ai/security/, in a web browser felt “very cyberpunk.”
(And I checked; ai.security is parked. Very amusing.)
And, that’s not it. It’s possible for ‘blank’ domains to exist, at least in theory.
“Bonus fact: there’s also nothing stopping ICANN [from] adding an A record to the apex of the root zone, which would theoretically make the empty hostname resolvable,” explains Williams.
“I imagine most browsers etc. would consider a URL with an empty hostname invalid – Chrome considers both http:// and http://. invalid, at least.”