DNS and subdomains

Hi Folks,

Feel free to tell me this isn’t the proper place for my question but given that networking and DNS are hand in hand I thought it might be reasonable to ask here.

In working with several OSINT sources for domain processing it seems like the way domains and subdomains are processed essentially equates subdomains with FQDNs.

For example, several APIs (and even ChatGPT) classify the following:

access.api.bbc.com
account-api.api.bbc.com
account-api.int.api.bbc.com
account-api.stage.api.bbc.com
account-api.test.api.bbc.com
account-cdn.test.api.bbc.com

with subdomains as either:

all subdomains as api.bbc.com

or as subdomains of access.api, account-api.api, account-api.int.api, etc.

instead of classifying as:

api.bbc.com
int.api.bbc.com
stage.api.bbc.com
test.api.bbc.com

Has this become common practice? Is there a definitive way to determine subdomains? I seem to recall that “older” DNS server software wouldn’t allow this but it could be that my memory is faulty.

Thanks!

Cheers,
Harry

Most security tools, browsers included, use the boundaries from
https://publicsuffix.org/ . While DNS could indicate what is a zone
cut and what is not, it's not the only feature that indicates a
transition between administrations.

Rubens

Every domain is a subdomain of something else other than the root.

access.api.bbc.com is a subdomain of api.bbc.com and a subdomain of
bbc.com and a subdomain of com and a subdomain of . (the root).

All subdomains are domains. All domains can have subdomains except
those that are maximal size and maximal size - 1. The minimum label
size is 2 (length + value) except for the root which takes 1 octet
(length == 0).

Subdomain is just a relationship to a parent domain. A domain may or
may not correspond to a zone cut. All domains have a parent domain
except the root.

Mark

In working with several OSINT sources for domain processing it seems like the way domains and subdomains are processed essentially equates subdomains with FQDNs.

Hi Harry,

I don't understand what you mean. Do you mean how do local resolvers
expand local names (e.g. "server") in FQDNs
("server.examplecompany.com")?

Has this become common practice? Is there a definitive way to determine subdomains? I seem to recall that "older" dns server software wouldn't allow this but it could be that my memory is faulty.

Subdomain is kinda a fuzzy question. Everywhere there's a dot there's
a "subdomain," but the only technical meanings those dots have is
that:

1. There *might* be a DNS delegation there.
2. The resolver's primitive internal compression algorithm can break
the name in parts there when composing the query or response packet.

There's another similar question you might be trying to ask: how do
you determine whether a DNS name has been delegated from one zone file
at one server to another zone file at another server? That has a more
precise answer with technical meaning: If NS and SOA records exist
at the "dot" boundary then there's a delegation. If not, then there
isn't.

For example, I have a host named "cat.p.dirtside.com." "dirtside.com"
is a delegation of "com" because there's an NS record for
"dirtside.com." However, "p.dirtside.com" is NOT a delegation of
"dirtside.com" because there's no NS record. "cat.p" is simply a name
within the "dirtside.com" zone file.

Regards,
Bill Herrin

a message of 195 lines which said:

Has this become common practice? Is there a definitive way to determine
subdomains? I seem to recall that "older" dns server software wouldn't
allow this but it could be that my memory is faulty.

You already got three excellent replies but I may add that there *was*
an attempt at IETF to design a way to find administrative boundaries
in the DNS but it basically failed:

https://datatracker.ietf.org/wg/dbound/

My favorite example, when I lecture on DNS, is gouv.fr (no zone cut
between gouv.fr and fr but it is administratively distinct).

Thanks everyone for the wonderful answers! The thoughts in my head were not aligned with reality :wink:

I had a thought similar to what Bill describes, that everywhere there’s a dot (.) there’s a subdomain. I also had the thought/assumption that the data to the left of the leftmost dot (.) was essentially the hostname. It’s been a while since I’ve regularly been into DNS but I thought I remembered it that way. But then seeing some of the OSINT data, that seemed to throw that idea out the window as they appear to use the publicsuffix.org site to divine suffix and domain and then consider everything to the left of that as a subdomain. I’ve now updated my understanding.

Cheers,
Harry

a message of 168 lines which said:

I had a thought similar to what Bill describes, that everywhere there's a
dot (.) there's a subdomain.

This is true. But a sub-domain is not always delegated (not every
domain is a zone).

to use the publicsuffix.org site to divine suffix and domain and
then consider everything to the left of that as a subdomain. I've
now updated my understanding.

Sorry, but not yet. Every domain name is a subdomain, except the root
(which has no parent). And not every domain name is a host name
(saying that the DNS is "to translate names into IP addresses" is a
gross simplification).

Yes. I believe the confusion is that some documentation,
APIs, or software incorrectly obfuscate the concept of a domain
and take that the domain is only the part registered with a domain registrar.

E.g. "EXAMPLE.COM" would be a domain, and in "B.C.EXAMPLE.COM"
the C.EXAMPLE.COM would be disregarded and considered part of Example.com
leading to the strange claims that you have a "B.C" subdomain of example.com
or that B.c.example.com is a subdomain of example.com
But that would be completely non-standard.

Every subdomain is in fact a domain name. And every domain under the root
is a subdomain of the label directly above it and ONLY the one
specific DNS label directly above that particular subdomain.

And the management or registration structure of the DNS; the zone
boundaries users refer to, have nothing to do with which names are
actually a domain or subdomain.

A subdomain is exclusively the direct descendent of another domain
which is observed solely by the addition of one dot and label on the
lefthand side.

Take for example: A.B.EXAMPLE.COM. Assume that FQDN exists.

Given that exists you are guaranteed that A.B.EXAMPLE.COM. is a domain,
B.EXAMPLE.COM. is a domain, EXAMPLE.COM. is a domain, COM.
is a domain, and . is a domain.

A.B.EXAMPLE.COM. is a subdomain, but it should never be referred to
as a subdomain of EXAMPLE.COM. It is only a subdomain of B.EXAMPLE.COM.

This is exactly the logic that I was operating under: A.B.EXAMPLE.COM. is a subdomain, but it should never be referred to
as a subdomain of EXAMPLE.COM. It is only a subdomain of B.EXAMPLE.COM.

Heya, Shumon! Great to hear from you and thanks for adjusting my understanding. It’s also a good reminder to go read the RFCs so that I can eliminate assumptions :slight_smile:

Cheers,
Harry

Hey Harry, long time no see :slight_smile:

No, actually your statement is not correct. All of those are subdomains of example.com.

To quote the DNS Terminology RFC ( https://datatracker.ietf.org/doc/html/rfc9499 ):

Subdomain: “A domain is a subdomain of another domain if it is
contained within that domain. This relationship can be tested by
seeing if the subdomain’s name ends with the containing domain’s
name.” (Quoted from [RFC1034], Section 3.1) For example, in the
host name “nnn.mmm.example.com”, both “mmm.example.com” and
“nnn.mmm.example.com” are subdomains of “example.com”. Note that
the comparisons here are done on whole labels; that is,
“ooo.example.com” is not a subdomain of “oo.example.com”.

Shumon.
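An added example (not code from any poster in this thread) that puts three of the definitions above into running Python: the whole-label subdomain test from the RFC 9499 text Shumon quotes, Mark's point that every ancestor of a name is itself a domain, and Bill's NS-record-at-the-dot delegation check. The NS table is constructed to mirror Bill's cat.p.dirtside.com description rather than fetched from DNS, and the server names in it are placeholders.

```python
# Added example, not code from any poster in this thread. Three checks the
# replies describe: the RFC 9499 / RFC 1034 "subdomain of" test (compared on
# whole labels), the list of every ancestor of a name (each is a domain), and
# the delegation test (does this dot boundary own NS records?). The NS table
# is constructed to match Bill's cat.p.dirtside.com description; a real tool
# would query DNS for it.

def labels(name: str) -> list[str]:
    """Labels of a name, leaf first, lowercased; the trailing dot (root) is dropped."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]

def is_subdomain(name: str, parent: str) -> bool:
    """RFC 9499: name is a subdomain of parent if its labels end with parent's labels."""
    n, p = labels(name), labels(parent)
    # A name is not its own subdomain; the root (no labels) contains every other name.
    return len(n) > len(p) and n[len(n) - len(p):] == p

def ancestors(name: str) -> list[str]:
    """Every domain that contains name, nearest parent first, ending at the root '.'."""
    n = labels(name)
    return [".".join(n[i:]) + "." for i in range(1, len(n) + 1)]

# Constructed delegation data: names that own NS records, i.e. zone apexes.
# There is deliberately no entry for p.dirtside.com.: per Bill's message it has
# no NS record, so cat.p.dirtside.com. is just a name inside the dirtside.com zone.
NS_RECORDS = {
    ".": ["root-ns.placeholder."],
    "com.": ["tld-ns.placeholder."],
    "dirtside.com.": ["ns1.dirtside.com."],  # constructed server name
}

def is_delegated(name: str, ns_records=NS_RECORDS) -> bool:
    """A delegation exists at this boundary only when the name itself owns NS records."""
    return ".".join(labels(name)) + "." in ns_records

def enclosing_zone(name: str, ns_records=NS_RECORDS) -> str:
    """Walk up from name toward the root; the first name with NS records is the zone holding it."""
    n = labels(name)
    for i in range(len(n) + 1):
        candidate = ".".join(n[i:]) + "."  # i == len(n) yields the root "."
        if candidate in ns_records:
            return candidate
    return "."  # only reached if the root is missing from the table

if __name__ == "__main__":
    for host in ("nnn.mmm.example.com", "ooo.example.com"):
        print(host, "subdomain of example.com?", is_subdomain(host, "example.com"))
    print("ancestors of access.api.bbc.com:", ancestors("access.api.bbc.com"))
    print("zone holding cat.p.dirtside.com:", enclosing_zone("cat.p.dirtside.com"))
```

Note that `ancestors` answers the RFC question (what contains this name) while `enclosing_zone` answers Bill's (who serves it); the thread's disagreement is largely about which of the two "subdomain" should mean.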

Hi Jay,

Not necessarily.

Remember my example cat.p.dirtside.com? P.dirtside.com is a subdomain
of dirtside.com. It's an administrative grouping of domain names that
have a particular characteristic. However, p.dirtside.com is NOT a
domain name. It has no DNS records of its own. Only subsidiaries like
cat.p.dirtside.com exist and have DNS records.

"Subdomain" has some funky contradictions to it, some of which can
only be resolved with administrative knowledge about the DNS zone
they're a part of. That's what makes them a less than useful concept
for an outside observer trying to categorize a set of fully qualified
domain names (FQDNs).

Regards,
Bill Herrin

Bill,

Hi Dave,

I agree that "p.dirtside.com" is a subdomain. Recheck what I said.
It's not a domain name, no more so than "sdkflkdfgfsgdfg". That's the
contradiction.

It gets worse. Is "cat.p.dirtside.com" a subdomain? It's definitely a
domain name. You can know it's a subdomain if you find another domain
name like abc.cat.p.dirtside.com. But if you don't find another name,
how can you as an external observer know that cat.p.dirtside.com is
NOT a subdomain?

Regards,
Bill Herrin

I’m lost / unclear how you got there…

RFC1034 says:

"3. DOMAIN NAME SPACE and RESOURCE RECORDS

3.1. Name space specifications and terminology

The domain name space is a tree structure. Each node and leaf on the
tree corresponds to a resource set (which may be empty). The domain
system makes no distinctions between the uses of the interior nodes and
leaves, and this memo uses the term “node” to refer to both.

[SNIP]

The domain name of a node is the list of the labels on the path from the
node to the root of the tree. "

and RFC8499 says:

"Domain name: An ordered list of one or more labels.

Note that this is a definition independent of the DNS RFCs
([RFC1034] and [RFC1035]), and the definition here also applies to
systems other than the DNS. [RFC1034] defines the "domain name
space" using mathematical trees and their nodes in graph theory,
and that definition has the same practical result as the
definition here. Any path of a directed acyclic graph can be
represented by a domain name consisting of the labels of its
nodes, ordered by decreasing distance from the root(s) (which is
the normal convention within the DNS, including this document). [SNIP]"

Nothing in this says that a “domain name” has to have records of its own, and in fact it seems quite clear that this is not the case ("The domain name of a node is the list of the labels on the path from the node to the root of the tree. " and “Any path of a directed acyclic graph can be represented by a domain name consisting of the labels of its nodes.”)

W

Given “cat.p.dirtside.com”, to argue that “p.dirtside.com” is not a domain of which “cat.p.dirtside.com” is a sub-domain, is to claim, that “cat.p” is a single token. This is no more true than claiming a series of words with spaces can be a single word. It doesn’t matter if I think, want or intend “tooth brush” to be a single word, “tooth brush” is two words with a separator between them. Whereas “toothbrush” is a single word.

Regards,

Brian Dantzig