Why no final dot for domain names?

Every reference I've ever read about DNS makes it perfectly clear that when performing a DNS lookup the trailing dot is implied and therefore redundant. There is absolutely no advantage in adding it.


This is straight from Wikipedia:

In the Domain Name System, and most notably, in DNS zone files, a fully qualified domain name is specified with a trailing dot

It is never used outside of DNS zones, that's probably why you never see it. But in DNS zones, it has HUGE significance. That little dot can break a lot of very important things.


Because people are lazy, and will type the shortest thing they can when given an option. See also no-www.org.

If you don't trust your network you could completely get rid of any DNS suffixes on your computer and point at some other DNS servers. Or even better create a VPN to some network you do trust.

Typically only your administrator has the ability to add records to the DNS server. If your sysadmin wants to hijack your web requests there are many other more effective ways for him to do that. If a blackhat can get control of the DNS servers you are pointing at, they could possibly serve any address for any domain they want, even the valid fully qualified domain. Serving names depending on the client appending a suffix wouldn't be a very useful attack.


The relative name "www.bankofamerica.com.example.com." is only exploitable by those who told your computer that its domain is "example.com". This comes from either DHCP or by the person who set up the computer.

In order to exploit that, your DHCP provider (your company or your ISP) would have to create these clearly fishy names in their DNS.

In reality, they don't have to bother to do this to attack you (if they wanted to). They're your ISP. They already control your DNS and in fact they control your traffic as well.

They could just as easily and more reliably capture and redirect your traffic by capturing and redirecting your traffic or hijacking all your DNS requests, not just the ones that look up wacky relative names (such as www.google.com.comcast.net.). Some ISPs already "attack" their customers in this way by redirecting "no such domain" errors from upstream DNS providers with their own advertisement pages.

So, you have to trust them anyhow, so you may as well trust them (and verify your SSL certificates!).

Lastly, the terminal dot on a hostname will break lots of web servers. For instance, the stack trilogy servers freak out if you go to "http://stackoverflow.com."


When the trailing dot is omitted and you do not have a search path, it does not matter. But when you have a search path it does, for the resolver will first try to append the domain names in the search path and resolve them, and if unresolved will try the name alone. When .cs was a working ccTLD it was used as an example to demonstrate this: when you pinged host.cs, was it host.cs. that was replying, or host.cs.dom.ain?

The trailing dot does matter, but the situations in which one will observe this are very few.

You may want to read A "tinyurl" service for your domain to see a clever use of the search path and the trailing dot.
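
The search-path behaviour discussed in the answer above, as an added example that is not part of the original thread: it models the candidate ordering documented in resolv.conf(5) for `search` and `ndots`, including the case where a dotted name is tried as-is before the search list. The function names and the `dom.ain` / `example.com` search lists are illustrative assumptions.

```python
# Added illustration: candidate-name ordering modelled on the "search" and
# "ndots" semantics described in resolv.conf(5). Search lists are constructed.

def candidates(name, search, ndots=1):
    """Return the FQDNs a stub resolver may query, in order.

    The real resolver stops at the first candidate that resolves; this
    function lists every name that could be sent on the wire.
    """
    if name.endswith("."):
        # Trailing dot: the name is already absolute, the search list is skipped.
        return [name]
    absolute = name + "."
    suffixed = [f"{name}.{domain.rstrip('.')}." for domain in search]
    if name.count(".") >= ndots:
        # Enough dots: try the name as-is first, then fall back to the search list.
        return [absolute] + suffixed
    # Too few dots: walk the search list first, try the bare name last.
    return suffixed + [absolute]


def leaks_to_search_domain(name, search, ndots=1):
    """True if a query other than the intended absolute name may be sent."""
    return candidates(name, search, ndots) != [name.rstrip(".") + "."]


if __name__ == "__main__":
    search = ["dom.ain"]  # constructed, matches the host.cs example above
    for name, ndots in [("host.cs", 1), ("host.cs", 2), ("host.cs.", 2), ("host", 1)]:
        print(f"{name!r:12} ndots={ndots}: {candidates(name, search, ndots)}")
    # Auditing a hostname against a constructed search list:
    print(leaks_to_search_domain("www.bankofamerica.com", ["example.com"]))
    print(leaks_to_search_domain("www.bankofamerica.com.", ["example.com"]))
```

Only the form with the trailing dot produces a single candidate regardless of the configured search list or `ndots` value.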