The danger of the trailing dot in the domain name

Domain Name Trailing Dot


There is such a thing as a fully qualified domain name: every domain name in fact ends with a dot. You may not even be aware that your website is also reachable under the domain name with a trailing dot (for example www.likebtn.com and www.likebtn.com.), since browsers accept both forms.


Possible issues


If you do not take into account that a user can accidentally enter the domain name with a trailing dot, or follow a link from some "well-wisher" and land on your domain name with a trailing dot, the result may be unexpected consequences:

1) If the website uses HTTPS, the browser will display an untrusted-connection warning when navigating to the domain name with a trailing dot.

2) Authentication may break, as cookies are usually set for the domain name without a trailing dot. The user in this case will be quite surprised that he cannot log in. Note that a cookie set for a domain name with a trailing dot will not be sent to the domain name without the trailing dot, and vice versa.

3) JavaScript on the page may be broken.

4) There may be problems with caching of website pages (for example, https://www.cloudflare.com/ does not purge the page cache if the domain name has a trailing dot, considering it an invalid domain name).

5) If conditions in the web server configuration rely on a particular domain name ($http_host in Nginx, %{HTTP_HOST} in Apache) without the trailing dot, you may face a variety of unexpected situations: unexpected redirects, basic-authentication problems, etc.

6) If the web server is not configured to accept requests for the domain name with the trailing dot, any user who accidentally types it will see something like "Bad Request - Invalid Hostname".

7) Search engines may decide that your resource has duplicate content if someone accidentally or intentionally posts links to your web pages with a trailing dot in the domain name.


Workaround


Redirecting to the domain name without the trailing dot avoids some of the described problems:

Apache (.htaccess)
RewriteCond %{HTTP_HOST} !^domain\.zone$
RewriteRule ^(.*)$ http://domain.zone/$1 [L,R=301]


Nginx (nginx.conf)
if ($http_host != 'domain.zone') {
    return 301 http://domain.zone$request_uri;
}

IIS (web.config)
<httpRuntime relaxedUrlToFileSystemMapping="true"/>
<rule name="point" stopProcessing="true">
    <match url="^(.*)\.$" />
    <action type="Redirect" url="{R:1}" redirectType="Temporary" />
</rule>
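As an added example, not part of the original post, here is a small Python model of the two behaviours discussed above: the redirect the Apache/Nginx rules produce for a Host value with a trailing dot (port preserved), and the RFC 6265 domain-matching rule that makes a cookie for the dotted and undotted host names invisible to each other (issue 2). The function names and the host[:port] input format are assumptions.

```python
from typing import Optional


def canonical_host(http_host: str) -> str:
    """Strip the trailing dot from the host part of a Host header value.
    Assumes the form host[:port]; an IPv6 literal in brackets is not handled."""
    host, sep, port = http_host.rpartition(":")
    if not sep or not port.isdigit():
        host, port = http_host, ""
    host = host.lower().rstrip(".")  # "www.domain.zone." -> "www.domain.zone"
    return f"{host}:{port}" if port else host


def redirect_target(scheme: str, http_host: str, request_uri: str) -> Optional[str]:
    """Return the 301 Location the rewrite rules above would emit,
    or None when the Host already has no trailing dot."""
    if not http_host.split(":")[0].endswith("."):
        return None
    return f"{scheme}://{canonical_host(http_host)}{request_uri}"


def cookie_domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching, compared byte for byte:
    no trailing-dot normalisation is done, so 'domain.zone.' and
    'domain.zone' never match each other (simplified: IPv4 check is crude)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")  # leading dot ignored (5.2.3)
    if request_host == cookie_domain:
        return True
    looks_like_ipv4 = request_host.replace(".", "").isdigit()
    return request_host.endswith("." + cookie_domain) and not looks_like_ipv4


if __name__ == "__main__":
    # Constructed sample Host header values, not captured traffic.
    for host in ["www.domain.zone.", "domain.zone.:8443", "domain.zone"]:
        print(f"{host:22} -> {redirect_target('https', host, '/login?next=%2F')}")
    for req, cookie in [("domain.zone.", "domain.zone"), ("domain.zone", "domain.zone."),
                        ("www.domain.zone", ".domain.zone")]:
        print(f"cookie for {cookie!r:16} sent to {req!r:18}: {cookie_domain_matches(req, cookie)}")
```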


Reconnaissance


Facebook
https://www.facebook.com.
Redirects to https://www.facebook.com (after bypassing the untrusted-connection warning).

Megaupload
https://mega.co.nz./#login
Authentication works, but after navigating to https://mega.co.nz the user is no longer authenticated.

Stack Overflow
http://stackoverflow.com.
Bad Request - Invalid Hostname
HTTP Error 400. The request hostname is invalid.

GitHub
https://github.com./login
Authentication does not work.

Twitter
https://twitter.com.
404 - Page not found

Yahoo
https://login.yahoo.com.
Authentication does not work.

Wikipedia
http://en.wikipedia.org./w/index.php?title=Special:UserLogin
Authentication does not work.

MSN
http://msn.com.
Bad Request - Invalid Hostname
HTTP Error 400. The request hostname is invalid.

Microsoft
http://microsoft.com.
Bad Request - Invalid Hostname
HTTP Error 400. The request hostname is invalid.

eBay
https://signin.ebay.com./ws/eBayISAPI.dll?SellItem
Authentication works.

Tumblr
http://www.tumblr.com.
Not found.

Flickr
http://www.flickr.com.
We're sorry, Flickr doesn't allow embedding within frames.

Dropbox
https://www.dropbox.com./login 
Error (403) It seems you tried to do something we can't verify. Did you log into a different Dropbox account in a different window?

VK
http://vk.com.
Authentication does not work.
JavaScript error: "NS_ERROR_DOM_BAD_DOCUMENT_DOMAIN: Illegal document.domain value"

Alexa
https://www.alexa.com.
Redirects to https://www.alexa.com


UPD


1) In Nginx you cannot specify a virtual server using the fully qualified domain name (with the trailing dot):

server {
    server_name domain.zone. ;
    ...
}



6 comments:

  1. Replies
    1. $ curl -I http://www.google.co.in.
      HTTP/1.1 200 OK
      Date: Sat, 16 Mar 2013 17:08:50 GMT
      Expires: -1
      Cache-Control: private, max-age=0
      Content-Type: text/html; charset=ISO-8859-1
      Set-Cookie: PREF=ID=41394d01ad80ecef:FF=0:TM=1363453730:LM=1363453730:S=mg72E_bD90O4JafN; expires=Mon, 16-Mar-2015 17:08:50 GMT; path=/; domain=.google.co.in
      Set-Cookie: NID=67=HlL4mxXbPaUiXjgvMUAB8Uhmb4xJlxNb65A9DQKeNErThwfSaX_ykxPwpJDOFtoulMSP1s6CwUZXqEeTiImLo2FmKwMzcemqHyXhZzog__KrhU25L6epTwx3nWhBdrG8; expires=Sun, 15-Sep-2013 17:08:50 GMT; path=/; domain=.google.co.in; HttpOnly
      P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
      Server: gws
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Transfer-Encoding: chunked

  2. The following is preferable for nginx, as it works without having to hard-code the host name.

    if ($http_host ~ "\.$") {
        rewrite ^(.*) http://$host$1 permanent;
    }

    Replies
    1. In this case your website will be available from "www.domain.zone" and from "domain.zone"

  3. Following Liam's lead, the following may be preferable for Apache2, as it works without hard-coding the host name, and it works with custom ports:

    RewriteCond %{HTTP_HOST} ^(.*)\.(:\d+)?$
    RewriteRule ^(.*)$ http://%1%2$1 [L,R=301]

  4. Ultimate information you have provided, it is very informative for me...
    Thanks for sharing this information.