The domain http://to./ appears to violate conventional DNS rules, yet it works because of several technical nuances:
// Example of how browsers might handle such requests
function resolveSingleLabelDomain(hostname) {
if (hostname.endsWith('.')) {
return hostname.slice(0, -1) + '.com';
}
return hostname.includes('.') ? hostname : hostname + '.com';
}
When you request http://to./:
- The trailing dot indicates a fully qualified domain name (FQDN)
- Browsers and DNS resolvers treat this as a single-label domain in the root zone
- Some registrars have special provisions for such domains in their DNS infrastructure
The difference in behavior between to./ and com./ stems from:
nslookup to.
;; ANSWER SECTION:
to. 3600 IN A 104.18.11.231
nslookup com.
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
URL shorteners specifically configure their DNS records at the root level, while TLDs like .com don't have A records at their root.
Modern browsers maintain strict origin policies even with these special domains:
// Chrome's security check pseudocode
function isSameOrigin(currentURL, requestedURL) {
return new URL(currentURL).origin === new URL(requestedURL).origin;
}
Phishing protection remains intact because:
- Certificate validation still occurs for the full domain
- Same-origin policy treats
to.as a distinct origin - No silent redirects occur without proper HTTP headers
When handling URLs programmatically:
// Safe URL parsing in Node.js
const { URL } = require('url');
try {
const url = new URL('http://to./path');
console.log(url.hostname); // 'to.'
console.log(url.href); // 'http://to./path'
} catch (err) {
console.error('Invalid URL');
}
Key takeaways for web applications:
- Always use proper URL parsing libraries
- Don't make assumptions about TLD validation
- Implement server-side validation for all incoming URLs
When you encounter a URL like http://to./, it immediately breaks several assumptions about how domains should work. Normally, we expect domains to follow the subdomain.domain.tld pattern, but this appears to be a single-label top-level domain (sTLD).
// Example of normal DNS resolution vs. sTLD behavior
normalResolution("example.com") // => returns A/AAAA records
singleLabelResolution("to.") // => treated differently by browsersModern browsers implement special handling for single-label domains:
- Chrome/Firefox automatically append
www.prefix - They may also append common TLDs like
.comas fallback - The resolution follows a predefined search list similar to Unix DNS resolution
// Browser's internal pseudo-code for handling single-label domains
function resolveSingleLabel(host) {
if (host.endsWith('.')) {
return tryDNS(host) ||
tryDNS(www.${host}) ||
tryDNS(${host}.com);
}
return standardResolution(host);
}The key difference lies in the trailing dot (indicating a FQDN) and browser heuristics:
http://to./→ browser assumes URL shortening intenthttp://com./→ treated as literal FQDN resolution
// Testing different variations in JavaScript
const testUrls = [
'http://to./',
'http://com./',
'http://to',
'http://com'
];
testUrls.forEach(url => {
console.log(Testing ${url}:, new URL(url).hostname);
});While browsers maintain same-origin policy strictly, the initial resolution has these characteristics:
| Case | Behavior | Security Impact |
|---|---|---|
| http://to./ | Redirects to www.to | Low risk (known shortener) |
| http://com./ | Fails resolution | No risk |
| http://evil./ | Could redirect anywhere | Potential phishing |
This behavior stems from multiple standards:
- RFC 1034 - Domain name structure
- RFC 6761 - Special-Use Domain Names
- Browser-specific implementation quirks