Ask HN: List of Subdomains to Reserve
One of the features I am working on for my app (https://bigpicture.site) is the ability for each customer to have a custom subdomain in their url (similar to slack where each workspace is in the form of {name}.slack.com.)
I understand the technical details of setting up the wildcard subdomains and handling it, but I am curious if there is a canonical list somewhere of subdomains I shouldn't let a customer register.
For instance, I wouldn't want a customer to use www as their workspace name. www.bigpicture.site should be reserved.
What other subdomain names should be reserved? Just from brain storming, here is the list I came up with. But I'd love to know if there is a better list somewhere:
www mail ftp web smtp imap pop pop3 blog support about social billing admin knowledge help community
Additionally, I am going to reserve anything that starts with the letters "bp" so I can use those internally. You may be safer by keeping customer stuff on a subdomain of your primary domain, or even having a user content domain. Otherwise you will be chasing this for a long time: Official.example.net, postmaster.example.net, search.example.net, mail.example.net, payments.example.net Vs Official.users.example.net, mail.users.example.net, etc. You may want to consider connecting with the PSL: > or even having a user content domain. This is the way to go, spend another ~$10/yr and keep customer subdomains on another domain. Another option instead of doing "dave123.users.example.net" is to suffix or prefix the subdomain with something, like "zone-dave123.example.net". Yeah, using a different domain isn't a bad idea. I had considered it, but I know slack doesn't do it. (I also know I'm not Slack). There was a service I used some years (decades?) ago that let users choose from three or four domains that they owned. I could always do that in the future, too. > But I'd love to know if there is a better list somewhere There's a few lists but I suggest going through them and removing some entries. Here's one list (tons of entries that don't make much sense):
https://github.com/jedireza/reserved-subdomains/blob/master/... This is another list which is a bit better quality: https://minhajuddin.com/2016/03/09/subdomains-to-restrict-fr... Another list (there's some I don't agree with): https://github.com/nkkollaw/reserved-subdomains/blob/master/... Thanks! I also found this list: https://github.com/rbsec/dnscan/tree/master Has entries for the most popular 100, 500, 1000, and 10,000 subdomains. Some ideas
Don't let them select a name. - Create a random url ghrff.domain.com Don't do this on your primary domain buy a new one If you still want to go ahead and you've created an 'a' record for www or mail previously your a record will superseed the wildcat entry which will create a bug where the user cannot access their subdomain. You need to filter any a records you've created to avoid this. It's important to think about reputational risk when coming up with the list. You probably don't want swear words in front of your domain. Good point. I am already checking against the naughty-words list from here: https://github.com/LDNOOBW/List-of-Dirty-Naughty-Obscene-and... I would also suggest at least initially anything which is not pure ASCII alphanumerics, eg starting with _ since those may be special for say DMARC. What are the DNS implications?