What is the real maximum length of a DNS name?

The maximum length of a DNS name is 255 octets. This is spelled out in RFC 1035 section 2.3.4. A customer didn't understand why the DnsValidateName function was rejecting the following string:

(63 letters).(63 letters).(63 letters).(62 letters)

The documentation says

Returns ERROR_INVALID_NAME if the DNS name

  • Is longer than 255 octets.
  • Contains a label longer than 63 octets.
  • ... other criteria not relevant here...

The length of the domain name passed in is 63+1+63+1+63+1+62=254 characters, just under the length limit of 255. Why is it rejecting this name that is under the limit?

Because the limit isn't the number of characters; it's the number of octets.

Section 3.3 says that a domain-name is represented as a series of labels, and is terminated by a label of length zero. (The label of length zero represents the root label.) A label consists of a length octet followed by that number of octets representing the name itself. Therefore, the domain name www.microsoft.com is encoded as follows:

3 'w' 'w' 'w' 9 'm' 'i' 'c' 'r' 'o' 's' 'o' 'f' 't' 3 'c' 'o' 'm' 0

Technically, www.microsoft.com is shorthand for www.microsoft.com. with a trailing period, and the trailing zero byte encodes that implied period.

If you sit down and do the math, you'll see that the readable maximum length of an ASCII DNS name is 253 characters: You don't encode the dots, but you do encode the length bytes, so they cancel out, except for the length byte of the first label and the length byte of the root label, for an additional cost of two bytes. (If you explicitly wrote the trailing period for the root label, don't count it towards the 253-character limit.)

If you use UTF-8 encoding, then the maximum length is harder to describe since UTF-8 is a variable-length encoding.
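To make the arithmetic concrete, here is an added example (not code from the post, and not the DnsValidateName implementation) that encodes an ASCII name into the RFC 1035 wire form and applies the two documented limits; the 254-character customer name and the 253-character name that just fits are constructed inline.

```python
# Added example, not code from the post or from DnsValidateName itself.
# Assumes plain ASCII names; a single trailing "." is the explicit root label.

MAX_LABEL_OCTETS = 63   # RFC 1035 2.3.4: each label is at most 63 octets
MAX_NAME_OCTETS = 255   # RFC 1035 2.3.4: the whole encoded name is at most 255 octets


def _labels(name: str) -> list:
    """Split a presentation-form name into labels, dropping one explicit root dot."""
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []   # "." and "" are just the root


def encode_name(name: str) -> bytes:
    """RFC 1035 wire form: each label as a length octet plus its octets, then a zero root."""
    out = bytearray()
    for label in _labels(name):
        raw = label.encode("ascii")
        out.append(len(raw))      # the length octet takes the place of the dot
        out += raw
    out.append(0)                 # the zero-length root label (the implied trailing ".")
    return bytes(out)


def check_name(name: str) -> str:
    """Return "ok" or the reason the documented DnsValidateName rules would reject it."""
    for label in _labels(name):
        if not label:
            return "empty label"
        if len(label.encode("ascii")) > MAX_LABEL_OCTETS:
            return f"label longer than {MAX_LABEL_OCTETS} octets"
    encoded = len(encode_name(name))
    if encoded > MAX_NAME_OCTETS:
        return f"name is {encoded} octets on the wire, limit is {MAX_NAME_OCTETS}"
    return "ok"


# The customer's name from the post: 63.63.63.62 = 254 characters (constructed here).
CUSTOMER_NAME = ".".join(["a" * 63, "b" * 63, "c" * 63, "d" * 62])
# One character shorter in the last label: 253 characters, the longest that fits.
LONGEST_OK = ".".join(["a" * 63, "b" * 63, "c" * 63, "d" * 61])

if __name__ == "__main__":
    print(encode_name("www.microsoft.com"))
    for n in (CUSTOMER_NAME, LONGEST_OK):
        print(len(n), "chars ->", len(encode_name(n)), "octets:", check_name(n))
```

The 254-character name encodes to 256 octets (four length bytes plus the root), which is why it is rejected even though it is shorter than 255 characters.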

Comments (18)
  1. Henning Makholm says:

    If you use UTF-8 encoding in domain names, then you're doing something wrong, because domain names are supposed to use Punycode instead. Which is also variable-length, but much harder to predict than UTF-8.

  2. If http://www.microsoft.com is shorthand for http://www.microsoft.com. then why can I not navigate to the latter domain?

  3. Damien says:

    @Shawn – because whatever tool you're using has its own concept of what a valid domain name is, rather than just relying on a reply from DNS as being the yardstick to judge a domain name by?

  4. Chris says:

    @Damien Nope – http://www.microsoft.com. fails for me too, but other domains I've tried are fine.  Presumably http://www.microsoft.com's web server doesn't accept the trailing . in the HTTP Host: header.

  5. Dan Bugglin says:

    @Shawn @Chris @Damien Works in Chrome, but the MS server does not recognize the domain and returns an HTTP 400 Bad Request and claims an invalid hostname.

    http://www.google.com./ works though

  6. BOFH says:

    No, it's due to some configuration on the IIS (response code 400), but I don't know what. It's probably not related to having a host header enabled, since browsing directly to the IP-address still works.

    Usually I try to circumvent all these problems by having a catch-all site on the IP-address and having a permanent redirect from there to the actual website, which has the correct FQDN configured as host header.

    But that doesn't work so well if you need to host several sites on the same IP-address.

  7. Paul says:

    @Shawn "http://www.microsoft.com." is getting a response, which just happens to be 400 Bad Request. The DNS and HTTP protocols are working just fine, but the web server just doesn't "like" it. Probably what @Damien said, it doesn't like the Host header whereas other web sites don't mind.

  8. Adam Rosenfield says:

    It seems that Microsoft-HTTPAPI/2.0 responds with a "400 Bad Request" when the "Host:" HTTP header ends with a dot.  I just played around with it (e.g. "curl -I http://www.microsoft.com. -H 'Host: foobarbaz'"), and it gives a "302 Found" for almost anything, as long as it doesn't end in a dot.  So file a bug with whoever owns that product.

    [I wouldn't be surprised if it was intentional. Having an obscure alternative way of accessing something has been the source of security vulnerabilities in the past. -Raymond]
  9. Joshua says:

    It said in the Unix manual that a lot of tools don't like the trailing dot at the application level. Apparently the same is true for Windows tools

  10. Skyborne says:

    One content filtering proxy could have its banned host list bypassed by appending the final dot.  Soon after I noticed, they fixed the bug by having the proxy return HTTP 400 in that case.

    Using a trailing dot is sufficiently uncommon that my browser doesn't recognize it as a valid name and searches on it instead.  I have to go to http://example./ to get it to treat it as a host.

  11. Alexander says:

    Accessing http://www.microsoft.com. gives

    HTTP Error 400. The request hostname is invalid.

  12. cheong00 says:

    Regarding host names ending with ".", when using Fiddler, I have to use "localhost." to let Fiddler intercept local web requests. If Fiddler doesn't start, it relays the request to the corporate HTTP proxy, which returns "Invalid Request" from squid.

    On the other hand, trying that at home on a PC without a web server installed also returns "Bad Request", which seems also related to whatever web proxy my ISP is using.

  13. Larry Hosken says:

    254 characters? At 254 characters, that name might be less convenient than memorizing a numeric IP address. Good thing it's not allowed.

  14. Sven Groot says:

    Nslookup has no problems with the trailing dot notation, which is a better indication than what IIS thinks of it. :)

  15. cheong00 says:

    In fact when configuring domains in BIND, adding trailing "." is the way to tell the server it's a FQDN instead of something under the current domain. So it's common convention on DNS management.

  16. hacksoncode says:

    Hmmm… So if a label comprises the length byte octet plus the octets of the name string, and if a label can be at most 63 octets, doesn't that mean that the maximum name is 62 characters long (plus the length byte)? Oh, wait, a "label" does not include the length octet according to 2.3.1. I'll just go sit in the nitpicker's corner now.

  17. steve says:

    I Regularly.WorkSomeWhereWith.AReallyLongDomainNames.com.

    I wish the limit was much, much shorter.

  18. Michael G says:

    One instance where the trailing dot to indicate FQDN is useful: There is a web server hosted at Anguilla's TLD, so it's just "ai.".  

    Which I guess would be more appropriate to a discussion of the exact opposite question, "What is the *minimum* length of a DNS name?"
