Every time you type a URL into your browser, you’re relying on a system that has been quietly running the internet’s address book for decades. Domain names look simple on the surface — just a few words separated by dots — but behind them lies a layered infrastructure of global organizations, technical protocols, legal frameworks, and business interests. This article breaks down how the whole thing works.
What Is a Domain Name?
A domain name is a human-readable label that maps to an IP address. Computers communicate using numeric addresses (like 93.184.216.34), but humans find it easier to remember names. The Domain Name System (DNS) bridges this gap by translating names like example.com into the IP addresses that routers and servers actually use.
A fully qualified domain name (FQDN) has a hierarchical structure, read right to left:
subdomain.second-level-domain.top-level-domain.
blog . example .com.
The trailing dot represents the DNS root — it’s usually invisible but always technically there.
The DNS Hierarchy
The domain system is organized as a tree:
1. The Root
At the very top sits the DNS root zone, a single authoritative file that lists all top-level domains and points to their name servers. This file is maintained and published by IANA (Internet Assigned Numbers Authority), which is part of ICANN.
2. Top-Level Domains (TLDs)
TLDs are the suffixes at the end of domain names. There are several types:
| Type | Examples | Description |
|---|---|---|
| Generic (gTLD) | .com, .org, .net, .info | Open to anyone globally |
| Sponsored (sTLD) | .gov, .edu, .mil, .aero | Restricted to specific communities |
| Country Code (ccTLD) | .uk, .de, .ua, .jp | Assigned to countries and territories |
| New gTLDs | .app, .shop, .blog, .xyz | Launched after 2012 expansion program |
| Infrastructure | .arpa | Used internally by the internet’s technical systems |
There are currently over 1,500 TLDs in existence, following ICANN’s 2012 new gTLD program that allowed organizations to apply for custom extensions (like .google, .amazon, or .bank).
3. Second-Level Domains (SLDs)
This is the part you register: example in example.com. The SLD sits directly to the left of the TLD and is what most people think of when they say “domain name.”
4. Subdomains
Anything to the left of the SLD is a subdomain: blog.example.com, api.example.com, mail.example.com. These are configured by the domain owner and don’t require registration.
Who Controls the Domain System?
ICANN
The Internet Corporation for Assigned Names and Numbers (ICANN) is the non-profit organization at the center of domain governance. Founded in 1998 and based in Los Angeles, ICANN coordinates the global DNS, IP address allocation, and the assignment of protocol identifiers.
ICANN does not directly sell domains. Instead, it:
- Accredits registrars who are authorized to sell domains
- Publishes and enforces the policies that registrars must follow
- Manages contracts with TLD operators (called registries)
- Runs the Governmental Advisory Committee (GAC), which allows national governments to influence policy
ICANN has a multi-stakeholder model — meaning its governance includes input from governments, businesses, civil society, technical experts, and individual internet users. This is a deliberate choice to avoid any single government or company controlling the internet’s naming system.
IANA
The Internet Assigned Numbers Authority (IANA) is a function operated by ICANN. IANA manages the root zone file, IP address blocks, and protocol number registries. When a new TLD is created, IANA is responsible for adding it to the root.
Registries
A registry is the organization that operates a TLD. For example:
- Verisign operates .com and .net
- Public Interest Registry (PIR) operates .org
- Nominet operates .uk
- HOSTMASTER operates .ua (Ukraine)
Registries maintain the authoritative database of all domain names registered under their TLD. They set wholesale prices, technical standards, and policies specific to their TLD.
Registrars
Registrars are the companies that sell domain names to end users. They are accredited by ICANN and have contractual relationships with registries. Examples include:
- GoDaddy
- Namecheap
- Google Domains (now Squarespace)
- Cloudflare Registrar
- Name.com
Registrars compete on price, interface, bundled services (hosting, email, SSL), and support. They pay registry wholesale fees and add their own margin. Some registries (like Verisign for .com) have ICANN-regulated price caps.
Resellers
Many hosting companies resell domains on behalf of registrars without being ICANN-accredited themselves. The domain is still registered through an underlying registrar, but the customer-facing brand is the reseller.
How Domain Registration Works
When you register a domain, several things happen:
- Availability check — Your registrar queries the registry’s WHOIS database (or RDAP, its modern replacement) to confirm the domain is available.
- Registration — The registrar submits your registration to the registry, which adds the domain to the zone file with your chosen name servers.
- DNS propagation — The new NS (name server) records propagate across the global DNS infrastructure. This can take minutes to 48 hours, though it’s usually fast.
- WHOIS publication — Your registration data is stored. Historically this was fully public; privacy laws and ICANN policies have changed what gets disclosed (see the Privacy section below).
- Renewal obligation — Domains are leased, not purchased. Registration periods typically range from 1 to 10 years. If you don’t renew, the domain expires and becomes available to others.
The Lifecycle of a Domain
Available → Registered → Active → Expired → Grace Period → Redemption Period → Deleted → Available
- Grace period (~30 days): You can still renew at normal price after expiry.
- Redemption period (~30 days): The domain is held. You can reclaim it for a higher fee.
- Pending delete (~5 days): The domain is queued for release. No recovery possible.
- Released: The domain drops and becomes available for registration.
Domain drop-catching is an industry: automated systems race to register valuable domains the moment they’re released.
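For anyone monitoring their own domain portfolio, the RDAP lookup from the registration steps and the lifecycle above combine into a simple check. This is an added example, not part of the original article: it reads the expiration event from an RDAP domain object and reports the phase using the article's approximate 30/30/5-day windows. The sample response and the name portal.example are constructed, and real windows vary by registry.

```python
import json
from datetime import datetime, timedelta, timezone

# Approximate windows quoted in the article; actual values vary by registry.
GRACE_DAYS, REDEMPTION_DAYS, PENDING_DELETE_DAYS = 30, 30, 5

# Constructed RDAP domain object (RFC 9083 field names), not a real lookup.
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "portal.example",
  "status": ["active"],
  "events": [
    {"eventAction": "registration", "eventDate": "2020-03-01T00:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2025-03-01T00:00:00Z"}
  ]
}""")

def expiration(rdap):
    """Return the RDAP 'expiration' event as a timezone-aware datetime."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    raise ValueError("RDAP object carries no expiration event")

def lifecycle_phase(rdap, now):
    """Return (phase, whole days left before the next phase begins)."""
    end = expiration(rdap)
    phases = [("registered", 0), ("grace period", GRACE_DAYS),
              ("redemption period", REDEMPTION_DAYS),
              ("pending delete", PENDING_DELETE_DAYS)]
    for phase, extra_days in phases:
        end += timedelta(days=extra_days)
        if now < end:
            return phase, (end - now).days
    return "released", 0   # anyone can register the name again

if __name__ == "__main__":
    print(lifecycle_phase(SAMPLE_RDAP, datetime.now(timezone.utc)))
```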
WHOIS and Privacy
The WHOIS protocol has existed since the early 1980s. It was designed to make registration data — name, address, email, phone number of the registrant — publicly accessible for accountability purposes.
The Privacy Problem
By the 2010s, public WHOIS had become a major source of spam, phishing, and harassment. Registrars began offering “WHOIS privacy” or “proxy registration” services, substituting the registrar’s contact details for the registrant’s real information.
GDPR’s Impact
When the EU’s General Data Protection Regulation (GDPR) came into force in 2018, it forced a fundamental rethinking of WHOIS. Exposing personal data publicly without consent violated GDPR principles. ICANN temporarily permitted registrars in the EU (and globally, to be cautious) to redact personal data from public WHOIS.
This led to the development of RDAP (Registration Data Access Protocol) and a tiered access model where:
- Basic contact data is redacted from public view
- Legitimate third parties (law enforcement, IP rights holders) can request access through formal channels
- Registrars are responsible for verifying and disclosing data appropriately
The debate over how open WHOIS should be is ongoing and varies significantly between TLDs.
Laws and Legal Frameworks
UDRP — Uniform Domain-Name Dispute-Resolution Policy
The UDRP is ICANN’s mandatory dispute resolution framework for gTLDs. If someone registers a domain in bad faith that infringes on your trademark, you can file a UDRP complaint without going to court. A UDRP panel can order the domain transferred or cancelled.
To succeed under UDRP, the complainant must prove:
- The domain is identical or confusingly similar to their trademark
- The registrant has no legitimate rights or interests in the domain
- The domain was registered and is being used in bad faith
UDRP proceedings are handled by approved dispute resolution providers, including WIPO (World Intellectual Property Organization) and the National Arbitration Forum.
Country-Level Laws
Each country can regulate domains registered under its ccTLD independently of ICANN. For example:
- .uk (Nominet): has its own dispute resolution policy (DRS) and registration rules
- .de (DENIC): requires a local administrative contact in Germany
- .ua (Ukraine): managed by Hostmaster Ltd., with Ukrainian-specific rules
- .eu (EURid): restricted to EU/EEA residents and businesses
National governments can also legislate around domain-related activity — cybersquatting, phishing, illegal content — using broader laws beyond specific domain policies.
The ACPA (USA)
The US Anticybersquatting Consumer Protection Act (ACPA), passed in 1999, allows trademark holders to sue in federal court over bad-faith domain registrations. Unlike UDRP, ACPA can result in monetary damages, not just domain transfers.
Court Orders and Seizures
Governments and law enforcement can seize domains through court orders. The US Department of Justice has seized thousands of domains used for fraud, sanctions violations, copyright infringement, and drug sales. How this works depends on where the registry is physically located and its legal obligations.
Restrictions and Eligibility
Not all domains can be registered by anyone:
Restricted gTLDs
- .gov — US federal, state, and local government entities only (verified by CISA)
- .edu — US accredited post-secondary institutions only (managed by Educause)
- .mil — US Department of Defense only
Sponsored/Community TLDs
- .aero — aviation industry
- .coop — cooperative associations
- .museum — museums (must be verified)
- .bank — verified financial institutions (strict eligibility, expensive)
New gTLDs with Restrictions
Some newer TLDs impose requirements:
- .doctor, .lawyer, .pharmacy — licensed professionals (policy varies by registry)
- .amsterdam, .nyc — geographic nexus requirements
- .catholic, .bible — community membership
ccTLD Restrictions
Many country-code TLDs restrict registration to residents, citizens, or locally-registered businesses:
- .de — requires a German administrative contact
- .fr — requires EU presence
- .ca — requires Canadian presence
- .au — requires Australian ACN/ABN or trademark
Some ccTLDs, however, are entirely open and have become popular for non-country uses:
- .io (British Indian Ocean Territory) — popular with tech startups
- .ai (Anguilla) — popular with AI companies
- .tv (Tuvalu) — popular with media
- .fm (Federated States of Micronesia) — popular with radio/podcasts
These small territories earn significant royalty income from their ccTLD’s popularity.
How DNS Actually Resolves a Domain
When you visit www.example.com, here’s what happens behind the scenes:
- Local cache check — Your operating system checks its DNS cache. If it has a recent answer, it uses it.
- Recursive resolver — Your request goes to a recursive DNS resolver (usually provided by your ISP, or a public resolver like 8.8.8.8 or 1.1.1.1).
- Root name servers — The resolver asks a root name server: “Who handles .com?” The root server responds with the address of Verisign’s .com name servers.
- TLD name servers — The resolver asks Verisign’s .com servers: “Who handles example.com?” They respond with the authoritative name servers for example.com.
- Authoritative name servers — The resolver asks example.com’s name servers: “What’s the IP for www.example.com?” It gets back an A record (IPv4) or AAAA record (IPv6).
- Response cached and returned — The resolver caches the answer for the duration of the TTL (time-to-live) value and returns it to your browser.
This entire process typically takes 20–120 milliseconds and involves multiple servers across the globe.
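The referral walk and TTL caching described above can be traced with a small in-memory model. This is an added example, not part of the original article: the server names, the delegation table and the 192.0.2.10 address (a documentation range) are constructed, and no network traffic is sent.

```python
import time

# Constructed delegation data; the address is from a documentation range.
SERVERS = {
    "root": {"referrals": {"com.": "com-tld"}},
    "com-tld": {"referrals": {"example.com.": "example-auth"}},
    "example-auth": {"records": {("www.example.com.", "A"): ("192.0.2.10", 300)}},
}

class Resolver:
    """Toy recursive resolver: walks referrals from the root and caches by TTL."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}   # (name, rtype) -> (value, expiry time)
        self.trace = []   # every server (or "cache") consulted, in order

    def resolve(self, name, rtype="A"):
        name = name.lower().rstrip(".") + "."      # normalise to an FQDN
        cached = self.cache.get((name, rtype))
        if cached and cached[1] > self.clock():
            self.trace.append("cache")
            return cached[0]
        server = "root"
        while True:
            self.trace.append(server)
            zone = SERVERS[server]
            answer = zone.get("records", {}).get((name, rtype))
            if answer:
                value, ttl = answer
                self.cache[(name, rtype)] = (value, self.clock() + ttl)
                return value
            # Follow the most specific delegation that covers the name.
            covering = [z for z in zone.get("referrals", {})
                        if name == z or name.endswith("." + z)]
            if not covering:
                raise LookupError(f"{server}: no answer or referral for {name}")
            server = zone["referrals"][max(covering, key=len)]

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com"), r.trace)
```

The trace makes the trust question visible: in plain DNS the resolver accepts each referral and the final answer without any proof of origin.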
DNSSEC — Signing the DNS
The DNS was designed without authentication — any server could theoretically respond with a forged answer (DNS spoofing or cache poisoning). DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that the data hasn’t been tampered with.
DNSSEC creates a chain of trust from the root zone down to individual domains. While adoption has grown, it’s still not universal — many registrars and domain owners haven’t implemented it, leaving DNS queries vulnerable to certain attacks.
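One link of that chain of trust is the DS record in the parent zone, which is a hash of the child zone's key-signing DNSKEY. This is an added example, not part of the original article: it builds the DS digest and key tag as defined in RFC 4034 and checks a DNSKEY against it. The key bytes are constructed rather than a real key, and RRSIG signature verification is outside what it shows.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) DNS wire format of an owner name."""
    wire = b""
    for label in filter(None, name.lower().split(".")):
        raw = label.encode("ascii")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"   # the root label, i.e. the trailing dot

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS record the parent zone publishes (digest type 2 = SHA-256)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def ds_matches_dnskey(ds, owner, rdata):
    """True when the child's DNSKEY is the one the parent's DS vouches for."""
    return ds == make_ds(owner, rdata)

# Constructed key material (not a real key): flags 257 = key-signing key,
# algorithm 13 = ECDSA P-256 with SHA-256, 64-byte public key.
KSK = dnskey_rdata(257, 13, bytes(range(64)))
PARENT_DS = make_ds("example.com.", KSK)

if __name__ == "__main__":
    forged = dnskey_rdata(257, 13, bytes(64))
    print(ds_matches_dnskey(PARENT_DS, "example.com.", KSK))
    print(ds_matches_dnskey(PARENT_DS, "example.com.", forged))
```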
Premium Domains and the Secondary Market
Popular or short domain names — especially in .com — can be worth enormous sums. The secondary market for domains is large and largely unregulated:
- Short .com domains (2–4 characters) routinely sell for millions
- voice.com sold for $30 million in 2019
- sex.com sold for $13 million in 2010
- insurance.com sold for $35.6 million in 2010
Domain investors (sometimes called “domainers”) register or buy domains speculatively and resell them. The line between legitimate investment and cybersquatting depends on intent and trademark conflicts.
Auction platforms like Sedo, Afternic, and Flippa facilitate domain sales. Escrow services (like Escrow.com) protect both parties in large transactions.
Internationalized Domain Names (IDNs)
For most of the internet’s history, domain names were restricted to ASCII characters (letters a–z, digits 0–9, and hyphens). This excluded billions of users whose languages use different scripts.
Internationalized Domain Names (IDNs) allow domain names in Arabic, Chinese, Cyrillic, Hindi, and other scripts. They work by encoding the Unicode string using Punycode, an ASCII-compatible encoding:
пример.испытание → xn--e1afmkfd.xn--80akhbyknj4f
ICANN has also introduced internationalized TLDs (IDN ccTLDs), allowing country codes in local scripts (e.g., .рф for Russia, .中国 for China, .مصر for Egypt).
The Future of Domains
Several developments are reshaping the domain landscape:
Blockchain Domains
Projects like Ethereum Name Service (ENS) offer .eth domains registered on the Ethereum blockchain. These are decentralized — no registrar, no ICANN, no central authority. They map to crypto wallet addresses and decentralized websites. However, they’re not part of the traditional DNS and require special browsers or plugins to resolve.
Certificate Transparency and HTTPS
The rise of HTTPS and Let’s Encrypt has made TLS certificates nearly universal. Certificate Transparency (CT) logs mean every certificate issued for a domain is publicly auditable — a useful tool for detecting fraudulent certificates.
New gTLD Rounds
ICANN opened applications for new gTLDs in 2012, receiving nearly 2,000 applications. A second round is underway (delayed multiple times), which is expected to add thousands more TLDs to the root.
Privacy vs. Accountability Tensions
The tension between WHOIS transparency (useful for abuse fighting and law enforcement) and privacy rights (GDPR and similar laws) remains unresolved. ICANN continues to work on a standardized access framework that satisfies both camps.
Key Takeaways
- Domains are leased, not owned — they must be renewed or they expire.
- ICANN accredits registrars but doesn’t sell domains directly; registries operate TLDs.
- DNS resolution is a distributed, hierarchical system involving root, TLD, and authoritative name servers.
- WHOIS data exposure is increasingly governed by privacy law, particularly GDPR.
- Trademark disputes over domains are handled through UDRP or national courts.
- ccTLDs are governed by local policies that can differ significantly from gTLD rules.
- The secondary market for premium domains operates largely like commodity trading — with million-dollar sales and speculative investing.
The domain system is one of the internet’s most fundamental and underappreciated pieces of infrastructure. It’s a technical standard, a legal battleground, a governance experiment, and a market — all at once.
