One of the features I am working on for my app (https://bigpicture.site) is the ability for each customer to have a custom subdomain in their URL (similar to Slack, where each workspace is in the form of {name}.slack.com).<p>I understand the technical details of setting up the wildcard subdomains and handling it, but I am curious if there is a canonical list somewhere of subdomains I shouldn't let a customer register.<p>For instance, I wouldn't want a customer to use www as their workspace name. www.bigpicture.site should be reserved.<p>What other subdomain names should be reserved? Just from brainstorming, here is the list I came up with. But I'd love to know if there is a better list somewhere:<p>www
mail
ftp
web
smtp
imap
pop
pop3
blog
support
about
social
billing
admin
knowledge
help
community<p>Additionally, I am going to reserve anything that starts with the letters "bp" so I can use those internally.
You may be safer by keeping customer stuff on a subdomain of your primary domain, or even having a user content domain.<p>Otherwise you will be chasing this for a long time:<p>Official.example.net, postmaster.example.net, search.example.net, mail.example.net, payments.example.net<p>Vs<p>Official.users.example.net, mail.users.example.net, etc.<p>You may want to consider connecting with the PSL:<p><a href="https://en.m.wikipedia.org/wiki/Public_Suffix_List" rel="nofollow">https://en.m.wikipedia.org/wiki/Public_Suffix_List</a>
> But I'd love to know if there is a better list somewhere<p>There's a few lists but I suggest going through them and removing some entries.<p>Here's one list (tons of entries that don't make much sense):
<a href="https://github.com/jedireza/reserved-subdomains/blob/master/names.json">https://github.com/jedireza/reserved-subdomains/blob/master/...</a><p>This is another list which is a bit better quality: <a href="https://minhajuddin.com/2016/03/09/subdomains-to-restrict-from-your-saas-app/" rel="nofollow">https://minhajuddin.com/2016/03/09/subdomains-to-restrict-fr...</a><p>Another list (there's some I don't agree with): <a href="https://github.com/nkkollaw/reserved-subdomains/blob/master/reserved-subdomains.yaml">https://github.com/nkkollaw/reserved-subdomains/blob/master/...</a>
Some ideas
Don't let them select a name - create a random URL ghrff.domain.com<p>Don't do this on your primary domain; buy a new one.<p>If you still want to go ahead and you've created an A record for www or mail previously, your A record will supersede the wildcard entry, which will create a bug where the user cannot access their subdomain. You need to filter any A records you've created to avoid this.
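An added example, not part of the thread: a signup-time check that combines the reserved names from the original post and the replies, the "bp" prefix rule, DNS label syntax, and the last comment's point about explicit records shadowing the wildcard. The function name `check_workspace_name` and the `existing_records` parameter are hypothetical; the caller is assumed to supply the labels that already have explicit records in the zone.

```python
import re

# Names from the original post's list plus those mentioned in the replies.
RESERVED = {
    "www", "mail", "ftp", "web", "smtp", "imap", "pop", "pop3", "blog",
    "support", "about", "social", "billing", "admin", "knowledge", "help",
    "community", "official", "postmaster", "search", "payments",
}
RESERVED_PREFIXES = ("bp",)  # the poster's internal-use prefix

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing
# hyphen. Dots are rejected so a customer cannot claim a nested name.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def check_workspace_name(raw, existing_records=frozenset()):
    """Return (ok, reason) for a requested workspace subdomain.

    existing_records: labels that already have an explicit DNS record in
    the zone; such a record takes precedence over the wildcard entry, so
    a customer with that name could never reach their workspace.
    """
    # DNS names are case-insensitive, so compare in lower case only.
    name = raw.strip().lower()
    if not LABEL_RE.fullmatch(name):
        return False, "not a valid single DNS label"
    if name in RESERVED:
        return False, "reserved name"
    if name.startswith(RESERVED_PREFIXES):
        return False, "reserved prefix"
    if name in {r.lower() for r in existing_records}:
        return False, "explicit DNS record exists"
    return True, "ok"


if __name__ == "__main__":
    zone_records = {"status", "api"}  # constructed sample, not from the thread
    for candidate in ["acme", "WWW", "bpinternal", "status", "a.b", "-acme"]:
        print(candidate, check_workspace_name(candidate, zone_records))
```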