How is "0x43.0x9e.0x87.0xa9" a valid domain?

I got a phish in my inbox today, leading to a PayPal spoof site at:


What I don't understand is, how is this even a valid URL?  .0xa9 isn't
any valid top-level domain as far as I can tell, yet when I paste the
above into Firefox, it cheerfully shows me the spoofer's page. rejects it as invalid.  nslookup reports "server can't find
0x43.0x9e.0x87.0xa9: NXDOMAIN".  dig reports something cryptic (I admit
to being mostly baffled by the dig command -- please be gentle, I'm new
to this) that doesn't seem to include an IP address.  Yet something
like ping or traceroute goes right to (as does Firefox,

Can anyone explain to me how this works?  How did the scammer here
construct a domain name that's not known to the WHOIS servers or lookup
tools, yet resolves to a valid IP for other tools?

- Joe

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?


Welcome to the wonderful world of the standard C library. One of the
things that happens when a hostname can't be translated to an IP address
is that the resolver tries to parse it as a numeric IP address. It does
that by tokenizing on '.' and converting the segments into numbers
(assuming that the number of segments fits into the 1-4 range allowed
for IPv4 and each segment's value is in the legal range). The C
functions that convert from character strings to integers typically
automatically recognize certain patterns to indicate the base of a
number: a leading "0x" indicates a hex number, a leading "0"
octal. Translating hex to decimal, the host is

Note that this works for a lot of things. "hostnames" of the form
"n.n.Y", "n.Z" and "N" (where n is in the 0-255 range, Y in the 0-65535
range (16-bit integer), Z is in the 0 - (2^24)-1 range (24-bit integer)
and N is a number in the 0 - (2^32)-1 range (32-bit integer)) also get
treated as numeric IPs. n, Y, Z and N can be in decimal, octal (with a
leading '0') or hex (with a leading '0x').

-- because for some problems there's only one solution.

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?

Never mind, I apparently need more coffee this morning.  I now see that
this is simply a numeric IP, given in hexadecimal form.  I hadn't
realized that this was something tools would generally recognize, but
it's pretty obvious now that I see it.

- Joe

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?

This is not compliant with the specifications of [RFC1738] (Uniform
Resource Locators).

3.1. Common Internet Scheme Syntax
        The fully qualified domain name of a network host, or its IP
        address as a set of four decimal digit groups separated by


Kind regards
Ludovic Joly

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?


In more usual language that is
Whether any browser would decode it is less clear.

(What is weird is that it is an electric company, and on the front page
they have a hand-cranked radio and flashlight for sale. Are they trying to
tell us something?)


Not in my firefox!


Because it is just a number. In hex (which is what the 0x means).

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?

Unruh wrote:


Took one look at that and, 'Oh. Hex. OK, translate to decimal and see what
comes up'. But, why encode it that way? Someone trying to obscure the IP
address [like a kitten covering up on the linoleum]?

Someone puzzle me that one???

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?


It probably gets around some security programs, which know how to
recognize dotted-decimal addresses and block them, but don't recognize
the hex.

Barry Margolin,
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
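
The numeric-host parsing rules described earlier in the thread, and the filter gap the last reply points to, as an added example that is not part of the original posts: a check a URL filter could run on a host string before matching it against dotted-decimal block rules. The function name `numeric_ipv4` is hypothetical (it is not a libc call), and the sample hosts are constructed from the 192.0.2.0/24 documentation range.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not a libc function): if host would be read as a
 * numeric IPv4 address under the rules described in the thread, store the
 * 32-bit address in *addr and return 1; return 0 for a real hostname. */
int numeric_ipv4(const char *host, unsigned long *addr)
{
    unsigned long part[4], a = 0;
    const char *p = host;
    char *end;
    int n = 0, i;

    for (;;) {
        /* isdigit() rejects empty parts, signs and spaces strtoul would take */
        if (n == 4 || !isdigit((unsigned char)*p))
            return 0;
        errno = 0;
        part[n++] = strtoul(p, &end, 0);  /* base 0: "0x" hex, "0" octal */
        if (errno == ERANGE || (*end != '\0' && *end != '.'))
            return 0;                     /* overflow, or junk as in "08" */
        if (*end == '\0')
            break;
        p = end + 1;
    }
    for (i = 0; i < n - 1; i++) {         /* leading parts are one byte each */
        if (part[i] > 0xff)
            return 0;
        a |= part[i] << (24 - 8 * i);
    }
    if (part[n - 1] > (0xffffffffUL >> (8 * (n - 1))))
        return 0;                         /* last part fills remaining bytes */
    *addr = a | part[n - 1];
    return 1;
}

int main(void)
{
    /* Constructed samples: spellings of 192.0.2.1, then a real hostname. */
    const char *s[] = { "0xc0.0x00.0x02.0x01", "0300.0.02.01", "192.0.513",
                        "192.513", "3221225985", "paypal.example" };
    unsigned long a;
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        if (numeric_ipv4(s[i], &a))
            printf("%s -> %lu.%lu.%lu.%lu\n", s[i], a >> 24,
                   (a >> 16) & 0xff, (a >> 8) & 0xff, a & 0xff);
    return 0;
}
```

Matching block rules against the canonical dotted-decimal form printed here, rather than against the raw host string, treats every spelling of an address the same way.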
