Hidden subdomains


I’m putting drafts-in-progress of a book on my website so that invited friends can check it out and criticise.

In order to avoid the hassle of login and passwords, I’m simply putting it in a subdirectory with an unguessable name, so that random visitors and robots won’t encounter it by chance,

for example: www.mydomain.com/xqxqx/

But it would be much cooler to give it a subdomain with an unguessable name,

for example: xqxqx.mydomain.com/

Is this safe, or is there some way that random visitors (or robots, for that matter) could discover systematically what subdomains exist in a domain?


If you make the subdomain name long enough and obscure enough, no one will guess it.

Also, practically speaking, I’ve never had any visitors to any site I haven’t had published to search engines and that I’ve never linked to.

If it is actually sensitive information rather than just embarrassing, would it be that hard for you to throw a password on the directory?



A “hidden” subdomain just can’t stay hidden. “Security through obscurity” is a lousy security model. Remember that if there’s a link in that subdomain, that link may show up as the HTTP Referer when you land at the next site and end up in the logs.

Just password the thing. You only need a single username and password. Heck, you can even set the .htaccess message to show the username and all they have to know is the password.



Thanks for the reply.

The reason I asked is because I’m puzzled about the following:

Another of my websites, that I’ve had for many years, has never been published or linked to. It just has a cute (and unique) little jingle on its front page and is otherwise completely empty.

Also, the email addresses on that domain have never been published, I use them as a private recipient that my public email addresses forward to.

Well, after about a year, I noticed that the jingle started showing up in google, pointing to my website. For some years it stayed that way, as a googlewhack (i.e. the sole result returned by google.) Then last year, the jingle started showing up on the web in ‘collections of memorable phrases’, again referencing my website as the source.

I’ve been wondering how this can possibly happen.

I’m wondering if robots have access to internet domain name routing tables and do searches based on that.

P.S. just seen the second reply also. I tend to agree, but am still puzzled about the foregoing, and would be happy even with lousy but simple security through obscurity.


I can confirm that. I put up a new web site about a year ago. Never published, no links pointing to it, and this month, perhaps even a few months ago, I started getting bots accessing the site. I would never have known it, but the stupid idiots spammed the contact page. Never figured out why on earth someone would want to spam the administrator, knowing full well that it gives us the info needed to block them.
I think they have a spider crawling the whois database.



There’s a way to prevent bots from accessing the site, I don’t remember it though. It’s a meta tag.

Then security through obscurity should keep away the humans. At the same time, if this is legally sensitive information, you need to put up a password.
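An added example, not part of any post in this thread: a small audit of an unlisted page for the two exposure paths raised above, the HTTP Referer sent to external sites and the robots meta tag. The page URL is the one from the original post; the sample HTML and the external hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of an unlisted draft page (not from the thread).
SAMPLE = """<html><head><meta name="robots" content="noindex, nofollow"></head>
<body><a href="chapter2.html">next</a>
<a href="https://example.org/style-guide">style guide</a>
<a rel="noreferrer" href="https://example.net/notes">notes</a>
<img src="https://cdn.example.com/cover.png"></body></html>"""

class LeakAudit(HTMLParser):
    """Collects what decides whether an unlisted page's URL leaks or gets indexed."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlparse(page_url).hostname
        self.noindex = False   # <meta name="robots" content="noindex"> seen
        self.policy = None     # <meta name="referrer" content="..."> value
        self.leaky = []        # external URLs that would be sent a Referer

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            name, content = a.get("name", "").lower(), a.get("content", "").lower()
            if name == "robots" and "noindex" in content:
                self.noindex = True
            elif name == "referrer":
                self.policy = content
            return
        target = a.get("href") or a.get("src")
        url = urlparse(urljoin(self.page_url, target or ""))
        if not target or url.scheme not in ("http", "https") or url.hostname == self.host:
            return  # no URL, non-web scheme, or same host: nothing leaves the site
        quiet = "noreferrer" in a.get("rel", "").lower().split() \
            or a.get("referrerpolicy", "").lower() == "no-referrer"
        if not quiet:
            self.leaky.append(url.geturl())

def audit(page_url, html):
    p = LeakAudit(page_url)
    p.feed(html)
    # Origin-only policies are not counted as safe: they still send the
    # hostname, which is the secret when the obscurity lives in a subdomain.
    suppressed = p.policy in ("no-referrer", "same-origin")
    return {"noindex": p.noindex, "referer_leaks": [] if suppressed else p.leaky}

if __name__ == "__main__":
    print(audit("http://www.mydomain.com/xqxqx/", SAMPLE))
```

The robots meta tag only asks well-behaved crawlers not to index the page; it does not stop anyone who has the URL from fetching it.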


“security through obscurity” isn’t security at all … it’s the same thing as leaving your door unlocked and hoping no one notices. :wink:



Just to mention, that in the original post I never mentioned the word security.

And also just to mention, where I live we never need to lock the door at nights. Yes, such places do exist, even in the 21st century.

Anyway, thanks for all the info. I’m still interested in knowing what sort of robot traffic I might get to an unpublished subdomain without links either into or out of it.

Does the ‘whois’ database also contain subdomain names?


Oh, I know that … and I wasn’t directing that comment at you in a pejorative way at all … I was just pointing out the reality of that concept. :wink:

Yep, me too, and I think it’s great! That said, the web is NOT such a place, and by definition my not locking my doors means I’m not practicing “security” of a certain sort (there is the gun in the night stand, but that is another matter altogether!) :wink:

Anyway, thanks for all the info. I’m still interested in knowing what sort of robot traffic I might get to an unpublished subdomain without links either into or out of it.
It’s really hard to tell; my experience has been mixed. As has already been mentioned, there is referrer information to consider (if you ever browse to another site from that subdomain).

No, it doesn’t, but there are other tools out “in the wild” that can (think reverse DNS tools, etc.)



Thank you for the replies. Obscurity has been quite satisfactory so far, but things are progressing and we have a publisher’s contract, so maybe it’s time to move up a step.

Lensman rhetorically asks, “would it be that hard for you to throw a password on the directory?”

Well, using Dreamhost’s ultra-easy Goodies/Htaccess panel I’ve added a .htaccess and .htpasswd file,

which is OK with Firefox, Safari and Opera, but it makes Internet Explorer (version 7) throw up the following horrible message:

“Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection).”

Maybe IE is trying to be helpful, in its clumsy Microsoft way, and suggesting that HTTPS would be more appropriate. But the overall effect is to be unwelcoming. It is not going to impress the publisher, and it is going to scare away some of my friends.

However, according to the Dreamhost support wiki, “In order to allow visitors to access your site securely, you will need to have your own unique IP address and sign up for the Secure Server.”


What would be a more sensible way of getting rid of that scary message from IE?