
Why do the DNS records for Heroku point to "<foo>.herokudns.com" instead of just "heroku.com"


I am trying to learn how to implement a DNS server, and am looking first at Heroku.

Why do they have @ point to hidden-sierra-7936.herokudns.com.? Why not just foo.herokudns.com., or better yet, herokudns.com. (no subdomain), or even better, heroku.com. (main website). What are the reasons for this? Is it security, performance, architecture-needs, something else, all of the above? More specifically, what are the details of these reasons, does it depend on the number of requests coming through and that's why the <dynamic-name>.herokudns..., so there are a lot of them? Or perhaps if there is an error in one they can quickly switch it?

Finally, can these reasons be avoided/countered/argued-against so you could make the domain a little nicer and just do heroku.com.? Why can't you just do it on heroku.com.? (If you were building Heroku that is, obviously Heroku doesn't support this).

I am also looking at this. It looks like Heroku used to do it like proxy.heroku.com, but for some reason they switched it. Why?


Solution

  • As far as using subdomains on .heroku.com, this is at least partly a security mitigation.

    Consider the arguments made in this blog post from GitHub, published when they moved Pages sites from .github.com to .github.io:

    There are two broad categories of potential security vulnerabilities that led to this change.

    1. Session fixation and CSRF vulnerabilities resulting from a browser security issue sometimes referred to as “Related Domain Cookies”. Because Pages sites may include custom JavaScript and were hosted on github.com subdomains, it was possible to write (but not read) github.com domain cookies in a way that could allow an attacker to deny access to github.com and/or fixate a user’s CSRF token.
    2. Phishing attacks relying on the presence of the “github.com” domain to create a false sense of trust in malicious websites. For instance, an attacker could set up a Pages site at “account-security.github.com” and ask that users input password, billing, or other sensitive information.
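As an added illustration of the "Related Domain Cookies" point in the answer (this is not code from the question, the answer, or the GitHub post), here is a small Python model of the browser rule for the cookie `Domain` attribute, used to compare the hosting layouts discussed above; the public suffix set is a constructed stand-in for the real Public Suffix List.

```python
# Added example: models RFC 6265 section 5.3 domain-matching plus the
# public-suffix rejection that browsers layer on top, to show which hosting
# layouts let a tenant-controlled host set cookies that the main site receives.

# Constructed stand-in for the real Public Suffix List (browsers ship the full
# list). github.io really is on it; github.com and heroku.com are not.
PUBLIC_SUFFIXES = {"com", "io", "github.io"}


def _norm(name: str) -> str:
    """Lower-case and strip leading/trailing dots (Domain=.example.com)."""
    return name.lower().strip(".")


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host matches domain if equal or host ends in '.' + domain.
    (IP-address hosts never domain-match; not modelled here.)"""
    host, domain = _norm(host), _norm(domain)
    return host == domain or host.endswith("." + domain)


def cookie_domain_allowed(setting_host: str, domain_attr: str) -> bool:
    """May a page on setting_host set a cookie with Domain=domain_attr?
    Rejected if the domain is a public suffix or does not cover the host."""
    domain = _norm(domain_attr)
    if domain in PUBLIC_SUFFIXES:
        return False
    return domain_matches(setting_host, domain)


def parent_domains(host: str) -> list:
    """All candidate Domain values a host could try, from itself upward."""
    labels = _norm(host).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def cookies_reach_main_site(tenant_host: str, main_site: str) -> bool:
    """Risk check: can any cookie set from tenant_host be scoped so that
    main_site also receives it? True means shared-cookie exposure."""
    return any(
        cookie_domain_allowed(tenant_host, d) and domain_matches(main_site, d)
        for d in parent_domains(tenant_host)
    )


if __name__ == "__main__":
    for tenant, site in [("foo.github.com", "github.com"),
                         ("foo.github.io", "github.com"),
                         ("foo.proxy.heroku.com", "heroku.com"),
                         ("hidden-sierra-7936.herokudns.com", "heroku.com")]:
        print(f"{tenant:36} -> {site}: exposed={cookies_reach_main_site(tenant, site)}")
```

The last two cases show the difference between the old proxy.heroku.com layout and the current herokudns.com one: a separate registrable domain has no parent in common with heroku.com, so no Domain value covers both.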