



.example (for examples), .invalid (invalid domains), .localhost (avoids conflict with localhost hostname), .test (for tests), .local (link-local names), .onion (for Tor)


Also good to reserve localhost since some system resolvers will actually resolve any subdomain of localhost as 127.0.0.1. (I think systemd-resolved does, but I know for sure glibc NSS with the nss-myhostname module does.)


That's the specced behavior of localhost:

> The domain "localhost." and any names falling within ".localhost." are special in the following ways:

> 4. [---] Instead, caching DNS servers SHOULD, for all such address queries, generate an immediate positive response giving the IP loopback address

https://datatracker.ietf.org/doc/html/rfc6761#section-6.3


Couple things here:

The GP describes resolver software, which corresponds to item 6.3.3, not a caching server. This does specify the same behavior.

In RFC terminology, "MUST" > "SHOULD" > "MAY", so there is some wiggle room there.

6.3.2 permits Chromium and other apps to hardcode localhost names as such, instead of using a resolver.

A very popular vector for adware/malware is to take over the system resolver, or replace the DNS client configuration, so this is one reason Chromium jealously guards 127.0.0.0/8.


I haven't figured out how to get unbound to do this. It's easy to configure dnsmasq to do it, though:

    address=/localhost/127.0.0.1
    address=/localhost/::1

I do this on my network because not every system resolver does it itself (annoyingly).


I actually did not know this was specified by a standard. That does indeed make it perplexing that not all resolvers do it.
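An added example, not part of the thread or of any project mentioned in it: since resolvers differ, an application can answer localhost names itself as RFC 6761 section 6.3 item 2 permits, and separately audit what the configured resolver returns for them. The function names are hypothetical, and the `lookup` parameter is an assumption that lets a stand-in resolver be injected.

```python
import ipaddress
import socket

LOOPBACK_V4 = ipaddress.ip_address("127.0.0.1")
LOOPBACK_V6 = ipaddress.ip_address("::1")


def is_localhost_name(name: str) -> bool:
    """True for "localhost" and any name under ".localhost" (RFC 6761 6.3)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] == "localhost"


def system_lookup(name: str) -> set:
    """Ask the system resolver; returns a set of ip_address objects."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    # Drop any "%scope" suffix before parsing the address string.
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


def resolve(name: str, lookup=system_lookup) -> set:
    """Resolve name, answering localhost names locally (never via lookup)."""
    if is_localhost_name(name):
        return {LOOPBACK_V4, LOOPBACK_V6}
    return lookup(name)


def audit_resolver(name: str, lookup=system_lookup) -> str:
    """Classify what the resolver itself returns for a localhost name."""
    if not is_localhost_name(name):
        raise ValueError("not a localhost name: " + name)
    answers = lookup(name)
    if not answers:
        return "unresolved"      # resolver does not special-case the name
    if all(a.is_loopback for a in answers):
        return "loopback"        # matches the RFC 6761 behaviour
    return "non-loopback"        # name resolves off-host: investigate


if __name__ == "__main__":
    for n in ("localhost", "app.localhost", "db.dev.localhost."):
        print(n, audit_resolver(n), sorted(map(str, resolve(n))))
```

A "non-loopback" result for a `.localhost` name means the resolver configuration has been changed or replaced, which is the condition the hardcoding in `resolve` protects against.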


What about .localdomain? I haven't been able to find anything standards-wise about it.




