Network6 min

Punycode and IDN Domains: How to Spot Homograph Phishing

Attackers register lookalike domains using non-Latin characters that render identically to real brands. Here's how Punycode works and how to catch a homograph attack before you click.

Zro7 lookups run in your browser via Cloudflare DoH — no domain history is stored.

A homograph attack registers a domain that looks like a real one but uses Unicode characters from another script — Cyrillic а, Greek ο, or Armenian օ — that render identically to Latin letters. DNS actually stores these as ASCII via Punycode (xn--). Copy the suspicious domain into Zro7 WHOIS Lookup — the real Punycode form is what the registry returns.

How Punycode works

DNS is ASCII-only. Internationalized Domain Names (IDN) encode Unicode into ASCII using Punycode. café.com becomes xn--caf-dma.com. Browsers reverse this in the address bar so users see the pretty form. Registrars can enforce a single-script policy per label, but many TLDs (including some ccTLDs) don't.

Classic homograph examples

  • аpple.com — first letter is Cyrillic U+0430, not Latin U+0061. Punycode: xn--pple-43d.com.
  • gοοgle.com — the two 'o's are Greek omicron U+03BF. Punycode: xn--ggle-55da.com.
  • раураl.com — five Cyrillic letters. Punycode: xn--80ak6aa92e.com.

How modern browsers defend

Chrome, Firefox, and Safari now show the Punycode form when a label mixes scripts, or when the whole label is in a script the user's locale doesn't use. This helps, but not always: a fully Cyrillic раураl.com passes some checks because there's no mixing. Never trust the visual.

How to verify a suspicious link

  • Right-click → Copy Link, paste into a plain-text editor. If it starts with xn--, it's an IDN.
  • Run it through WHOIS Lookup — creation date under 30 days for a 'major brand' is a giant red flag.
  • Check DNS records — homograph domains usually resolve to cheap hosting, not the brand's real ASN.
  • Look at the DNSSEC status — major brands sign their zones; hastily registered phishing rarely does.

Steps to check any domain

  1. Copy the raw URL.
  2. Paste into WHOIS. Note the registrant, creation date, and Punycode form.
  3. Run DNS Lookup; verify A/MX point where the real brand's records point.
  4. If anything looks off, don't click. Report to the brand's abuse address.

Frequently asked questions

Are IDNs bad?

Not at all — they let non-English users have domains in their own scripts. The abuse is entirely on registrars that allow visually confusable single-script registrations.

How do I search for lookalikes of my brand?

Register variants proactively, and monitor certificate transparency logs (crt.sh) for new certs with your brand name in Punycode form.

Does HTTPS protect me?

No — the phishing site can get its own valid cert for its Punycode domain. The lock icon means 'traffic is encrypted', not 'this is the real brand'.

Why does the URL bar sometimes hide Punycode?

Browsers show the Unicode form when the label matches the user's language settings and passes anti-spoof heuristics. Otherwise they fall back to <code>xn--</code>.

Any upload from Zro7 WHOIS?

Only the domain string, sent to a public RDAP server.

Related posts

← Back to blog