Punycode Encoder Decoder

Encode and Decode Internationalized Domain Names

The Domain Name System (DNS) was originally designed to handle only ASCII characters—letters, digits, and hyphens. This limitation excluded the vast majority of the world's written languages from being used in domain names. Punycode is the encoding scheme that bridges this gap, allowing internationalized domain names (IDN)—domain names containing non-ASCII characters from any Unicode script—to be represented in a format that the existing ASCII-based DNS infrastructure can process.

Our free Punycode encoder and decoder converts internationalized domain name labels between their Unicode form (the human-readable version containing characters in any script) and their Punycode form (the ASCII-compatible encoding beginning with `xn--` that DNS resolvers process). Enter a Unicode domain name to see its Punycode equivalent, or enter a Punycode label to decode it to Unicode.

How Punycode Works

Punycode (defined in RFC 3492) encodes a domain label that contains non-ASCII Unicode characters into an ASCII string consisting of two parts: the ASCII characters from the original label (if any), followed by a hyphen separator, followed by an encoding of the non-ASCII characters. The result is always ASCII-safe. The `xn--` prefix is prepended to signal that the label is Punycode-encoded.

A fully Unicode domain name like `münchen.de` (the German city Munich) is encoded as `xnchen-3ya.de`. The ASCII letters "mnchen" from the original label appear at the start, and the Punycode encoding of "ü" (U+00FC) is appended after the hyphen separator. When a browser resolves this domain name, it converts the Unicode form to Punycode before submitting the DNS query, and DNS servers handle the ASCII-safe Punycode label without modification.

Why Internationalized Domain Names Matter

Over 60% of internet users are not native English speakers, and many write in scripts that don't use the Latin alphabet at all—Arabic, Chinese, Japanese, Korean, Cyrillic, Devanagari, and dozens of others. Before internationalized domain names were standardized, these users could only register and use domain names in ASCII, effectively requiring them to represent their language names and brands in a foreign script. IDN support allows Arabic-speaking users to have domain names entirely in Arabic, Chinese users in Chinese, and Korean users in Korean.

ICANN approved the first internationalized country code top-level domains (IDN ccTLDs) in 2010, allowing countries to have their internet infrastructure's top-level domain in their native script. The .مصر domain for Egypt, .中国 for China, .भारत for India, and many others emerged from this. Today, thousands of internationalized domain names are registered and used across dozens of scripts.

Punycode and Security: The Homograph Problem

While internationalized domain names improve accessibility, they introduce a significant security concern known as the homograph attack or homoglyph attack. Unicode contains many characters that look visually identical or nearly identical to common ASCII characters. The Cyrillic lowercase а (U+0430) is indistinguishable from the Latin lowercase a (U+0061) in most fonts. The Cyrillic о (U+043E) looks identical to the Latin o (U+006F). An attacker can register a domain like аpple.com using a Cyrillic 'а' that looks identical to apple.com with a Latin 'a', creating a convincing phishing URL that passes visual inspection.

The Punycode form of such a domain immediately reveals the attack: аpple.com in Cyrillic becomes `xn--pple-43d.com`, which is obviously not apple.com. Modern browsers display the Punycode form for domain names that mix scripts or use characters from scripts not matching the website's apparent language—specifically to make homograph attacks visible. Security-conscious users can check a suspicious domain's Punycode form using our decoder to verify it's using the expected characters.

Technical Details: The ACE Prefix

The `xn--` prefix attached to Punycode-encoded domain labels is called the ACE prefix (ASCII-Compatible Encoding prefix). It serves as a namespace marker that distinguishes Punycode labels from regular ASCII domain labels, allowing DNS servers that don't support IDN to simply treat `xn--mnchen-3ya.de` as a normal ASCII domain name, while IDN-aware resolvers and browsers recognize the prefix and apply Punycode decoding to display the original Unicode form to users. The double-hyphen construction (`--`) was chosen because it doesn't appear in any valid ASCII domain name registered before IDN was introduced, guaranteeing no collision with existing labels.

Free, Private, and Instant

The Punycode encoder and decoder runs entirely in your browser. No domain names or encoded strings you enter are transmitted to any server or stored anywhere. The tool is completely free with no account required and works on any device with a modern browser.