No hand-waving. Here's exactly what this is and where it works.
you.throb, it's written into our registry and
served live by the domainless authoritative nameserver. Add an A record
and it answers on the next query. This is the same machinery a
.com works on — a registry, a nameserver, a zone — just
run by us instead of Verisign and ICANN.
Everyone connected to the domainless VPN is handed our resolver automatically (DNS = 10.8.0.1 in the config), so .throb names just work — nothing to set up.
Our resolver answers .throb from our own nameserver and forwards everything else to the normal internet — so turning it on never breaks regular browsing.
From a device on the VPN: dig @10.8.0.1 name.throb. The resolver is bound to the VPN only — it's not a public open resolver.
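The split described above (answer .throb from our own nameserver, forward everything else, listen on the VPN only) can be written as a resolver config. This is an added example in Unbound syntax, not the domainless network's actual configuration. The page does not say which resolver software is used, and the VPN subnet, the nameserver port and the upstream address are assumptions.

```conf
# Added example (Unbound syntax). The page gives only 10.8.0.1; the VPN
# subnet, nameserver port and upstream address below are assumptions.
server:
    # Listen on the VPN address only, never on a public interface.
    interface: 10.8.0.1
    # Refuse everyone by default, then allow the VPN clients (assumed /24).
    access-control: 0.0.0.0/0 refuse
    access-control: 10.8.0.0/24 allow
    # .throb does not exist in the signed ICANN root, so a validating
    # resolver must be told not to expect a DNSSEC chain for it.
    domain-insecure: "throb."
    # Needed only because the assumed nameserver below runs on localhost.
    do-not-query-localhost: no

# .throb goes to the authoritative nameserver (assumed 127.0.0.1, port 5353).
stub-zone:
    name: "throb."
    stub-addr: 127.0.0.1@5353

# Everything else is forwarded to a normal upstream resolver
# (192.0.2.53 is a documentation placeholder, not a real service).
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
```

With this layout a query from outside the allowed subnet is answered with REFUSED, which is the check to run when confirming the resolver is not open.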
.throb is not an ICANN top-level domain, so
a stranger typing you.throb into a stock browser on their
phone won't reach it — their carrier's DNS has never heard of
.throb. That's not a bug; it's the deal with running an
independent namespace. It resolves for people who opt into the
domainless network. Making it resolve for the entire planet would mean
taking .throb through ICANN — a different, six-figure story.
From a device on the domainless VPN: register a name, add an A record, then query it — you'll get your record straight back from our nameserver.