diff --git a/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java b/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
index 63edeb3f3d6..c945cdb4f14 100644
--- a/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
@@ -218,7 +218,7 @@ public static InternetDomainName validateDomainName(String name) throws EppExcep
     return domainName;
   }
 
-  private static void validateFirstLabel(String firstLabel) throws EppException {
+  public static void validateFirstLabel(String firstLabel) throws EppException {
     if (firstLabel.length() > MAX_LABEL_SIZE) {
       throw new DomainLabelTooLongException();
     }
diff --git a/core/src/main/java/google/registry/flows/host/HostCheckFlow.java b/core/src/main/java/google/registry/flows/host/HostCheckFlow.java
index dc00a363b74..c11e47d5c33 100644
--- a/core/src/main/java/google/registry/flows/host/HostCheckFlow.java
+++ b/core/src/main/java/google/registry/flows/host/HostCheckFlow.java
@@ -65,6 +65,7 @@ public EppResponse run() throws EppException {
         ForeignKeyUtils.loadKeys(Host.class, hostnames, clock.nowUtc()).keySet();
     ImmutableList.Builder<HostCheck> checks = new ImmutableList.Builder<>();
     for (String hostname : hostnames) {
+      HostFlowUtils.validateHostName(hostname);
       boolean unused = !existingIds.contains(hostname);
       checks.add(HostCheck.create(unused, hostname, unused ? null : "In use"));
     }
diff --git a/core/src/main/java/google/registry/flows/host/HostFlowUtils.java b/core/src/main/java/google/registry/flows/host/HostFlowUtils.java
index 5652a9a60b1..1c1d32f8c39 100644
--- a/core/src/main/java/google/registry/flows/host/HostFlowUtils.java
+++ b/core/src/main/java/google/registry/flows/host/HostFlowUtils.java
@@ -14,12 +14,14 @@
 
 package google.registry.flows.host;
 
+import static google.registry.flows.domain.DomainFlowUtils.validateFirstLabel;
 import static google.registry.model.EppResourceUtils.isActive;
 import static google.registry.model.tld.Tlds.findTldForName;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static java.util.stream.Collectors.joining;
 
 import com.google.common.base.Ascii;
+import com.google.common.base.CharMatcher;
 import com.google.common.net.InternetDomainName;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.AuthorizationErrorException;
@@ -38,6 +40,10 @@
 /** Static utility functions for host flows. */
 public class HostFlowUtils {
 
+  /** Validator for ASCII lowercase letters, digits, and "-_", allowing "." as a separator */
+  private static final CharMatcher HOST_NAME_ALLOWED_CHARS =
+      CharMatcher.inRange('a', 'z').or(CharMatcher.inRange('0', '9').or(CharMatcher.anyOf("-._")));
+
   /** Checks that a host name is valid. */
   public static InternetDomainName validateHostName(String name) throws EppException {
     checkArgumentNotNull(name, "Must specify host name to validate");
@@ -53,6 +59,9 @@ public static InternetDomainName validateHostName(String name) throws EppExcepti
       if (!name.equals(hostNamePunyCoded)) {
         throw new HostNameNotPunyCodedException(hostNamePunyCoded);
       }
+      if (!HOST_NAME_ALLOWED_CHARS.matchesAllOf(name)) {
+        throw new BadHostNameCharacterException();
+      }
       InternetDomainName hostName = InternetDomainName.from(name);
       if (!name.equals(hostName.toString())) {
         throw new HostNameNotNormalizedException(hostName.toString());
@@ -71,6 +80,7 @@ public static InternetDomainName validateHostName(String name) throws EppExcepti
       if (hostName.parts().size() < effectiveTld.parts().size() + 2) {
         throw new HostNameTooShallowException();
       }
+      validateFirstLabel(hostName.parts().getFirst());
       return hostName;
     } catch (IllegalArgumentException e) {
       throw new InvalidHostNameException();
@@ -180,4 +190,11 @@ public HostNameNotNormalizedException(String expectedHostName) {
           String.format("Host names must be in normalized format; expected %s", expectedHostName));
     }
   }
+
+  /** Host names can only contain a-z, 0-9, '.', '_', and '-'. */
+  static class BadHostNameCharacterException extends ParameterValueSyntaxErrorException {
+    public BadHostNameCharacterException() {
+      super("Host names can only contain a-z, 0-9, '.', '_', and '-'");
+    }
+  }
 }
diff --git a/core/src/test/java/google/registry/flows/host/HostCheckFlowTest.java b/core/src/test/java/google/registry/flows/host/HostCheckFlowTest.java
index ca1d69426fe..4d8bc24d07f 100644
--- a/core/src/test/java/google/registry/flows/host/HostCheckFlowTest.java
+++ b/core/src/test/java/google/registry/flows/host/HostCheckFlowTest.java
@@ -20,7 +20,9 @@
 import static google.registry.testing.EppExceptionSubject.assertAboutEppExceptions;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
+import com.google.common.collect.ImmutableMap;
 import google.registry.flows.EppException;
+import google.registry.flows.EppException.ParameterValueSyntaxErrorException;
 import google.registry.flows.FlowUtils.NotLoggedInException;
 import google.registry.flows.ResourceCheckFlowTestCase;
 import google.registry.flows.exceptions.TooManyResourceChecksException;
@@ -95,4 +97,36 @@ void testIcannActivityReportField_getsLogged() throws Exception {
     runFlow();
     assertIcannReportingActivityFieldLogged("srs-host-check");
   }
+
+  @Test
+  void testFailure_dotHost() throws Exception {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", ".host"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
+
+  @Test
+  void testFailure_dashHost() {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", "-host"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
+
+  @Test
+  void testFailure_underscoreHost() {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", "_host"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
+
+  @Test
+  void testFailure_hostDash() {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", "host-"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
 }
diff --git a/core/src/test/java/google/registry/flows/host/HostCreateFlowTest.java b/core/src/test/java/google/registry/flows/host/HostCreateFlowTest.java
index 8297737e232..f466db2ec07 100644
--- a/core/src/test/java/google/registry/flows/host/HostCreateFlowTest.java
+++ b/core/src/test/java/google/registry/flows/host/HostCreateFlowTest.java
@@ -39,12 +39,12 @@
 import google.registry.flows.exceptions.ResourceCreateContentionException;
 import google.registry.flows.host.HostCreateFlow.SubordinateHostMustHaveIpException;
 import google.registry.flows.host.HostCreateFlow.UnexpectedExternalHostIpException;
+import google.registry.flows.host.HostFlowUtils.BadHostNameCharacterException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotLowerCaseException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotNormalizedException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotPunyCodedException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooLongException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooShallowException;
-import google.registry.flows.host.HostFlowUtils.InvalidHostNameException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainDoesNotExistException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainInPendingDeleteException;
 import google.registry.model.ForeignKeyUtils;
@@ -286,7 +286,7 @@ private void doFailingHostNameTest(String hostName, Class<? extends EppException
 
   @Test
   void testFailure_badCharacter() {
-    doFailingHostNameTest("foo bar", InvalidHostNameException.class);
+    doFailingHostNameTest("foo bar", BadHostNameCharacterException.class);
   }
 
   @Test
diff --git a/core/src/test/java/google/registry/flows/host/HostUpdateFlowTest.java b/core/src/test/java/google/registry/flows/host/HostUpdateFlowTest.java
index fba77b4bcfa..84b7bf8f466 100644
--- a/core/src/test/java/google/registry/flows/host/HostUpdateFlowTest.java
+++ b/core/src/test/java/google/registry/flows/host/HostUpdateFlowTest.java
@@ -54,13 +54,13 @@
 import google.registry.flows.ResourceFlowUtils.StatusNotClientSettableException;
 import google.registry.flows.exceptions.ResourceHasClientUpdateProhibitedException;
 import google.registry.flows.exceptions.ResourceStatusProhibitsOperationException;
+import google.registry.flows.host.HostFlowUtils.BadHostNameCharacterException;
 import google.registry.flows.host.HostFlowUtils.HostDomainNotOwnedException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotLowerCaseException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotNormalizedException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotPunyCodedException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooLongException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooShallowException;
-import google.registry.flows.host.HostFlowUtils.InvalidHostNameException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainDoesNotExistException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainInPendingDeleteException;
 import google.registry.flows.host.HostUpdateFlow.CannotAddIpToExternalHostException;
@@ -1259,7 +1259,7 @@ private void doFailingHostNameTest(String hostName, Class<? extends EppException
 
   @Test
   void testFailure_renameToBadCharacter() throws Exception {
-    doFailingHostNameTest("foo bar", InvalidHostNameException.class);
+    doFailingHostNameTest("foo bar", BadHostNameCharacterException.class);
   }
 
   @Test
diff --git a/core/src/test/java/google/registry/rdap/RdapNameserverActionTest.java b/core/src/test/java/google/registry/rdap/RdapNameserverActionTest.java
index 1a9a8e6e776..4c916313f26 100644
--- a/core/src/test/java/google/registry/rdap/RdapNameserverActionTest.java
+++ b/core/src/test/java/google/registry/rdap/RdapNameserverActionTest.java
@@ -74,7 +74,9 @@ void testInvalidNameserver_returns400() {
         .that(generateActualJson("invalid/host/name"))
         .isEqualTo(
             generateExpectedJsonError(
-                "invalid/host/name is not a valid nameserver: Invalid host name", 400));
+                "invalid/host/name is not a valid nameserver: Host names can only contain a-z, 0-9,"
+                    + " '.', '_', and '-'",
+                400));
     assertThat(response.getStatus()).isEqualTo(400);
   }
 
diff --git a/core/src/test/resources/google/registry/flows/host/host_check_50.xml b/core/src/test/resources/google/registry/flows/host/host_check_50.xml
index 8ddf873ad27..6e3d192a76d 100644
--- a/core/src/test/resources/google/registry/flows/host/host_check_50.xml
+++ b/core/src/test/resources/google/registry/flows/host/host_check_50.xml
@@ -3,56 +3,56 @@
     <check>
       <host:check
        xmlns:host="urn:ietf:params:xml:ns:host-1.0">
-        <host:name>www1.tld</host:name>
-        <host:name>www2.tld</host:name>
-        <host:name>www3.tld</host:name>
-        <host:name>www4.tld</host:name>
-        <host:name>www5.tld</host:name>
-        <host:name>www6.tld</host:name>
-        <host:name>www7.tld</host:name>
-        <host:name>www8.tld</host:name>
-        <host:name>www9.tld</host:name>
-        <host:name>www10.tld</host:name>
-        <host:name>www11.tld</host:name>
-        <host:name>www12.tld</host:name>
-        <host:name>www13.tld</host:name>
-        <host:name>www14.tld</host:name>
-        <host:name>www15.tld</host:name>
-        <host:name>www16.tld</host:name>
-        <host:name>www17.tld</host:name>
-        <host:name>www18.tld</host:name>
-        <host:name>www19.tld</host:name>
-        <host:name>www20.tld</host:name>
-        <host:name>www21.tld</host:name>
-        <host:name>www22.tld</host:name>
-        <host:name>www23.tld</host:name>
-        <host:name>www24.tld</host:name>
-        <host:name>www25.tld</host:name>
-        <host:name>www26.tld</host:name>
-        <host:name>www27.tld</host:name>
-        <host:name>www28.tld</host:name>
-        <host:name>www29.tld</host:name>
-        <host:name>www30.tld</host:name>
-        <host:name>www31.tld</host:name>
-        <host:name>www32.tld</host:name>
-        <host:name>www33.tld</host:name>
-        <host:name>www34.tld</host:name>
-        <host:name>www35.tld</host:name>
-        <host:name>www36.tld</host:name>
-        <host:name>www37.tld</host:name>
-        <host:name>www38.tld</host:name>
-        <host:name>www39.tld</host:name>
-        <host:name>www40.tld</host:name>
-        <host:name>www41.tld</host:name>
-        <host:name>www42.tld</host:name>
-        <host:name>www43.tld</host:name>
-        <host:name>www44.tld</host:name>
-        <host:name>www45.tld</host:name>
-        <host:name>www46.tld</host:name>
-        <host:name>www47.tld</host:name>
-        <host:name>www48.tld</host:name>
-        <host:name>www49.tld</host:name>
-        <host:name>www50.tld</host:name>
+        <host:name>ns1.www1.tld</host:name>
+        <host:name>ns1.www2.tld</host:name>
+        <host:name>ns1.www3.tld</host:name>
+        <host:name>ns1.www4.tld</host:name>
+        <host:name>ns1.www5.tld</host:name>
+        <host:name>ns1.www6.tld</host:name>
+        <host:name>ns1.www7.tld</host:name>
+        <host:name>ns1.www8.tld</host:name>
+        <host:name>ns1.www9.tld</host:name>
+        <host:name>ns1.www10.tld</host:name>
+        <host:name>ns1.www11.tld</host:name>
+        <host:name>ns1.www12.tld</host:name>
+        <host:name>ns1.www13.tld</host:name>
+        <host:name>ns1.www14.tld</host:name>
+        <host:name>ns1.www15.tld</host:name>
+        <host:name>ns1.www16.tld</host:name>
+        <host:name>ns1.www17.tld</host:name>
+        <host:name>ns1.www18.tld</host:name>
+        <host:name>ns1.www19.tld</host:name>
+        <host:name>ns1.www20.tld</host:name>
+        <host:name>ns1.www21.tld</host:name>
+        <host:name>ns1.www22.tld</host:name>
+        <host:name>ns1.www23.tld</host:name>
+        <host:name>ns1.www24.tld</host:name>
+        <host:name>ns1.www25.tld</host:name>
+        <host:name>ns1.www26.tld</host:name>
+        <host:name>ns1.www27.tld</host:name>
+        <host:name>ns1.www28.tld</host:name>
+        <host:name>ns1.www29.tld</host:name>
+        <host:name>ns1.www30.tld</host:name>
+        <host:name>ns1.www31.tld</host:name>
+        <host:name>ns1.www32.tld</host:name>
+        <host:name>ns1.www33.tld</host:name>
+        <host:name>ns1.www34.tld</host:name>
+        <host:name>ns1.www35.tld</host:name>
+        <host:name>ns1.www36.tld</host:name>
+        <host:name>ns1.www37.tld</host:name>
+        <host:name>ns1.www38.tld</host:name>
+        <host:name>ns1.www39.tld</host:name>
+        <host:name>ns1.www40.tld</host:name>
+        <host:name>ns1.www41.tld</host:name>
+        <host:name>ns1.www42.tld</host:name>
+        <host:name>ns1.www43.tld</host:name>
+        <host:name>ns1.www44.tld</host:name>
+        <host:name>ns1.www45.tld</host:name>
+        <host:name>ns1.www46.tld</host:name>
+        <host:name>ns1.www47.tld</host:name>
+        <host:name>ns1.www48.tld</host:name>
+        <host:name>ns1.www49.tld</host:name>
+        <host:name>ns1.www50.tld</host:name>
       </host:check>
     </check>
     <clTRID>ABC-12345</clTRID>
diff --git a/core/src/test/resources/google/registry/flows/host/host_check_generic.xml b/core/src/test/resources/google/registry/flows/host/host_check_generic.xml
new file mode 100644
index 00000000000..4418fd34315
--- /dev/null
+++ b/core/src/test/resources/google/registry/flows/host/host_check_generic.xml
@@ -0,0 +1,11 @@
+<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
+    <command>
+        <check>
+            <host:check
+                    xmlns:host="urn:ietf:params:xml:ns:host-1.0">
+                <host:name>%HOSTNAME%</host:name>
+            </host:check>
+        </check>
+        <clTRID>ABC-12345</clTRID>
+    </command>
+</epp>