Comment by albert_e

Depending on what you understand by the term "prefix" you can dramatically shrink the search space without doing any thinking.

As I understand it, yeah, there's a way to ask the .ai nameserver for its entire "zone" (the mapping from domain names to... everything else). That's a "zone transfer" a.k.a. "AXFR" request, which you can make by first locating a nameserver that knows about .ai:

    $ dig NS ai.

Now you have the names of .ai's nameservers, and the glue records for some of them:

    ;; ADDITIONAL SECTION:
    v0n3.nic.ai.  107 IN A 199.115.155.1
    v0n3.nic.ai.  107 IN AAAA 2001:500:a3::1
    v0n0.nic.ai.  7 IN A 199.115.152.1

Now you ask that nameserver for a zone transfer:

    $ dig AXFR ai. @199.115.155.1

...And it quickly says "no, not to you; I don't know you and so I'm not going to spend the bandwidth to tell you all that."

    ; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> AXFR ai. @199.115.155.1
    ;; global options: +cmd
    ; Transfer failed.

But hey, that's how you'd ask. Now, if you were on the nameserver's whitelist, you'd see the whole zone, and the answer to the blog's puzzle would be somewhere in there. (But note that the answer is also at the end of TFA; you don't have to solve it yourself if you don't want to.)

I wouldn't use the words "API access" to describe "permission to make AXFR requests," but yeah, it's the same general idea: if you're not on the list, you can't do the thing.

More than I care to know about AXFR: https://cr.yp.to/djbdns/axfr-notes.html