Summary of Analysis for Single Top Ranked Domain for Each TLD

DNS Institute analyzed the top domain (as ranked by Tranco) for 1020 TLDs (within the Tranco list) with our comprehensive DNS auditing system. Of these, 92 were not currently registered domains (implying the Tranco sources may have mistakes). This research is about domains that have specific delegation and SOA records. Another four of the names aren't delegated domains (they are CNAMEs directly under the TLDs).

We identified 50 unique DNS problems or anomalies, for a total of 61,733 issues detected (out of only 1020 names analyzed). This article highlights some of the interesting problems, looking at only a single domain for each TLD.

Eight domains didn't have working TCP (over IPv4): 360.cn, bswhealth.med, btkitty.bid, google.com.jm, google.com.kh, patria.org.ve, teensex.sexy, and times.co.sz. For example, the six nameservers tested for 360.cn all had TCP timeouts.

Four domains had nameservers that returned an RA (Recursion Available) flag: ami.mr, kcna.kp, times.co.sz, and www.gov.bm. This was for seven nameserver IP addresses. Of these, four were open resolvers.

26 domains had multiple nameservers using the same IPv4 address or had delegations that again delegated to some of the same nameservers already seen. Nine domains also had repeated IPv6 nameserver addresses. For example, hotel.democrat's nameservers ns1.selectel.org and ns3.selectel.org have the same address.

Twenty domains had only one working nameserver over IPv4 using UDP, and 23 domains had only one over IPv4 using TCP. 21 domains had only one over IPv6 using UDP, and 19 domains had only one working nameserver over IPv6 using TCP.

103 domains were served from IPv4 nameservers in only one topological (same ASN) network, and 321 domains were served from only one IPv6 network.

One domain, xn--mgbbb9a1b0dvb.xn--wgbh1c, published an internal or reserved domain in its SOA MNAME.

77 of the domains had DNSSEC signatures. Three of these domains used a non-recommended RSA/SHA-1 algorithm: activitypub.actor, mp3-youtube.download, and nih.gov. Twenty of the DNSSEC-signed domains were set to expire within three days.
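The two DNSSEC checks above can be run against RRSIG records in presentation format. The following is an added example, not the DNS Institute analyzer's code. It assumes the three-day figure refers to RRSIG expiration, and the example.test records and signature strings are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# IANA DNSSEC algorithm numbers that are RSA with SHA-1.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

def _timestamp(field):
    # RFC 4034 allows YYYYMMDDHHmmSS or seconds since the epoch.
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsig(line):
    """Parse one RRSIG record in presentation format (as printed by dig)."""
    fields = line.split()
    rdata = fields[fields.index("RRSIG") + 1:]  # owner, TTL, class come first
    if len(rdata) < 9:
        raise ValueError("truncated RRSIG record: " + line)
    return {"owner": fields[0], "covered": rdata[0], "algorithm": int(rdata[1]),
            "expires": _timestamp(rdata[4]), "signer": rdata[7]}

def audit_rrsigs(lines, now, window=timedelta(days=3)):
    """Return (owner, covered type, issue) for each problem found."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blanks and dig comment lines
        sig = parse_rrsig(line)
        if sig["algorithm"] in SHA1_ALGORITHMS:
            findings.append((sig["owner"], sig["covered"], "sha1-algorithm"))
        if sig["expires"] <= now:
            findings.append((sig["owner"], sig["covered"], "expired"))
        elif sig["expires"] - now <= window:
            findings.append((sig["owner"], sig["covered"], "expires-soon"))
    return findings

# Constructed sample records (example.test, placeholder signatures).
SAMPLE = [
    "example.test. 3600 IN RRSIG SOA 5 2 3600 20210310000000 20210224000000 12345 example.test. Q09OU1RSVUNURUQ=",
    "example.test. 3600 IN RRSIG NS 13 2 3600 20210228120000 20210214120000 54321 example.test. Q09OU1RSVUNURUQ=",
    "example.test. 3600 IN RRSIG A 8 2 3600 20210225000000 20210211000000 54321 example.test. Q09OU1RSVUNURUQ=",
    "example.test. 3600 IN RRSIG MX 13 2 3600 20210320000000 20210226000000 54321 example.test. Q09OU1RSVUNURUQ=",
]
NOW = datetime(2021, 2, 26, tzinfo=timezone.utc)  # constructed audit time

if __name__ == "__main__":
    for finding in audit_rrsigs(SAMPLE, NOW):
        print(*finding)
```
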

744 of the domains had working DNS over IPv6 only — except google.ne and yemen.net.ye didn't have IPv6 over TCP.

This is just a small snapshot of the anomalies seen. The DNS Institute analyzer checks for over 95 anomalies, such as those defined by IETF RFC specifications and best practices, government requirements, and registry guidelines. We have done extensive studies of complete TLDs (all domains for some TLDs, including EDU), thousands of Fortune 500 domains, US government and military domains, and S&P 100 Global banks domains. For further information or to sign up for your domains, contact us today.

We used the full Tranco list generated on February 26, 2021, available at https://tranco-list.eu/list/VG2N. Also see our Popularity Rankings for TLDs.