Analyzing Reverse Lookup Nameservers within AFRINIC (2021-01)

We recently looked at 57 ccTLDs for countries within AFRINIC. For the nameservers whose IPv4 addresses fall within resources managed by AFRINIC (41/8, 102/8, 105/8, 196/8, 197/8), we further analyzed the DNS for the in-addr.arpa reverse lookups using our auditing tool. We identified 35 unique anomalies (out of 95+) based on IETF/RFC standards and best practices, registry policies, government mandates, and vendor guidelines. This is a summary of some of that analysis.

The recursion depth for resolving was six levels deep -- which may be beyond maximums for some iterative resolvers.

The nameservers for and return Recursion Available flag (RA) for authoritative tests. These are open resolvers: (, (, and (

Two domains only have a single nameserver: and

Several domains had nameservers that timed out:,, and ( ( and ( and ( ( UDP only). ('s nameserver ( REFUSED to provide an answer.'s nameserver ( also REFUSED to provide an answer.

Several domains were only hosted from nameservers within single topological networks:,,,,,,, and

Only one domain was DNSSEC enabled:

Some of the above may result in lame delegations. Several other domains also returned NXDOMAIN, but we are ignoring that in this report. If you have any questions or would like us to analyze your domains and nameservers, let us know.
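The per-server and per-zone checks summarized above (RA flag on an authoritative test, REFUSED, timeouts, single nameserver, single network) can be sketched as follows. This is an added example, not the auditing tool described in this report; the replies are constructed 12-byte DNS headers, the addresses come from documentation ranges, and treating "same /24" as "same topological network" is an assumption.

```python
import ipaddress
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def hdr(flags):
    """Build a constructed 12-byte DNS header (ID 0x1234, one question)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

def header_findings(reply):
    """Anomalies in one reply to a non-recursive query (None = timeout)."""
    if reply is None:
        return ["timeout"]
    if len(reply) < 12:
        return ["short reply"]
    flags = struct.unpack("!H", reply[2:4])[0]
    found = []
    if flags & 0x0080:                  # RA bit: server offers recursion
        found.append("RA set")
    if not flags & 0x0400:              # AA bit: answer is not authoritative
        found.append("AA clear")
    rcode = flags & 0x000F
    if rcode:
        found.append("rcode " + RCODES.get(rcode, str(rcode)))
    return found

def zone_findings(ns_replies, prefix_len=24):
    """Zone-level checks; ns_replies maps nameserver IPv4 -> reply bytes or None."""
    addrs = list(ns_replies)
    nets = {ipaddress.ip_network(f"{a}/{prefix_len}", strict=False) for a in addrs}
    found = []
    if len(addrs) < 2:
        found.append("single nameserver")
    elif len(nets) == 1:
        found.append("single network")  # assumption: same /24 = same network
    # Servers with any finding other than RA did not answer authoritatively.
    bad = sum(1 for r in ns_replies.values() if set(header_findings(r)) - {"RA set"})
    if bad:
        found.append(f"{bad}/{len(addrs)} servers gave no authoritative answer")
    return found

# Constructed sample: one server with RA set, one REFUSED, one timeout.
SAMPLE = {"192.0.2.10": hdr(0x8480), "192.0.2.20": hdr(0x8005), "192.0.2.30": None}

if __name__ == "__main__":
    for ns, reply in SAMPLE.items():
        print(ns, header_findings(reply))
    print("zone", zone_findings(SAMPLE))
```
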

We previously audited 9500 domains within ccTLDs in the AFRINIC region from a recent Tranco Top Million list. Our DNS test suite found 71 unique anomalies and well over 100000 issues, such as recursion depth exceeding resolver default, private IP addresses for nameservers, responses from different IP addresses, 6to4 addresses, IPv4-mapped addresses, responses from non-authoritative resolvers, expired DNSSEC signatures, repeated domain names (missing dot), root referrals, and 60 other problems. What do you use to check your DNS?