Summary of Audit of Top Ten Domains for Top TLDs (2021-10)

DNS Institute again used its extensive DNS analysis system to look at the top domains (as ranked by the Tranco 1 Million list) for the top TLDs. We purposely skipped COM, NET, and ORG, but looked at the other 62 TLDs that had at least 1000 domains in the top one million list. The audit covered domains that have an SOA record and their own delegation, that is, actual zones rather than names living inside someone else's zone. Around 100 checks based on IETF RFC standards, registry policies, government mandates, and vendor best practices, including for IPv6 and DNSSEC, were performed.

This analysis identified 55 unique DNS problems or anomalies across the 620 domain names analyzed (the top ten for each of the 62 TLDs). Because each check is repeated against every authoritative nameserver and over each transport (IPv4 and IPv6, UDP and TCP), this came to 41765 individual issues. Sixteen of the listed domain names didn't even exist (the list had bad data). This summary highlights some of the interesting problems.

Fourteen domains did not have working DNS over TCP (on IPv4): 360.cn, 6.cn, aa.com.tr, avacharms.xyz, beian.gov.cn, e-taxes.gov.az, incometax.gov.in, independent.co.uk, isabellacharms.xyz, jobkorea.co.kr, momoshop.com.tw, sapo.pt, tianya.cn, and uidai.gov.in. This amounted to 18 TCP failures from 18 nameservers and 24 TCP timeouts from 23 nameservers, such as 103.58.114.134. TCP support is mandatory for DNS (RFC 7766); without it, a response that is truncated over UDP (common with DNSSEC and large NS sets) cannot be retried, so resolvers may fail to get an answer at all.

Four domains had an NS delegation whose nameserver name had no A record, for example people.com.cn's ns5.people.cn. Such a nameserver can never be reached over IPv4, so it adds nothing but lookup overhead.

Eleven domains had authoritative nameservers that set the Recursion Available (RA) flag in their responses. This covered 20 nameserver IP addresses, such as 94.100.180.138. An authoritative-only server should leave RA clear, so RA set usually means the same host is also acting as a recursive resolver. (We didn't check whether these were open resolvers in this run.)

Six domains had multiple NS delegations that resolved to the same IPv4 address, such as fitgirl-repacks.site's 185.129.100.200; several nameserver names on one address give no more redundancy than a single nameserver. Six domains also had repeated IPv6 nameserver addresses.

Nine domains had only one working nameserver over IPv4/UDP, such as at.ua, and nine had only one working nameserver over IPv4/TCP, such as xn--90adear.xn--p1ai. Over IPv6, 25 domains had only one working nameserver for UDP, such as wp.pl, and 25 had only one for TCP, such as biz.ua. A single working nameserver on a transport is a single point of failure for that transport.

One hundred forty-seven domains did not have working IPv6 nameservers that answered for the domain (over UDP), for example 6.cn. Four hundred seventy-one of the domains did have working DNS over IPv6/UDP.

Sixty-one domains were served by IPv4 nameservers in only one topological network. For IPv6, 186 domains were served from only one topological network. Without network diversity, a single routing or transit outage can take every nameserver for the domain offline at once.

For DNSSEC, 70 of the domains were signed. Twenty-two of these had signatures (RRSIG records) due to expire in less than three days, and one, piwik.pro, in less than one day. Once the signatures expire, validating resolvers treat the domain's data as bogus and stop resolving it, so short remaining lifetimes with no re-signing in sight are an outage waiting to happen.
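Several of the checks above (the RA flag on authoritative answers, nameserver names with no address, multiple NS names sharing one address, a single working nameserver per transport, and RRSIG expiry buckets) are simple to reproduce from the raw observations. The following is an added example written for this summary; it is not DNS Institute's analysis system. It works offline on constructed data: the DNS header bytes, the hypothetical zone "example.test", its nameserver names and addresses, and the RRSIG timestamp are all made up to exercise the checks, not captured from any domain named above.

```python
"""Offline re-implementation of a few checks from the audit above.
Added example, not DNS Institute's tooling. All sample data below is constructed."""
import struct
from datetime import datetime, timedelta, timezone

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000  # response
AA = 0x0400  # authoritative answer
TC = 0x0200  # truncated
RA = 0x0080  # recursion available


def parse_header(response: bytes) -> dict:
    """Decode the fixed 12-byte DNS message header into flags and counts."""
    if len(response) < 12:
        raise ValueError("message shorter than a DNS header")
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", response[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def authoritative_advertises_recursion(response: bytes) -> bool:
    """The RA finding: an authoritative answer (QR+AA) that also sets RA.
    An authoritative-only server should leave RA clear."""
    h = parse_header(response)
    return h["qr"] and h["aa"] and h["ra"]


def rrsig_expiration(presentation: str) -> datetime:
    """Parse an RRSIG Signature Expiration field, YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(presentation, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def signature_expiry_bucket(presentation: str, now: datetime) -> str:
    """Classify remaining signature lifetime the way the summary reports it."""
    remaining = rrsig_expiration(presentation) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining < timedelta(days=1):
        return "under_1_day"
    if remaining < timedelta(days=3):
        return "under_3_days"
    return "ok"


def shared_nameserver_addresses(delegation: dict) -> dict:
    """Addresses that more than one NS name resolves to -> the NS names sharing them."""
    by_addr = {}
    for ns, addrs in delegation.items():
        for a in addrs:
            by_addr.setdefault(a, []).append(ns)
    return {a: sorted(names) for a, names in by_addr.items() if len(names) > 1}


def missing_address(delegation: dict) -> list:
    """NS names in the delegation that resolve to no address at all."""
    return sorted(ns for ns, addrs in delegation.items() if not addrs)


def single_points_of_failure(working: dict) -> list:
    """Transports (e.g. 'ipv4/tcp') on which exactly one nameserver answered."""
    return sorted(t for t, servers in working.items() if len(servers) == 1)


# Constructed sample observations for the hypothetical zone example.test
SAMPLE_RESPONSES = {
    "ns1": bytes.fromhex("1234 8400 0001 0001 0000 0000"),  # QR, AA; RA clear
    "ns2": bytes.fromhex("1234 8480 0001 0001 0000 0000"),  # QR, AA, RA set: flagged
}
SAMPLE_DELEGATION = {
    "ns1.example.test.": {"192.0.2.10"},
    "ns2.example.test.": {"192.0.2.10"},  # same address as ns1: no extra redundancy
    "ns3.example.test.": set(),           # delegated name with no A record
}
SAMPLE_WORKING = {
    "ipv4/udp": {"ns1", "ns2"},
    "ipv4/tcp": {"ns1"},  # only one server answered over TCP
    "ipv6/udp": set(),
    "ipv6/tcp": set(),
}
SAMPLE_NOW = datetime(2021, 10, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_RRSIG_EXPIRY = "20211016060000"  # 18 hours after SAMPLE_NOW


def run_sample() -> dict:
    """Run every check over the constructed sample and collect the findings."""
    return {
        "ra_servers": sorted(n for n, r in SAMPLE_RESPONSES.items()
                             if authoritative_advertises_recursion(r)),
        "shared_addresses": shared_nameserver_addresses(SAMPLE_DELEGATION),
        "no_address": missing_address(SAMPLE_DELEGATION),
        "single_server_transports": single_points_of_failure(SAMPLE_WORKING),
        "rrsig_bucket": signature_expiry_bucket(SAMPLE_RRSIG_EXPIRY, SAMPLE_NOW),
    }


if __name__ == "__main__":
    for finding, value in run_sample().items():
        print(f"{finding}: {value}")
```

To run the same checks against a live zone, replace the constructed dictionaries with real data: query each delegated nameserver over IPv4 and IPv6, UDP and TCP, feed the raw response bytes to parse_header, and take the RRSIG expiration field from the signed SOA at the apex.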

This is only a small snapshot of the thousands of anomalies detected. For further information or to sign up for your domains, contact us today.