On October 21, 2016, the Mirai botnet launched a DDoS attack against Dyn, a managed DNS provider. Twitter went down. GitHub went down. Netflix, Reddit, Spotify, and dozens of other major services went dark. The attack didn't target any of these companies directly — it targeted the DNS provider they all shared.
That was nearly a decade ago. I wanted to know: has the internet learned anything from Dyn? So I analyzed DNS provider distribution across 240.3 million domains in 1,929 TLDs to measure how concentrated DNS hosting is today. The answer is sobering. 112 TLDs have a single provider controlling more than half their domains. The conditions that made the Dyn attack devastating are still present — in some cases, they're worse.
For the current provider concentration data by TLD, see the provider concentration dashboard. For provider market share rankings, see DNS provider rankings. This article explores the failure scenarios — what actually happens when concentrated DNS infrastructure goes down.
The Anatomy of a DNS Provider Failure
When a DNS provider goes down, the failure cascades in ways that aren't obvious until you trace the dependency chain:
T+0 seconds: Provider goes offline. Name servers stop responding to queries. This could be a DDoS attack, a BGP misconfiguration, a software bug, or hardware failure.
T+0 to T+30 seconds: Resolvers detect the failure. Recursive resolvers (Google, Cloudflare, ISPs) send queries to the provider's name servers and get timeouts. They retry. More timeouts.
T+30 seconds to T+5 minutes: Cached records still work. Any resolver that has the domain's records in cache continues to serve them. Domains with high TTLs (3600s or more) are temporarily shielded. Domains with low TTLs (60-300s) start failing as caches expire.
T+5 to T+60 minutes: Cascading failures begin. As caches expire, more domains become unreachable. Each failed DNS lookup triggers downstream failures:
- Websites return connection errors
- Email bounces with temporary failures
- API calls time out, breaking dependent services
- Authentication systems fail (OAuth callbacks, SSO redirects)
- Payment processors can't reach merchant domains
- CDN edge nodes can't resolve origin servers
T+1 hour+: The long tail. Even after the provider recovers, stale negative caches (NXDOMAIN responses that resolvers cached during the outage) continue to block resolution for some clients. Recovery is not instantaneous — it trails the outage by the TTL of the negative cache entries.
This is what happened with Dyn in 2016. It's what happened during the Cloudflare outage on June 21, 2022 (BGP misconfiguration). And it's what happened during the CenturyLink/Lumen BGP leak in August 2020. The pattern repeats because the underlying concentration hasn't changed.
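The cache-expiry dynamics in the timeline above, as an added example that is not from the article: a Python model of a constructed population of 300 domains at a single provider (100 each at TTL 60, 300 and 3600 seconds), with the 90-minute outage length and a 300-second negative-cache lifetime as assumed parameters.

```python
"""Model of how a DNS provider outage propagates as resolver caches expire.

Constructed scenario, not data from the article: 300 domains at one provider,
100 each with TTL 60, 300 and 3600, whose cache entries were refreshed evenly
across the last TTL seconds before the outage begins at t=0."""
from dataclasses import dataclass

@dataclass
class CachedRecord:
    domain: str
    ttl: int        # record TTL in seconds
    cached_at: int  # last refresh time in seconds; t=0 is the outage start

def build_population(n_per_ttl=100, ttls=(60, 300, 3600)):
    pop = []
    for ttl in ttls:
        for i in range(n_per_ttl):
            age = (ttl * i) // n_per_ttl       # refreshed between 0 and ~1 TTL ago
            pop.append(CachedRecord(f"d{i}.ttl{ttl}.example", ttl, -age))
    return pop

def resolvable(rec, t, recover_at, neg_ttl):
    """True if a resolver can still answer for rec at time t.

    The provider is down from t=0 until recover_at. neg_ttl is the assumed
    lifetime of the failure a resolver caches when its lookup fails."""
    expires = rec.cached_at + rec.ttl
    if t < expires:
        return True                        # still served from cache
    if expires >= recover_at:
        return True                        # cache outlived the outage
    return t >= recover_at + neg_ttl       # down until the cached failure ages out

def availability(pop, t, recover_at=5400, neg_ttl=300):
    """Fraction of domains resolvable t seconds after the outage starts."""
    return sum(resolvable(r, t, recover_at, neg_ttl) for r in pop) / len(pop)

def first_time_below(pop, threshold, recover_at=5400, neg_ttl=300):
    """First second at which availability drops below threshold (None if never)."""
    for t in range(recover_at + neg_ttl + 1):
        if availability(pop, t, recover_at, neg_ttl) < threshold:
            return t
    return None

if __name__ == "__main__":
    pop = build_population()
    for t in (30, 300, 3600, 5400, 5700):
        print(f"T+{t:>5}s  {availability(pop, t):.1%} of domains resolvable")
    print("majority of domains unreachable from T+%ss" % first_time_below(pop, 0.5))
```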
Why TLD-Level Concentration Matters
Global DNS provider market share looks reasonably distributed — GoDaddy at 18.49%, Cloudflare at 11.21%, no single provider above 20%. But this global view is misleading because domains don't fail globally; they fail by TLD ecosystem.
When I measure concentration at the TLD level, the picture is very different. Some TLDs have provider diversity. Others are essentially single-vendor ecosystems.
The numbers: 36 TLDs have a single provider above 90%. 62 above 70%. 112 above 50%. For those 112 TLDs, a single provider outage doesn't just affect "some" domains — it takes out the majority.
Consider .shop with over 1.1 million domains and 62% at a single provider. Or .top with over 4.2 million domains and nearly 59% at one provider. These aren't obscure TLDs — they're in the top 10 by domain count. An outage at the dominant provider in either case would be a headline event.
Browse the full TLD-level concentration data, including HHI scores, on the provider concentration dashboard.
Case Study: What a Cloudflare-Scale Outage Looks Like Today
Cloudflare hosts 28.9 million domains — 11.21% of all domains in the dataset. But their share isn't evenly distributed across TLDs. In some TLDs, Cloudflare's share exceeds 50%, meaning a Cloudflare outage would take down the majority of that TLD's DNS resolution.
During the June 2022 Cloudflare outage (caused by a BGP route change gone wrong), resolution failed for domains across all TLDs where Cloudflare was the DNS provider. The outage lasted about 90 minutes. For TLDs where Cloudflare controls the majority of domains, those 90 minutes meant the TLD itself was functionally offline.
Now imagine a sustained attack. Not 90 minutes, but 90 hours. Persistent DDoS against Cloudflare's authoritative DNS infrastructure, targeting the anycast prefixes that serve their name servers. At 28.9 million domains, this would be the largest DNS outage in internet history — and for high-concentration TLDs, it would be indistinguishable from the TLD itself being down.
The Compounding Dependencies
DNS concentration risk is worse than it appears because DNS providers aren't just DNS providers. Modern infrastructure stacks create dependency chains:
Cloudflare provides DNS + CDN + WAF + DDoS protection + Workers. When Cloudflare DNS goes down, domains can't resolve, but they also lose their CDN (so even if DNS is restored via failover, the origin server may be overloaded), their WAF (exposing the origin to attacks during the outage), and their edge compute (breaking application logic).
GoDaddy provides DNS + hosting + email + website builder. Their 47.7 million domains include millions where GoDaddy provides the complete stack. A GoDaddy DNS outage doesn't just break resolution — it breaks the entire web presence.
This means multi-provider DNS — the standard recommendation for concentration risk — only partially mitigates the problem. If your Cloudflare DNS failover works but your Cloudflare CDN is also down, your domain resolves to an IP that serves errors.
The HHI Framework: Measuring Market Power in DNS
I use the Herfindahl-Hirschman Index (HHI) to quantify concentration beyond just the top provider's share. HHI sums the squared market shares of all providers in a TLD. The U.S. Department of Justice uses HHI to assess market concentration in antitrust cases — the same framework applies to DNS.
- HHI below 1,500 — Competitive market. Multiple providers, no single point of failure. Most major gTLDs (.com, .net, .org) fall here.
- HHI 1,500–2,500 — Moderately concentrated. A few providers dominate but alternatives exist.
- HHI 2,500–5,000 — Highly concentrated. One or two providers control the market. Outage risk is significant.
- HHI above 5,000 — Near-monopoly. Effectively a single provider. Any outage is a total TLD outage.
The TLDs I've flagged with the highest concentration have HHI values of 3,000 to 5,000+ — well into the "highly concentrated" and "near-monopoly" ranges. For comparison, the U.S. DOJ considers HHI above 2,500 to indicate a market where mergers require scrutiny. By that standard, dozens of TLDs have DNS markets that would trigger antitrust review.
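The HHI calculation and bands above, as an added example that is not the article's code or data: provider counts for two hypothetical TLDs are constructed, and the block also shows the lower bound that a top provider's share alone implies (a 62% share, as in the .shop figure above, already puts a TLD at HHI 3,844 or higher).

```python
# Added example (not the article's code or data): Herfindahl-Hirschman Index
# for DNS provider shares within one TLD, using the bands from the article.
# The provider counts and names below are constructed, not measured.

HHI_BANDS = [          # (exclusive upper bound, label)
    (1500, "competitive"),
    (2500, "moderately concentrated"),
    (5000, "highly concentrated"),
]
NEAR_MONOPOLY = "near-monopoly"   # HHI of 5000 and above

CONCENTRATED_TLD = {"prov-a": 6200, "prov-b": 1500, "prov-c": 1000,
                    "prov-d": 800, "prov-e": 500}
COMPETITIVE_TLD = {"p1": 2000, "p2": 1800, "p3": 1500, "p4": 1200,
                   "p5": 1000, "p6": 1000, "p7": 800, "p8": 700}

def shares_pct(provider_counts):
    """Market share of each provider as a percentage of the TLD's domains."""
    total = sum(provider_counts.values())
    if total <= 0:
        raise ValueError("TLD has no domains")
    return {p: 100.0 * n / total for p, n in provider_counts.items()}

def hhi(provider_counts):
    """Sum of squared percentage shares: 10,000 for a monopoly, near 0 for many tiny providers."""
    return sum(s ** 2 for s in shares_pct(provider_counts).values())

def hhi_band(value):
    for upper, label in HHI_BANDS:
        if value < upper:
            return label
    return NEAR_MONOPOLY

def hhi_lower_bound(top_share_pct):
    """HHI implied by the top provider alone; every other provider only adds to it."""
    return top_share_pct ** 2

def equivalent_providers(value):
    """Number of equal-sized providers that would produce this HHI (10,000 / HHI)."""
    return 10_000 / value

def report(provider_counts):
    shares = shares_pct(provider_counts)
    top, top_pct = max(shares.items(), key=lambda kv: kv[1])
    h = hhi(provider_counts)
    return {"hhi": round(h), "band": hhi_band(h), "top_provider": top,
            "top_share_pct": round(top_pct, 2),
            "equivalent_providers": round(equivalent_providers(h), 2)}

if __name__ == "__main__":
    for name, counts in (("concentrated", CONCENTRATED_TLD), ("competitive", COMPETITIVE_TLD)):
        print(name, report(counts))
    print("62% top share implies HHI >=", hhi_lower_bound(62), hhi_band(hhi_lower_bound(62)))
```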
Why Concentration Persists
If concentration is so risky, why does it persist? Several structural factors:
Registrar bundling. Most domain owners register a domain and get DNS hosting bundled for free. They never think about DNS as a separate service because it comes with the registration. This means the largest registrars (GoDaddy, Namecheap, IONOS) automatically become the largest DNS providers.
Migration friction. Moving DNS to a different provider requires changing NS records at the registrar, recreating all zone records at the new provider, and waiting for propagation. This takes effort and creates a risk window. Most domain owners never bother.
Pricing. Premium DNS services (NS1, DNSimple, Route 53) charge monthly fees. The bundled DNS from registrars is free. For the millions of domains that cost $10/year to register, paying $5/month for DNS doesn't make economic sense.
Multi-provider complexity. Running DNS across two providers requires zone synchronization, monitoring, and failover logic. This is operationally complex and not well-supported by most registrar interfaces. Only enterprises with dedicated DNS teams typically maintain multi-provider setups.
Practical Resilience: What Actually Helps
For Critical Domains
If your domain is business-critical (revenue-generating, customer-facing, authentication infrastructure), the investment in multi-provider DNS is worth it:
- Primary + secondary DNS. Configure your domain with NS records from two independent providers. Use zone transfer (AXFR/IXFR) or API sync to keep records consistent. If one provider goes down, the other continues serving.
- DNS provider on different infrastructure. Ensure your two DNS providers use different networks, different anycast prefixes, and different hosting infrastructure. Two providers that share the same upstream transit don't provide real independence.
For All Domains
- Set reasonable TTLs. During an outage, cached records are your lifeline. A TTL of 3600 (1 hour) gives you a buffer. A TTL of 60 seconds means you're exposed almost immediately.
- Monitor NS responsiveness. Use external monitoring that queries your name servers from multiple locations. An alert on NS timeout lets you respond before users notice.
- Know your TLD's concentration. Before registering a domain, check whether the TLD has healthy provider diversity. A domain under a concentrated TLD inherits that systemic risk regardless of your own DNS configuration.
For the Ecosystem
- Registries should publish concentration metrics. If ICANN required registries to report HHI or top-provider share as part of their annual compliance, it would create transparency and pressure for improvement.
- Registrars should make multi-provider DNS easier. A registrar that offers one-click setup for secondary DNS with a partner provider would differentiate itself on resilience.
- The research community should model correlated failures. The interaction between DNS concentration, BGP routing concentration, and CDN dependency creates failure scenarios that are poorly understood and under-researched.
For live provider concentration data across all TLDs, see the provider concentration dashboard. For provider market share rankings, see DNS provider rankings. To explore individual providers, visit the provider directory.
