Security analysis of 258,641,903+ domains derived from zone file data across hundreds of gTLDs. DNSChkr identifies misconfigurations, delegation failures, and infrastructure vulnerabilities that put domains at risk of hijacking, downtime, or DNS-based attacks.
This dashboard monitors five categories of DNS security findings across every gTLD in the dataset — from typosquatted nameservers that could enable phishing to DNSSEC gaps that leave domains vulnerable to cache poisoning (RFC 5452). Each finding includes severity ratings, affected domain counts, and actionable remediation guidance.
Analysis by Ishan Karunaratne · Data from 2026-04-12
Domains Analyzed: 258,641,903 · Finding Categories: 5 · High Severity Findings: 3 · Snapshot Date: 2026-04-12
As of 2026-04-12, automated analysis of 258,641,903 domains across hundreds of gTLDs reveals five categories of DNS security vulnerabilities. Lame delegations affect 11,069,708 domains whose NS records point to nameservers that do not answer authoritatively for the zone (RFC 1912 Section 2.8), leaving them unresolvable and, once the nameserver's own domain lapses, open to nameserver takeover. Typosquatted nameservers affect 185,587 domains whose NS records carry misspelled provider hostnames that an attacker could register to hijack DNS resolution. DNSSEC adoption stands at just 5.2%, even though signed zones are the only way a validating resolver can detect the forged responses used in cache poisoning (RFC 4033–4035, RFC 5452). Provider concentration analysis shows 37 TLDs with over 90% of domains relying on a single DNS provider, a systemic risk demonstrated by the 2016 Dyn DDoS attack.
| Finding | Severity | Domains / TLDs Affected |
|---|---|---|
| Lame Delegations | high | 11,069,708 domains |
| NS on Risky TLDs | high | 322,510 domains |
| Typosquatted Nameservers | low | 185,587 domains |
| Provider Concentration | low | 37 TLDs |
| DNSSEC Gaps | high | 5.2% adoption |
The DNS (Domain Name System) is the foundation of the internet — it translates domain names to IP addresses. When DNS is misconfigured or compromised, websites become unreachable, email stops working, and users can be silently redirected to malicious servers.
This dashboard analyzes zone files from hundreds of gTLDs we have access to, detecting five categories of DNS security issues:
Lame Delegations: 11,069,708 domains affected (NS records pointing to non-functional nameservers)
Impact: A domain whose listed nameservers are all lame has no functioning DNS and is unreachable. If the nameserver's own domain has expired, whoever registers it can answer for every domain still delegated to it (nameserver takeover).
Mitigation: Query each listed nameserver directly for the zone's SOA with recursion disabled and confirm it returns an authoritative answer (AA flag set). Remove or update any NS record pointing to a host that times out, refuses the query, or answers non-authoritatively.
Each report includes full data tables, per-TLD breakdowns, and analysis methodology. Click through to explore the raw findings.
Reports (all updated 2026-04-12):
- 11 unique typosquatted nameserver variants affecting 185,587 domains
- 11,069,708 domains with lame delegations (4.28% of dataset)
- 7 TLDs with >90% single-provider dependency
- Global DNSSEC adoption at 5.2%
- 322,510 domains using nameservers on high-abuse TLDs
DNS security findings are derived from automated analysis of gTLD zone files — the authoritative records that map domain names to their nameservers. The analysis pipeline processes zone data from hundreds of gTLDs we have access to, covering 258,641,903 domains as of the latest snapshot.
A lame delegation occurs when a domain's NS records point to nameservers that do not actually serve DNS for that domain: the host is unreachable, refuses the query, or answers without the authoritative (AA) flag because it holds no copy of the zone. This happens when the nameserver's domain expires, the hosting account is deleted, or NS records are left stale after a provider migration. Lame delegations are described in RFC 1912 Section 2.8 and are one of the most common DNS misconfigurations.
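The check behind this finding, as an added example that is not part of the original page or of the DNSChkr pipeline: a stdlib-only Python probe that sends a non-recursive SOA query to one nameserver address and classifies the reply the way a lame-delegation scan would (authoritative NOERROR is healthy; timeout, REFUSED, SERVFAIL, or a reply without AA is lame). It assumes the caller has already resolved the NS hostname to an IP; `fake_response` and the packets in the demo are constructed here so the classifier can be exercised offline.

```python
"""Lame-delegation probe (added example, stdlib only).

A delegated nameserver must answer queries for the zone from its own data,
so we send a SOA query with RD=0 and require RCODE=0 plus the AA flag.
Anything else (timeout, REFUSED, SERVFAIL, non-authoritative answer) means
the delegation is lame for that server.
"""
import random
import socket
import struct
from typing import Optional, Tuple

QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(zone: str, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Build a minimal SOA query with recursion NOT desired (flags = 0x0000)."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return txid, header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_header(packet: bytes) -> dict:
    """Pull the fields a lame-delegation check cares about out of the 12-byte header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "ancount": an}


def classify(response: Optional[bytes], expected_id: int) -> str:
    """Return 'ok' for an authoritative NOERROR answer, otherwise 'lame: <reason>'."""
    if response is None:
        return "lame: no response (timeout or unreachable)"
    try:
        h = parse_header(response)
    except ValueError as e:
        return f"lame: {e}"
    if h["id"] != expected_id or not h["qr"]:
        return "lame: mismatched transaction id or not a response"
    if h["rcode"] != 0:
        return f"lame: {RCODE_NAMES.get(h['rcode'], h['rcode'])}"
    if not h["aa"]:
        return "lame: answer is not authoritative (AA=0)"
    return "ok"


def probe(ns_ip: str, zone: str, timeout: float = 2.0) -> str:
    """Send the query over UDP to one nameserver address and classify the reply.
    The caller resolves the NS hostname to ns_ip first (assumption of this example)."""
    txid, packet = build_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (ns_ip, 53))
            response, _ = sock.recvfrom(4096)
        except (socket.timeout, OSError):
            response = None
    return classify(response, txid)


def fake_response(txid: int, aa: bool, rcode: int, zone: str = "example.com") -> bytes:
    """Constructed reply (no real server involved) so classify() runs offline."""
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0x000F)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


if __name__ == "__main__":
    txid, _ = build_query("example.com", txid=0x1234)
    print("healthy   :", classify(fake_response(0x1234, aa=True, rcode=0), txid))
    print("refused   :", classify(fake_response(0x1234, aa=True, rcode=5), txid))
    print("recursive :", classify(fake_response(0x1234, aa=False, rcode=0), txid))
    print("timeout   :", classify(None, txid))
    # Live use against a real server: probe("192.0.2.53", "example.com")
    # (192.0.2.53 is a TEST-NET placeholder, not a real nameserver.)
```

Run it once per NS record: a domain is fully lame only when every listed nameserver comes back `lame`, but a single lame server already degrades resolution and is the case the page's Mitigation step tells you to fix.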
Nameserver typosquatting occurs when a domain's NS records contain misspelled versions of legitimate DNS provider hostnames — for example, "cloudflare.comm" instead of "cloudflare.com". If the typo domain is unregistered, an attacker can register it and gain full control over DNS resolution for every domain pointing to it, enabling phishing, email interception, and traffic hijacking.
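A detector for the pattern described above, as an added example that is not part of the original page or of DNSChkr: it takes zone-file style NS data, reduces each nameserver hostname to its registrable domain, and flags any that sit within a couple of edits of a known provider domain without being that domain, then counts distinct affected domains per typo variant (the shape of the "11 variants, 185,587 domains" figure). The provider list and the sample zone are constructed for the example; the registrable-domain helper is a deliberate simplification (last two labels) and a real scan would use the Public Suffix List.

```python
"""Nameserver typosquat detector (added example, pure Python).

Looks at the registrable part of every NS hostname and flags ones that sit a
short edit distance from a known provider domain but are not that domain.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed list for this example; a real scan would use a curated, larger set.
KNOWN_PROVIDERS = {
    "cloudflare.com", "domaincontrol.com", "registrar-servers.com",
    "googledomains.com", "dnsmadeeasy.com",
}

# Constructed sample of zone-file style NS data: domain -> nameserver hostnames.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "victim-a.example": ["ns1.cloudflare.comm", "ns2.cloudflare.comm"],
    "victim-b.example": ["ns1.cloudfare.com", "ns2.cloudfare.com"],
    "victim-c.example": ["ns1.cloudfare.com"],
    "fine-a.example":   ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"],
    "fine-b.example":   ["ns07.domaincontrol.com", "ns08.domaincontrol.com"],
    "fine-c.example":   ["ns1.smallhost.example"],
}


def registrable(host: str) -> str:
    """Registrable domain of a hostname. Simplification (assumption): last two
    labels; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquats(zone: Dict[str, List[str]], providers: Set[str] = KNOWN_PROVIDERS,
                    max_dist: int = 2) -> List[Tuple[str, str, str, int]]:
    """Return (domain, ns_host, closest_provider, distance) for every NS whose
    registrable domain is within max_dist edits of a provider but is not it."""
    hits = []
    for domain, ns_hosts in zone.items():
        for ns in ns_hosts:
            reg = registrable(ns)
            if reg in providers:
                continue  # exact match: the real provider, nothing to flag
            closest = min(providers, key=lambda p: edit_distance(reg, p))
            d = edit_distance(reg, closest)
            if 0 < d <= max_dist:
                hits.append((domain, ns, closest, d))
    return hits


def summarize(hits: List[Tuple[str, str, str, int]]) -> Dict[str, int]:
    """Unique typo variants -> number of distinct domains delegated to each."""
    domains_by_variant: Dict[str, Set[str]] = defaultdict(set)
    for domain, ns, _, _ in hits:
        domains_by_variant[registrable(ns)].add(domain)
    return {v: len(ds) for v, ds in sorted(domains_by_variant.items())}


if __name__ == "__main__":
    hits = find_typosquats(SAMPLE_ZONE)
    for domain, ns, closest, d in hits:
        print(f"{domain}: NS {ns} is {d} edit(s) from {closest}")
    print(summarize(hits))
    # Next step (not shown): look up each variant via RDAP/WHOIS; an
    # unregistered variant is an open nameserver takeover.
```

The edit-distance threshold is the tuning knob: 1 catches dropped or doubled letters, 2 also catches transpositions and most homoglyph swaps, and anything higher starts flagging legitimately different providers.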
DNSSEC (DNS Security Extensions, RFC 4033–4035) adds cryptographic signatures to DNS data, allowing a validating resolver to verify that a response was not altered in transit or forged. Protection depends on both ends: the zone must be signed with a DS record published in the parent zone, and the resolver must actually validate. Without DNSSEC, domains are vulnerable to cache poisoning attacks in which an attacker injects forged DNS responses to redirect users to malicious servers, with no visible warning to the user.
When a large percentage of domains under a single TLD rely on one DNS provider, an outage or compromise at that provider becomes a single point of failure for the entire TLD. The 2016 Dyn DDoS attack demonstrated this risk — taking down major sites including Twitter, GitHub, and Netflix due to DNS provider concentration.
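The per-TLD concentration measurement, as an added example that is not part of the original page or of DNSChkr: from (domain, nameserver) pairs as they appear in a zone file it computes, for each TLD, the share of domains whose nameservers all sit under one provider's registrable domain, and flags TLDs above 90%. A domain with nameservers at two providers (the secondary-DNS setup recommended as mitigation) is counted as not dependent on either. The sample data and provider names are constructed, and the registrable-domain helper is the same last-two-labels simplification noted for the typosquat example.

```python
"""Per-TLD DNS provider concentration (added example, pure Python).

A domain "depends solely" on a provider when every one of its NS records sits
under that provider's registrable domain. For each TLD we report the provider
that the largest share of domains depend on solely, and flag TLDs above 90%.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple


def registrable(host: str) -> str:
    """Simplification (assumption): last two labels; use the Public Suffix List in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def tld_of(domain: str) -> str:
    return domain.lower().rstrip(".").rsplit(".", 1)[-1]


def concentration(records: Iterable[Tuple[str, str]]) -> Dict[str, Tuple[str, float, int]]:
    """records: (domain, ns_host) pairs as they appear in a zone file.
    Returns tld -> (top_provider, share_of_domains_solely_on_it, domains_in_tld)."""
    providers_by_domain: Dict[str, Set[str]] = defaultdict(set)
    for domain, ns in records:
        providers_by_domain[domain.lower().rstrip(".")].add(registrable(ns))

    totals: Counter = Counter()
    sole: Dict[str, Counter] = defaultdict(Counter)
    for domain, providers in providers_by_domain.items():
        tld = tld_of(domain)
        totals[tld] += 1
        if len(providers) == 1:            # no secondary provider: single point of failure
            sole[tld][next(iter(providers))] += 1

    result = {}
    for tld, total in totals.items():
        top, n = sole[tld].most_common(1)[0] if sole[tld] else ("", 0)
        result[tld] = (top, n / total, total)
    return result


def flag_high_concentration(stats: Dict[str, Tuple[str, float, int]],
                            threshold: float = 0.9) -> List[str]:
    """TLDs where more than `threshold` of domains depend solely on one provider."""
    return sorted(tld for tld, (_, share, _) in stats.items() if share > threshold)


def build_sample() -> List[Tuple[str, str]]:
    """Constructed zone-file-like data (not real domains or providers)."""
    rows = []
    for i in range(19):                     # 19 of 20 .alpha domains solely on bigdns
        rows += [(f"site{i}.alpha", "ns1.bigdns.example"),
                 (f"site{i}.alpha", "ns2.bigdns.example")]
    rows += [("odd.alpha", "ns1.otherdns.example")]
    for i in range(5):                      # .beta: 5 solely bigdns, 4 solely otherdns, 1 split
        rows += [(f"s{i}.beta", "ns1.bigdns.example")]
    for i in range(4):
        rows += [(f"o{i}.beta", "ns1.otherdns.example")]
    rows += [("dual.beta", "ns1.bigdns.example"), ("dual.beta", "ns1.otherdns.example")]
    return rows


if __name__ == "__main__":
    stats = concentration(build_sample())
    for tld, (top, share, total) in sorted(stats.items()):
        print(f".{tld}: {total} domains, {share:.0%} solely on {top}")
    print("TLDs over 90%:", flag_high_concentration(stats))
```

Counting only sole dependence is what makes the metric actionable: a domain owner who adds a second provider moves their domain out of the numerator immediately, which is exactly the behaviour the mitigation asks for.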
Use these free tools to audit your own domain's DNS configuration and identify potential vulnerabilities.
Query any DNS record type (A, AAAA, MX, NS, TXT, SOA, CNAME) for your domain.
Verify DNS changes have propagated globally across 50+ resolvers worldwide.
Check if your domain or IP is listed on DNSBL/RBL blacklists.
Check your domain reputation across 17 threat intelligence sources for malware and phishing.
Validate your SPF record syntax and check for common misconfigurations.
Verify your DMARC policy to protect against email spoofing and phishing.
Data scope: Security findings are derived from analysis of gTLD zone files we have access to. This covers hundreds of generic top-level domains including .com, .net, .org, .xyz, .io, and many more — but excludes country-code TLDs (ccTLDs) like .uk, .de, .jp and infrastructure TLDs like .arpa.
Methodology: Findings are informational and based on automated analysis of nameserver records, delegation chains, and DNSSEC configurations. Not all findings represent active threats — some may reflect domains in transition, pending deletion, or intentional parking configurations.
References: RFC 1912 (Common DNS Operational and Configuration Errors) · RFC 4033–4035 (DNSSEC) · RFC 5452 (Measures for Making DNS More Resilient against Forged Answers) · RFC 8914 (Extended DNS Errors)
NS on Risky TLDs: 322,510 domains affected (nameservers hosted on high-abuse TLDs)
Typosquatted Nameservers: 185,587 domains affected (11 unique typosquatted nameserver variants detected)
Impact: An attacker who registers the misspelled nameserver domain gains full control over DNS resolution for every domain pointing to it, enabling phishing, traffic interception, and email hijacking.
Mitigation: Compare your NS records character by character against the hostnames your DNS provider documents, confirm that each nameserver hostname resolves to your provider's infrastructure, and use DNS monitoring to detect unauthorized nameserver changes.
Provider Concentration: 37 TLDs affected (7 TLDs have >90% single-provider dependency)
Impact: When the majority of a TLD's domains depend on a single DNS provider, an outage or compromise at that provider could render most domains under that TLD unreachable, a systemic risk to the namespace.
Mitigation: Registry operators should encourage provider diversity. Domain owners should consider secondary DNS at a different provider, publishing NS records for both and keeping the zone copies in sync (zone transfer or the providers' APIs), so that one provider's outage does not take the domain offline.
DNSSEC Gaps: 5.2% adoption rate (only 5.2% of domains have DNSSEC enabled)
Impact: Without DNSSEC, DNS responses can be forged through cache poisoning attacks (Kaminsky attack, RFC 5452), and a resolver has no way to tell a forged answer from a genuine one. Attackers can redirect users to malicious servers without any visible indication.
Mitigation: Enable DNSSEC signing at your DNS provider, then publish the resulting DS record at your registrar; without the DS record in the parent zone, validating resolvers treat the zone as unsigned. Most major providers (Cloudflare, AWS Route 53, Google Cloud DNS) support DNSSEC signing. Confirm the chain by querying through a validating resolver and checking that answers carry the AD flag.