11,079,346 domains with lame delegations (4.29% of dataset)
Analysis by Ishan Karunaratne · Data from 2026-04-11
Domains Affected: 11,079,346
% of Dataset: 4.29%
Categories: 6
A lame delegation is a DNS misconfiguration where a domain’s NS (Name Server) records point to nameservers that do not actually serve authoritative DNS data for that domain. The term "lame" comes from RFC 1912 Section 2.8, which defines it as a nameserver that is listed as authoritative for a zone but does not actually serve that zone. When a resolver queries a lame nameserver, it receives a referral or SERVFAIL instead of an authoritative answer.
Lame delegations typically occur when a domain expires, a hosting account is deleted, nameserver infrastructure is decommissioned, or DNS configuration is migrated without updating all NS records. The result is that the domain becomes partially or completely unreachable — DNS queries fail, websites go offline, and email delivery stops.
Beyond availability issues, lame delegations create a security vulnerability: if the nameserver hostname’s domain becomes available for registration, an attacker can register it and set up a nameserver that responds authoritatively for every domain still pointing to it. This is known as a nameserver takeover or orphaned delegation attack.
DNSChkr analyzes NS records from gTLD zone files and cross-references nameserver hostnames against known indicators of expired, deleted, suspended, or non-functional delegations. Detection categories include: nameservers resolving to parking/expired pages, NS domains that no longer exist in DNS, nameservers returning REFUSED or SERVFAIL for the delegated zone, and NS hostnames matching known domain-expired or hosting-deleted patterns.
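One way to test a single nameserver for the REFUSED, SERVFAIL and referral symptoms described above, as an added example (not DNSChkr's code): it builds a non-recursive SOA query and classifies a reply from its DNS header flags. The function names, the `ns*.example.net` hostnames and the sample reply headers are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(zone: str, txid: int = 0x1234) -> bytes:
    """Build a non-recursive (RD=0) SOA query for the zone apex."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify_response(resp: bytes) -> str:
    """Classify one nameserver's reply using only the 12-byte DNS header."""
    if len(resp) < 12:
        return "lame: malformed response"
    _txid, flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:                      # QR bit clear: not a response
        return "lame: malformed response"
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    if rcode in (2, 5):                         # SERVFAIL or REFUSED
        return f"lame: {RCODES[rcode]}"
    if rcode == 0 and aa and ancount > 0:       # AA=1 with the SOA in the answer
        return "authoritative"
    if rcode == 0 and not aa and ancount == 0 and nscount > 0:
        return "lame: referral"                 # points elsewhere, serves nothing
    if not aa:
        return "lame: non-authoritative answer"
    return f"inconclusive: {RCODES.get(rcode, rcode)} with AA set"

def _header(flags: int, ancount: int = 0, nscount: int = 0) -> bytes:
    """Constructed 12-byte reply header for the samples below."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, nscount, 0)

# Constructed sample replies (header only), one per case; hostnames are made up.
SAMPLES = {
    "ns1.example.net": _header(0x8400, ancount=1),   # AA=1, SOA in answer
    "ns2.example.net": _header(0x8002),              # SERVFAIL
    "ns3.example.net": _header(0x8005),              # REFUSED
    "ns4.example.net": _header(0x8000, nscount=2),   # referral, AA=0
}

def audit(samples: dict) -> dict:
    """Map each nameserver to its verdict."""
    return {ns: classify_response(resp) for ns, resp in samples.items()}

if __name__ == "__main__":
    for ns, verdict in audit(SAMPLES).items():
        print(f"{ns:18} {verdict}")
```

To audit a zone you operate, send `build_soa_query(zone)` over UDP port 53 to each nameserver listed in the delegation and pass the reply to `classify_response`; a nameserver that never replies belongs in the unresponsive category.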
The analysis pipeline processes zone data daily, tracking changes in delegation health over time. Each lame delegation is categorized by type (expired domain, deleted hosting, suspended nameserver, unresponsive server) and severity based on the number of domains affected and the likelihood of nameserver takeover.
| Category | Domains |
|---|---|
| Parked NS | 17,372,753 |
| Expired domain | 3,294,278 |
| Suspended NS | 668,743 |
| Other | 403,188 |
| For sale | 358,629 |
| Lame delegation | 40,757 |
An expired domain has lapsed at the registrar and may be in a redemption grace period or pending delete. A lame delegation is a DNS-level issue where the domain’s NS records point to non-functional nameservers — the domain itself may still be registered and active, but its DNS is broken. A domain can have a lame delegation without being expired, and an expired domain doesn’t necessarily have a lame delegation.
Yes. If a nameserver hostname’s domain becomes available for registration (because the hosting provider’s domain expired or was deleted), an attacker can register that domain, set up a nameserver, and gain control over DNS resolution for every domain still pointing to it. This is known as a nameserver takeover attack.
When a domain has a lame delegation, MX record lookups fail because the authoritative nameserver cannot be reached. This causes email delivery failures — sending servers receive SERVFAIL responses and bounce the email. Even if the mail server itself is operational, email cannot be delivered if DNS resolution is broken.
RFC 1912 ("Common DNS Operational and Configuration Errors") Section 2.8 defines lame delegations as a configuration error where NS records point to nameservers that are not authoritative for the zone. RFC 8906 ("A Common Operational Problem in DNS Servers: Failure to Communicate") also discusses delegation issues.