322,510 domains using nameservers on high-abuse TLDs
Analysis by Ishan Karunaratne · Data from 2026-04-12
Domains Affected: 322,510
Unique Providers: 0
% of Dataset: 0.125%
| Nameserver Domain | TLD | Domains Affected |
|---|---|---|
Some domains use nameservers hosted on top-level domains that are associated with higher rates of abuse, spam, or malicious activity. These “risky TLDs” are extensions where domain registration is cheap, verification is minimal, and abuse complaint handling may be slow — making them attractive to bad actors and creating a higher risk of domain lapse or suspension.
When a domain’s authoritative nameservers are hosted on a risky TLD, the domain inherits additional risk: the nameserver domain is more likely to lapse (due to low renewal rates), be suspended (due to abuse complaints), or be re-registered by a malicious actor (enabling a nameserver takeover attack). This is analogous to building critical infrastructure on unstable ground.
DNSChkr identifies nameserver domains hosted on TLDs that appear on multiple abuse tracking lists, have disproportionately high abuse-to-registration ratios, or are frequently associated with spam, phishing, and malware campaigns. The goal is not to flag all domains on these TLDs as malicious, but to highlight the elevated infrastructure risk of hosting authoritative nameservers on them.
The detection pipeline extracts nameserver hostnames from zone files and classifies the TLD of each nameserver domain. TLD risk classification uses data from multiple sources: Spamhaus, SURBL, abuse.ch, and public registrar abuse reports. TLDs are scored based on abuse-to-registration ratios, complaint handling responsiveness, and historical association with malicious activity.
Nameservers hosted on flagged TLDs are reported with the number of domains they serve, allowing domain owners and registry operators to assess the scale of exposure. The analysis focuses on nameservers that serve DNS for domains on different TLDs — a .com domain using nameservers on a high-abuse TLD represents a cross-TLD dependency risk.
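The extraction, classification and counting steps described above, as an added Python example (not DNSChkr's own code). The flagged TLDs `riskytld` and `cheaptld`, the sample zone lines, the last-two-labels rule for the nameserver domain, and the choice to skip same-TLD pairs are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed placeholder TLDs; a real list would come from abuse feeds.
FLAGGED_TLDS = {"riskytld", "cheaptld"}

# Constructed sample in TLD zone-file style (owner, TTL, class, type, rdata).
SAMPLE_ZONE = """\
; constructed sample data
shop.com.      172800 IN NS ns1.dnshost.riskytld.
shop.com.      172800 IN NS ns2.dnshost.riskytld.
blog.com.      172800 IN NS NS1.DNSHOST.RISKYTLD.
blog.com.      172800 IN NS ns1.stable.net.
mail.com.      172800 in ns a.cheapdns.cheaptld.
self.riskytld. 86400  IN NS ns1.self.riskytld.
shop.com.      172800 IN A  192.0.2.10
"""

def labels(name):
    return name.rstrip(".").lower().split(".")

def parse_ns_records(zone_text):
    """Yield (owner, nameserver) for each fully qualified NS record."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            yield fields[0], fields[4]

def risky_ns_report(zone_text, flagged=FLAGGED_TLDS):
    """Map (nameserver domain, TLD) -> set of domains on a different TLD."""
    served = defaultdict(set)
    for owner, ns in parse_ns_records(zone_text):
        ns_labels, owner_labels = labels(ns), labels(owner)
        ns_tld = ns_labels[-1]
        if ns_tld not in flagged or ns_tld == owner_labels[-1]:
            continue  # unflagged TLD, or no cross-TLD dependency
        # Assumption: registrable domain = last two labels (no Public Suffix List).
        ns_domain = ".".join(ns_labels[-2:])
        served[(ns_domain, ns_tld)].add(".".join(owner_labels))
    return served

def report_rows(zone_text):
    """Rows of (nameserver domain, TLD, domains affected), largest first."""
    rows = [(d, t, len(s)) for (d, t), s in risky_ns_report(zone_text).items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

if __name__ == "__main__":
    for row in report_rows(SAMPLE_ZONE):
        print("%-22s %-10s %d" % row)
```

Domains are collected in a set per nameserver domain, so a domain delegating to both `ns1` and `ns2` of the same provider is counted once.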
TLDs with high abuse-to-registration ratios, low-cost bulk registrations, and slow abuse complaint handling are considered higher risk. Specific TLDs change over time as registries improve or degrade their abuse mitigation. DNSChkr’s classification uses data from Spamhaus, SURBL, and abuse.ch to identify currently elevated-risk TLDs.
No. Having a nameserver on a risky TLD does not mean your domain is compromised — it means your DNS infrastructure has an elevated risk profile. The nameserver domain is more likely to lapse, be suspended, or be targeted by bad actors. It’s a proactive risk indicator, not evidence of active compromise.
Common reasons include: legacy configurations from when the TLD was less associated with abuse, cost optimization (cheap TLDs for NS domains), geographic preference (ccTLDs in certain regions), or simply lack of awareness about the risk. Some small DNS providers also register nameserver domains on cheaper TLDs to reduce operational costs.