9 unique typosquatted nameserver variants affecting 60,346 domains
Analysis by Ishan Karunaratne · Data from 2026-04-11
Domains Affected: 60,346
Unique Typos: 9
% of Dataset: 0.0234%
| Typo Domain | Domains Affected |
|---|---|
| hostgator.co | 23,534 |
| ultradns2.com | 15,966 |
| ultradns2.org | 15,959 |
| cloudyns.net | 1,146 |
| hostineer.com | 988 |
| emarkmonitor.com | 914 |
| sap.com | 813 |
| sas.com | 649 |
| hostinger.co | 377 |
Nameserver typosquatting occurs when a domain’s NS (Name Server) records contain misspelled versions of legitimate DNS provider hostnames. For example, a domain might point to "ns1.cloudflre.com" instead of "ns1.cloudflare.com", or "dns1.googl.com" instead of "dns1.google.com". These typos typically originate from manual configuration errors when setting up DNS delegation.
The security risk is significant: if the typo domain is unregistered, an attacker can register it and set up a nameserver that responds to DNS queries for every domain pointing to the misspelled hostname. This gives the attacker full control over DNS resolution — enabling phishing, email interception, traffic hijacking, and SSL certificate issuance for the affected domains. This attack vector is documented in academic research and has been observed in real-world incidents.
DNSChkr detects typosquatted nameservers by comparing NS record hostnames against a database of known DNS provider domains, using edit-distance algorithms and common typo patterns (character transposition, omission, duplication, and adjacent-key substitution) to identify probable misspellings.
The detection pipeline processes NS records from zone files across hundreds of gTLDs. Each nameserver hostname is extracted, normalized, and compared against a curated database of 800+ known DNS provider domains. Hostnames that are within a Levenshtein edit distance of 1–2 characters from a known provider, but do not match exactly, are flagged as potential typosquats.
Additional heuristics include: adjacent-key substitution on QWERTY layouts, common character transpositions (e.g., "ie" → "ei"), vowel omission, and TLD confusion (e.g., ".comm" instead of ".com"). Each flagged typo is verified against WHOIS/RDAP data to determine whether the typo domain is registered or available — unregistered typo domains represent the highest risk.
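The edit-distance comparison described in the detection methodology, sketched as an added example; this is not DNSChkr's code. The provider list, the function names and the two-label domain extraction are assumptions made for illustration, and the distance used counts an adjacent transposition as a single edit.

```python
# Added illustration; KNOWN_PROVIDERS is a constructed sample, not DNSChkr's database.
KNOWN_PROVIDERS = {"cloudflare.com", "google.com", "hostgator.com"}


def osa_distance(a: str, b: str) -> int:
    """Levenshtein distance that also counts an adjacent transposition as one edit."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def base_domain(ns_host: str) -> str:
    """Normalize an NS hostname and keep its last two labels.

    Assumption: two-label registrable domains; a real pipeline would use the
    Public Suffix List to handle suffixes such as co.uk.
    """
    labels = ns_host.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def flag_typosquat(ns_host: str, max_distance: int = 2):
    """Return (typo_domain, likely_provider, distance), or None if not flagged."""
    domain = base_domain(ns_host)
    if domain in KNOWN_PROVIDERS:
        return None  # exact match: legitimate provider
    dist, provider = min((osa_distance(domain, p), p) for p in sorted(KNOWN_PROVIDERS))
    return (domain, provider, dist) if dist <= max_distance else None


if __name__ == "__main__":
    # Constructed NS targets; the first two spellings are the page's own examples.
    for ns in ["ns1.cloudflre.com.", "dns1.googl.com", "NS2.Cloudflare.com",
               "ns1.hostgator.co", "ns1.example.net"]:
        print(ns, "->", flag_typosquat(ns))
```

A hostname flagged this way is only a candidate: short provider names sit within distance 2 of many unrelated legitimate domains, which is why the registration check against WHOIS/RDAP follows.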
Typosquatted nameservers affect thousands of domains across the global DNS infrastructure. While the percentage of total domains is small, each typosquatted NS record can affect critical services — a single misspelled nameserver domain could be exploited to hijack DNS for every domain pointing to it.
Yes. If an attacker controls DNS resolution for a domain via a typosquatted nameserver, they can pass domain validation (DV) challenges used by certificate authorities like Let’s Encrypt. This allows the attacker to obtain valid SSL certificates for the victim domain, enabling convincing phishing attacks.
Domain typosquatting targets end users by registering misspelled versions of popular websites (e.g., "gooogle.com"). Nameserver typosquatting targets DNS infrastructure by registering misspelled versions of DNS provider hostnames. The latter is more dangerous because it can silently hijack all DNS traffic for affected domains without any visible change to the domain name itself.
Typosquatted nameservers are a form of DNS hijacking. Unlike traditional DNS hijacking (which requires compromising a registrar account or DNS server), NS typosquatting exploits a configuration error that already exists in the victim’s DNS records. The attacker simply needs to register an available typo domain.