Typosquatted Nameservers
1 unique typosquatted nameserver variants affecting 232,843 domains
Analysis by Ishan Karunaratne · Data from 2026-05-26
Domains Affected
232,843
Unique Typos
1
% of Dataset
0.0862%
| Typo Domain | Domains Affected |
|---|---|
| domainnamens.com | 232,843 |
What Are Typosquatted Nameservers?
Nameserver typosquatting occurs when a domain’s NS (Name Server) records contain misspelled versions of legitimate DNS provider hostnames. For example, a domain might point to "ns1.cloudflre.com" instead of "ns1.cloudflare.com", or "dns1.googl.com" instead of "dns1.google.com". These typos typically originate from manual configuration errors when setting up DNS delegation.
The security risk is significant: if the typo domain is unregistered, an attacker can register it and set up a nameserver that responds to DNS queries for every domain pointing to the misspelled hostname. This gives the attacker full control over DNS resolution — enabling phishing, email interception, traffic hijacking, and SSL certificate issuance for the affected domains. This attack vector is documented in academic research and has been observed in real-world incidents.
DNS Checker detects typosquatted nameservers by comparing NS record hostnames against a database of known DNS provider domains, using edit-distance algorithms and common typo patterns (character transposition, omission, duplication, and adjacent-key substitution) to identify probable misspellings.
How DNS Checker Detects Typosquatted Nameservers
The detection pipeline processes NS records from zone files across hundreds of gTLDs. Each nameserver hostname is extracted, normalized, and compared against a curated database of 800+ known DNS provider domains. Hostnames that are within a Levenshtein edit distance of 1–2 characters from a known provider, but do not match exactly, are flagged as potential typosquats.
Additional heuristics include: adjacent-key substitution on QWERTY layouts, common character transpositions (e.g., "ie" → "ei"), vowel omission, and TLD confusion (e.g., ".comm" instead of ".com"). Each flagged typo is verified against WHOIS/RDAP data to determine whether the typo domain is registered or available — unregistered typo domains represent the highest risk.
How to Fix Typosquatted Nameservers
- Audit all NS records for your domains using the DNS Checker DNS Inspector. Verify that each nameserver hostname exactly matches your DNS provider’s documented nameservers.
- Cross-reference your NS records against your provider’s official documentation. For example, Cloudflare’s nameservers follow the pattern: {name}.ns.cloudflare.com.
- Set up DNS monitoring to detect unauthorized or unexpected nameserver changes. Services like DNS Checker’s DNS Inspector can help verify NS records on demand.
- If you manage DNS for multiple domains, use automation (Terraform, Pulumi, or provider APIs) to set NS records programmatically, eliminating manual typo risk.
- Consider registering common typo variants of your own nameserver domains as a defensive measure, especially if you operate a DNS hosting service.
Frequently Asked Questions
How common are typosquatted nameservers?
Typosquatted nameservers affect thousands of domains across the global DNS infrastructure. While the percentage of total domains is small, each typosquatted NS record can affect critical services — a single misspelled nameserver domain could be exploited to hijack DNS for every domain pointing to it.
Can typosquatted nameservers lead to SSL certificate issuance?
Yes. If an attacker controls DNS resolution for a domain via a typosquatted nameserver, they can pass domain validation (DV) challenges used by certificate authorities like Let’s Encrypt. This allows the attacker to obtain valid SSL certificates for the victim domain, enabling convincing phishing attacks.
What is the difference between typosquatted nameservers and typosquatted domains?
Domain typosquatting targets end users by registering misspelled versions of popular websites (e.g., "gooogle.com"). Nameserver typosquatting targets DNS infrastructure by registering misspelled versions of DNS provider hostnames. The latter is more dangerous because it can silently hijack all DNS traffic for affected domains without any visible change to the domain name itself.
How does this relate to DNS hijacking?
Typosquatted nameservers are a form of DNS hijacking. Unlike traditional DNS hijacking (which requires compromising a registrar account or DNS server), NS typosquatting exploits a configuration error that already exists in the victim’s DNS records. The attacker simply needs to register an available typo domain.