- A country’s economic development does not necessarily correlate with the technical maturity of the DNS infrastructure supporting its country-code Top-Level Domain (ccTLD).
- Most ccTLDs have redundancy in place but not across all critical metrics, particularly multiple TLDs and Anycast for IPv6.
- ccTLD zone operators’ full cooperation is crucial for a complete and accurate analysis of DNS resilience.
Government websites and online businesses commonly use country-code Top Level Domains (ccTLDs) to reach their citizens and target local customers.
Like other TLDs, ccTLDs’ security relies on a resilient domain name system (DNS) infrastructure. A robust DNS ecosystem is essential to protect against cyberattacks such as Distributed Denial of Service (DDoS) attacks and to ensure continued access to online services during crises. It also boosts global trust by showcasing digital maturity.
Measuring the Robustness of the DNS
To evaluate the robustness of the DNS ecosystem concerning ccTLDs, we measured a few technical metrics (Table 1) and used the recommended best practices proposed by Sommese et al.
| Metric | Measure | Importance |
|---|---|---|
| nNSes | Number of Name Servers | Redundancy |
| nTLDs | Unique TLD used for name server addresses | Diversity |
| nIPv4 | Unique IPv4 addresses for the domain | Redundancy in IPv4 |
| nIPv6 | Unique IPv6 addresses for the domain | Redundancy in IPv6 |
| nASv4 | Unique AS announcing the IPv4 addresses | Topological diversity in IPv4 |
| nASv6 | Unique AS announcing the IPv6 addresses | Topological diversity in IPv6 |
| nAnycast4 | Unique Anycast IPv4 name server | Redundancy and DDOS protection in IPv4 |
| nAnycast6 | Unique Anycast IPv6 name server | Redundancy and DDOS protection in IPv6 |
| nGeoDiverseNSes | Geographically distributed name servers | Geographical diversity |
Most ccTLDs Have Redundancy in Place, Can Improve Anycast Use and Geographic Distribution
Our study found that most ccTLDs use two or more unique nameservers (nNSes), with nearly 80% of ccTLDs deploying four or more nameserver addresses. However, only about 50% of these ccTLDs use nameserver addresses across multiple TLDs (nTLDs), indicating a potential area for increased resilience. Redundancy in both nameserver addresses and the TLDs they use is critical: they act as the backup addresses for name resolution if the primary ones are unreachable.
While most ccTLDs leverage at least two IPv4 addresses (nIPv4), some still need to adopt two or more IPv6 addresses (nIPv6).
On the infrastructure front, more than half of the ccTLDs use networks from four or more Autonomous Systems (ASes) for both IPv4 (nASv4) and IPv6 (nASv6), and over 70% employ at least one Anycast infrastructure for IPv4 addresses (nAnycast4). Yet, only 50% of ccTLDs use Anycast for IPv6 (nAnycast6), suggesting room for improvement.
Anycast is a network routing method in which multiple servers share the same IP address, directing user requests to the nearest or most optimal server for faster and more efficient data delivery. Besides providing redundancy, it helps to reduce latency by routing queries to the nearest server, ensures continuity by rerouting traffic during failures, and defends against DDoS attacks by distributing traffic across multiple servers.
Additionally, fewer than 20% of ccTLDs rely on infrastructure from a single country (nGeoDiverseNSes), and most extend their networks to one or more countries.
Which ccTLDs Rely on the Most and Least Mature DNS Infrastructure
Despite the advanced economic development in Europe and North America, only a few ccTLDs from these regions rank among the top 20 most mature DNS infrastructures (Figure 2). Iceland (IS), Portugal (PT), Cyprus (CY), and Finland (FI) are the only representatives from Europe, while Panama (PA) and Guatemala (GT) are the sole entries from North America.
In contrast, African and Asian ccTLDs show a more robust presence, with Malawi (MW), Tanzania (TZ), and Côte d’Ivoire (CI) leading globally, and Thailand (TH), Taiwan (TW), and Palestine (PS) standing out in Asia. This highlights a surprising gap where some of the most developed regions have fewer ccTLDs in the top rankings for DNS maturity.
Among the ccTLDs with the least mature DNS infrastructures (Figure 3) are Western Sahara (EH), Caribbean Netherlands (BQ), and French Polynesia (PF). The ccTLDs for the first two countries remain unassigned due to their unique political statuses—Western Sahara as a disputed territory and the Caribbean Netherlands as part of the Netherlands following the dissolution of the Netherlands Antilles.
In Asia, the ccTLDs for North Korea (KP), the Republic of Maldives (MV), and Kyrgyzstan (KG) rank among the least mature. In the case of North Korea, its strict limitations on Internet access for its citizens might contribute to the underdevelopment of its DNS infrastructure. Notably, almost all of the 20 least mature ccTLDs lack critical DNS resilience features, such as Anycast infrastructure, multiple IPv6 addresses, or networks spanning multiple countries, highlighting issues with resilience.
These least mature ccTLDs are more vulnerable to cyberattacks, especially DDoS attacks. For example, despite having multiple nameservers with multiple IP addresses, all DNS infrastructures that support .et (Ethiopia) belong to the exact Autonomous System and are located in the same country. If the Autonomous System or the Internet connection in the country goes down, more than five thousand websites under the .et ccTLD would not be accessible.
Recommendations For Improving ccTLD Resilience
A country’s economic development does not necessarily correlate with the technical maturity of the DNS infrastructure supporting its ccTLD. For example, according to the World Bank, Brazil had the 9th highest global estimated GDP in 2023. However, the maturity of the DNS infrastructure of the .br ccTLD is relatively low. All nameserver addresses are under a single TLD without an Anycast network, and all infrastructures reside in a single country. Various other factors, including political, regulatory, and strategic considerations, might play a role, and to understand this, further interdisciplinary investigations are necessary.
Despite the relatively low investment required, diversifying TLDs for nameservers has yet to be widely adopted (see Figure 2, nTLDs). Registry operators could consider this an immediate and practical measure to enhance DNS resilience. For example, the .mw ccTLD uses seven unique nameserver addresses from four unique TLDs: .mw, .cz, .net, and .com. Therefore, if the DNS infrastructure of one of the TLDs goes down, websites under .mw ccTLD would remain accessible using nameservers from the other three TLDs.
Additionally, the adoption of Anycast name servers, particularly for IPv6, remains underused, even though it has the potential to boost resilience significantly.
Another critical strategy for improving DNS infrastructure is diversifying network topology using networks from multiple regions, which can help avoid single points of failure and further strengthen the overall system.
We plan to extend our analysis to include lower-level domains to explore country-specific DNS resilience further. To achieve a comprehensive understanding, it’s essential to investigate all hostnames registered under each ccTLD. However, this effort may be limited by data availability. Full cooperation from zone operators is crucial, as access to the corresponding ccTLD’s zone file is necessary for a complete and accurate analysis.
Yasir Haq is a Doctoral Student at the University of Twente and a 2024 Pulse Research Fellow.