Friday, August 30, 2013

Domain: qha.cc

Seen a scan for this domain.

Source:

80.82.70.239 AS29073 Ecatel Network

Seen before:

      2 evgeniy-marchenko.cc

      1 qha.cc



Response:

240 A records in the 204.46.43.x range


IPtables rule:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x03514841 && 0x2c&0xFFDFDFFF=0x02434300" -j DROP -m comment --comment "DROP DNS Q qha.cc"


More rules here

Name servers:


;; ANSWER SECTION:
qha.cc. 10800 IN NS c.dns.gandi.net.
qha.cc. 10800 IN NS b.dns.gandi.net.
qha.cc. 10800 IN NS a.dns.gandi.net.

;; ADDITIONAL SECTION:
c.dns.gandi.net. 86310 IN A 217.70.182.20
b.dns.gandi.net. 86310 IN A 217.70.184.40
a.dns.gandi.net. 86310 IN A 173.246.97.2


Whois:

domain: qha.cc
reg_created: 2013-08-22 16:35:05
expires: 2014-08-22 16:35:05
created: 2013-08-22 18:35:05
changed: 2013-08-22 18:36:34
transfer-prohibited: yes
ns0: a.dns.gandi.net
ns1: b.dns.gandi.net
ns2: c.dns.gandi.net
owner-c:
  nic-hdl: DD7253-GANDI
  owner-name: duck duck
  organisation: ~
  person: duck duck
  address: Lolkino
  zipcode: 123456
  city: Russhka
  country: Ukraine
  phone: +380.2282282288
  fax: ~
  email: 1da73e36cc887f074e8f9e877b796d54-1769481@contact.gandi.net
  lastupdated: 2013-08-22 18:10:02
admin-c:
  nic-hdl: DD7253-GANDI
  owner-name: duck duck
  organisation: ~
  person: duck duck
  address: Lolkino
  zipcode: 123456
  city: Russhka
  country: Ukraine
  phone: +380.2282282288
  fax: ~
  email: 1da73e36cc887f074e8f9e877b796d54-1769481@contact.gandi.net
  lastupdated: 2013-08-22 18:10:02
tech-c:
  nic-hdl: DD7253-GANDI
  owner-name: duck duck
  organisation: ~
  person: duck duck
  address: Lolkino
  zipcode: 123456
  city: Russhka
  country: Ukraine
  phone: +380.2282282288
  fax: ~
  email: 1da73e36cc887f074e8f9e877b796d54-1769481@contact.gandi.net
  lastupdated: 2013-08-22 18:10:02
bill-c:
  nic-hdl: DD7253-GANDI
  owner-name: duck duck
  organisation: ~
  person: duck duck
  address: Lolkino
  zipcode: 123456
  city: Russhka
  country: Ukraine
  phone: +380.2282282288
  fax: ~
  email: 1da73e36cc887f074e8f9e877b796d54-1769481@contact.gandi.net
  lastupdated: 2013-08-22 18:10:02

Friday, August 23, 2013

Domain: srvit.org

Seen a scan for this domain on a passive box.

Source:


80.82.65.204 AS29073 Ecatel Network (again!)

Response:


151 A records in the 123.45.67.x range.

IPtables rule:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x05535256 && 0x2c&0xDFDFFFDF=0x4954034f && 0x30&0xDFDFFFFF=0x52470000" -j DROP -m comment --comment "DROP DNS Q srvit.org"

More rules here

Name servers:


;; ANSWER SECTION:
srvit.org. 3600 IN NS ns2.srvit.org.
srvit.org. 3600 IN NS ns1.srvit.org.

;; ADDITIONAL SECTION:
ns2.srvit.org. 7200 IN A 94.102.56.221
ns1.srvit.org. 7200 IN A 94.102.56.221


Whois:



Domain ID:D169062038-LROR
Domain Name:SRVIT.ORG
Created On:26-Jun-2013 16:56:01 UTC
Last Updated On:26-Jun-2013 21:55:11 UTC
Expiration Date:26-Jun-2014 16:56:01 UTC
Sponsoring Registrar:Internet.bs Corp. (R1601-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:INTEym178v8dv1hm
Registrant Name:Domain Administrator
Registrant Organization:Fundacion Private Whois
Registrant Street1:Attn: srvit.org
Registrant Street2:Aptds. 0850-00056
Registrant Street3:
Registrant City:Panama
Registrant State/Province:
Registrant Postal Code:Zona 15
Registrant Country:PA
Registrant Phone:+507.65995877
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:51cb1d1exo492kj9@t02cduv4f7f99a255f64.privatewhois.net
Admin ID:INTEtxgnkjb9l6o0
Admin Name:Domain Administrator
Admin Organization:Fundacion Private Whois
Admin Street1:Attn: srvit.org
Admin Street2:Aptds. 0850-00056
Admin Street3:
Admin City:Panama
Admin State/Province:
Admin Postal Code:Zona 15
Admin Country:PA
Admin Phone:+507.65995877
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:51cb1d1fi7enxtvo@t02cduv4f7f99a255f64.privatewhois.net
Tech ID:INTEi280uqbcqb3i
Tech Name:Domain Administrator
Tech Organization:Fundacion Private Whois
Tech Street1:Attn: srvit.org
Tech Street2:Aptds. 0850-00056
Tech Street3:
Tech City:Panama
Tech State/Province:
Tech Postal Code:Zona 15
Tech Country:PA
Tech Phone:+507.65995877
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:51cb1d1efycum495@t02cduv4f7f99a255f64.privatewhois.net
Name Server:NS1.SRVIT.ORG
Name Server:NS2.SRVIT.ORG
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned








Domain: evgeniy-marchenko.cc

Seen attacks today with domain: evgeniy-marchenko.cc

Also happened to find the discovery packet for it!

Source:

80.82.70.239 AS29073 Ecatel Network

IPtables rule:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x11455647 && 0x2c&0xDFDFDFDF=0x454e4959 && 0x30&0xFFDFDFDF=0x2d4d4152 && 0x34&0xDFDFDFDF=0x4348454e && 0x38&0xDFDFFFDF=0x4b4f0243 && 0x3c&0xDFFFFFFF=0x43000001" -j DROP -m comment --comment "DROP DNS Q A evgeniy-marchenko.cc"

For more rules click here

Response:


240 A records in the 204.46.43.x range.

Name servers:

;; ANSWER SECTION:
evgeniy-marchenko.cc. 10800 IN NS a.dns.gandi.net.
evgeniy-marchenko.cc. 10800 IN NS b.dns.gandi.net.
evgeniy-marchenko.cc. 10800 IN NS c.dns.gandi.net.

;; ADDITIONAL SECTION:
c.dns.gandi.net. 86293 IN A 217.70.182.20
a.dns.gandi.net. 86293 IN A 173.246.97.2
b.dns.gandi.net. 86293 IN A 217.70.184.40


Targets:



 165381  186.2.166.68 - PTR globalnet.pro-managed.com.
   61931  198.144.121.71
     7905  194.50.82.0
            1  80.82.70.239  <-- discovery IP.


Whois:

domain: evgeniy-marchenko.cc
reg_created: 2013-08-22 10:00:00
expires: 2014-08-22 10:00:00
created: 2013-08-22 12:00:00
changed: 2013-08-22 12:00:50
transfer-prohibited: yes
ns0: a.dns.gandi.net
ns1: b.dns.gandi.net
ns2: c.dns.gandi.net
owner-c:
  nic-hdl: SM9636-GANDI
  organisation: ~
  person: stelstelx@gmail.com massrek77
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: c1b35386b247e4ddaf5e7695b74eddea-1769297@contact.gandi.net
  lastupdated: 2013-08-22 11:32:25
admin-c:
  nic-hdl: SM9636-GANDI
  organisation: ~
  person: stelstelx@gmail.com massrek77
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: c1b35386b247e4ddaf5e7695b74eddea-1769297@contact.gandi.net
  lastupdated: 2013-08-22 11:32:25
tech-c:
  nic-hdl: SM9636-GANDI
  organisation: ~
  person: stelstelx@gmail.com massrek77
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: c1b35386b247e4ddaf5e7695b74eddea-1769297@contact.gandi.net
  lastupdated: 2013-08-22 11:32:25
bill-c:
  nic-hdl: SM9636-GANDI
  organisation: ~
  person: stelstelx@gmail.com massrek77
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: c1b35386b247e4ddaf5e7695b74eddea-1769297@contact.gandi.net
  lastupdated: 2013-08-22 11:32:25

Thursday, August 22, 2013

Domain: 2soe.ru

Observed a scan for this domain on: 22-Aug-2013

Source:


89.248.172.121 AS29073 Ecatel Network

Seen this IP before:

      1 hackwhatlol.cc
      1 edelion.su
      1 2soe.ru

IPtables Rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFFFDFDF=0x0432534f && 0x2c&0xDFFFDFDF=0x45025255" -j DROP -m comment --comment "DROP DNS Q 2soe.ru"

See here for more rules.


Response:


238 A records in the 204.46.43.x range.


Name servers:


;; ANSWER SECTION:
2soe.ru. 43200 IN NS ns2.reg.ru.
2soe.ru. 43200 IN NS ns1.reg.ru.

;; ADDITIONAL SECTION:
ns1.reg.ru. 86400 IN A 31.31.205.55
ns2.reg.ru. 86400 IN A 31.31.205.56
ns1.reg.ru. 86400 IN A 31.31.204.52
ns1.reg.ru. 86400 IN A 144.76.40.132
ns1.reg.ru. 86400 IN A 31.31.205.39
ns2.reg.ru. 86400 IN A 31.31.204.37
ns2.reg.ru. 86400 IN A 88.212.207.122
ns1.reg.ru. 86400 IN A 88.212.207.121
ns2.reg.ru. 86400 IN A 31.31.204.25


Whois:

domain:        2SOE.RU
nserver:       ns1.reg.ru.
nserver:       ns2.reg.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2013.08.06
paid-till:     2014.08.06
free-date:     2014.09.06
source:        TCI

Last updated on 2013.08.22 21:11:35 MSK



Tuesday, August 20, 2013

Domain: Edelion.su

Seen a scan for this domain, won't take long before it will be abused in attacks.

Query was: 20-Aug-2013 client 89.248.172.121: query: edelion.su IN A +E

Update 21-Aug-2013:

Attacks have started with this domain. Query comes in as Edelion rather than edelion. Corrected my iptables rule to be case-insensitive.

Source:


89.248.172.121 AS29073 Ecatel Network

Seen before:


      1 hackwhatlol.cc
      1 edelion.su


IPtables rule:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x07656465 && 0x2c=0x6c696f6e && 0x30=0x02737500" -j DROP -m comment --comment "DROP DNS Q edelion.su"

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x07454445 && 0x2c&0xDFDFDFDF=0x4c494f4e && 0x30&0xFFDFDFFF=0x02535500" -j DROP -m comment --comment "DROP DNS Q edelion.su"

Full Rule Set
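How the offsets, masks and values in these u32 rules follow from the domain name, and why the case-sensitive rule missed the "Edelion" queries, as an added example (not the author's own tooling). The function names and the constructed sample packet are assumptions, and offset 0x28 assumes an IPv4 header without options.

```python
import re
import struct

# QNAME offset from the start of the IP packet, as in the rules above:
# 20-byte IPv4 header (no options) + 8-byte UDP header + 12-byte DNS header.
QNAME_OFFSET = 0x28
LABEL_RE = re.compile(r"[A-Za-z0-9_-]{1,63}")


def encode_qname(domain):
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = bytearray()
    for label in domain.rstrip(".").split("."):
        if not LABEL_RE.fullmatch(label):
            raise ValueError("unsupported label: %r" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)  # root label terminates the name
    return bytes(out)


def u32_tests(domain, case_insensitive=True):
    """Return [(offset, mask, value), ...], one entry per 32-bit word of QNAME."""
    qname = encode_qname(domain)
    tests = []
    for start in range(0, len(qname), 4):
        mask = value = 0
        for pos in range(start, start + 4):
            mask <<= 8
            value <<= 8
            if pos >= len(qname):
                continue  # byte after QNAME (QTYPE/QCLASS): mask 0x00, don't care
            byte = qname[pos]
            # Only letters get 0xDF (clears the 0x20 case bit). Length octets
            # (<= 63), digits, '-' and the terminator are matched exactly.
            is_letter = 0x41 <= (byte & 0xDF) <= 0x5A
            m = 0xDF if (case_insensitive and is_letter) else 0xFF
            mask |= m
            value |= byte & m
        tests.append((QNAME_OFFSET + start, mask, value))
    return tests


def u32_expr(tests):
    """Format the tests in the notation used by the rules on this page."""
    parts = []
    for off, mask, value in tests:
        if mask == 0xFFFFFFFF:
            parts.append("0x%x=0x%08x" % (off, value))
        else:
            parts.append("0x%x&0x%08X=0x%08x" % (off, mask, value))
    return " && ".join(parts)


def iptables_rule(domain, case_insensitive=True):
    """Build the full DROP rule with the same options as the rules above."""
    expr = u32_expr(u32_tests(domain, case_insensitive))
    return ('iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "%s" '
            '-j DROP -m comment --comment "DROP DNS Q %s"' % (expr, domain))


def u32_match(packet, tests):
    """Evaluate the tests against raw packet bytes the way the u32 match does."""
    for off, mask, value in tests:
        if off + 4 > len(packet):
            return False  # reading past the end of the packet never matches
        word = struct.unpack_from("!I", packet, off)[0]
        if word & mask != value:
            return False
    return True


def sample_query(name, qtype=1):
    """Constructed sample: minimal IPv4 + UDP + DNS query for `name`."""
    ip = bytes([0x45]) + bytes(19)                  # IHL=5, rest zeroed
    udp = struct.pack("!HHHH", 40000, 53, 0, 0)     # dport 53
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return ip + udp + dns + encode_qname(name) + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    print(iptables_rule("edelion.su"))
    pkt = sample_query("Edelion.su")  # mixed case, as seen on 21-Aug-2013
    print("case-sensitive rule matches:  ", u32_match(pkt, u32_tests("edelion.su", False)))
    print("case-insensitive rule matches:", u32_match(pkt, u32_tests("edelion.su")))
```

For names whose wire encoding is not a multiple of four bytes, this generator leaves the bytes after the name unmasked, so its last test can differ from the hand-written rules on this page (the srvit.org rule, for example, also pins the byte following the name to 0x00).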

Response:


244 A records in the 204.46.43.x range

Name servers:


;; ANSWER SECTION:
edelion.su. 43200 IN NS ns2.reg.ru.
edelion.su. 43200 IN NS ns1.reg.ru.

;; ADDITIONAL SECTION:
ns1.reg.ru. 86376 IN A 31.31.204.52
ns1.reg.ru. 86376 IN A 31.31.205.55
ns1.reg.ru. 86376 IN A 144.76.40.132
ns2.reg.ru. 86376 IN A 88.212.207.122
ns1.reg.ru. 86376 IN A 31.31.205.39
ns2.reg.ru. 86376 IN A 31.31.204.37
ns2.reg.ru. 86376 IN A 31.31.205.56
ns2.reg.ru. 86376 IN A 31.31.204.25
ns1.reg.ru. 86376 IN A 88.212.207.121


Whois:


domain:        EDELION.SU
nserver:       ns1.reg.ru.
nserver:       ns2.reg.ru.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        dim199351@mail.ru
registrar:     REGRU-REG-FID
created:       2013.01.30
paid-till:     2014.01.30
free-date:     2014.03.04
source:        TCI

Last updated on 2013.08.20 23:56:40 MSK

DNS: TLD Name Servers per country

I was curious to see what countries seem to run / control most of the Domain Name System. Especially how much is actually located in the US.

Root servers


First of all, let's look at the root servers, the ones responsible for ".". These servers point to the generic TLD and ccTLD servers such as .be, .nl, .uk, .com, .net etc.



TLD Server IP AS Country
. a.root-servers.net. 198.41.0.4 AS36620 VeriSign Global Registry Services United States
. b.root-servers.net. 192.228.79.201 AS4 University of Southern California United States
. c.root-servers.net. 192.33.4.12 AS2149 Cogent Communications United States
. d.root-servers.net. 199.7.91.13 AS27 University of Maryland at College Park United States
. e.root-servers.net. 192.203.230.10 AS297 National Aeronautics and Space Administration United States
. f.root-servers.net. 192.5.5.241 AS3557 Internet Systems Consortium, Inc. United States
. g.root-servers.net. 192.112.36.4 AS5927 DoD Network Information Center United States
. h.root-servers.net. 128.63.2.53 AS13 Headquarters, USAISC United States
. i.root-servers.net. 192.36.148.17 AS29216 NETNOD Internet Exchange i Sverige AB Sweden
. j.root-servers.net. 192.58.128.30 AS36626 VeriSign Global Registry Services United States
. k.root-servers.net. 193.0.14.129 AS25152 Reseaux IP Europeens Network Coordination Centre (RIPE NCC) Netherlands
. l.root-servers.net. 199.7.83.42 AS20144 DNS Root Name Server L.ROOT-SERVERS.NET United States
. m.root-servers.net. 202.12.27.33 AS7500 WIDE Project Japan

As you can see above, out of the 13 servers 10 are run in the USA, 2 are run in Europe (one in the Netherlands and one in Sweden), and one server resides in Asia (Japan).
Of the US-based servers, g.root-servers.net is operated by the Department of Defense, two are operated by Verisign, and the rest by universities, NASA and the ISC.

Infrastructure top level domain:


TLD Description Notes
.Arpa Address and Routing Parameter Area Must verify eligibility for registration; only those in various categories of air-travel-related entities may register.


The .Arpa TLD is used for reverse DNS functionality and uses the root servers.

The most common implementation of this .Arpa domain is the 'z.y.x.w.in-addr.arpa' way of resolving domains. (dig -x )


TLD Server IP ASN Country
in-addr.arpa a.in-addr-servers.arpa. 199.212.0.73 AS393225 ARIN Operations United States
in-addr.arpa b.in-addr-servers.arpa. 199.253.183.183 AS26710 ICANN DNS Operations Anycast United States
in-addr.arpa c.in-addr-servers.arpa. 196.216.169.10 AS37181 AFRINIC-ANYCAST Mauritius
in-addr.arpa d.in-addr-servers.arpa. 200.10.60.53 AS28001 Latin American and Caribbean IP address Uruguay
in-addr.arpa e.in-addr-servers.arpa. 203.119.86.101 AS18368 UNICAST AS of ANYCAST node(The Netherlands) Australia
in-addr.arpa f.in-addr-servers.arpa. 193.0.9.1 AS197000 Reseaux IP Europeens Network Coordination Centre (RIPE NCC) Netherlands

Mauritius? I admit it, I had to Google. But domaintools.com agreed with the Maxmind database: http://whois.domaintools.com/196.216.169.10

Uruguay is also an unusual country for such a high traffic service. ( in my opinion )
But again: http://whois.domaintools.com/200.10.60.53

Generic Top Level domains:

These are the Generic Top Level domains:


TLD Description Notes
.Aero air-transport industry Must verify eligibility for registration; only those in various categories of air-travel-related entities may register.
.Asia Asia-Pacific region This is a TLD for companies, organizations, and individuals based in the region of Asia, Australia, and the Pacific.
.Biz business This is an open TLD; any person or entity is permitted to register; however, registrations may be challenged later if they are not held by commercial entities in accordance with the domain's charter. This TLD was created to provide relief for the wildly popular .com TLD.
.Cat Catalan This is a TLD for Web sites in the Catalan language or related to Catalan culture.
.Com commercial This is an open TLD; any person or entity is permitted to register.
.Coop cooperatives The .coop TLD is limited to cooperatives as defined by the Rochdale Principles.
.Info information This is an open TLD; any person or entity is permitted to register.
.Int international organizations The .int TLD is strictly limited to organizations, offices, and programs which are endorsed by a treaty between two or more nations.
.Jobs companies The .jobs TLD is designed to be added after the names of established companies with jobs to advertise. At this time, owners of a "company.jobs" domain are not permitted to post jobs of third party employers.
.Mobi mobile devices Must be used for mobile-compatible sites in accordance with standards.
.Museum museums Must be verified as a legitimate museum.
.Name individuals, by name This is an open TLD; any person or entity is permitted to register; however, registrations may be challenged later if they are not by individuals (or the owners of fictional characters) in accordance with the domain's charter.
.Net network This is an open TLD; any person or entity is permitted to register. Originally intended for use by domains pointing to a distributed network of computers, or "umbrella" sites that act as the portal to a set of smaller websites.
.Org organization This is an open TLD; any person or entity is permitted to register. Originally intended for use by non-profit organizations, and still primarily used by some.
.Post postal services The .post TLD is restricted to Postal Administrations as defined in the Universal Postal Union constitution, and their large customers who wish to provide "Trusted Postal Services".
.Pro professions Currently, .pro is reserved for licensed or certified professionals worldwide. A professional seeking to register a .pro domain must provide their registrar with the appropriate credentials.
.Tel Internet communication services A contact directory housing all types of contact information directly in the Domain Name System.
.Travel travel and tourism industry related sites Must be verified as a legitimate travel-related entity.
.XXX adult content For sites providing sexually explicit content, such as pornography.


The top level domains distribution over the globe is as follows:

     77  United States
     42  Canada
      6  Germany
      3  United Kingdom
      3  Sweden
      2  Switzerland
      2  Spain
      1  Netherlands
      1  Andorra

Canada and the US top the list leaving all other countries far behind. 

Full list:

TLD Server IP AS Country
AERO ns2.switch.ch. 130.59.138.49 AS559 SWITCH, Swiss Education and Research Network Switzerland
AERO dns7.denic.de. 81.91.161.68 AS8763 DENIC eG Germany
AERO ns5.knipp.de. 195.253.6.62 AS8391 Knipp Medien und Kommunikation GmbH Germany
AERO a0.aero.afilias-nst.info. 199.254.51.1 AS12041 Afilias Limited Canada
AERO a2.aero.afilias-nst.info. 199.249.115.1 AS42 PCH PCH Canada
AERO c0.aero.afilias-nst.info. 199.254.53.1 AS12041 Afilias Limited Canada
AERO b0.aero.afilias-nst.org. 199.254.52.1 AS12041 Afilias Limited Canada
AERO b2.aero.afilias-nst.org. 199.249.123.1 AS42 PCH PCH Canada
AERO d0.aero.afilias-nst.org. 199.254.54.1 AS12041 Afilias Limited Canada
ASIA b0.asia.afilias-nst.ASIA. 199.254.28.1 AS12041 Afilias Limited Canada
ASIA d0.asia.afilias-nst.ASIA. 199.254.30.1 AS12041 Afilias Limited Canada
ASIA a0.asia.afilias-nst.info. 199.19.55.1 AS12041 Afilias Limited Canada
ASIA a2.asia.afilias-nst.info. 199.249.114.1 AS42 PCH PCH Canada
ASIA c0.asia.afilias-nst.info. 199.254.29.1 AS12041 Afilias Limited Canada
ASIA b2.asia.afilias-nst.org. 199.249.122.1 AS42 PCH PCH Canada
BIZ a.gtld.BIZ. 156.154.124.65 AS12008 NeuStar, Inc. United States
BIZ b.gtld.BIZ. 156.154.125.65 AS12008 NeuStar, Inc. United States
BIZ c.gtld.BIZ. 156.154.127.65 AS12008 NeuStar, Inc. United States
BIZ e.gtld.BIZ. 156.154.126.65 AS12008 NeuStar, Inc. United States
BIZ f.gtld.BIZ. 209.173.58.66 AS12008 NeuStar, Inc. United States
BIZ k.gtld.BIZ. 156.154.128.65 AS12008 NeuStar, Inc. United States
CAT dnsc.ad. 194.158.74.10 AS6752 Servei de Telecomunicacions d'Andorra Andorra
CAT ns.nic.CAT. 84.88.0.162 AS13041 CESCA - Anella Cientifica RREN Autonomous System Spain
CAT switch.nic.CAT. 130.59.138.49 AS559 SWITCH, Swiss Education and Research Network Switzerland
CAT nsc.nic.de. 81.91.161.84 AS8763 DENIC eG Germany
CAT ns1.nic.es. 194.69.254.1 AS25354 Entidad Publica Empresarial Red.es Spain
CAT anyc1.irondns.net. 195.253.64.4 AS50611 Knipp Medien und Kommunikation GmbH Germany
CAT cat.pch.net. 204.61.216.20 AS42 PCH PCH United States
CAT sns-pb.isc.org. 192.5.4.1 AS3557 Internet Systems Consortium, Inc. United States
COM a.gtld-servers.net. 192.5.6.30 AS36621 VeriSign Global Registry Services United States
COM b.gtld-servers.net. 192.33.14.30 AS26415 Verisign United States
COM c.gtld-servers.net. 192.26.92.30 AS36619 VeriSign Global Registry Services United States
COM d.gtld-servers.net. 192.31.80.30 AS36617 VeriSign Global Registry Services United States
COM e.gtld-servers.net. 192.12.94.30 AS36625 VeriSign Global Registry Services United States
COM f.gtld-servers.net. 192.35.51.30 AS36620 VeriSign Global Registry Services United States
COM g.gtld-servers.net. 192.42.93.30 AS36624 VeriSign Global Registry Services United States
COM h.gtld-servers.net. 192.54.112.30 AS36623 VeriSign Global Registry Services United States
COM i.gtld-servers.net. 192.43.172.30 AS36631 VeriSign Global Registry Services United States
COM j.gtld-servers.net. 192.48.79.30 AS36626 VeriSign Global Registry Services United States
COM k.gtld-servers.net. 192.52.178.30 AS36622 VeriSign Global Registry Services United States
COM l.gtld-servers.net. 192.41.162.30 AS36628 VeriSign Global Registry Services United States
COM m.gtld-servers.net. 192.55.83.30 AS36618 VeriSign Global Registry Services United States
COOP coop1.dyntld.net. 208.78.70.80 AS33517 Dynamic Network Services, Inc. United States
COOP coop2.dyntld.net. 204.13.250.80 AS33517 Dynamic Network Services, Inc. United States
COOP coop3.dyntld.net. 208.78.71.80 AS33517 Dynamic Network Services, Inc. United States
COOP coop4.dyntld.net. 204.13.251.80 AS33517 Dynamic Network Services, Inc. United States
INT ns0.ja.net. 193.63.94.20 AS786 The JNT Association United Kingdom
INT ns0.ja.net. 128.86.1.20 AS786 The JNT Association United Kingdom
INT sec2.authdns.ripe.net. 193.0.9.4 AS197000 Reseaux IP Europeens Network Coordination Centre (RIPE NCC) Netherlands
INT ns.uu.net. 137.39.1.3 AS701 MCI Communications Services, Inc. d/b/a Verizon Business United States
INT ns.icann.org. 199.4.138.53 AS26710 ICANN DNS Operations Anycast United States
INT ns1.cs.ucl.ac.uk. 128.16.5.32 AS786 The JNT Association United Kingdom
JOBS a5.nstld.com. 192.5.6.34 AS36621 VeriSign Global Registry Services United States
JOBS c5.nstld.com. 192.26.92.34 AS36619 VeriSign Global Registry Services United States
JOBS d5.nstld.com. 192.31.80.34 AS36617 VeriSign Global Registry Services United States
JOBS f5.nstld.com. 192.35.51.34 AS36620 VeriSign Global Registry Services United States
JOBS g5.nstld.com. 192.42.93.34 AS36624 VeriSign Global Registry Services United States
JOBS h5.nstld.com. 192.54.112.34 AS36623 VeriSign Global Registry Services United States
JOBS l5.nstld.com. 192.41.162.34 AS36628 VeriSign Global Registry Services United States
MIL con1.nipr.MIL. 199.252.157.234 AS721 DoD Network Information Center United States
MIL con2.nipr.MIL. 199.252.162.234 AS721 DoD Network Information Center United States
MIL eur1.nipr.MIL. 199.252.154.234 AS721 DoD Network Information Center United States
MIL eur2.nipr.MIL. 199.252.143.234 AS721 DoD Network Information Center United States
MIL pac1.nipr.MIL. 199.252.180.234 AS721 DoD Network Information Center United States
MIL pac2.nipr.MIL. 199.252.155.234 AS721 DoD Network Information Center United States
MOBI a0.mobi.afilias-nst.info. 199.254.55.1 AS12041 Afilias Limited Canada
MOBI a2.mobi.afilias-nst.info. 199.249.118.1 AS42 PCH PCH Canada
MOBI c0.mobi.afilias-nst.info. 199.254.57.1 AS12041 Afilias Limited Canada
MOBI b0.mobi.afilias-nst.org. 199.254.56.1 AS12041 Afilias Limited Canada
MOBI b2.mobi.afilias-nst.org. 199.249.126.1 AS42 PCH PCH Canada
MOBI d0.mobi.afilias-nst.org. 199.254.58.1 AS12041 Afilias Limited Canada
MUSEUM ns5.knipp.de. 195.253.6.62 AS8391 Knipp Medien und Kommunikation GmbH Germany
MUSEUM nic.MUSEUM. 130.242.24.5 AS1653 SUNET Swedish University Network Sweden
MUSEUM anyc1.irondns.net. 195.253.64.4 AS50611 Knipp Medien und Kommunikation GmbH Germany
MUSEUM ns.icann.org. 199.4.138.53 AS26710 ICANN DNS Operations Anycast United States
MUSEUM sns-pb.isc.org. 192.5.4.1 AS3557 Internet Systems Consortium, Inc. United States
NAME a6.nstld.com. 192.5.6.35 AS36621 VeriSign Global Registry Services United States
NAME c6.nstld.com. 192.26.92.35 AS36619 VeriSign Global Registry Services United States
NAME d6.nstld.com. 192.31.80.35 AS36617 VeriSign Global Registry Services United States
NAME f6.nstld.com. 192.35.51.35 AS36620 VeriSign Global Registry Services United States
NAME g6.nstld.com. 192.42.93.35 AS36624 VeriSign Global Registry Services United States
NAME h6.nstld.com. 192.54.112.35 AS36623 VeriSign Global Registry Services United States
NAME j6.nstld.com. 192.48.79.35 AS36626 VeriSign Global Registry Services United States
NAME k6.nstld.com. 192.52.178.35 AS36622 VeriSign Global Registry Services United States
NAME l6.nstld.com. 192.41.162.35 AS36628 VeriSign Global Registry Services United States
NAME m6.nstld.com. 192.55.83.35 AS36618 VeriSign Global Registry Services United States
NET a.gtld-servers.NET. 192.5.6.30 AS36621 VeriSign Global Registry Services United States
NET b.gtld-servers.NET. 192.33.14.30 AS26415 Verisign United States
NET c.gtld-servers.NET. 192.26.92.30 AS36619 VeriSign Global Registry Services United States
NET d.gtld-servers.NET. 192.31.80.30 AS36617 VeriSign Global Registry Services United States
NET e.gtld-servers.NET. 192.12.94.30 AS36625 VeriSign Global Registry Services United States
NET f.gtld-servers.NET. 192.35.51.30 AS36620 VeriSign Global Registry Services United States
NET g.gtld-servers.NET. 192.42.93.30 AS36624 VeriSign Global Registry Services United States
NET h.gtld-servers.NET. 192.54.112.30 AS36623 VeriSign Global Registry Services United States
NET i.gtld-servers.NET. 192.43.172.30 AS36631 VeriSign Global Registry Services United States
NET j.gtld-servers.NET. 192.48.79.30 AS36626 VeriSign Global Registry Services United States
NET k.gtld-servers.NET. 192.52.178.30 AS36622 VeriSign Global Registry Services United States
NET l.gtld-servers.NET. 192.41.162.30 AS36628 VeriSign Global Registry Services United States
NET m.gtld-servers.NET. 192.55.83.30 AS36618 VeriSign Global Registry Services United States
ORG a0.org.afilias-nst.info. 199.19.56.1 AS12041 Afilias Limited Canada
ORG a2.org.afilias-nst.info. 199.249.112.1 AS42 PCH PCH Canada
ORG c0.org.afilias-nst.info. 199.19.53.1 AS12041 Afilias Limited Canada
ORG b0.org.afilias-nst.ORG. 199.19.54.1 AS12041 Afilias Limited Canada
ORG b2.org.afilias-nst.ORG. 199.249.120.1 AS42 PCH PCH Canada
ORG d0.org.afilias-nst.ORG. 199.19.57.1 AS12041 Afilias Limited Canada
POST a0.post.afilias-nst.info. 65.22.0.1 AS12041 Afilias Limited Canada
POST a2.post.afilias-nst.info. 65.22.4.1 AS42 PCH PCH Canada
POST c0.post.afilias-nst.info. 65.22.2.1 AS12041 Afilias Limited Canada
POST b0.post.afilias-nst.org. 65.22.1.1 AS12041 Afilias Limited Canada
POST b2.post.afilias-nst.org. 65.22.5.1 AS42 PCH PCH Canada
POST d0.post.afilias-nst.org. 65.22.3.1 AS12041 Afilias Limited Canada
PRO a0.pro.afilias-nst.info. 199.182.0.1 AS12041 Afilias Limited Canada
PRO a2.pro.afilias-nst.info. 199.182.32.1 AS42 PCH PCH Canada
PRO c0.pro.afilias-nst.info. 199.182.16.1 AS12041 Afilias Limited Canada
PRO b0.pro.afilias-nst.org. 199.182.1.1 AS12041 Afilias Limited Canada
PRO b2.pro.afilias-nst.org. 199.182.40.1 AS42 PCH PCH Canada
PRO d0.pro.afilias-nst.org. 199.182.17.1 AS12041 Afilias Limited Canada
TEL a.dns.nic.TEL. 194.146.106.38 AS8674 NETNOD Internet Exchange i Sverige AB Sweden
TEL b.dns.nic.TEL. 192.36.144.116 AS8674 NETNOD Internet Exchange i Sverige AB Sweden
TEL c.dns.nic.TEL. 204.74.112.1 AS12008 NeuStar, Inc. United States
TEL d.dns.nic.TEL. 204.74.113.1 AS12008 NeuStar, Inc. United States
TEL e.dns.nic.TEL. 199.7.66.1 AS12008 NeuStar, Inc. United States
TEL f.dns.nic.TEL. 199.7.67.1 AS12008 NeuStar, Inc. United States
TEL g.dns.nic.TEL. 192.100.59.11 AS12008 NeuStar, Inc. United States
TEL h.dns.nic.TEL. 198.133.199.11 AS12008 NeuStar, Inc. United States
TRAVEL a.gtld.TRAVEL. 156.154.100.1 AS12008 NeuStar, Inc. United States
TRAVEL b.gtld.TRAVEL. 156.154.101.1 AS12008 NeuStar, Inc. United States
TRAVEL c.gtld.TRAVEL. 156.154.102.1 AS12008 NeuStar, Inc. United States
TRAVEL d.gtld.TRAVEL. 156.154.103.1 AS12008 NeuStar, Inc. United States
TRAVEL e.gtld.TRAVEL. 156.154.104.1 AS12008 NeuStar, Inc. United States
TRAVEL f.gtld.TRAVEL. 156.154.105.1 AS12008 NeuStar, Inc. United States
XXX a0.xxx.afilias-nst.info. 199.115.152.1 AS12041 Afilias Limited Canada
XXX a2.xxx.afilias-nst.info. 199.115.156.1 AS42 PCH PCH Canada
XXX c0.xxx.afilias-nst.info. 199.115.154.1 AS12041 Afilias Limited Canada
XXX b0.xxx.afilias-nst.org. 199.115.153.1 AS12041 Afilias Limited Canada
XXX b2.xxx.afilias-nst.org. 199.115.157.1 AS42 PCH PCH Canada
XXX d0.xxx.afilias-nst.org. 199.115.155.1 AS12041 Afilias Limited Canada


Scroll back up and look at the .COM hosters. All Verisign. All hosted in the USA. It also seems that Verisign controls all the Jobs! ;)

Country Code Top Level domains:


These TLDs are hosted basically all over the place. Most countries have their own nic/noc/dns .ccTLD organisation that takes care of most of the hosting.

I've put the raw text in pastebin as it is just too large!

http://pastebin.com/Pbx2T5pd

Top 25 countries running ccTLD name servers:

    347  United States
    100  Netherlands
     83  United Kingdom
     66  Canada
     63  Sweden
     46  France
     22  Australia
     20  Germany
     17  New Zealand
     17  Brazil
     17  Austria
     16  Mauritius
     16  Japan
     14  Switzerland
     13  Taiwan
     13  Mexico
     12  South Africa
     12  Russian Federation
     11  Turkey
      9  Italy
      9  Hong Kong
      9  Denmark
      8  Norway
      8  Czech Republic
      7  Korea, Republic of


Verisign

The .NET and .COM name servers are all hosted in Verisign IP space. I was surprised by this, as up until now I had only associated Verisign with the certificate business (which has been sold to Symantec. TIL!). Verisign is also responsible for two of the root servers.

Verisign presence as NS in TLDs:
     13 NET
     13 COM
     10 NAME
      7 TV
      7 JOBS
      7 CC
      6 EDU
      2 GOV
      2 .
      1 ARPA



"""We provide the routing support for more than 121 million domain names ending with .com, .net, .tv, .name, .cc, .edu and .jobs—up to 77 billion DNS queries a day. More than half (56%) of the world's DNS hosts rely on the Verisign .net and .com infrastructure.""" --http://www.verisigninc.com/en_US/products-and-services/domain-name-services/index.xhtml

Impressive!!

With and without the USA:

So how much of the internet would still function if I would block any of the US TLD Name Servers?

Total TLDs: 274
US presence in: 180 TLDs.
TLDs left when blocking all US Name servers:  251

So what are these TLD's that we would lose when blocking all US based name servers?

These 23 TLDs have all their Name Servers in the US.

AS
BIZ
CC
CO
COM
COOP
CX
EDU
FM
GOV
JOBS
KY
MH
MIL
NAME
NET
NF
SB
SO
TL
TRAVEL
TV
US

The bold TLDs are the ones I as a non US citizen see the most frequent.

Conclusion:


It is very interesting to see which countries run which DNS servers, as running these servers gives you both control over and insight into what is being requested.

It has been said that the US controls most of the Internet's infrastructure, and that is mainly because most of the 'Internet'/tech companies' HQs are located in the US. Think Google, Facebook, Microsoft etc. Still, most of the TLDs would work without the presence of US-based servers. It is just a bit of a shame that those two or three important ones would be missing ... Com, Net and Org.

Overall the top 30 countries running DNS services are:

    433  United States
    114  Canada
    102  Netherlands
     86  United Kingdom
     67  Sweden
     46  France
     26  Germany
     22  Australia
     17  New Zealand
     17  Japan
     17  Brazil
     17  Austria
     16  Switzerland
     16  Mauritius
     13  Taiwan
     13  Mexico
     12  South Africa
     12  Russian Federation
     11  Turkey
      9  Italy
      9  Hong Kong
      9  Denmark
      8  Norway
      8  Czech Republic
      7  Spain
      7  Korea, Republic of
      7  Chile
      6  Thailand
      6  Sri Lanka
      6  Slovakia