Huge interest in non-existent domain names
Millions of queries a day about domains that don't exist
On our statistics website stats.sidnlabs.nl, we publish a range of information about the DNS queries processed by the .nl name servers. A DNS query is a request from a DNS resolver for information about one or more of the 5.9 million .nl domain names – what the name server or IP address is, for example.
However, millions of the queries sent by resolvers relate to domain names that don't exist. Such queries could be due to system configuration errors, but they could also be linked to cybercrime. For the security and stability of the .nl zone, it's therefore important to understand what's happening. Why are so many non-existent domain names queried? Who's sending the queries? And should we be concerned? This blog seeks to provide the answers.
Ever since we started using ENTRADA in 2014, we've been seeing quite a lot of DNS queries about non-existent domain names (NXDOMAINs). The graph entitled Unique domain names (figure 1) shows the daily numbers of unique existent and non-existent domain names queried. In other words, the graph relates to the numbers of unique domain names specified in the queries, not the total numbers of DNS queries received about those domain names. An existent domain name is defined as a domain name that is registered and published in the .nl zone. Non-existent domain names can be divided into two types:
Domain names that are not registered
Domain names that are registered, but not published in the .nl zone; a registered domain name isn't published if, for example, it doesn't comply with the publication criteria that we apply with regard to linked name servers and so on
The most striking feature of the data in figure 1 is that the number of unique non-existent domain names (NXDOMAINs) queried by resolvers is normally about ten to fifteen times greater than the number of unique existent domain names (OKs).
Published data and our own experience indicate that queries about non-existent domain names are driven by various quite dissimilar factors, including the following:
When typing domain names, people sometimes make slips, especially on mobile devices with small keyboards. Some queries about non-existent domain names are probably down to people making innocent mistakes.
If a domain name was previously in use – for a website, say – it often goes on getting queried after its deletion, because another website (or multiple other sites) have 'dead' links to the old site. Much the same can happen with e-mail addresses. Most people are quite lax about keeping address books and contact lists updated. Addresses therefore get retained long after they've dropped out of use, with people sending mail to them sometimes even years later.
When a .nl domain name is cancelled, it's deleted from the .nl zone. However, it isn't immediately made available for re-registration. First, it's placed in quarantine for forty days. And some quarantined domain names are quite desirable. So there are firms that specialise in catching dropped domain names the moment they're released from quarantine. These 'drop-catchers' use DNS queries to check continuously whether desirable names have been released.
Zone reconstruction involves mapping an entire zone (in the case of .nl, all 5.9 million domain names) by sending queries to find out which domain names are registered. The queries are generated from word lists or lists of the domain names in other top-level domain (TLD) zones. You can see that happening in figure 1: there are two sharp peaks in NXDOMAIN queries in January and February of this year. The queries came from a single IP address that queried the .nl equivalent of every .com domain name to find out whether it existed. Because the .com zone contains about 145 million domain names (as of late 2019), a high proportion of the DNS queries in question related to non-existent domain names.
NXDOMAIN queries can also be due to a botnet using a Domain Generation Algorithm (DGA). A DGA generates a list of many thousands of domain names, of which just one (or a handful) will be registered by the botnet controller for the botnet's command and control (C&C) server. A botnet client discovers its C&C server's IP address by querying every domain name on its list until it finds one that's in use. The practice gives rise to large numbers of DNS queries about non-existent domain names.
The DNS and other internet systems are frequently the subject of large-scale measurement campaigns by universities and research institutes around the world. Such campaigns may be aimed at gathering information about abusive practices, for example, or the use of new technologies. Many are explorative and result in relatively large numbers of queries about non-existent domain names. The impact of measurement campaigns is reflected in table 1, which lists the networks from which the most DNS queries about non-existent domain names originate. Two of the top ten networks are universities ('Leibniz-Rechenzentrum' and 'GEORGIA-TECH'), together accounting for 13.6 per cent of incoming DNS queries about non-existent domain names.
In order to answer that question, we looked to see which networks queried the most unique domain names (table 1) and sent the most DNS queries about non-existent domain names in percentage terms (table 2). Table 1 shows the ten networks querying the most unique existent (OK) and non-existent (NXDOMAIN) domain names. The only two networks that send DNS queries about all existent (OK) domain names are those belonging to SIDN and SURFnet. In our case, the reason is that we scan all existent domain names on a daily basis to check for things such as DNSSEC validation errors. Similarly, the SURFnet network is used by the University of Twente for its OpenINTEL platform, via which the university analyses the DNS attributes of the entire .nl zone every day. The NXDOMAIN top ten includes several networks that query exceptionally large numbers of unique non-existent domain names. The first network in the list (Hetzner Online GmbH) queried 163 million unique domain names, although the .nl zone includes only 5.9 million unique domain names.

Table 1 Top ten querying networks, by number of unique domain names
| Top 10 NXDOMAIN networks | Unique domain names | Top 10 OK networks | Unique domain names |
| Hetzner Online GmbH | 163,801,921 | SURFnet bv | 5,912,249 |
| DIGITALOCEAN-ASN | 116,023,529 | Stichting Internet Domeinregistratie Nederland | 5,902,201 |
| AMAZON-02 | 109,069,093 | | 5,523,501 |
| | 68,179,829 | AMAZON-02 | 5,372,244 |
| Accelerated IT Services & Consulting GmbH | 44,861,900 | CLOUDFLARENET | 5,307,856 |
| CJ2 Hosting B.V. | 30,529,786 | AMAZON-AES | 5,257,576 |
| WorldStream B.V. | 27,571,025 | DOMAINTOOLS | 4,906,475 |
| OVH SAS | 21,849,532 | OVH SAS | 4,340,032 |
| Host Europe GmbH | 20,504,277 | WOODYNET-1 | 4,312,785 |
| OPENDNS | 20,183,440 | DIGITALOCEAN-ASN | 4,213,626 |
The data relates to the period 01-03-2020 to 10-03-2020, inclusive.

The ten networks with the highest percentages of NXDOMAIN queries (table 2) are mainly networks operated by hosting service providers, cloud service providers and universities. Two university networks ('Leibniz-Rechenzentrum' and 'GEORGIA-TECH') together account for 13.6 per cent of incoming DNS queries about non-existent domain names. It's also apparent that certain networks send more DNS queries about non-existent domain names than one would expect from the number of DNS queries they send about existent domain names. Networks such as 'Hetzner Online GmbH' and 'Accelerated IT Services & Consulting GmbH' figure prominently in the NXDOMAIN top ten, despite being absent from the OK top ten.

Table 2 Top ten querying networks, by percentage of DNS queries sent
| Top 10 NXDOMAIN networks | Share of NXDOMAIN queries | Top 10 OK networks | Share of OK queries |
| | 13.25% | | 14.98% |
| Hetzner Online GmbH | 10.13% | MICROSOFT-CORP-MSN-AS-BLOCK | 10.06% |
| Leibniz-Rechenzentrum | 9.97% | AMAZON-02 | 5.70% |
| AMAZON-02 | 8.88% | | 5.67% |
| DIGITALOCEAN-ASN | 7.95% | KPN B.V. | 5.07% |
| CLOUDFLARENET | 4.40% | AMAZON-AES | 3.00% |
| AMAZON-AES | 3.95% | CLOUDFLARENET | 2.97% |
| GEORGIA-TECH | 3.60% | DIGITALOCEAN-ASN | 2.27% |
| Accelerated IT Services & Consulting GmbH | 3.16% | OPENDNS | 1.92% |
| OVH SAS | 2.30% | OVH SAS | 1.43% |
The percentages are calculated from data for the period 01-03-2020 to 10-03-2020, inclusive.
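
The comparison behind tables 1 and 2, reduced to a small script. This is an added example, not SIDN's code or an ENTRADA query: it ranks networks by unique names per response code, computes each network's share of queries, and lists networks that appear in the NXDOMAIN top n but not in the OK top n. The network names, sample rows and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows: (source network, queried name, response code).
# Real input would be name-server query logs; nothing here is measured data.
SAMPLE = [
    ("SCANNER-NET", "aaa-one.nl", "NXDOMAIN"), ("SCANNER-NET", "aaa-two.nl", "NXDOMAIN"),
    ("SCANNER-NET", "aaa-three.nl", "NXDOMAIN"), ("SCANNER-NET", "aaa-four.nl", "NXDOMAIN"),
    ("SCANNER-NET", "site-one.nl", "NOERROR"),
    ("RESOLVER-NET", "site-one.nl", "NOERROR"), ("RESOLVER-NET", "Site-One.NL.", "NOERROR"),
    ("RESOLVER-NET", "site-one.nl", "NOERROR"), ("RESOLVER-NET", "site-two.nl", "NOERROR"),
    ("RESOLVER-NET", "site-onee.nl", "NXDOMAIN"), ("RESOLVER-NET", "site-onee.nl", "NXDOMAIN"),
    ("CRAWLER-NET", "site-one.nl", "NOERROR"), ("CRAWLER-NET", "site-two.nl", "NOERROR"),
    ("CRAWLER-NET", "site-three.nl", "NOERROR"), ("CRAWLER-NET", "old-site.nl", "NXDOMAIN"),
    ("CRAWLER-NET", "site-two.nl", "SERVFAIL"),
]
RCODES = ("NOERROR", "NXDOMAIN")

def summarise(records):
    """Per network: set of unique names and number of queries, per response code."""
    uniq = defaultdict(lambda: {r: set() for r in RCODES})
    count = defaultdict(lambda: {r: 0 for r in RCODES})
    for net, name, rcode in records:
        if rcode not in RCODES:
            continue  # SERVFAIL, REFUSED etc. fall outside the OK/NXDOMAIN comparison
        # DNS names are case-insensitive; drop the trailing root dot as well.
        uniq[net][rcode].add(name.lower().rstrip("."))
        count[net][rcode] += 1
    return uniq, count

def top_unique(uniq, rcode, n):
    """Table 1 style: networks ranked by number of unique names queried."""
    ranked = sorted(uniq, key=lambda net: (-len(uniq[net][rcode]), net))
    return [(net, len(uniq[net][rcode])) for net in ranked[:n] if uniq[net][rcode]]

def share(count, rcode):
    """Table 2 style: each network's percentage of all queries with this rcode."""
    total = sum(c[rcode] for c in count.values())
    return {net: round(100 * c[rcode] / total, 2)
            for net, c in count.items() if total and c[rcode]}

def nx_only(uniq, n):
    """Networks in the NXDOMAIN top n that are absent from the OK top n."""
    ok = {net for net, _ in top_unique(uniq, "NOERROR", n)}
    return [net for net, _ in top_unique(uniq, "NXDOMAIN", n) if net not in ok]

if __name__ == "__main__":
    uniq, count = summarise(SAMPLE)
    print(top_unique(uniq, "NXDOMAIN", 2), share(count, "NXDOMAIN"), nx_only(uniq, 2))
```

Unique-name counts and query shares answer different questions: a network that repeats one mistyped name raises its share but not its unique count, while a network walking a word list raises both.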
Not really. Our infrastructure is dimensioned to be able to handle a multiple of the normal load without difficulty. We have developed a scalable and robust DNS infrastructure based on ANYCAST technology. It's also important to recognise that the number of DNS queries about non-existent domain names is normally only 12 to 15 per cent of the total number of DNS queries received. See figure 2 (Response codes) for the percentages of all DNS queries accounted for by existent (OK) and non-existent (NXDOMAIN) domain names.
The questions we posed at the outset were: Why are so many non-existent domain names queried? Who's sending the queries? And should we be concerned? It seems that there are various reasons why queries are sent about non-existent domain names. Most of the reasons are legitimate. Some are not, however; a proportion of queries come from botnets, for example. We therefore intend to continue monitoring the situation, so that we can intervene if needs be. With regard to the second question, it's apparent that some networks query relatively large numbers of non-existent domain names. Most of the networks in question are associated with hosting, education/research and public resolving services. Finally, is the situation problematic? Not in terms of the load that the NXDOMAIN queries place on the .nl name server infrastructure. However, such queries may be a pointer to activities that are problematic in other ways, such as botnet activities. Here at SIDN Labs, we therefore intend to keep studying DNS data with the aim of increasing the security and stability of the internet in the Netherlands and beyond.