The Kubernetes Census Hidden in DNS: 74,508 Apex Domains, 20,420 Cluster Identities, and One Default Value That Owns Them All
We extracted every Kubernetes signal we could find from a 17 April 2026 DNS crawl — heritage=external-dns TXT markers AND CNAME chains terminating in managed-Kubernetes ingress endpoints (AWS ELB k8s-prefixed names, .azmk8s.io, .gke.goog, .openshiftapps.com, .k8s.ondigitalocean.com, etc.). 74,508 unique apex domains carry at least one strict-precision Kubernetes signal (41,565 with TXT markers, 34,219 with strict CNAME pointers, 1,276 in both). 20,420 distinct cluster identities are visible. 13,620 apexes (32.8% of TXT-marker side) use the literal string "default" as their cluster identifier. 815 use the literal example strings from the ExternalDNS README. 6,842 apexes publish a sensitive Kubernetes namespace (argocd, vault, kube-system, istio-system) to public DNS. 1,936 apexes have already migrated to the Gateway API. This is the first combined-signal cluster-identity census of the public Kubernetes footprint.