Who Runs the World's DNS: GoDaddy Owns the Default, Cloudflare Owns the Choice, and 92% of Domains Have a Single Point of Failure

Every connection to every website begins with a question almost no one ever sees: which servers are authoritative for this name? Before a browser fetches a page, before a mail server delivers a message, before an API call resolves, a recursive resolver asks the domain's nameservers where to go. The NS record is the hinge the entire Internet swings on, and it is the one piece of infrastructure most domain owners configure exactly once and never think about again.

That "never think about again" is precisely what makes the NS layer worth measuring. Conventional wisdom treats DNS hosting as a commodity — a free checkbox bundled with a domain registration, indistinguishable from one provider to the next. But commodities concentrate, and infrastructure that everyone ignores is infrastructure whose risks compound silently. The October 2016 attack on Dyn — which used the Mirai botnet to knock Twitter, Netflix, Reddit, GitHub, Spotify and Airbnb off the Internet for hours — was not a failure of those companies' servers. It was a failure of the one nameserver provider they had all quietly delegated to.

So we asked the direct question: who runs the world's DNS? We pointed an NS-typed crawl at our full corpus, resolving the authoritative nameservers for every registrable domain we track, then attributed each domain to the organization that operates its nameservers. This is the fourth in our series measuring the Internet one record type at a time — after IPv6 (AAAA), aliases (CNAME), and mail (MX) — and like those, the NS layer turns out to be a map of who actually holds the Internet's load-bearing walls.

The headline: of 277.6 million delegated domains, just two companies — GoDaddy (18.9%) and Cloudflare (13.9%) — answer for nearly a third of the delegated web, registrar-bundled DNS runs almost half of it, and 92.5% of all delegated domains depend on a single DNS organization with no independent backup. The Internet's most load-bearing record type is also its most concentrated, and its most fragile.

The Data

We queried NS records for every registrable apex in the corpus during the 9 June 2026 crawl. A registrable apex is the domain you actually buy — example.com, example.co.uk — computed under ICANN public-suffix rules. We count delegation at the apex because that is where it lives: a domain has exactly one set of authoritative nameservers, returned once, regardless of how many subdomains hang beneath it.

| NS crawl, 9 June 2026 | Apexes | Share |
|---|---|---|
| Registry apexes observed (NOERROR) | 301,278,782 | 100% |
| Delegated (≥1 NS record) | 277,585,349 | 92.14% |
| Registered/known but undelegated (no NS) | 23,693,433 | 7.86% |
| Distinct DNS operators (primary, after grouping) | 365,592 | |

Russian-territorial TLDs (.ru, .su, .moscow, and the two Cyrillic IDN TLDs) are excluded from every figure in this post, as they are from all our analysis.

The 7.86% that resolve NOERROR but return no nameservers are a quiet echo of the dead web: 23.7 million names the Internet still remembers but no longer delegates — lapsed registrations, half-deleted zones, and names caught mid-transfer. Everything that follows is measured against the 277.6 million domains that are actually delegated and answerable today.

Methodology

This post makes quantitative claims about market share and resilience, so the definitions matter.

  • Delegated apex. A registrable domain (ICANN eTLD+1) that returns at least one NS record. We resolve the public suffix using the ICANN section only, walking up past private-section suffixes (e.g. kasserver.com, blogspot.com) so that a hosting platform's own subdomains are not miscounted as registry apexes — the same correction our IPv6 study required. This is why the apex universe here (301M) is smaller and cleaner than a naive count.
  • DNS operator. We map each nameserver hostname to the organization that runs it, by the ICANN-registrable domain of the NS host: carla.ns.cloudflare.com → Cloudflare, ns07.domaincontrol.com → GoDaddy, dns1.p01.nsone.net → NS1.
  • Operator grouping. A handful of providers deliberately spread their nameservers across several registrable domains for resilience within their own network — AWS Route 53 across awsdns-NN.{com,net,org,co.uk}, Azure across azure-dns.{com,net,org,info}, IONOS across ui-dns.{biz,de,org,com}, Hetzner across first-ns.de/second-ns.{com,de}, plus Akamai and UltraDNS. We collapse these to one organization before counting, so they are not falsely scored as multi-provider setups. Getting this wrong inflates both vendor share and the resilience numbers; we validated each collapse against sampled records.
  • Primary vs. any. Each delegated apex is attributed to one primary operator (the organization running the plurality of its nameservers; ties broken deterministically) so the leaderboard sums to the delegated universe. We separately compute an any view (an apex counts toward every operator it uses) to catch multi-provider arrangements; for all but a few providers the two are within a fraction of a percent.
  • Single vs. multi-provider. A domain is single-provider if every one of its nameservers belongs to one DNS organization, multi-provider if its nameservers span two or more independent organizations. Self-hosted means at least one nameserver is registrable under the apex itself (a vanity nameserver such as ns1.example.com for example.com).
  • Classification rate. We attribute 80.3% of delegated apexes to a named operator. The unclassified 19.7% is a genuine long tail of small regional registrars and hosts — the single largest unmapped operator is dyna-ns.net at 0.59%, and nothing else exceeds 0.25%. There is no hidden giant in the residual.

Known limitations. NS is the cleanest of the typed crawls — a nameserver delegation is unambiguous in a way an MX gateway or a flattened CNAME is not — but three caveats apply. First, white-label vanity nameservers (a reseller's ns1.brand.com that is actually operated by a larger provider) are counted as self-hosted or as the brand, slightly undercounting the true platform behind them. Second, this is a single snapshot; it measures delegation, not uptime or query volume. Third, our share is by domain count, which weights the long tail of small sites equally with major properties — the opposite bias from traffic-weighted measurements, and the reason our numbers diverge from web-popularity surveys in a predictable direction (discussed below). Full pipeline and per-operator counts are reproducible from the dataset.
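
The attribution and single-versus-multi-provider rules above, as an added Python sketch (not the study's pipeline). The suffix set is a small constructed stand-in for the ICANN public-suffix section, the sample delegations are constructed, and the alphabetical tie-break is an assumption, since the post says only that ties are broken deterministically.

```python
import re
from collections import Counter

# Constructed stand-in for the ICANN section of the Public Suffix List;
# a real run would load the full list instead of these few suffixes.
ICANN_SUFFIXES = {"com", "net", "org", "info", "biz", "de", "uk", "co.uk"}

# Operator grouping rules built from the hostnames named in the methodology.
OPERATOR_RULES = [
    (re.compile(r"^awsdns-\d+\.(com|net|org|co\.uk)$"), "AWS Route 53"),
    (re.compile(r"^azure-dns\.(com|net|org|info)$"), "Azure DNS"),
    (re.compile(r"^ui-dns\.(biz|de|org|com)$"), "IONOS"),
    (re.compile(r"^cloudflare\.com$"), "Cloudflare"),
    (re.compile(r"^domaincontrol\.com$"), "GoDaddy"),
    (re.compile(r"^nsone\.net$"), "NS1"),
]

# Constructed sample delegations (not crawl data).
SAMPLE = {
    "example.com": ["ns07.domaincontrol.com", "ns08.domaincontrol.com"],
    "example.net": ["ns-1.awsdns-01.com", "ns-2.awsdns-02.net",
                    "ns-3.awsdns-03.org", "ns-4.awsdns-04.co.uk"],
    "example.org": ["carla.ns.cloudflare.com", "dns1.p01.nsone.net"],
    "example.co.uk": ["ns1.example.co.uk"],
}


def registrable_domain(host):
    """Return the eTLD+1 of host, trying the longest suffix first."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in ICANN_SUFFIXES:
            return ".".join(labels[i - 1:])
    raise ValueError(f"no registrable domain for {host!r}")


def operator_of(ns_host):
    """Map one nameserver hostname to the organization that runs it."""
    domain = registrable_domain(ns_host)
    for pattern, org in OPERATOR_RULES:
        if pattern.match(domain):
            return org
    return domain  # unmapped: the registrable domain stands in for the operator


def classify(apex, ns_hosts):
    """Score one delegated apex using the definitions in the methodology."""
    hosts = sorted({h.lower().rstrip(".") for h in ns_hosts})
    if not hosts:
        raise ValueError("undelegated apex: no NS records")
    counts = Counter(operator_of(h) for h in hosts)
    # Plurality wins; the alphabetical tie-break is an assumption of this sketch.
    primary = min(counts, key=lambda org: (-counts[org], org))
    return {
        "apex": apex,
        "primary": primary,
        "operators": sorted(counts),
        "provider": "single" if len(counts) == 1 else "multi",
        "self_hosted": any(registrable_domain(h) == apex.lower() for h in hosts),
        "ns_hosts": len(hosts),  # 1 means a single nameserver host
        "ungrouped_domains": len({registrable_domain(h) for h in hosts}),
    }


if __name__ == "__main__":
    for apex, ns in SAMPLE.items():
        print(classify(apex, ns))
```

The `example.net` row shows why grouping matters: its four nameservers sit under four registrable domains, yet they are one operator and therefore one point of failure.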

The Scorecard

Here is who runs the delegated web, by primary DNS operator, as a share of all 277.6 million delegated apexes.

| Rank | DNS operator | Delegated apexes | Share | Type |
|---|---|---|---|---|
| 1 | GoDaddy (domaincontrol.com) | 52,558,251 | 18.93% | registrar |
| 2 | Cloudflare | 38,539,040 | 13.88% | DNS service |
| 3 | Google Cloud DNS / Domains | 10,031,932 | 3.61% | hyperscaler |
| 4 | Namecheap | 9,636,838 | 3.47% | registrar |
| 5 | Afternic | 9,032,566 | 3.25% | parking |
| 6 | Hostinger | 8,596,087 | 3.10% | registrar |
| 7 | Wix | 6,635,585 | 2.39% | registrar |
| 8 | IONOS | 6,501,361 | 2.34% | registrar |
| 9 | Alibaba Cloud DNS | 4,210,761 | 1.52% | hyperscaler |
| 10 | OVH | 3,313,543 | 1.19% | registrar |
| 11 | AWS Route 53 | 3,242,943 | 1.17% | hyperscaler |
| 12 | NameBright | 3,202,389 | 1.15% | registrar |
| 13 | DNS.com (CN) | 3,180,581 | 1.15% | managed |
| 14 | NS1 (IBM) | 3,072,890 | 1.11% | managed |

The top ten operators run DNS for 53.7% of the delegated web; the top two alone run nearly a third (32.8%). That is steep concentration for a layer with hundreds of thousands of operators — but the more revealing cut is by type. Group every operator by what it fundamentally is, and the picture sharpens.

Concentration, by category

| Category | Delegated apexes | Share |
|---|---|---|
| Registrar / host-bundled DNS | 132,948,670 | 47.89% |
| Cloudflare | 38,539,040 | 13.88% |
| Hyperscaler cloud DNS (Google, Alibaba, AWS, Azure, Tencent, Vercel…) | 20,440,975 | 7.36% |
| Parking / aftermarket | 18,443,265 | 6.64% |
| Specialist managed DNS (NS1, DNS Made Easy, UltraDNS, Akamai…) | 11,219,286 | 4.04% |
| Self-hosted (vanity NS) | 1,111,623 | 0.40% |
| Unclassified long tail | 54,663,997 | 19.69% |

Nearly half of the delegated web — 47.9% — runs on DNS it never chose. When you register a domain at GoDaddy, Namecheap, Hostinger, IONOS or Wix, the registrar's nameservers are filled in automatically, and most owners never change them. This is the exact pattern we found in email, where registrar- and host-bundled mail beat both Google and Microsoft: the default wins by inertia. DNS is the same story, more so — because changing your nameservers is a deliberate, slightly intimidating act, the bundled default is even stickier than the bundled mailbox.

Against that backdrop, Cloudflare's 13.9% is the standout number in the dataset. Cloudflare is not a registrar; you cannot register a domain there and have it default to Cloudflare DNS. Every one of those 38.5 million domains moved — an owner went into their registrar, copied two ns.cloudflare.com hostnames, and repointed their delegation. Cloudflare is the only operator in the top tier that grew entirely by active migration, and it is now larger, by domain count, than the entire enterprise cloud combined.

GoDaddy Owns the Default, Cloudflare Owns the Choice

The two leaders embody opposite growth mechanics, and the contrast is the most important thing in the data.

GoDaddy's 52.6 million delegated domains are a direct function of being the world's largest registrar. Its domaincontrol.com nameservers are the factory setting on tens of millions of registrations, parked pages, and small-business sites. GoDaddy did not win DNS; it won registration, and DNS came along for free. That is why its footprint tracks the Anglosphere SMB market almost perfectly (more on that below).

Cloudflare's 38.5 million domains are the opposite: a coalition of the willing. To use Cloudflare you must change your nameservers, which means every Cloudflare domain represents an owner who decided the free tier's speed, DDoS protection, and analytics were worth a configuration change. This is also why Cloudflare is nearly invisible in our CNAME study but dominant here: Cloudflare flattens CNAMEs into A/AAAA records at its edge, so it barely appears in the alias map — but you reach all of that only by handing Cloudflare your nameservers first. The NS record is where Cloudflare's true footprint becomes visible.

Both observations triangulate against external measurements, with an instructive gap. W3Techs, which tracks DNS providers across the most popular ~10–50 million websites, reports (June 2026) GoDaddy DNS at 26.7% and Cloudflare at 10.8% — the same one-two ranking we find, but with GoDaddy higher and Cloudflare lower. B2B-oriented trackers like Datanyze put GoDaddy near 33% and Cloudflare near 20%. Our shares (GoDaddy 18.9%, Cloudflare 13.9%) sit below both, and the reason is methodological and consistent: we count the full 277.6-million-domain long tail, where popularity-weighted surveys count mostly active, trafficked sites. The deeper into the tail you go, the more the universe fills with small foreign and Chinese registrars that dilute the Anglosphere leaders — so GoDaddy's share falls even as its absolute lead holds. The agreement on rank, and the predictable direction of the disagreement on share, is exactly what triangulation should look like.

The Enterprise Cloud Barely Shows Up

The most counterintuitive row in the scorecard is the one that is small.

| Hyperscaler DNS | Delegated apexes | Share |
|---|---|---|
| Google Cloud DNS / Domains | 10,031,932 | 3.61% |
| Alibaba Cloud DNS | 4,210,761 | 1.52% |
| AWS Route 53 | 3,242,943 | 1.17% |
| Tencent DNSPod | 952,099 | 0.34% |
| Vercel | 761,704 | 0.27% |
| Azure DNS | 414,787 | 0.15% |
| DigitalOcean | 397,482 | 0.14% |
| All hyperscaler cloud DNS | 20,440,975 | 7.36% |

Cloudflare alone (13.88%) runs DNS for nearly twice as many domains as every hyperscaler cloud combined (7.36%), and roughly twelve times as many as AWS Route 53 (1.17%). Azure DNS, the default for the second-largest cloud on Earth, answers for one domain in 670.

This is not because Route 53 or Azure DNS are small businesses — they are enormous by revenue and by query volume, and they sit underneath some of the highest-traffic properties in existence. It is because the hyperscaler clouds sell DNS as a component of an infrastructure stack, not as a destination for the long tail. You end up on Route 53 because you already run on AWS; you do not migrate a personal blog there. Cloudflare, by contrast, productized authoritative DNS as a free standalone service and marketed it to everyone. The result is a domain-count footprint that inverts the usual cloud hierarchy — the consumer-facing free tier dwarfs the enterprise platforms, even though those platforms almost certainly carry more queries per second. This is the same domain-count-versus-weight inversion we flagged for email's Google-over-Microsoft lead: counting domains rewards reach into the tail, not revenue.

Your Registrar Runs Your DNS — and So Does the Parking Lot

Below the leaders, the registrar-bundled long tail is dense and geographically legible: Namecheap (3.47%), Hostinger (3.10%), Wix (2.39%), IONOS (2.34%), OVH (1.19%), Strato, Newfold, Network Solutions, GMO. Each is the default DNS for its slice of the registration market, and together they are why the registrar category reaches 48%.

But one category in the scorecard deserves its own spotlight, because it is larger than every cloud put together: parking and aftermarket DNS at 6.64% — roughly one delegated domain in fifteen.

| Parking / aftermarket operator | Delegated apexes | Share |
|---|---|---|
| Afternic (GoDaddy) | 9,032,566 | 3.25% |
| Sedo | 1,670,086 | 0.60% |
| Above / Trellian | 1,277,126 | 0.46% |
| NameFind (GoDaddy) | 878,807 | 0.32% |
| ParkLogic | 776,028 | 0.28% |
| Others (DAN, ParkingCrew, HugeDomains, Efty…) | ~4,800,000 | ~1.7% |

More than 18 million delegated domains point their nameservers at a for-sale or parking operator — Afternic alone (GoDaddy's aftermarket arm) accounts for 9 million. These are domains whose only "service" is a landing page advertising the name for sale, and their DNS is operated by the marketplace. This is the live-infrastructure complement to our parking and dead-web findings: the parking economy is not a fringe — by nameserver delegation it is bigger than Google, Alibaba, AWS, and Azure's DNS businesses combined. When marketplaces consolidate or shut down, as Bodis did in early 2026, the delegation layer is where the disruption first becomes visible.

The Single Point of Failure

The leaderboard answers who. The resilience numbers answer a more uncomfortable question: what happens when they blink?

| Resilience metric (of 277.6M delegated) | Apexes | Share |
|---|---|---|
| Single DNS organization (no independent backup) | 256,837,191 | 92.53% |
| Multi-provider (NS across ≥2 organizations) | 20,748,158 | 7.47% |
| Self-hosted (≥1 vanity nameserver) | 1,152,300 | 0.42% |
| 1 nameserver host (RFC 2182 violation) | 349,377 | 0.13% |
| 2 nameserver hosts | 209,104,941 | 75.33% |
| 3 nameserver hosts | 22,989,953 | 8.28% |
| 4+ nameserver hosts | 45,141,078 | 16.26% |

More than nine in ten delegated domains — 92.5% — depend on a single DNS organization. They publish the recommended two-or-more nameservers (75.3% publish exactly two, satisfying RFC 1034's minimum), but those nameservers live inside one company's network. If that company suffers a network-wide outage, a BGP withdrawal, a DDoS like the one that took down Dyn in 2016, or a billing dispute, all of the domain's nameservers go dark together. The redundancy is an illusion: two nameservers, one point of failure.

Only 7.5% of domains spread their DNS across two or more independent operators — the configuration that actually survives a provider-level outage, where resolvers fall back to the surviving network. This is the architecture every major DNS incident since 2016 has recommended, and it remains the rare exception. It tracks with industry surveys showing that roughly 44% of SaaS platforms still run on a single DNS provider, even among sophisticated operators — and our number is far higher because our universe is the entire delegated web, not a curated list of well-run services. Self-hosting has nearly vanished: just 0.42% of domains run any nameserver under their own name, and most of those are large technology firms and hosting providers running their own infrastructure, not small operators.

The single-nameserver population is small but striking: 349,377 domains publish exactly one nameserver, violating RFC 2182's two-decade-old requirement for at least two on separate networks. For those domains, a single server reboot is a total outage. They are a rounding error in percentage terms (0.13%) and a real-world fragility for the third of a million owners who have them.

The structural reason redundancy stays rare is the same inertia that drives the concentration: multi-provider DNS requires deliberate configuration that the bundled default actively discourages. Your registrar gives you its two nameservers and no obvious path to add a second, independent operator. The market has optimized for one-click convenience, and one-click convenience is, by construction, a single point of failure.

DNS Is a Map

Break the leaderboard down by TLD and the abstract market shares resolve into a geography — who registered where, and which default they inherited.

| TLD | Delegated | Cloudflare | Route 53 | GoDaddy |
|---|---|---|---|---|
| .com | 137,890,677 | 11.95% | 1.28% | 23.98% |
| .net | 10,209,571 | 11.45% | 1.84% | 23.91% |
| .org | 9,975,239 | 13.07% | 1.34% | 26.06% |
| .ca (Canada) | 2,677,351 | 8.52% | 0.96% | 41.46% |
| .in (India) | 2,139,863 | 7.70% | 0.99% | 38.90% |
| .us | 1,424,133 | 9.95% | 1.12% | 35.05% |
| .co.uk | 5,668,692 | 11.18% | 0.94% | 31.73% |
| .com.au | 2,171,603 | 11.22% | 2.35% | 28.49% |
| .shop | 2,595,068 | 31.91% | 0.16% | 16.33% |
| .io | 989,495 | 23.47% | 5.42% | 21.30% |
| .info | 3,443,286 | 24.82% | 0.62% | 25.34% |
| .cn (China) | 3,093,676 | 20.85% | 0.07% | 0.67% |
| .com.br (Brazil) | 3,251,716 | 15.95% | 1.58% | 4.26% |
| .de (Germany) | 11,733,150 | 3.55% | 0.38% | 5.71% |
| .fr (France) | 3,606,572 | 5.83% | 0.54% | 1.43% |
| .jp (Japan) | 866,078 | 3.15% | 7.59% | 1.00% |

GoDaddy owns the Anglosphere. It runs DNS for 41% of Canadian .ca domains, 39% of Indian .in, 35% of .us, 32% of .co.uk, and 28% of Australian .com.au. These are the markets where GoDaddy's registrar business is strongest, and the DNS share is the registration share by another name — the default, inherited at scale.

Cloudflare owns the new and the emerging. Its share peaks on the gTLDs that attract technically engaged owners making active choices: 32% of .shop, 25% of .info, 23% of .io, and 16% of Brazil's .com.br. Strikingly, Cloudflare runs 20.9% of Chinese .cn DNS — where GoDaddy and the entire Western hyperscaler bloc are near zero — making it the most visible non-domestic operator in a namespace otherwise served by Alibaba and local Chinese DNS services. Where owners choose, they choose Cloudflare.

Continental Europe runs on itself. German .de (Cloudflare 3.6%, GoDaddy 5.7%), French .fr (5.8% / 1.4%), Swiss, Czech and Dutch domains are low on every American operator because their registration markets are dominated by domestic incumbents — IONOS and Strato in Germany, OVH in France, local hosts everywhere. The default-wins dynamic is universal; only the identity of the default changes with the border.

And Japan is the lone exception to every rule. It is the only significant TLD where AWS Route 53 (7.6%) outruns Cloudflare (3.15%), and where GoDaddy is a rounding error (1.0%). Japanese DNS runs on a mix of AWS's Tokyo presence and domestic providers (GMO, Value-Domain, Xserver) — a market that imported the enterprise cloud and grew its own registrars, but never adopted the bundled-registrar-or-Cloudflare pattern that defines almost everywhere else.

What's at Stake

  • Correlated failure is the default architecture. With 92.5% of domains on a single DNS organization, a major provider outage is not an edge case — it is a guaranteed, recurring, large-blast-radius event. The 2016 Dyn attack is the template, and the conditions that made it catastrophic are now more concentrated, not less.
  • Two companies are systemic. GoDaddy and Cloudflare together answer for a third of the delegated web. A sustained failure at either would be among the largest infrastructure events the Internet can produce — not because their engineering is weak, but because the dependency is that broad.
  • The enterprise-cloud blind spot. Route 53 and Azure DNS carry enormous query volume under high-traffic sites while serving a tiny share of domains. Resilience planning that benchmarks against "what the big clouds do" misreads the long tail, where bundled defaults and single-provider setups are the norm.
  • The parking layer is real infrastructure. 18 million domains delegate DNS to aftermarket operators. Consolidation or shutdown in that sector — already underway — propagates through the delegation layer first, and it is large enough to matter.
  • Redundancy is a luxury good. Multi-provider DNS, the one configuration that survives provider failure, is used by 7.5% of domains and is concentrated among the largest, most sophisticated operators. Everyone else has inherited a single point of failure they did not choose and cannot see.

What Would Help

  1. Registrars: make secondary DNS a one-click option. The single biggest lever on Internet resilience is not new technology — it is a checkbox. If adding a second, independent DNS provider were as easy as the default delegation, the 7.5% multi-provider figure would move. The inertia that built the concentration can be redirected to fix it.
  2. Domain owners: add a second operator before you need one. If your business depends on resolving, your two nameservers should not live in one company's network. Multi-provider DNS (primary plus a secondary like NS1, Dyn, or a second cloud zone) is the difference between a competitor's outage and your own. Start with the stats dashboard to see how concentrated your TLD already is.
  3. Enterprises: audit the gap between query weight and domain risk. Your flagship may sit on redundant enterprise DNS while dozens of acquired brands, campaign microsites, and legacy domains quietly run on a single bundled default. Inventory delegation across your whole portfolio, not just the properties you watch.
  4. Standards bodies and registries: enforce and modernize RFC 2182. A third of a million domains still publish a single nameserver. Minimum-nameserver and network-diversity checks at registration time are cheap, and the recommendation is twenty-five years old.
  5. Researchers and journalists: track delegation concentration over time. Single-snapshot share is a starting point; the trajectory is the story. A repeated NS census shows whether the default-wins dynamic is intensifying, whether multi-provider adoption is rising after each outage, and which TLDs are most exposed. This dataset is built to make that longitudinal.

Methodology: NS-typed resolution of 301,278,782 registry apexes from the DomainsProject corpus (9 June 2026 crawl), of which 277,585,349 are delegated. Operators attributed by the ICANN-registrable domain of each nameserver host, with multi-registrable providers (AWS, Azure, IONOS, Hetzner, Akamai, UltraDNS) grouped to one organization; 80.3% of delegated apexes attributed to a named operator. Russian-territorial TLDs excluded. Single snapshot; shares are by domain count, not query volume. Companion to The IPv6 Mirage, The Landlords of the Web, and Who Runs the World's Email. Explore the underlying data at /stats/ and /dataset.