In June, I attended NPNOG 11 in Nepal. In the evening, I discussed ccTLD infrastructure with some friends. We compared how some regional economies host their ccTLD themselves, while others outsource to larger ccTLD operators.
I get the sense that hosting a ccTLD today is challenging, not because of the technical stack, but due to Distributed Denial-of-Service (DDoS) concerns, and the only way to handle large-scale DDoS effectively is to:
- Over-provision the bandwidth
- Spread the attack surface using anycast
To reliably host a ccTLD in 2025, one would need at least eight to ten global locations near major data sources to mitigate attacks. Something like Ashburn, Dallas, Palo Alto, Frankfurt, Amsterdam, Singapore, Hong Kong, and so on. While we were having the discussion, I wanted to check how many ccTLDs are actually anycasted and if my guess was correct. Seems like I was partially correct…
Understanding anycast
Anycast basically means having more than one node and using the same address. It is assumed / expected that Border Gateway Protocol (BGP) will take us to the nearest announcement. But in reality, BGP path selection is influenced by neighbor relationships. Slides 26 to 33 of my INNOG presentation cover this in detail.
Essentially, network operators have the highest localpref on routes they learn from customers, the second highest on routes from peers, and the lowest on routes from upstreams. Therefore, using anycast with a mix of upstreams generally doesn’t work well.
To address this, anycast is typically deployed with the same set of global upstream ISPs everywhere, through heavy use of BGP action communities, or with a mix of global and local nodes. Even so, there can still be cases where some networks reach a nearby node while others are directed to a distant anycast node.
To deal with this specific part, I tested multiple providers within a given location. Anycast cannot be reliably evaluated by simply inspecting the routing table. In theory, location communities can give some indication, but it’s much easier to determine through latency measurements or traceroutes from different locations.
So I made a script to look up IPv4 and IPv6 latency to all ccTLD nameservers from the following providers/locations:
- Contabo — New York and Düsseldorf
- Hetzner — Falkenstein, Ashburn, and Singapore
- Vultr — Amsterdam, Los Angeles, and Singapore
These nodes are located in major cities where peering and interconnection occur. Measuring latency from them to ccTLD authoritative nameservers helps reveal whether those servers are anycasted. Determining the exact number of anycast nodes is difficult and requires far more distributed measurements, but it’s reasonable to assume that if an IP is anycasted across the US, EU, and Asia, it should be reachable within 80ms (typically 40 to 50ms) from those regions. If I see low latency from one provider and high latency from another, I take that as evidence of an anycast node’s presence, with the difference due to suboptimal routing (which I’m not measuring here).
Result of ccTLD anycast check
Table 1 reflects the results. I have categorized them into three simple categories:
- All NS anycasted: All nameservers for the given ccTLD are anycasted and reachable with low latency.
- At least one NS using anycast: In this case, some nameservers consistently show low latency from the US, EU, and Singapore, while others show high latency. Typically, this reflects a mix of non-anycasted in-house servers and anycasted servers operated by commercial or non-profit providers.
- None of the NS uses anycast: All nameservers show latency above 80ms when tested from the US, EU, and Singapore (usually lower latency in regions closer to the ccTLD’s origin economy).
| ccTLD | Category |
| aw | All NS anycasted |
| bh | All NS anycasted |
| fm | All NS anycasted |
| fo | All NS anycasted |
| gd | All NS anycasted |
| in | All NS anycasted |
| la | All NS anycasted |
| nl | All NS anycasted |
| pw | All NS anycasted |
| to | All NS anycasted |
| vg | All NS anycasted |
| ac | At least one NS doing anycast |
| ad | At least one NS doing anycast |
| ae | At least one NS doing anycast |
| af | At least one NS doing anycast |
| ag | At least one NS doing anycast |
| ai | At least one NS doing anycast |
| al | At least one NS doing anycast |
| am | At least one NS doing anycast |
| ao | At least one NS doing anycast |
| aq | At least one NS doing anycast |
| ar | At least one NS doing anycast |
| as | At least one NS doing anycast |
| at | At least one NS doing anycast |
| au | At least one NS doing anycast |
| ax | At least one NS doing anycast |
| az | At least one NS doing anycast |
| ba | At least one NS doing anycast |
| bb | At least one NS doing anycast |
| bd | At least one NS doing anycast |
| be | At least one NS doing anycast |
| bf | At least one NS doing anycast |
| bg | At least one NS doing anycast |
| bi | At least one NS doing anycast |
| bj | At least one NS doing anycast |
| bl | At least one NS doing anycast |
| bm | At least one NS doing anycast |
| bn | At least one NS doing anycast |
| bo | At least one NS doing anycast |
| br | At least one NS doing anycast |
| bs | At least one NS doing anycast |
| bt | At least one NS doing anycast |
| bw | At least one NS doing anycast |
| bz | At least one NS doing anycast |
| ca | At least one NS doing anycast |
| cc | At least one NS doing anycast |
| cd | At least one NS doing anycast |
| cf | At least one NS doing anycast |
| cg | At least one NS doing anycast |
| ch | At least one NS doing anycast |
| ci | At least one NS doing anycast |
| cl | At least one NS doing anycast |
| cm | At least one NS doing anycast |
| cn | At least one NS doing anycast |
| co | At least one NS doing anycast |
| cr | At least one NS doing anycast |
| cu | At least one NS doing anycast |
| cv | At least one NS doing anycast |
| cw | At least one NS doing anycast |
| cx | At least one NS doing anycast |
| cy | At least one NS doing anycast |
| cz | At least one NS doing anycast |
| de | At least one NS doing anycast |
| dj | At least one NS doing anycast |
| dk | At least one NS doing anycast |
| dm | At least one NS doing anycast |
| do | At least one NS doing anycast |
| dz | At least one NS doing anycast |
| ec | At least one NS doing anycast |
| ee | At least one NS doing anycast |
| eg | At least one NS doing anycast |
| er | At least one NS doing anycast |
| es | At least one NS doing anycast |
| eu | At least one NS doing anycast |
| fi | At least one NS doing anycast |
| fk | At least one NS doing anycast |
| fr | At least one NS doing anycast |
| ga | At least one NS doing anycast |
| gb | At least one NS doing anycast |
| gf | At least one NS doing anycast |
| gg | At least one NS doing anycast |
| gi | At least one NS doing anycast |
| gl | At least one NS doing anycast |
| gm | At least one NS doing anycast |
| gn | At least one NS doing anycast |
| gp | At least one NS doing anycast |
| gq | At least one NS doing anycast |
| gr | At least one NS doing anycast |
| gt | At least one NS doing anycast |
| gu | At least one NS doing anycast |
| gw | At least one NS doing anycast |
| gy | At least one NS doing anycast |
| hk | At least one NS doing anycast |
| hm | At least one NS doing anycast |
| hn | At least one NS doing anycast |
| hr | At least one NS doing anycast |
| ht | At least one NS doing anycast |
| hu | At least one NS doing anycast |
| id | At least one NS doing anycast |
| ie | At least one NS doing anycast |
| il | At least one NS doing anycast |
| im | At least one NS doing anycast |
| io | At least one NS doing anycast |
| iq | At least one NS doing anycast |
| ir | At least one NS doing anycast |
| is | At least one NS doing anycast |
| it | At least one NS doing anycast |
| je | At least one NS doing anycast |
| jm | At least one NS doing anycast |
| jo | At least one NS doing anycast |
| jp | At least one NS doing anycast |
| ke | At least one NS doing anycast |
| kg | At least one NS doing anycast |
| kh | At least one NS doing anycast |
| ki | At least one NS doing anycast |
| kn | At least one NS doing anycast |
| kw | At least one NS doing anycast |
| ky | At least one NS doing anycast |
| kz | At least one NS doing anycast |
| lb | At least one NS doing anycast |
| lc | At least one NS doing anycast |
| li | At least one NS doing anycast |
| lk | At least one NS doing anycast |
| lr | At least one NS doing anycast |
| ls | At least one NS doing anycast |
| lt | At least one NS doing anycast |
| lu | At least one NS doing anycast |
| lv | At least one NS doing anycast |
| ly | At least one NS doing anycast |
| ma | At least one NS doing anycast |
| mc | At least one NS doing anycast |
| md | At least one NS doing anycast |
| me | At least one NS doing anycast |
| mg | At least one NS doing anycast |
| mh | At least one NS doing anycast |
| mk | At least one NS doing anycast |
| ml | At least one NS doing anycast |
| mm | At least one NS doing anycast |
| mn | At least one NS doing anycast |
| mo | At least one NS doing anycast |
| mq | At least one NS doing anycast |
| mr | At least one NS doing anycast |
| ms | At least one NS doing anycast |
| mt | At least one NS doing anycast |
| mu | At least one NS doing anycast |
| mv | At least one NS doing anycast |
| mw | At least one NS doing anycast |
| mx | At least one NS doing anycast |
| my | At least one NS doing anycast |
| mz | At least one NS doing anycast |
| na | At least one NS doing anycast |
| nc | At least one NS doing anycast |
| ne | At least one NS doing anycast |
| nf | At least one NS doing anycast |
| ng | At least one NS doing anycast |
| ni | At least one NS doing anycast |
| no | At least one NS doing anycast |
| np | At least one NS doing anycast |
| nr | At least one NS doing anycast |
| nu | At least one NS doing anycast |
| nz | At least one NS doing anycast |
| om | At least one NS doing anycast |
| pa | At least one NS doing anycast |
| pe | At least one NS doing anycast |
| pg | At least one NS doing anycast |
| ph | At least one NS doing anycast |
| pk | At least one NS doing anycast |
| pl | At least one NS doing anycast |
| pm | At least one NS doing anycast |
| pn | At least one NS doing anycast |
| pr | At least one NS doing anycast |
| ps | At least one NS doing anycast |
| pt | At least one NS doing anycast |
| py | At least one NS doing anycast |
| qa | At least one NS doing anycast |
| re | At least one NS doing anycast |
| ro | At least one NS doing anycast |
| rs | At least one NS doing anycast |
| ru | At least one NS doing anycast |
| rw | At least one NS doing anycast |
| sa | At least one NS doing anycast |
| sb | At least one NS doing anycast |
| sc | At least one NS doing anycast |
| sd | At least one NS doing anycast |
| se | At least one NS doing anycast |
| sg | At least one NS doing anycast |
| sh | At least one NS doing anycast |
| si | At least one NS doing anycast |
| sj | At least one NS doing anycast |
| sk | At least one NS doing anycast |
| sm | At least one NS doing anycast |
| sn | At least one NS doing anycast |
| so | At least one NS doing anycast |
| st | At least one NS doing anycast |
| sv | At least one NS doing anycast |
| sx | At least one NS doing anycast |
| sy | At least one NS doing anycast |
| sz | At least one NS doing anycast |
| tc | At least one NS doing anycast |
| td | At least one NS doing anycast |
| tg | At least one NS doing anycast |
| th | At least one NS doing anycast |
| tj | At least one NS doing anycast |
| tk | At least one NS doing anycast |
| tl | At least one NS doing anycast |
| tm | At least one NS doing anycast |
| tn | At least one NS doing anycast |
| tr | At least one NS doing anycast |
| tt | At least one NS doing anycast |
| tv | At least one NS doing anycast |
| tw | At least one NS doing anycast |
| tz | At least one NS doing anycast |
| ua | At least one NS doing anycast |
| ug | At least one NS doing anycast |
| uk | At least one NS doing anycast |
| us | At least one NS doing anycast |
| uy | At least one NS doing anycast |
| uz | At least one NS doing anycast |
| va | At least one NS doing anycast |
| vc | At least one NS doing anycast |
| ve | At least one NS doing anycast |
| vi | At least one NS doing anycast |
| vn | At least one NS doing anycast |
| vu | At least one NS doing anycast |
| wf | At least one NS doing anycast |
| ws | At least one NS doing anycast |
| ye | At least one NS doing anycast |
| yt | At least one NS doing anycast |
| za | At least one NS doing anycast |
| zm | At least one NS doing anycast |
| zw | At least one NS doing anycast |
| by | None of NS doing anycast |
| ck | None of NS doing anycast |
| et | None of NS doing anycast |
| ge | None of NS doing anycast |
| gh | None of NS doing anycast |
| km | None of NS doing anycast |
| kr | None of NS doing anycast |
| pf | None of NS doing anycast |
| sr | None of NS doing anycast |
Table 1 — ccTLD nameservers catergorized by anycast usage.
Conclusion
I was partially correct (and partially incorrect). Most ccTLDs do not use anycast on all their nameservers, but at least one nameserver typically does. According to this list, 11 ccTLDs have full anycast, 9 have no anycast, and the remaining 219 have partial anycast, with some nameservers anycasted and others not. Some ccTLDs were skipped because all their nameservers have ICMP disabled. In hindsight, I should have measured DNS latency in addition to ICMP latency.
The raw latency checks are posted here.
Anurag Bhatia is a Network Researcher for Hurricane Electric (AS6939), working closely with BGP routing, IXPs, DNS, IPv6, anycast, and other related aspects of the Internet core.
Originally posted on Anurag’s blog.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.