Analysing ccTLD anycast
In June, I attended NPNOG in Nepal. In the evening, I had a discussion with some friends about infra hosting ccTLD. We compared how some countries in the region host their ccTLD on their own while some outsource it to larger ccTLD operators. I have a feeling that it’s pretty hard to host a ccTLD these days, not because of the tech stack, but because of DDoS concerns. The only way to take care of DDoS at large-scale is to a) Over provision on the bandwidth and b) Spread the attack surface using anycast
So to host a ccTLD reliably in 2025, one would need at least eight‑ten global locations near major data sources to take care of the attack. Something like Ashburn, Dallas, Palo Alto, Frankfurt, Amsterdam, Singapore, Hong Kong, etc. While we had the discussion - I wanted to check how many ccTLDs are actually anycasted and if my guess was correct. Seems like I was partially correct.
Understanding anycast
Anycast basically means having more than one node and using the same address. It is assumed/expected that BGP will take us to the nearest announcement. But in reality, BGP path selection is influenced by neighbor relationships. Slide 26-33 of my presentation at INNOG covers this in detail. Essentially, network operators have the highest localpref on routes they learn from customers, the second highest on routes from peers, and the lowest on routes from upstream. Thus, if one does anycast with a mix and match of upstreams, it won’t work well. To deal with this, anycast is usually done with the same set of global upstream ISPs everywhere or with a very aggressive use of BGP action communities or a mix of global + local nodes. But even with all this, there can still be cases where some networks hit a local node, some hit far off anycast node.
Thus, to deal with this specific part, I have to test from multiple providers in a given location. Anycast cannot be easily tested by just looking at the routing table. In theory, with location communities, one can get an idea, but it’s much easier to find it from latency/trace from different locations.
So I ended up putting a script to look up for IPv4 and IPv6 latency to all ccTLD nameservers from the following providers/locations:
- Contabo - New York and Düsseldorf
- Hetzner - Falkenstein, Ashburn, and Singapore
- Vultr - Amsterdam, Los Angeles, and Singapore
These nodes are in key cities where peering/interconnection happens. Latency from these to ccTLD auth ns can determine whether they are anycasted or not. Finding the exact number of anycast nodes is hard and need a lot more distributed measurements but one can safely assume that if an IP is anycasted across the US, EU, and Asia, one should be able to reach it in less than 80ms from these locations (more like within 40-50ms actually). If I get low latency from one provider and high from other, I consider that it proves that an anycast node exists and it’s just bad routing (which I am not measuring here).
Result of ccTLD anycast check
The table below reflects the results. I have categorized into three simple categories:
- All NS anycasted - All nameservers for the given ccTLD are anycasted and reachable with low latency.
- At least one NS doing anycast - This is a case where I see some nameservers giving consistently low latency from the US, EU & Singapore, but some with high. In most cases, it’s basically non-anycasted own servers and anycasted servers of commercial/non-profit providers.
- None of the NS is doing anycast - All nameservers have above 80ms latency when checked from the US, EU, and Singapore (at least two of these regions, usually lower latency where closer to the ccTLD origin country)
| ccTLD | Category |
|---|---|
| aw | All NS anycasted |
| bh | All NS anycasted |
| fm | All NS anycasted |
| fo | All NS anycasted |
| gd | All NS anycasted |
| in | All NS anycasted |
| la | All NS anycasted |
| nl | All NS anycasted |
| pw | All NS anycasted |
| to | All NS anycasted |
| vg | All NS anycasted |
| ac | Atleast one NS doing anycast |
| ad | Atleast one NS doing anycast |
| ae | Atleast one NS doing anycast |
| af | Atleast one NS doing anycast |
| ag | Atleast one NS doing anycast |
| ai | Atleast one NS doing anycast |
| al | Atleast one NS doing anycast |
| am | Atleast one NS doing anycast |
| ao | Atleast one NS doing anycast |
| aq | Atleast one NS doing anycast |
| ar | Atleast one NS doing anycast |
| as | Atleast one NS doing anycast |
| at | Atleast one NS doing anycast |
| au | Atleast one NS doing anycast |
| ax | Atleast one NS doing anycast |
| az | Atleast one NS doing anycast |
| ba | Atleast one NS doing anycast |
| bb | Atleast one NS doing anycast |
| bd | Atleast one NS doing anycast |
| be | Atleast one NS doing anycast |
| bf | Atleast one NS doing anycast |
| bg | Atleast one NS doing anycast |
| bi | Atleast one NS doing anycast |
| bj | Atleast one NS doing anycast |
| bl | Atleast one NS doing anycast |
| bm | Atleast one NS doing anycast |
| bn | Atleast one NS doing anycast |
| bo | Atleast one NS doing anycast |
| br | Atleast one NS doing anycast |
| bs | Atleast one NS doing anycast |
| bt | Atleast one NS doing anycast |
| bw | Atleast one NS doing anycast |
| bz | Atleast one NS doing anycast |
| ca | Atleast one NS doing anycast |
| cc | Atleast one NS doing anycast |
| cd | Atleast one NS doing anycast |
| cf | Atleast one NS doing anycast |
| cg | Atleast one NS doing anycast |
| ch | Atleast one NS doing anycast |
| ci | Atleast one NS doing anycast |
| cl | Atleast one NS doing anycast |
| cm | Atleast one NS doing anycast |
| cn | Atleast one NS doing anycast |
| co | Atleast one NS doing anycast |
| cr | Atleast one NS doing anycast |
| cu | Atleast one NS doing anycast |
| cv | Atleast one NS doing anycast |
| cw | Atleast one NS doing anycast |
| cx | Atleast one NS doing anycast |
| cy | Atleast one NS doing anycast |
| cz | Atleast one NS doing anycast |
| de | Atleast one NS doing anycast |
| dj | Atleast one NS doing anycast |
| dk | Atleast one NS doing anycast |
| dm | Atleast one NS doing anycast |
| do | Atleast one NS doing anycast |
| dz | Atleast one NS doing anycast |
| ec | Atleast one NS doing anycast |
| ee | Atleast one NS doing anycast |
| eg | Atleast one NS doing anycast |
| er | Atleast one NS doing anycast |
| es | Atleast one NS doing anycast |
| eu | Atleast one NS doing anycast |
| fi | Atleast one NS doing anycast |
| fk | Atleast one NS doing anycast |
| fr | Atleast one NS doing anycast |
| ga | Atleast one NS doing anycast |
| gb | Atleast one NS doing anycast |
| gf | Atleast one NS doing anycast |
| gg | Atleast one NS doing anycast |
| gi | Atleast one NS doing anycast |
| gl | Atleast one NS doing anycast |
| gm | Atleast one NS doing anycast |
| gn | Atleast one NS doing anycast |
| gp | Atleast one NS doing anycast |
| gq | Atleast one NS doing anycast |
| gr | Atleast one NS doing anycast |
| gt | Atleast one NS doing anycast |
| gu | Atleast one NS doing anycast |
| gw | Atleast one NS doing anycast |
| gy | Atleast one NS doing anycast |
| hk | Atleast one NS doing anycast |
| hm | Atleast one NS doing anycast |
| hn | Atleast one NS doing anycast |
| hr | Atleast one NS doing anycast |
| ht | Atleast one NS doing anycast |
| hu | Atleast one NS doing anycast |
| id | Atleast one NS doing anycast |
| ie | Atleast one NS doing anycast |
| il | Atleast one NS doing anycast |
| im | Atleast one NS doing anycast |
| io | Atleast one NS doing anycast |
| iq | Atleast one NS doing anycast |
| ir | Atleast one NS doing anycast |
| is | Atleast one NS doing anycast |
| it | Atleast one NS doing anycast |
| je | Atleast one NS doing anycast |
| jm | Atleast one NS doing anycast |
| jo | Atleast one NS doing anycast |
| jp | Atleast one NS doing anycast |
| ke | Atleast one NS doing anycast |
| kg | Atleast one NS doing anycast |
| kh | Atleast one NS doing anycast |
| ki | Atleast one NS doing anycast |
| kn | Atleast one NS doing anycast |
| kw | Atleast one NS doing anycast |
| ky | Atleast one NS doing anycast |
| kz | Atleast one NS doing anycast |
| lb | Atleast one NS doing anycast |
| lc | Atleast one NS doing anycast |
| li | Atleast one NS doing anycast |
| lk | Atleast one NS doing anycast |
| lr | Atleast one NS doing anycast |
| ls | Atleast one NS doing anycast |
| lt | Atleast one NS doing anycast |
| lu | Atleast one NS doing anycast |
| lv | Atleast one NS doing anycast |
| ly | Atleast one NS doing anycast |
| ma | Atleast one NS doing anycast |
| mc | Atleast one NS doing anycast |
| md | Atleast one NS doing anycast |
| me | Atleast one NS doing anycast |
| mg | Atleast one NS doing anycast |
| mh | Atleast one NS doing anycast |
| mk | Atleast one NS doing anycast |
| ml | Atleast one NS doing anycast |
| mm | Atleast one NS doing anycast |
| mn | Atleast one NS doing anycast |
| mo | Atleast one NS doing anycast |
| mq | Atleast one NS doing anycast |
| mr | Atleast one NS doing anycast |
| ms | Atleast one NS doing anycast |
| mt | Atleast one NS doing anycast |
| mu | Atleast one NS doing anycast |
| mv | Atleast one NS doing anycast |
| mw | Atleast one NS doing anycast |
| mx | Atleast one NS doing anycast |
| my | Atleast one NS doing anycast |
| mz | Atleast one NS doing anycast |
| na | Atleast one NS doing anycast |
| nc | Atleast one NS doing anycast |
| ne | Atleast one NS doing anycast |
| nf | Atleast one NS doing anycast |
| ng | Atleast one NS doing anycast |
| ni | Atleast one NS doing anycast |
| no | Atleast one NS doing anycast |
| np | Atleast one NS doing anycast |
| nr | Atleast one NS doing anycast |
| nu | Atleast one NS doing anycast |
| nz | Atleast one NS doing anycast |
| om | Atleast one NS doing anycast |
| pa | Atleast one NS doing anycast |
| pe | Atleast one NS doing anycast |
| pg | Atleast one NS doing anycast |
| ph | Atleast one NS doing anycast |
| pk | Atleast one NS doing anycast |
| pl | Atleast one NS doing anycast |
| pm | Atleast one NS doing anycast |
| pn | Atleast one NS doing anycast |
| pr | Atleast one NS doing anycast |
| ps | Atleast one NS doing anycast |
| pt | Atleast one NS doing anycast |
| py | Atleast one NS doing anycast |
| qa | Atleast one NS doing anycast |
| re | Atleast one NS doing anycast |
| ro | Atleast one NS doing anycast |
| rs | Atleast one NS doing anycast |
| ru | Atleast one NS doing anycast |
| rw | Atleast one NS doing anycast |
| sa | Atleast one NS doing anycast |
| sb | Atleast one NS doing anycast |
| sc | Atleast one NS doing anycast |
| sd | Atleast one NS doing anycast |
| se | Atleast one NS doing anycast |
| sg | Atleast one NS doing anycast |
| sh | Atleast one NS doing anycast |
| si | Atleast one NS doing anycast |
| sj | Atleast one NS doing anycast |
| sk | Atleast one NS doing anycast |
| sm | Atleast one NS doing anycast |
| sn | Atleast one NS doing anycast |
| so | Atleast one NS doing anycast |
| st | Atleast one NS doing anycast |
| sv | Atleast one NS doing anycast |
| sx | Atleast one NS doing anycast |
| sy | Atleast one NS doing anycast |
| sz | Atleast one NS doing anycast |
| tc | Atleast one NS doing anycast |
| td | Atleast one NS doing anycast |
| tg | Atleast one NS doing anycast |
| th | Atleast one NS doing anycast |
| tj | Atleast one NS doing anycast |
| tk | Atleast one NS doing anycast |
| tl | Atleast one NS doing anycast |
| tm | Atleast one NS doing anycast |
| tn | Atleast one NS doing anycast |
| tr | Atleast one NS doing anycast |
| tt | Atleast one NS doing anycast |
| tv | Atleast one NS doing anycast |
| tw | Atleast one NS doing anycast |
| tz | Atleast one NS doing anycast |
| ua | Atleast one NS doing anycast |
| ug | Atleast one NS doing anycast |
| uk | Atleast one NS doing anycast |
| us | Atleast one NS doing anycast |
| uy | Atleast one NS doing anycast |
| uz | Atleast one NS doing anycast |
| va | Atleast one NS doing anycast |
| vc | Atleast one NS doing anycast |
| ve | Atleast one NS doing anycast |
| vi | Atleast one NS doing anycast |
| vn | Atleast one NS doing anycast |
| vu | Atleast one NS doing anycast |
| wf | Atleast one NS doing anycast |
| ws | Atleast one NS doing anycast |
| ye | Atleast one NS doing anycast |
| yt | Atleast one NS doing anycast |
| za | Atleast one NS doing anycast |
| zm | Atleast one NS doing anycast |
| zw | Atleast one NS doing anycast |
| by | None of NS doing anycast |
| ck | None of NS doing anycast |
| et | None of NS doing anycast |
| ge | None of NS doing anycast |
| gh | None of NS doing anycast |
| km | None of NS doing anycast |
| kr | None of NS doing anycast |
| pf | None of NS doing anycast |
| sr | None of NS doing anycast |
Conclusion
I was partially correct (and partially incorrect). The majority of ccTLDs are not using anycast on all their nameservers but are using anycast on atleast one of their nameserver. As per this list, nameservers of 11 ccTLDs have full anycast, 9 have no anycast, and the remaining 219 have partial anycast, with some nameservers doing anycast, some not. Also, some ccTLDs are skipped from the list where all nameservers have ICMP closed. I should have probably tested with DNS latency instead of ICMP latency only.
The raw latency checks are posted here.