Who controls the Internet?

Translator's introduction: I skipped my noon nap and I'm dead tired. I came across an article that I found quite interesting, so I'm writing this post to translate it. It is also something I had wanted to do back when I was working on DNS; I didn't expect that a year later I would have changed roles and would no longer be working on domain resolution. Consider this post a way of making up for that regret. The article is a simple analysis of authoritative DNS data: by looking at which entities the domains belong to, and which entities own the IP addresses behind those domains, it concludes that if Verisign falls over, the world's internet will be close to paralysed, and that GoDaddy and Cloudflare also control large chunks of the internet's infrastructure.

Before getting into the article, it helps to review the domain registration process and the basic domain resolution process; see Figure 1 and Figure 2 below. All of the data in this article concerns steps ② and ③ in those figures.

But thinking about this distribution a bit more quickly makes you realize that there isn't really an even distribution in the gTLD, since not all domains have the same footprint. As you may guess, the .com zone has more records than some of the other zones. More specifically, .com has over 164 million NS records, making up 73% of all the NS records in all the gTLDs.

Translator's note: across the 1,166 TLDs there are 223,893,594 NS records in total, of which .com alone contributes 164 million, or 73% of the NS records in all gTLDs.

The NS records for .com are in the gtld-servers.net domain, but so are e.g., .net's; similarly, the NS records for .org and .info are in the same domain, so we can flatten this data a little bit more:

In other words, almost 80% of all NS records across all gTLDs are under the gtld-servers.net domain, and thus the control of Verisign -- the same Verisign that also operates two roots.

Ok, so this is the representation of the NS records for the gTLDs within the root zone, but what about the NS records for all the second-level domains within the gTLDs? Parsing all 1,168 zone files, we end up with 2,699,827 unique name servers that we can group under 1,063,092 domains:

This shows a notable centralization of the NS records found in all gTLD zones, with domaincontrol.com accounting for roughly 20% alone.

Translator's note: the chart means that the 171 NS records under the domaincontrol.com domain are delegated to by 100,864,743 second-level domains, roughly 20% of all second-level domains.

Another thing that seems interesting here is that some of the cloud companies offering DNS services are choosing to use a larger number of NS records even across, in the case of AWS, thousands of second-level domains in several TLDs:

$ grep awsdns- domain-counts.full | head
52221 awsdns-02.org.
49614 awsdns-23.net.
49264 awsdns-49.com.
48276 awsdns-05.co.uk.
46392 awsdns-35.org.
45955 awsdns-53.com.
45593 awsdns-19.net.
44409 awsdns-25.com.
44176 awsdns-22.co.uk.
44140 awsdns-45.org.
$ grep -c awsdns- domain-counts.full 
978

The data now show that out of the over 534 million NS records across a little over 1 million domains:

43% of all NS records (roughly 230 million) are served by only 165 name servers found in just 10 domains
52% (~ 278 million) are served by 255 name servers in just 20 domains
75% (~ 401 million) are served by 1,580 name servers in just 100 domains
99% (~ 529 million) are served by 345,000 name servers in 6,000 domains

Translator's note: the translator reads these NS-record counts as numbers of second-level domains, i.e. roughly 230 million, 278 million, 401 million and 529 million second-level domains delegating to the authoritative servers in the top 10, 20, 100 and 6,000 domains respectively.
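
The zone-file walk the post describes (parse every NS record, file each name server under its domain, then ask what share of all records the top N domains hold, as in the list above) can be reproduced on a small scale. The following is an added example, not code from the original post or from its author; the zone excerpt is constructed, and the registrable-domain rule, the short public-suffix set and the collapsing of the awsdns-NN.* family into one operator are assumptions made for the example.

```python
"""Count NS delegations in zone-file text and measure their concentration.

Added example; this is not code from the original post. The zone-file
excerpt is constructed. Two grouping rules are assumptions that mirror how
the post presents its data: a name server is filed under its registrable
domain (last two labels, or three under a public suffix such as co.uk),
and the awsdns-NN.* family of domains is then collapsed to one operator,
because the post observes that AWS spreads its servers across nearly a
thousand such domains.
"""
from collections import Counter

# Constructed excerpt in the master-file format the gTLD zone files use:
# "<owner> <ttl> <class> <type> <rdata>". Only NS records are of interest.
ZONE_LINES = """\
; constructed sample, not real zone data
example.com.            172800  IN  NS  ns01.domaincontrol.com.
example.com.            172800  IN  NS  ns02.domaincontrol.com.
another.com.            172800  IN  NS  ns-123.awsdns-15.com.
another.com.            172800  IN  NS  ns-456.awsdns-05.co.uk.
another.com.            172800  IN  NS  ns-789.awsdns-02.org.
another.com.            172800  IN  NS  ns-012.awsdns-23.net.
shop.com.               172800  IN  NS  dana.ns.cloudflare.com.
shop.com.               172800  IN  NS  walt.ns.cloudflare.com.
ns01.domaincontrol.com. 172800  IN  A   192.0.2.10   ; glue record, skipped
blog.com.               172800  IN  NS  ns1.selfhosted-example.net.
blog.com.               172800  IN  NS  ns2.selfhosted-example.net.
"""

# Tiny stand-in for the public suffix list; enough for this sample.
PUBLIC_SUFFIXES = {"co.uk", "com.cn", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """ns-456.awsdns-05.co.uk. -> awsdns-05.co.uk. ; x.y.cloudflare.com. -> cloudflare.com."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 2
    return ".".join(labels[-keep:]) + "."


def operator(domain: str) -> str:
    """Collapse domain families that belong to one operator (assumption for the example)."""
    return "awsdns-*" if domain.startswith("awsdns-") else domain


def parse_ns_records(zone_text: str):
    """Yield (owner, name_server) for each NS record; comments and other types are ignored."""
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if "NS" not in fields[1:]:
            continue
        type_idx = fields.index("NS", 1)
        if type_idx + 1 < len(fields):
            yield fields[0].lower(), fields[type_idx + 1].lower()


def ns_domain_counts(zone_text: str):
    """Return (records per NS domain, records per operator, distinct name servers)."""
    per_domain, per_operator, servers = Counter(), Counter(), set()
    for _owner, ns in parse_ns_records(zone_text):
        dom = registrable_domain(ns)
        per_domain[dom] += 1
        per_operator[operator(dom)] += 1
        servers.add(ns)
    return per_domain, per_operator, servers


def coverage(counter: Counter, top_n: int) -> float:
    """Fraction of all records served by the top_n most-used entries."""
    total = sum(counter.values())
    return sum(c for _, c in counter.most_common(top_n)) / total if total else 0.0


def smallest_top_n_covering(counter: Counter, share: float) -> int:
    """How many entries (largest first) are needed to reach the given share of records."""
    total, running = sum(counter.values()), 0
    for n, (_, c) in enumerate(counter.most_common(), start=1):
        running += c
        if running >= share * total:
            return n
    return len(counter)


if __name__ == "__main__":
    by_domain, by_operator, servers = ns_domain_counts(ZONE_LINES)
    print(f"{sum(by_domain.values())} NS records, {len(servers)} distinct servers, "
          f"{len(by_domain)} NS domains")
    for dom, n in by_domain.most_common():
        print(f"{n:>4}  {dom}")
    print("top 1 domain covers %.0f%%; top 3 cover %.0f%%"
          % (100 * coverage(by_domain, 1), 100 * coverage(by_domain, 3)))
    print("by operator:", dict(by_operator.most_common()))
    print("operators needed for half of all records:",
          smallest_top_n_covering(by_operator, 0.5))
```

Run it directly to see the per-domain table. The by-operator view is what makes the AWS observation visible: counting by registrable domain splits one operator across many small entries, so a per-domain ranking understates how much of the zone depends on it.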

Let's look at these 20 domains and see who controls them, and thus over half of all the domains in all the gTLDs. They are:

  1. domaincontrol.com is Wild West Domains GoDaddy (AS44273)
  2. googledomains.com is Google (AS15169)
  3. cloudflare.com is Cloudflare (AS13335)
  4. ui-dns.* is IONOS United Internet AG (AS8560)
  5. registrar-servers.com is Namecheap (AS397213)
  6. wixdns.net is Wix.com Ltd. (AS15169)
  7. hichina.com is Alibaba Cloud Computing (AS37963)
  8. dns.com is Comodo Xcitum (AS21859, AS133775)
  9. awsdns-* is Amazon Web Services (AS16509)
  10. nsone.net is NS1 (AS62597)
  11. namebrightdns.com is NameBright Turn Commerce Inc. (AS14618)
  12. gname-dns.com is Gname (AS13335)
  13. name-services.com is Enom (AS15348)
  14. dnsowl.com is NameSilo (AS13335)
  15. squarespacedns.com is Squarespace (AS63911)
  16. worldnic.com is Network Solutions LLC (AS13335)
  17. bluehost.com is Newfold Digital, Inc (AS13335)
  18. name.com is Donuts Inc Identity Digital (AS62597)
  19. myhostadmin.net (AS38283)
  20. wordpress.(org|com) is Automattic Inc. (AS2635)

You may notice that of these 20 organizations, 15 are US entities, 2 Chinese, 1 German, 1 Israeli, and one from Singapore, giving you an idea what governments could -- in theory, at least -- exert control over what percentage of the internet.

Translator's note: the original author's count here is off; there are actually 3 Chinese entities, so by the actual figures it is 14 US, 3 Chinese, 1 German, 1 Israeli, and 1 from Singapore.

Another interesting thing to point out here is that even though the domains are registered by different organizations, the name servers in use may actually be operated from a different entity's networks. In particular, it looks like several of the name servers in these domains are running out of, fronted by, or otherwise utilizing Cloudflare's network, while Wix seems to be using Google Cloud (I'm guessing) to run their name servers.

name.com is owned by Identity Digital, the rebranding of the merged Donuts and Afilias (previously discussed here) registries, which also operates a significant number of TLD domains.

All in all a sign that perhaps we should take a look at the Autonomous System (AS) numbers the various name servers are in, and so, a few thousand lookups later:

That's right: around 34% of the majority of NS records are resolving to IP addresses in Cloudflare's AS13335, and over half of all are ultimately served from only four Autonomous Systems: Cloudflare (AS13335), Alibaba (AS37963), GoDaddy (AS44273), and IONOS (AS8560) (hinting at the other big load-bearing infrastructure pillar that also remains largely insecure by default).

And while that is interesting by itself, just as before when we looked at the name servers serving the gTLD domains themselves and we tried to weigh them against how many domains they support, perhaps we should also look at not only the NS diversity in the raw gTLDs; after all, control of google.com or facebook.com surely counts more than, say, monkeyjungle.com.

So what do people do when they want to look at popular domains? They go for the "Alexa Top 1 Million Domains" list, of course! Only... Alexa was bought by Amazon, and in a sign of "who controls the internet", Amazon promptly shut it down. (As of November 8th, 2022, the actual list was still available, but it looks like it has since been restricted.) Of course there are other, similar lists (like e.g., the Cisco Umbrella or the Majestic Million), all of which intersect to some degree but remain distinct based on the heuristics used by the data collection mechanisms used. For this reason, researchers provide a normalized Top 1 Million list (see their paper for more details), which I've used for this project here.

Iterating over that full list and looking up the NS records for 1 million domains then yields a breakdown of 2,636,294 total NS records in 119,291 domains, as well as the insight that spreadsheets are surprisingly bad at handling large data sets even of simple text data:

So we see a very similar distribution to our analysis of all of the NS records in all of the gTLDs here in the top 1 million domains, too: More than half of the NS records used by the top one million domains are found in just 20 of the 120K domains, served by only 1,740 NS records.

The top ten NS record domains are represented by the usual suspects (Cloudflare, Amazon, GoDaddy, Akamai, DigiCert, Google, Microsoft, Alibaba, Network Solutions, and Namecheap), although not identical to those we observed for all of the gTLD records.

Also noteworthy is that the distribution across NS domains shifts somewhat when you look at the top 100 domains (Azure, AWS, Google, Akamai), the top 1,000 domains (AWS, Akamai, NS1, Google), the top 10K domains (AWS, Akamai, Cloudflare, NS1) and the full top 1 million (Cloudflare, Amazon, GoDaddy, Akamai), suggesting that more of the less popular sites use Cloudflare than do the higher ranked sites.

At the same time, when we do the same breakdown by AS number as before (with many thanks to our friends at Team Cymru), we notice an even increased centralization:

Out of almost 10,000 IP addresses covering 75% of the top one million domains' NS records, over 40% again land in Cloudflare's AS13335, with most of the others being mere "also-ran"s.

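To turn the per-domain view into the per-AS view the post arrives at (the "few thousand lookups" for the gTLD name servers above, and the Team Cymru breakdown for the top one million), each name server's address has to be mapped to the Autonomous System that announces it and the delegations summed per AS. The following is an added example, not code from the original post or from Team Cymru; all addresses and prefixes are constructed from RFC 5737 documentation ranges, only the four ASNs named in the text are taken from it (their prefixes here are not their real routes), and the prefix table stands in for a real bulk ASN lookup.

```python
"""Attribute name servers to the Autonomous Systems their addresses live in
and compare that view with the per-domain view.

Added example; not code from the original post. The A records and the
prefix-to-ASN table are constructed (RFC 5737 documentation addresses and
an RFC 5398 documentation ASN, 64496). Only the four ASNs the post names
(AS13335 Cloudflare, AS37963 Alibaba, AS44273 GoDaddy, AS8560 IONOS) come
from the text, and the prefixes assigned to them here are NOT their real
routes. The lookup stands in for the A queries plus the bulk ASN lookup
the post describes.
"""
import ipaddress
from collections import Counter

# Constructed: delegations (NS records) pointing at each name server.
NS_RECORD_COUNTS = {
    "ns01.domaincontrol.com.": 400, "ns02.domaincontrol.com.": 400,
    "dana.ns.cloudflare.com.": 300, "walt.ns.cloudflare.com.": 300,
    "dns9.hichina.com.": 250, "dns10.hichina.com.": 250,
    "ns1.ui-dns.com.": 150, "ns1.ui-dns.de.": 150,
    # A registrar's own NS domain whose servers are fronted by Cloudflare,
    # the situation the post points out for several of the top-20 domains.
    "ns1.registrar-example.net.": 200,
    "ns1.smallhost-example.org.": 100,
    "ns2.nowhere-example.org.": 50,   # resolves, but no covering prefix
}

# Constructed A records for those servers (documentation addresses).
NS_TO_IP = {
    "ns01.domaincontrol.com.": "192.0.2.130", "ns02.domaincontrol.com.": "192.0.2.131",
    "dana.ns.cloudflare.com.": "192.0.2.10", "walt.ns.cloudflare.com.": "192.0.2.11",
    "dns9.hichina.com.": "192.0.2.70", "dns10.hichina.com.": "192.0.2.71",
    "ns1.ui-dns.com.": "192.0.2.200", "ns1.ui-dns.de.": "192.0.2.201",
    "ns1.registrar-example.net.": "192.0.2.20",
    "ns1.smallhost-example.org.": "198.51.100.5",
    "ns2.nowhere-example.org.": "203.0.113.9",
}

# Constructed prefix table in the shape a bulk ASN lookup returns.
PREFIX_TABLE = [
    (ipaddress.ip_network(p), asn, name) for p, asn, name in [
        ("192.0.2.0/26",    13335, "Cloudflare"),
        ("192.0.2.64/26",   37963, "Alibaba"),
        ("192.0.2.128/26",  44273, "GoDaddy"),
        ("192.0.2.192/26",  8560,  "IONOS"),
        ("198.51.100.0/24", 64496, "Example-Hoster"),
    ]
]


def asn_for_ip(ip: str):
    """Longest-prefix match; (None, 'unknown') when no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, name in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    return (best[1], best[2]) if best else (None, "unknown")


def ns_domain(host: str) -> str:
    """Last two labels of a name server, e.g. walt.ns.cloudflare.com. -> cloudflare.com."""
    return ".".join(host.rstrip(".").split(".")[-2:]) + "."


def records_by_domain(counts=NS_RECORD_COUNTS) -> Counter:
    """Delegations per NS domain: the view the post's first pie charts use."""
    c = Counter()
    for ns, n in counts.items():
        c[ns_domain(ns)] += n
    return c


def records_by_as(counts=NS_RECORD_COUNTS, ns_to_ip=NS_TO_IP) -> Counter:
    """Delegations per AS: weight each AS by the records its addresses answer for."""
    c = Counter()
    for ns, n in counts.items():
        c[asn_for_ip(ns_to_ip[ns])] += n
    return c


def share(counter: Counter, key) -> float:
    """Fraction of all delegations held by one key (domain or AS)."""
    total = sum(counter.values())
    return counter[key] / total if total else 0.0


def ases_covering(counter: Counter, target: float) -> int:
    """Smallest number of ASes (largest first) that together serve `target` of all records."""
    total, running = sum(counter.values()), 0
    for n, (_, c) in enumerate(counter.most_common(), start=1):
        running += c
        if running >= target * total:
            return n
    return len(counter)


if __name__ == "__main__":
    by_dom, by_as = records_by_domain(), records_by_as()
    print("cloudflare.com. by domain: %.1f%%" % (100 * share(by_dom, "cloudflare.com.")))
    print("AS13335 by network:        %.1f%%" % (100 * share(by_as, (13335, "Cloudflare"))))
    print("ASes needed for half of all delegations:", ases_covering(by_as, 0.5))
    for (asn, name), n in by_as.most_common():
        print(f"{n:>5}  AS{asn} {name}" if asn else f"{n:>5}  (no covering prefix)")
```

The comparison of share by domain against share by AS is the check worth running over real data: a name server whose domain belongs to one registrar but whose address sits in another operator's network shows up only in the AS view, and ui-dns.com and ui-dns.de, separate as domains, merge into one AS. That is the kind of gap between "20% by domain" and "40% by network" the post reports for Cloudflare. Addresses with no covering prefix are kept as their own bucket rather than dropped, so the shares still sum to the full record count.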

Ok, so that's a whole lot of pie charts, and learning that there is indeed a fair bit of centralization at the gTLD level of the DNS will not come as a surprise to many. However, crunching those numbers still provides for some useful insights. So if we wanted to answer the question "Who controls the internet?", then I think that we may find multiple answers:

1. Verisign -- In addition to operating two of the DNS root authorities, Verisign also controls the gtld-servers.net domain, which we've seen above is home to a whopping 80% of all gTLD NS records! Take out Verisign, and the internet's going to have a bad day.

2. A handful of large companies -- i.e., the usual suspects. With 43% of all NS records in all gTLDs and 44% of those in the Top 1M in a combined 14 domains, any one of those could exert significant control over large chunks of the internet. But amongst those companies, a few stand out:

3. GoDaddy -- owner of the aptly named domaincontrol.com domain is responsible for 20% of all NS records in all gTLDs alone.

4. Cloudflare -- responsible for 20% of NS records in the top one million domains, Cloudflare also provides the IP space home to a total 40% of those NS records.

What this centralization means in practice and whether, for example, the US government could realistically exert control over the root operators and companies discussed here, is a different story altogether. But no matter how you look at it, the internet seems less distributed or decentralized than one might wish, as many businesses and organizations appear to concentrate in a handful of registries and cloud service providers.

We don't have a single point of failure just yet, but I do see multiple points of calamity with increasing blast radius...

November 15th, 2022
