.garden TLD's change to a bad neighborhood

Original link: https://discourse.ifin.network/t/garden-tlds-change-to-a-bad-neighborhood/627

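DomainTools analysis shows a surge in suspicious activity in the `.garden` top-level domain (TLD). Registrations jumped from about 2,500 in 2025 to more than 147,000 in 2026, and the average risk score rose sharply from 55 to 84.

This decline is mainly attributed to specific infrastructure providers. Domains using **AliDNS** nameservers show very high risk scores (87 on average), and the combination of AliDNS with registrars such as **Dominet** reaches extreme risk levels (up to 94). By contrast, domains managed by providers such as Cloudflare or Namecheap keep lower, below-average risk scores.

Because `.garden` domains lack legitimate business use and malicious activity is rampant, security professionals are strongly advised to block the entire `.garden` TLD. Organizations should also consider blocking or strictly filtering traffic associated with high-risk infrastructure (in particular AliDNS nameservers and specific high-risk registrars) to reduce potential threats.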

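Hacker News discussion: ".garden TLD becomes a hotbed of malicious activity" (ifin.network), 9 points, posted by speckx 1 hour ago, 2 comments

sikozu, 13 minutes ago:
I had no idea a .garden TLD even existed. I just checked on Porkbun and registration costs only $1.54, which really is cheap. No wonder it gets abused. As long as a TLD is cheap enough, bad actors will buy in bulk.

OutOfHere, 7 minutes ago:
Labeling a TLD as "bad" just because it is cheap and bad actors have registered some domains under it is absurd. This is classic stereotyping. Filtering should be smarter than that. There are plenty of good domains under the same TLD too.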
Original text

Last Updated: 2026-06-29T19:00:03Z

What’s Happening

About a month ago, Dave Piscitello from Interisle was looking for information on why the .garden TLD seemed so unfriendly. It accidentally fell off my radar, but I started looking this morning.

TLD(R) is: a voluminous increase in registrations for .garden this year, and AliDNS correlates with much higher risk scores while making up nearly half the 2026 dataset. In particular, domains with AliDNS nameservers and Dominet registration had an average risk score 10 points above the average for .garden.

Of the .garden domains we’ve ingested:

During 2025, we ingested about 2.5k .garden domains with an average risk score of 55. So far in 2026, we’ve ingested 147,000 .garden domains with an average risk score of 84! That’s a heck of a change.

As much as I wanted to blame Cloudflare for this one, Cloudflare only accounted for 19k domains, risk score 81. Below average risk! In fact, excluding Cloudflare from the dataset leaves 130k-ish domains and the same risk score average - 84.

At a glance, the .garden TLD is being dragged into the gutter by the 68,000 domains with alidns[.]com nameservers, avg risk score of 87. alidns nameservers + registrar Spaceship accounts for 65k domains with an average risk of 87, while alidns + registrar Dominet is only 3k domains, but the risk score shoots up to 94.

Other nameservers examined:

Spaceship[.]net - 55k domains, avg risk score 72
dnsowl[.]com - 3.5k domains, avg risk score 93
registrar-servers[.]com (Namecheap) - 1k domains, avg risk score 63

Less than 1K domains:
vercel-dns[.]com - avg risk score 42
dyna-ns[.]net - avg risk score 66
porkbun[.]com - avg risk score 49
domaincontrol[.]com (GoDaddy) - avg risk score 60

Source: DomainTools.com

Actions

It is unlikely that there are valid business reasons for network environments to allow .garden domains; I highly recommend that defenders completely block the .garden top-level domain and allowlist items as needed.

It’s also worth evaluating whether your environment can block according to characteristics such as registrar or nameservers, and examining what the impact of blocking AliDNS-nameservered or Dominet-registered domains would be.
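A dry run of the two actions above over resolver logs, as an added example (not code from the post or from DomainTools): it reports which rule would block each query so the impact can be reviewed before enforcement. The record fields (`qname`, `nameservers`, `registrar`), the allowlist entry, and all sample entries are constructed assumptions; real logs would need enrichment with nameserver and registrar data first.

```python
from collections import Counter

# Policy values from the post; the allowlist entry is a hypothetical placeholder.
BLOCKED_TLD = "garden"
BLOCKED_NS_ZONE = "alidns.com"
BLOCKED_REGISTRAR = "dominet"
ALLOWLIST = {"community.example.garden"}

def norm(name):
    return name.strip().rstrip(".").lower()

def under(name, zone):
    """Label-aligned match: name is the zone itself or a subdomain of it."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def decide(rec):
    """Return the rules that would block this record; empty list means allowed."""
    if any(under(rec["qname"], a) for a in ALLOWLIST):
        return []  # assumption: an allowlist entry overrides every rule
    hits = []
    if under(rec["qname"], BLOCKED_TLD):
        hits.append("tld")
    if any(under(ns, BLOCKED_NS_ZONE) for ns in rec.get("nameservers", [])):
        hits.append("nameserver")
    if BLOCKED_REGISTRAR in norm(rec.get("registrar", "")):
        hits.append("registrar")
    return hits

def impact(records):
    """Count allowed/blocked records and how often each rule fires."""
    counts = Counter()
    for rec in records:
        hits = decide(rec)
        counts["blocked" if hits else "allowed"] += 1
        counts.update(hits)
    return counts

# Constructed sample: resolver log entries already enriched with NS and registrar.
SAMPLE = [
    {"qname": "Shop.Example.GARDEN.", "nameservers": ["ns1.alidns.com"], "registrar": "Spaceship"},
    {"qname": "community.example.garden", "nameservers": ["ns1.example.net"], "registrar": "Example Registrar"},
    {"qname": "garden.example.com", "nameservers": ["ns1.example.net"], "registrar": "Example Registrar"},
    {"qname": "portal.example.org", "nameservers": ["ns2.ALIDNS.com."], "registrar": "Dominet"},
    {"qname": "cdn.example.net", "nameservers": ["ns1.notalidns.com"], "registrar": "Example Registrar"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f'{rec["qname"]:28} {decide(rec) or "allow"}')
    print(dict(impact(SAMPLE)))
```

The fourth sample entry is outside .garden but still trips the nameserver and registrar rules, which is the kind of collateral a dry run should surface before those rules are enforced.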
