How Resilient Are Government DNS Services?

E-government public services, such as taxation, are essential for every country’s citizens. Each of these services relies on resilient authoritative Domain Name System (DNS) infrastructure—which serves as the single source of truth for domain-to-IP resolution—to prevent fraud and cyberattacks and keep these services available and operating efficiently during network outages.

In this post, I discuss highlights from our recent paper accepted to ACM SIGMETRICS 2026 (preprint version), which systematically models and assesses the network operational resilience of authoritative DNS infrastructure for federal-level government domain names in six countries.

Infrastructure Hierarchy and Operational Process of Authoritative DNS

An authoritative DNS infrastructure of a domain name (Figure 1) has two roles: primary and authoritative.

The primary name server (for example, mainNS.domain.gov.<CC>) holds the only zone file for the domain name, which is fetched by authoritative name servers (for example, ns1.domain.gov.<CC>) that directly answer client queries on the Internet. Each server, whether primary or authoritative, is identified by its unique name and can be assigned to one or many IP addresses, each mapped to a physical or virtual cloud instance.

Each instance can be managed by an organization as a state-owned enterprise, an international cloud provider, a local private company, or a foreign private company; deployed locally or at a foreign location; accessible only via a fixed location on the Internet, or with flexibility.

Resilience Results for Australia, Brazil, France, Indonesia, the U.K., and the U.S.

Using public data sources accessed in November 2025, we assessed the authoritative DNS resilience for federal government domains in six countries (Australia, Brazil, France, Indonesia, the United Kingdom, and the United States). We scored attributes across three phases: infrastructure placement, service configuration, and data dispatch.

If we look at the overall resilience score per domain across the six countries (Figure 2.a), the federal government domains in the U.S. have the best overall resilience, followed by Brazil, which only has two domain names. Australia, France, and the UK exhibit several clusters for their overall resilience status, each mapped to a certain pattern in domain operations.

When we look at each operational phase in Figures 2 (b), (c), and (d), infrastructure placement, which is mostly driven by administrative decisions, is the most resilient across all countries. However, when it comes to more technical phases, including (network) service configurations and DNS data dispatch, the resilience status is less optimal and sometimes has clustered diversity within each country.

Compared with the U.S., most Australian government domains, including the Australian Taxation Office (ATO), lack strong resilience, especially in the delivery of authoritative data, due to the absence of DNSSEC, leaving their clients vulnerable to manipulated/faked DNS data.

If we zoom in on the scores for resilience attributes within each domain, we can dive deeper into the root causes of the (not) resilient domains in Australia (Figure 3) and the U.S. (Figure 4). Most U.S. e-government domains are strong in resilience, except for redundancy. For example, the U.S. Centers for Disease Control and Prevention (CDC) has nearly full scores for placement and data dispatch, but only 2.25/5 for redundancy configuration.

Compared with the U.S., most Australian government domains, including the Australian Taxation Office (ATO), lack strong resilience, especially in the delivery of authoritative data functions due to the absence of DNSSEC, leaving its clients vulnerable to manipulated/faked DNS data.

We acknowledge that budget, capacity, and priorities make it not always possible for a government domain to have a perfectly resilient DNS infrastructure. However, with our tools, government and administrative agencies can have a systematic view of what’s missing or can be improved when the time is right.

Minzhao Lyu is a lecturer at the University of New South Wales. His research primarily focuses on developing network measurement technologies for the security and performance of the Internet, telecommunications networks, and networked critical infrastructures.

Contributors: Agung Septiadi, Hassan Habibi Gharakheili, and Vijay Sivaraman