.garden TLD's change to a bad neighborhood - Threat Intel - IFIN

= 40rem)" rel="stylesheet" data-target="desktop" />

= 40rem)" rel="stylesheet" data-target="discourse-reactions_desktop" /><br>= 40rem)" rel="stylesheet" data-target="poll_desktop" />

= 40rem)" rel="stylesheet" data-target="desktop_theme" data-theme-id="2" data-theme-name="discourse gifs"/><br>= 40rem)" rel="stylesheet" data-target="desktop_theme" data-theme-id="-2" data-theme-name="horizon"/>

.garden TLD's change to a bad neighborhood

Threat Intel

neurovagrant

(Ian Campbell / neurovagrant)

June 29, 2026, 4:47pm

Last Updated: (Ctrl+Shift+. for timestamp)

What’s Happening

About a month ago, Dave Piscitello from Interisle was looking for information on why the .garden TLD seemed so unfriendly. Accidentally fell off my radar, but I started looking this morning.

TLD(R) is: a voluminous increase in registrations for .garden this year, and AliDNS correlates with much higher risk scores, as nearly half the 2026 dataset. In particular, AliDNS nameservers and Dominet registration accounted for an average risk score 10 points above the average for .garden.

Of the .garden domains we’ve ingested:

During 2025, we ingested about 2.5k .garden domains with an average risk score of 55. So far in 2026, we’ve ingested 147,000 .garden domains with an average risk score of 84! That’s a heck of a change.

As much as I wanted to blame Cloudflare for this one, Cloudflare only accounted for 19k domains, risk score 81. Below average risk! In fact, excluding Cloudflare from the dataset leaves 130k-ish domains and the same risk score average - 84.

At a glance, .garden TLDs are being dragged into the gutter by the 68,000 domains with alidns[.]com nameservers, avg risk score of 87. While alidns Nameservers + Registrar Spaceship accounts for 65k domains with an average risk of 87. alidns + Registrar Dominet is only 3k domains, but the risk score shoots up to 94.

Other nameservers examined:

Spaceship[.]net - 55k domains, avg risk score 72

dnsowl[.]com - 3.5k domains, avg risk score 93

registrar-servers[.]com (namecheap) - 1k domains, avg risk score 63.

Less than 1K:

vercel-dns[.]com - avg risk score 42

dyna-ns[.]net - 66

porkbun[.]com - 49

domaincontrol[.]com (godaddy) - 60

Source: DomainTools.com

Actions

It is unlikely that there are valid business reasons for network environments to allow .garden domains; highly recommend defenders completely block the .garden top-level domain, and allowlist items as needed.

It’s also worth evaluating if your environment can block according to characteristics such as Registrar or Nameservers, and examine what the impact of blocking AliDNS-nameservered or Dominet-registered domains would be.

2 Likes

MustardFacial

June 29, 2026, 5:34pm

Added .garden to the ever growing list of abused gTLD’s. Thanks for the heads up!

1 Like

BadSamurai

(BadSamurai)

June 29, 2026, 5:56pm

I was just reviewing this TLD the other week as a potential domain for a native-plant garden that would also give a proverbial green finger to an HOA.

First-year TLDs under $2 is one of the best indicators of likely abuse. Some TLDs like .xyz are truly fighting abuse while others feign ignorance.

.garden has a first-year cost of $1.54 (PornBun), $1.99 (GoDaddy), and $1.98 (Namecheap) then renewal of $26.26, $49.99 and $33.98. But these domains are abused and burned well before the renewals, so when we’re looking at potential of abuse the first-year costs are key.

For anyone seeking a TLD along a similar vein, might I suggest .farm, which has a first-year cost of $6.72 (PorkBun), $8.99 (GoDaddy) $4.98 (Namecheap).

.farm doesn’t even make it into the top #163 of SpamHaus’ gTLD abuse list.

https://www.spamhaus.org/reputation-statistics/gtlds/domains/

Powered by Discourse, best viewed with JavaScript enabled