Exploring The Swedish Domain Name Space
Do you remember phone books? The massive, heavy books full of the names of everyone in a certain city or area and their phone numbers? I certainly do, and while phone books are a thing of the past, today I am going to take you on a journey through the corridors of Domain Name System (DNS), the phone book of the internet.
Our devices make thousands (or more) of DNS requests as we use them through the day. We don't see these requests, we often forget about them, but without functioning DNS servers, our lives would get complicated very fast. You are viewing this blog on a web browser on your computer or phone, before it could show you the content, your browser/device used DNS to find the IP Address of the server where I host my blog. This same flow happens whenever you visit a website, open a mobile app, or refresh a widget on your mobile phone home screen.
According to the Domain Name Industry Brief (DNIB), by the end of Q2 2025, there were 371.7 million domain across all top-level TLDs, around 1.4 million of these are domain names registered under the .se TLD.
The sheer number of domains, the never-ending threats, and the potential for hilarious findings made exploring domain names a constant idea, sitting at the back of my brain, ignored but never forgotten. Well, I finally got around to exploring the Swedish domain name space because why not?
Are you ready to learn more about .se domains? Well, it's a rhetorical question, your only options are to either read the reminder of this post or close the page, I hope you chose the first option. Let's get to it, first step is to find and prepare our data.
1. Fetching & Preparing The Data
Getting the data for this fun exploration is –surprisingly– the easiest part. All you need is a terminal and dig[^ dig(1) - Linux Man Page: https://linux.die.net/man/1/dig] installed. Once you have summited this unimaginable barrier, execute the following command on your terminal, wait a few seconds (or minutes depending on your internet speed), and voilà, you have a copy of se.zone.txt.
dig @zonedata.iis.se se AXFR > se.zone.txtWasn't that easy? Like a walk in the park, eh? Well, turns out our park has some hills we need to die on before we can start digging for any meaningful insights. Running wc -l se.zone.txt on the terminal will inform us that the file has a staggering 8,033,518 lines.
For reference, Sweden's population in 2025 is around 10.6 million people[^ Sweden Population: https://www.worldometers.info/world-population/sweden-population/], the ratio of domain names to Swedish residents is approx 0.759.
Except –and I hate to be the bearer of bad news– that ratio isn't even close to accurate. While the zone file contains 8033518 lines, the data is not unique meaning the same domain name shows up in multiple lines (I mean honestly, we should have expected that, after all, it's how DNS Zone files are structured). Don't worry, it's an easy fix. Using jq, we can run the following command to grab the first string in each line, remove the trailing dot, sort the data into unique items, and output it into a new file. Using wc -l on the new file reveals a count of 1,401,227 domain names, much better, eh?
jq -Rr 'try (match("^[ ^\\s]+").string | sub("\\.$"; "")) catch empty' se.zone.txt | sort -u > uniq.txtThat number is much closer to the official statistics published by The Swedish Internet Foundation[^ Growth .se: https://internetstiftelsen.se/en/domains/domain-statistics/growth-se/?chart=active], we are only missing around 39587 domains, but for the purposes of this activity, I am not strongly motivated to figure out where these missing domains went. 1.4 million domains is more than enough for some analysis and security experimentation.
At this point, you might be shouting at your monitor and wondering about where did the SQLite database came from, and what on god's great earth is the Python import script. I apologize, I skipped a couple of steps that I did before I started writing this post, so let me catch you up. The zone file we got from that first command is in an unpleasant format that's not conducive to analysis and number crunching.
So, as any brilliant engineer would do, I asked ChatGPT to write a simple Python Script that parses the zone file and dumps the data into an SQLite database. In case you have a few hours to waste, and decide you want to replicate the whimsical shenanigans I will be committing during the reminder of this post (why, seriously, why?), you can use your favourite LLM to generate a similar Python script.
At this point, we have our zone file, and a nice SQLite database with all the information we need for further digging, so, buckle up and get ready to explore the Swedish domain name space.
2. Let The Exploration Begin …
How Long Can A Domain Name Be?
The answer is absurdly long, or at least longer than any normal person would guess. A domain label (anything before the TLD) can have up to 63 characters, a domain can have multiple labels, and each domain can have a max of 254 characters across all labels (and not counting the TLD). The Swedish TLD has an understandable distribution (see graph below), with most domain names having 13–19 characters, with the remainder of domain names mostly on the longer side of the scale.
Believe it or not, there are more domains with my first names in them than one-letter first-level domains, of which the dataset has 13. We have X.se where X is a number between 0-9, and then we have j.se, q.se, and v.se. The remainder of one character domains are registered but inactive. On the other hand, the longest domain names are a six-way tie, with one of them being nothing short of a deliberate and brilliant joke (63 Zs in a row).
Let's Talk About Names
There are fourteen (14) domain names that have my own first name (Ahmed) in them, one of which I am going to report to the registrar because what the actual hell? To the person who owns ahmed.se, I envy you, and to the person who has ahmedsson.se, you are too damn funny, and I respect your genius thinking even though you parked this precious domain. To my dismay, no domains contained my last name, what a shame, it's a great name.
Musaad (noun.) A Sudanese gem straight out of the Arabic dictionary. The name comes from the root word sa‘ada, which means “to help,” so technically, I am walking around like a human Swiss Army knife, always ready to assist, whether it’s lifting furniture or debugging DNS zones. The name is common in Sudan and across the Arab world, and it screams reliability so loudly that if names were job titles, Musaad would be the CEO of Problem-Solving, Inc.
While talking about names, what about Swedish names? The Swedish Tax Agency tracks the names given to newborn children in Sweden. According to the data, Noah and Alma (for boys or girls respectively) are the most popular names given to newborn children nowadays. The following graph shows how many times the top 10 most popular names for both boys and girls show up in domain names.
How Common Are Popular Words?
There are probably hundreds of top 100 or top 1000 Swedish words out there, many of them share most of the words (not particularly surprising) with a few outliers here and there. Regardless, I wanted to see how popular are these top words are, so I grabbed a list of top 100 Swedish words that five characters or longer, ran some Python scripts and got the following results. Surprisingly, the word that showed up the most was ingen (4148) meaning no one, none, or nobody. The least used word honour goes to dessutom (1) meaning besides or, moreover, or in addition.
Let's take things one level lower, aren't we all curious about the frequency distribution of letters across the domain name space? Well, I did some data crunching and came up with the graph below. The clear winner is A with 2802448 appearances across the 1.4 unique domain names. Q on the other hand shows up the least number of times, 45112 instances across all domain names. This is interesting because while Q is indeed one of (if not) the least frequent letter in both English and Swedish languages, E is the most used letter, no A.
Finally, let's look at the occurrence frequency of 15 popular character triplets in the Swedish language (e.g. ing, det, ska, etc.) The analysis is once again simple, my Python script is becoming quite handy at this point. A few seconds of computing, and we get the following results.
Punycode For Your Thoughts?
The vast majority of domain names use English letters only, but there is a subset of Swedish domain names that incorporates Swedish or Danish special letters into the name. Whenever a domain includes such a special character, the name is represented using Punycode to replace the special letter, so our browsers can still visit the correct website.
For example, the domain name zävvy.se when encoded using Punycode transforms into xn--zvvy-loa.se. Out of our 1.4M+ unique domain names, 75,899 are represented in Punycode format, meaning they include one or more special Nordic letter. The following graph shows the usage statistics of such special letters across all domain names.
What About Rankings?
Many service and project keep track of websites on the internet, some provide their ranking data for free, while others might ask for your kidney in exchange. As this is more of a fun activity, I wasn't interested in paying for ranking data, but turns out, there is no need. While searching for free or open ranking data, I came upon the top-1m-domains[^ Top 1M Domains Repository: https://github.com/PeterDaveHello/top-1m-domains] repository maintained by PeterDaveHello. In that repository, there is a list of numerous accessible ranking dataset that you can download, I went with Tranco[^ Tranco 1M List: https://tranco-list.eu/] list. I chose this list because it's regularly updating, includes data from multiple sources, and incorporates some protection against manipulation.
Of the 1,401,227 domains at hand, 2306 domains are in the top 1M list and rank all over the place. Seventeen (17) domains are in the top 10,000 sites. The most popular Swedish site according to Tranco is aftonbladet.se (1433), followed by toyhou.se (1822), com.se (2348), haxx.se (4444), and curl.se (4821). The worst ranking domain name is nobicon.se, ranked at 999,910.
While churning the ranking data, I became curious about how popular Swedish companies rank in the top 1M domains, to satisfy that curiosity, I found the Forbes' Global 2000 [^ Forbes - The Global 2000 Companies - 2025 :https://www.kaggle.com/datasets/ellimaaac/forbes-the-global-2000-companies-2025] list and looked for Swedish companies. Out of the 2000 companies, 27 are Swedish, and only 6 have a .se domain. Using data from both the Forbes list (I selected the top 20 Swedish companies) and Tranco's ranking list, I found the answer to my question, apparently, popular Swedish companies don't rank that high, so, yeah, I am slightly disappointed.
Surprisingly, H&M - Hennes & Mauritz has the best domain ranking among the top 20 Swedish companies (ranked at 880), while Skanska has the worst ranking (ranked at 348,434). Two companies (Alfa Laval, and Investor AB) weren't in the top 1M list and had no ranking at all when I looked them up on Cloudflare Radar Domain Information service.
There are more insights and funny anecdotes that can be gleaned from sifting through the domain data, but now is time to switch gears and try to answer some questions relating to the Domain Name Service (DNS) ecosystem itself.
Who's The Name Keeper?
Name Server (NS) records are vital to any domain, without a valid NS record, websites pointing to it, email services configured to use it, and many other web services would simply not function. Most people prefer to keep things simple and manage their DNS records using whatever system or tool their Registrar provides, some are more adventurous and opt for Cloudflare, deSEC, or any of the numerous services providing DNS management tools.
Looking at the data from our zone file, it's rather obvious that most people who register .se domains tend to stick with the popular registrars. Loopia (represented by both the name servers under loopia.se and loopiagroup.com) accounts for the majority of NS records documented in the zone file (848,174 NS assignments across the unique domains). one.com Group AB comes next, with around 524,744 NS assignments. While there are more smaller providers playing in this space, it seems Loopia and One.com took the lion share.
The Swedish Internet Foundation publishes (and constantly updates) the number of newly registered domains in the last 90 days grouped per registrar on their website[^ Registrars .se: https://internetstiftelsen.se/en/domains/domain-statistics/registrars-se/]. If you ventured a guess that Loopia, One.com, and the other providers shown in the previous graph also dominate the domain registration space in Sweden, you would be 100% correct.
While working on this blog post and digging into various datasets to piece together the answers I was looking for, I came upon this dataset from Felix Wotschofsky [^ 171 Million Domain Names (WHOIS, DNS, DNSSEC): https://www.kaggle.com/datasets/wotschofsky/171-million-domain-names-whois-dns-dnssec]. The 25 GB CSV file contains registrar information, DNSSEC status, registration dates, and numerous DNS records for around 171 million domains names. The dataset contains information for 691,849 Swedish domains, not full coverage of our 1.4 million domains but enough to offer some comparison opportunities. For example, querying the registrar information from the new dataset gives us the following graph:
At this point, a good portion of my curiosity has been satisfied, and while we can keep digging out interesting patterns and data for days to no end, let's switch gears and dig into security-related topics starting with DNSSEC adoption. Let's jump right into it.
Domain Name System Security Extensions (DNSSEC) Adoption
Felix Wotschofsky's dataset provides us with one more intriguing vector, DNSSEC status for all 171M domains, including the 691,849 .se domain names. Before showing you the graph representing DNSSEC status for .se domains, what is DNSSEC? Why does it matter, and why is it a big deal when domains don't enable it?
DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en-route, opposed to a fake record injected in a man-in-the-middle attack. [^ How does DNSSEC work?: https://www.cloudflare.com/en-gb/learning/dns/dnssec/how-dnssec-works/]
Simply put, DNS queries still pass through networks, and thus are vulnerable to several attacks that can result in fake or malicious answers being returned to the client, which can result in all types of disastrous consequences. The Google Vietnam page was targeted in a DNS Hijacking attack back in 2015 that resulted in users accessing the service being greeted with a picture of a man taking a selfie instead of the usual search box[^ Google Vietnam Targeted in DNS Hijacking Attack: https://www.securityweek.com/google-vietnam-targeted-dns-hijacking-attack/].
The topic of DNSSEC and DNS attacks is a lengthy one, and I won't attempt to cover it in any detailed manner, but if you are curious and want to learn more, have a look at these wonderful resources [^ How does DNSSEC work?: https://www.cloudflare.com/en-gb/learning/dns/dnssec/how-dnssec-works/] [^ DNSSEC Basics: https://www.internetsociety.org/deploy360/dnssec/basics/] [^ RFC 9364 DNS Security Extensions (DNSSEC): https://www.rfc-editor.org/rfc/rfc9364.html] [^ What Are DNS Attacks?: https://www.paloaltonetworks.com/cyberpedia/what-is-a-dns-attack]. Now that we have got the basics out of the way, let's look at how Swedish domains are faring when it comes to enabling DNSSEC.
Querying Felix Wotschofsky's dataset for .se domains before crunching the numbers for DNSSEC status across all 691,849 domains gives us the following graph. The good news? More domains have DNSSEC enabled (440,240 domains, 63.64%). The bad news? There is still a considerable number of domains (251,609 domains, 36.36%) missing the crucial protection of DNSSEC.
SPF, DKIM, and DMARC
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC)[^ What are DMARC, DKIM, and SPF?: https://www.cloudflare.com/en-gb/learning/email-security/dmarc-dkim-spf/][^ DKIM, SPF and DMARC Guide: https://www.mimecast.com/content/dkim-spf-dmarc-explained/] are authentication methods that protect your domain names when configured to send emails.
They are crucial for preventing spam, phishing, and other malicious use of email capability, they protect your email service from people trying to misuse it for their shenanigans or nefarious purposes. If you have an email service configured for your domain, you need these three DNS records configured correctly. I collected the DNS records required to check the status of SPF, DKIM, and DMARC configurations for the top 50 Swedish domain names based on Tranco ranking list.
You can breathe out and relax, the top 50 ranked .se domains are doing well when it comes to setting SPF, DKIM, and DMARC records. Out of the 50 domains, only 2 don't have SPF records. Things are slightly worse with DKIM, with 9 domains not having any DKIM records set. Finally, only 5 domains are still missing DMARC records. Overall, a solid posture, though I do wonder if this trend extends across the entire domain space. Oh well, maybe a task for another day.
With that last bit of data, it's time to wrap this adventure and table any left questions or ideas for the future. Next, I will tell you a bit about these plans and then some final thoughts, bear with me, we are almost done, I promise.
4. Future Work & Epilogue
It took me about two weeks to finish writing this post because I kept putting it aside to do other things, or spent decent time debugging some of my scripts and queries. Most of the exploring work done in this post was rather passive, we have data files, and I used various tools to analyse the data, come up with answers, and create some graphs. While useful, passive exploring has its limits, there aren't that many comprehensive datasets covering security aspects of the web technologies. Thus (I feel so fancy using thus now and then), I do have a couple of items logged for future exploration of the Swedish domain space, these include:
- Collecting TLS/SSL data for all 1.4 million domain names.
- Scanning and collecting information about technologies used, server locations, subdomains, and CDNs.
- Enumerating subdomains and detecting subdomain takeovers and other security misconfigurations.
- And some other random plans.
I thoroughly enjoyed writing this post, it helped me learn a lot about zone files, DNS records, Parquet, DuckDB, and was a good refresher for my Python and SQL skills. It was fun finding answers to all these questions that were in the back of my brain for a long time, and I had many laughs at some of the things I came across.
There is more to be done, more fun to be had, and more hidden hilarious titbits to be found, perhaps you are now too curious yourself and will dig into some of these areas. If you do, please share your findings with me, I look forward to learning new and strange facts about DNS zones. Remember, it's almost always DNS's fault.