Inside North Korea's 28-Domain Internet: A DNS Zone Transfer That Exposed an Entire Nation's Digital Infrastructure
Hook
In September 2016, North Korea's entire internet—all 28 registered domains—accidentally leaked through a misconfigured DNS server for anyone in the world to capture.
Context
Most countries have millions of registered domains. The United States has over 150 million. China has tens of millions. But in September 2016, when North Korea's ns2.kptc.kp nameserver was briefly misconfigured to allow unrestricted zone transfers, it revealed something extraordinary: the Democratic People's Republic of Korea's entire public internet presence consisted of just 28 domains.
This repository preserves that moment in time. The mandatoryprogrammer/NorthKoreaDNSLeak project contains the complete zone file snapshots captured by the TLDR Project—an automated system that continuously probes top-level domain (TLD) nameservers for misconfigurations. What makes this significant isn't just the geopolitical curiosity of seeing inside one of the world's most secretive nations' digital infrastructure, but what it teaches us about DNS security, zone transfer vulnerabilities, and the operational reality of running a nationally isolated internet. For security professionals, this represents a textbook case of why DNS misconfigurations matter. For researchers, it's a rare glimpse into extreme network centralization. For developers, it's a reminder that even nation-states make configuration mistakes.
Technical Insight
DNS zone transfers use the AXFR protocol, originally designed to replicate DNS records between primary and secondary nameservers. In a properly configured DNS infrastructure, zone transfers should only be permitted between authorized nameservers—typically using IP whitelisting or TSIG (Transaction Signature) authentication. North Korea's ns2.kptc.kp server temporarily allowed transfers from any source IP, effectively publishing their complete DNS database to anyone who asked.
The zone transfer mechanism itself is straightforward. Any system can request a full zone transfer using standard DNS tools:
# Standard AXFR zone transfer request
dig @ns2.kptc.kp kp AXFR

# Using the host command
host -t AXFR kp ns2.kptc.kp

# Python implementation (requires dnspython). dns.query.xfr expects the
# nameserver's IP address rather than its hostname, so ns2's address is used.
import dns.query
import dns.zone

zone = dns.zone.from_xfr(
    dns.query.xfr('175.45.179.68', 'kp')  # ns2.kptc.kp
)
for name, node in zone.nodes.items():
    print(node.to_text(name))
The captured zone files reveal a highly centralized architecture. Nearly all domains pointed to IP addresses in the 175.45.176.0/24 range, suggesting North Korea's entire public-facing internet infrastructure operates from a single Class C network block. The zone hierarchy follows standard TLD conventions with subdomains like .com.kp (commercial), .edu.kp (educational), .gov.kp (government), and .org.kp (organizational), but the sparseness is striking—most subdomains had zero or only one registered domain.
Looking at the actual zone file structure, you can see the SOA (Start of Authority) record and the nameserver configurations:
kp.    IN SOA ns1.kptc.kp. postmaster.kptc.kp. (
           2016091201 ; serial
           10800      ; refresh (3 hours)
           3600       ; retry (1 hour)
           604800     ; expire (1 week)
           86400      ; minimum (1 day)
       )
       IN NS ns1.kptc.kp.
       IN NS ns2.kptc.kp.
ns1.kptc.kp.    IN A 175.45.176.68
ns2.kptc.kp.    IN A 175.45.179.68
The serial number format (YYYYMMDDNN) indicates this zone was last updated on September 12, 2016. The TTL values are conservative—24-hour minimums suggest North Korea prioritizes stability over rapid DNS changes, which makes sense for such tightly controlled infrastructure.
What's particularly revealing is the mail server architecture. The MX records show most North Korean domains route email through a single mail server at mail.star.co.kp or rely on mail.gnu.rep.kp, indicating centralized email filtering and monitoring capabilities. This architectural choice reflects both resource constraints and deliberate information control:
air.koryo.com.kp. IN MX 10 mail.star.co.kp.
star.co.kp. IN MX 10 mail.star.co.kp.
star-di.net.kp. IN MX 10 mail.star.co.kp.
The TLDR Project that captured this data operates on a simple but effective principle: continuously attempt zone transfers against all known TLD nameservers and log successful responses. It's essentially a cron job running dig commands against a list of targets. The beauty lies in its persistence—by checking repeatedly, it catches temporary misconfigurations during maintenance windows, operator errors, or configuration rollbacks. This incident demonstrates why continuous security monitoring matters even for rare events.
From a DNS security perspective, this leak exemplifies why zone transfer restrictions are considered baseline security hygiene. Modern DNS servers like BIND, PowerDNS, and Microsoft DNS all support access control lists for zone transfers. A proper configuration would look like this:
# BIND named.conf configuration
zone "kp" {
    type master;
    file "kp.zone";
    allow-transfer {
        175.45.179.68;  # ns2 only
    };
    allow-query { any; };
};
The misconfiguration likely resulted from either setting allow-transfer { any; }; during testing or accidentally exposing the secondary nameserver without proper ACLs. It's the kind of mistake that happens in every organization—the difference is that most domain zone leaks don't make international news.
Gotcha
This repository is purely historical documentation with significant limitations. The data is from September 2016 and cannot be updated or verified—the vulnerability was patched within days of discovery. North Korea's DNS infrastructure has almost certainly changed since then, with reports suggesting the domain count has grown, though the country remains one of the least-connected nations globally. You can't use this data to understand current North Korean internet architecture or active security postures.
Moreover, there are no analysis tools, scripts, or utilities included. It's raw zone file dumps with basic documentation. If you want to analyze the data, you'll need to write your own parsing scripts or import the zone files into DNS analysis tools. There's also limited context about what these domains actually hosted—DNS records tell you where domains point, not what content they served or whether sites were actually accessible. Many domains may have been placeholders or internal-only services never intended for external access. The repository doesn't address whether these domains were reachable from outside North Korea's network or what happened when you actually tried to visit them. It's a DNS snapshot, not a comprehensive internet survey.
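Because the repository ships no analysis tooling, here is an added example (not part of the repository or of the original page) of a small parser for the zone syntax shown above, which then tallies A-record targets per /24 and MX targets, the two centralization observations made earlier. The sample zone text is constructed in the style of the leaked records and is not copied from the dump.

```python
import ipaddress
from collections import Counter

# Constructed sample in the style of the leaked kp zone, not the real dump.
SAMPLE_ZONE = """\
kp. IN SOA ns1.kptc.kp. postmaster.kptc.kp. (
    2016091201 ; serial
    10800      ; refresh
    3600       ; retry
    604800     ; expire
    86400      ; minimum
)
    IN NS ns1.kptc.kp.
    IN NS ns2.kptc.kp.
ns1.kptc.kp. IN A 175.45.176.68
ns2.kptc.kp. IN A 175.45.179.68
star.co.kp. IN A 175.45.176.71
star.co.kp. IN MX 10 mail.star.co.kp.
air.koryo.com.kp. IN A 175.45.176.72
air.koryo.com.kp. IN MX 10 mail.star.co.kp.
"""

def parse_zone(text):
    """Parse the zone-file subset above into (owner, type, rdata) tuples: strips ';'
    comments, joins '(' ... ')' continuations, and lets a line that starts with
    whitespace inherit the previous owner (as the NS lines do)."""
    records, owner, buf, depth = [], None, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf and raw[0] not in " \t":
            owner, line = line.split(None, 1)
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth:  # still inside a parenthesised multi-line record
            continue
        fields = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if fields[0] == "IN":  # the class field is optional in this subset
            fields = fields[1:]
        records.append((owner, fields[0], fields[1:]))
    return records

def centralization(records):
    """Tally A-record targets per /24 and MX targets: the page's two observations."""
    nets = Counter(str(ipaddress.ip_network(r[2][0] + "/24", strict=False))
                   for r in records if r[1] == "A")
    mx = Counter(r[2][1] for r in records if r[1] == "MX")
    return nets, mx
```

Run against the real dump, the same two counters reproduce the single-/24 and single-mail-server picture described above without any DNS library.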
Verdict
Use if: You're researching internet censorship, national network architectures, or comparative internet infrastructure studies. You're teaching DNS security and want a real-world case study of zone transfer vulnerabilities with geopolitical significance. You're analyzing historical internet connectivity patterns or building datasets about TLD adoption and country-code domain usage. You want to understand what extreme network centralization looks like at the DNS level.
Skip if: You need current data about North Korean internet infrastructure—this snapshot is eight years old and dramatically outdated. You're looking for active DNS monitoring tools or zone transfer testing utilities—this is archived data, not software. You want detailed information about what these domains actually hosted or their accessibility—DNS records don't tell you about content or network reachability. You're seeking practical security testing resources rather than historical documentation.