What is a TLD?

Understanding Top-Level Domains in the DNS Hierarchy

A TLD (Top-Level Domain) is the last segment of a domain name — the part after the final dot. Common TLDs include .com, .org, .edu, and .net. Some TLDs are associated with higher-risk content and can be filtered at the DNS level.

Step 1: What is a TLD?

A Top-Level Domain (TLD) is the rightmost part of a domain name. In cleanbrowsing.org, the TLD is .org. TLDs sit at the top of the DNS hierarchy, just below the root zone.

TLDs are managed by designated registries under the authority of ICANN (Internet Corporation for Assigned Names and Numbers). There are over 1,500 TLDs in use today, ranging from familiar ones like .com to newer ones like .app, .dev, and country-code TLDs like .uk and .de.

Step 2: Types of TLDs

  • Generic TLDs (gTLDs): Open to anyone — .com, .net, .org, .info, plus newer ones like .blog, .shop, .xyz
  • Country-code TLDs (ccTLDs): Assigned to countries — .us, .uk, .de, .jp, .br. Some are used generically (e.g., .io, .co)
  • Sponsored TLDs (sTLDs): Restricted to specific communities — .edu (education), .gov (government), .mil (military)
  • Infrastructure TLD: .arpa — used for reverse DNS lookups and other infrastructure purposes

Step 3: TLDs in the DNS Hierarchy

The DNS hierarchy works from right to left:

  • Root zone: The starting point (represented by a dot). Root nameservers know where to find TLD nameservers
  • TLD zone: Each TLD has its own nameservers that know where to find authoritative nameservers for domains registered under that TLD
  • Domain zone: The authoritative nameserver for a specific domain (e.g., cleanbrowsing.org) provides the final answer

When CleanBrowsing's recursive resolver looks up a domain, it follows this hierarchy — querying root, TLD, and authoritative nameservers in sequence. On the authoritative side, services like NOC.org host DNS zones for domain owners.

Step 4: TLD-Level Filtering

Some TLDs have higher concentrations of malicious or unwanted content. DNS filtering can block entire TLDs when they're predominantly used for abuse:

  • High-risk TLDs: Certain newer gTLDs have been associated with high rates of malware, phishing, and spam domains
  • Category filtering: CleanBrowsing's Categorify engine classifies domains individually, but TLD reputation data informs the classification process
  • Custom blocking: Organizations can block specific TLDs through their CleanBrowsing dashboard if those TLDs aren't relevant to their users
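The custom blocking described above comes down to normalising the queried name and comparing its last label against a policy list. The sketch below is an added example, not CleanBrowsing's code; the blocked set, the function names and the sample queries are constructed for illustration.

```python
# Constructed policy: reserved TLDs (RFC 2606) and a made-up IDN label stand
# in for whatever an organisation blocks; the page names no specific TLDs.
BLOCKED_TLDS = {".test", ".invalid", "bücher"}

def normalise_tld(label):
    """Lower-case one TLD label and return its ASCII (punycode) form."""
    return label.strip(".").lower().encode("idna").decode("ascii")

def tld_of(qname):
    """Return the normalised TLD of a queried name, or None if it has none."""
    name = qname[:-1] if qname.endswith(".") else qname  # drop the root dot
    labels = name.split(".")
    if not name or any(not label for label in labels):
        return None  # root query, or an empty label such as "a..test"
    try:
        return normalise_tld(labels[-1])
    except UnicodeError:  # label too long or not encodable
        return None

def decide(qname, blocked_tlds=BLOCKED_TLDS):
    """Return 'block', 'allow' or 'no-tld' for one queried name."""
    blocked = {normalise_tld(t) for t in blocked_tlds}
    tld = tld_of(qname)
    if tld is None:
        return "no-tld"  # caller chooses how to treat root/malformed names
    # Compare whole labels: a suffix test like name.endswith("test")
    # would wrongly block "a.contest".
    return "block" if tld in blocked else "allow"

# Constructed sample queries.
SAMPLES = ["cleanbrowsing.org", "login.portal.TEST.", "a.contest",
           "shop.BÜCHER", "shop.xn--bcher-kva", "a..test", "."]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q!r:28} {decide(q)}")
```

Normalising both the policy entries and the query means a Unicode TLD and its xn-- form hit the same rule, and case or a trailing root dot cannot be used to slip past the list.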
