HeadlinesBriefing.com

Surge in .garden domains fuels security risk

Hacker News

Security researcher Dave Piscitello of Interisle flagged a surge in .garden registrations after noticing unusually hostile behavior. In 2025 the TLD hosted roughly 2,500 domains with an average risk rating of 55. By mid-2026 the count had exploded to 147,000 domains with a mean risk score of 84, indicating a sharp degradation in trust and raising concerns for enterprise security teams.

Analysis shows that Ali DNS nameservers and the Dominet registrar dominate the problem. About 68,000 .garden zones point to alidns.com servers, with an average risk score of 87. The combined Ali DNS + Spaceship pair accounts for 65,000 domains at the same risk level, while the smaller Ali + Dominet set of 3,000 domains spikes to a 94 rating. Cloudflare hosts only 19,000 domains, with a lower score of 81.

Given the concentration of high-risk nameservers, defenders are urged to block the entire .garden TLD by default and whitelist legitimate services as needed. Filtering by registrar or nameserver, particularly excluding alidns.com and Dominet, can reduce exposure without crippling normal traffic. The data suggests that unchecked .garden traffic poses a measurable threat to network hygiene in both cloud and on-prem environments.
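
The two filtering options above can be written as one resolver-side policy check. This is an added example, not code from the article or from Interisle; the allowlist entry, the function names and the sample hostnames are assumptions constructed for illustration.

```python
# Policy sketch: default-deny for .garden with an allowlist ("tld" mode), or
# block only .garden names delegated to a flagged nameserver ("nameserver" mode).
BLOCKED_TLD = "garden"
FLAGGED_NS = ("alidns.com",)            # nameserver domain named in the article
ALLOWLIST = ("partner-portal.garden",)  # hypothetical approved service


def normalize(name):
    """Lower-case a DNS name and drop surrounding space and the root dot."""
    return name.strip().lower().rstrip(".")


def under(name, suffix):
    """True if name equals suffix or is a subdomain of it.

    Matching on the '.' label boundary keeps 'mygarden.com' and
    'ns1.evilalidns.com' from matching 'garden' and 'alidns.com'.
    """
    return name == suffix or name.endswith("." + suffix)


def decide(qname, nameservers=(), mode="tld"):
    """Return (verdict, reason) for a queried name and its NS hostnames."""
    name = normalize(qname)
    if not under(name, BLOCKED_TLD):
        return "allow", "outside .garden"
    # Allowlisted services are exempt in both modes.
    for entry in ALLOWLIST:
        if under(name, entry):
            return "allow", "allowlisted " + entry
    if mode == "tld":
        return "block", "default deny for .garden"
    # Targeted mode: block only when the zone is served by a flagged nameserver.
    for ns in map(normalize, nameservers):
        for flagged in FLAGGED_NS:
            if under(ns, flagged):
                return "block", "nameserver " + ns
    return "allow", "no flagged nameserver"


if __name__ == "__main__":
    # Constructed sample queries: (name, NS hostnames, mode)
    samples = [
        ("Shop.GARDEN.", ["ns1.alidns.com."], "tld"),
        ("api.partner-portal.garden", [], "tld"),
        ("shop.garden", ["ada.ns.cloudflare.com"], "nameserver"),
        ("shop.garden", ["ns1.alidns.com"], "nameserver"),
    ]
    for qname, ns, mode in samples:
        print(qname, mode, decide(qname, ns, mode))
```

Targeted mode needs the zone's NS records at decision time, so it fits a resolver or enrichment pipeline that already looks up delegation data.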