Industry experts caution that DNS-query rankings do not reflect real user traffic and call for a clear separation between legitimate human use and automated or malicious activity; some criticize Cloudflare for potentially undermining trust in the rankings.

Cloudflare CEO described the ranking as a simple measure of DNS query volume and noted the attacker’s objective may include manipulating rankings and attacking the DNS service; the company is refining the ranking to be smarter and redacting malware domains.

Cloudflare redacted Aisuru botnet domains from its Top Domains list after the botnet dominated rankings by generating a high volume of DNS queries to Cloudflare's 1.1.1.1 resolver.

The redaction was undertaken to address security, brand confusion, and privacy concerns, with Cloudflare adding a warning that the top domains list includes both legitimate and emerging malicious domains.

Experts advise monitoring for queries to domains ending in .su to detect Aisuru activity, though outright blocking .su is impractical due to legitimate use concerns.

The article references Cloudflare's documentation and Radar data, and notes prior reporting on Aisuru’s evolution and its impact on US ISPs and DNS infrastructure.

Most Aisuru control domains are or were registered in the .su TLD, with many queries traced to the United States; the botnet reportedly relies on a network of control servers and targets IoT devices across providers like AT&T, Comcast, and Verizon.

In the past week, Aisuru domains briefly topped the list, including at least one domain mimicking a Massachusetts street address, and many domains used by Aisuru imitate major cloud providers.

Aisuru is a sprawling botnet of hundreds of thousands of compromised IoT devices capable of high-power DDoS, which previously used Google DNS before switching to Cloudflare’s 1.1.1.1.