The Hidden Connections of the .LT Web


How passive intelligence reveals the structure, risks, and hidden organizational clusters behind Lithuania's national domain space - and why attackers already know more about your infrastructure than you think.

Published: March 2026


211,486 Domains Analyzed

976,253 Subdomains Discovered

103,963 Unique IPs Resolved

80 Countries Reached

16,132 Org Clusters

1. The Map Is Not the Territory

We often think of a domain name as a digital front door. A simple address that leads to a website. But behind every .lt domain lies a web of infrastructure decisions, organizational relationships, and - often unintentionally - security exposures visible to anyone who knows where to look.

At Entryscope, we set out to map Lithuania's national domain space: every active .lt domain, its DNS infrastructure, IP addresses, hosting providers, and organizational affiliations. The result is a dataset spanning 211,486 apex domains (out of approximately 252,410 total registered .lt domains), almost a million subdomains, and over 103,000 unique IP addresses distributed across 80 countries and over 2,000 autonomous systems.

What we found goes beyond a simple directory. By cross-referencing domain registry data, shared infrastructure signals, and corporate cloud tenant identifiers, we uncovered hidden organizational clusters: groups of seemingly unrelated domains that share the same corporate ownership. For IT security professionals, this is the kind of lateral visibility that transforms asset discovery. For everyone else, it's a revealing look at how interconnected and exposed a national domain space truly is.

Why should domain owners care? Everything described in this report is available to anyone - including adversaries - through passive data collection. The techniques we used mirror those employed by threat actors during the reconnaissance phase of a cyberattack. Understanding what your infrastructure reveals to the outside world is the first step toward reducing your attack surface.

A note on scope: While this analysis focuses on the .lt domain space as a case study, the patterns, risks, and attack vectors described here are not Lithuania-specific. Any country's national domain space - whether .de, .nl, .pl, or any other ccTLD - is very likely affected by the same structural concentrations, the same organizational clustering dynamics, and the same categories of exposed services. The methodology is universally applicable, and the findings should be read as representative of systemic internet infrastructure risks, not as unique to Lithuania.

2. How We Connected the Dots

The Dataset

Our analysis covers 211,486 domains registered under Lithuania's .lt country-code top-level domain (ccTLD), representing approximately 83.8% of the total 252,410 registered .lt domains at the time of writing. For each domain, we collected:

  • Registration data - registrar, registrant (anonymized), creation/expiration dates
  • DNS records - A records (IP resolution), MX records, SOA (authority), nameservers
  • Subdomain enumeration - almost a million subdomains mapped via passive sources
  • Corporate cloud tenant identifiers - organizational identifiers resolved from public DNS and metadata sources
  • IP intelligence - geolocation, ASN ownership, open ports, running services, and known vulnerabilities for 99,078 IPs enriched with data from online port scan databases

Passive and Stealth Collection Only

All data was collected exclusively from passive and stealth sources: public DNS records, WHOIS databases, certificate transparency logs, and aggregated scan data from publicly available online port scan databases. No websites were visited, no active port scanning was performed against any specific target, and no authentication boundaries were tested. The analysis relies entirely on what is already publicly visible - which, as the findings show, is considerable.

This methodology mirrors how sophisticated threat actors perform initial reconnaissance. Attackers often use tools like Bbot, Amass, Subfinder (just to name a few), and various OSINT frameworks which aggregate exactly these data sources to build target profiles before launching attacks. The difference is that we do it to help organizations understand their exposure - adversaries do it to exploit it.

Ethical note: All data in this report is aggregated and anonymized. No personally identifiable information (PII) is disclosed, and no specific organizations are named without their knowledge. The purpose is to highlight systemic patterns, not to expose individual targets. No active scanning or probing was performed against any domain or IP address in this dataset.

3. The Landscape: Who Hosts Lithuania?

Of the 211,486 domains in our dataset, 207,254 are actively resolving (98%), while 4,232 returned no DNS response for A record queries (while still resolving other record types, such as NS and MX).

From an attacker's perspective, even non-resolving domains are valuable targets. They represent potential candidates for subdomain takeover, dangling DNS exploitation, or future re-registration. An attacker monitoring the domain registry can identify when these domains expire and re-register them to impersonate the original brand.

The Registrar Market

Lithuania's domain market is concentrated among a handful of registrars. The top two alone - Interneto vizija (iv.lt) and Hostinger - account for over 67% of all registered .lt domains:

Registrar | Domains | Market Share
Interneto vizija (iv.lt) | 98,315 | 46.5%
Hostinger | 44,712 | 21.1%
Telia Lietuva | 10,235 | 4.8%
Bartus pro (domenai.lt) | 8,763 | 4.1%
KTU (domains.lt) | 6,659 | 3.1%

The remaining 108 registrars share about 20% of the market, creating a long tail of smaller providers - including international operators like Registrar.eu, Zone.eu, and NETIM serving enterprise and international clients.

Fig. 1 - Registrar market share across 211,486 .lt domains

Security Implication: Concentration as a single point of failure. With nearly half of all .lt domains managed by a single registrar, a targeted attack against that registrar - whether through social engineering of its support staff, compromise of its management panel, exploitation of N-day or 0-day vulnerabilities, or a supply-chain attack - could have cascading effects across the national domain space. A recent (2025) incident involving the widely used text editor Notepad++ reportedly saw a highly motivated actor targeting a service provider on which Lithuanian infrastructure is highly dependent. This demonstrates that with sufficient motivation, funding, and skill, even the strongest barriers can fall.

DNS Authority: Who Runs the Infrastructure?

The SOA (Start of Authority) records reveal which providers actually operate the DNS infrastructure, which is often different from the registrar. Authoritative DNS is the foundation of all domain resolution - compromising a DNS authority provider gives an attacker the ability to redirect traffic for every domain under that provider's control.

DNS Authority (SOA) | Domains
Interneto vizija (iv.lt) | 82,507
Hostinger | 45,660
Cloudflare | 18,736
Telia Hosting | 7,382
KTU (domains.lt) | 3,387
Zone.eu | 2,388
Wix | 2,297
BALT.NET | 1,960
BAcloud | 1,804

Cloudflare's position is notable: while it's not a registrar in this market, it serves as the DNS authority for over 18,700 .lt domains - roughly 8.9% of the entire namespace. This reflects the global trend of DNS and CDN centralization, where domains remain "Lithuanian" in name but are operationally governed by U.S.-based infrastructure providers.

Why centralization is a national risk: If a state-sponsored actor were to target the largest DNS provider in this ecosystem, the blast radius would encompass over 82,000 domains - nearly 40% of the entire .lt namespace. The 2016 Dyn DNS attack demonstrated how a single infrastructure provider's outage can take down major portions of the internet; on a national scale, the concentration visible here presents a similar systemic risk. Additionally, Cloudflare's history of global outages in 2025 and 2026 makes clear that this is a material, tangible risk for businesses.

The Geography of IP Space

Where are .lt domains actually hosted? We resolved 103,963 unique IP addresses from domain and subdomain A records, spread across 80 countries. For those IPs with geolocation data available (99,033 IPs), the distribution reveals a significant dependency on foreign infrastructure:

47.1% of all geolocated IP addresses serving .lt domains are located outside Lithuania. Nearly half of the national domain space runs on foreign infrastructure.

Country | IPs | Share
Lithuania | 52,390 | 52.9%
United States | 25,233 | 25.5%
Germany | 5,705 | 5.8%
Netherlands | 2,281 | 2.3%
Poland | 2,052 | 2.1%
France | 1,774 | 1.8%
Sweden | 1,523 | 1.5%
Ireland | 1,406 | 1.4%
Finland | 1,064 | 1.1%
United Kingdom | 963 | 1.0%

The U.S. share is driven largely by Cloudflare (whose anycast IPs register as U.S.-based), Amazon AWS, and Microsoft Azure. Germany and the Netherlands host a significant portion of EU-hosted infrastructure through providers like Hetzner, OVH, and DigitalOcean.

4. Domain Owner Clustering: Mapping Organizational Boundaries

This is where the analysis moves from infrastructure inventory to organizational intelligence - and where the implications for security become most acute.

The Challenge of Identifying "Who Owns What"

One of the fundamental challenges in attack surface management is answering a deceptively simple question: which domains belong to the same organization? Companies acquire new brands, launch campaign microsites, maintain legacy domains from mergers, and register protective variations of their primary brand. These domains are rarely documented in a single inventory, and the connections between them are scattered across multiple registration records, DNS configurations, and infrastructure decisions.

An attacker performing reconnaissance faces the same question - in reverse. If they've identified one domain belonging to a target organization, their next step is to discover every other digital asset that shares the same corporate ownership. The weakest link in that chain becomes the entry point.

How Organization Fingerprints Emerge

By cross-referencing multiple passive data sources, we can construct organizational fingerprints that link domains to their operators:

  • Domain registry correlations - shared registrant organizations, contact details, and administrative email domains
  • Corporate cloud tenant identifiers - when organizations configure cloud email or identity services, unique organizational identifiers become embedded in public DNS records, creating a discoverable corporate fingerprint
  • Infrastructure overlap - shared nameservers, mail exchangers, SOA records, and IP address allocation patterns
  • Subdomain IP co-occurrence - when subdomains of different apex domains resolve to identical infrastructure, suggesting shared operational environments

Each signal type carries a different confidence weight. Corporate cloud identifiers and registration email addresses are strong indicators of common ownership, while shared IP addresses alone may simply indicate co-hosting. By building a graph of weighted connections and extracting transitively linked clusters, we can map organizational boundaries with high accuracy.
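
One way to implement the weighted-graph clustering described above, as an added example (not Entryscope's code): the signal weights, the 0.5 link threshold, the group-size cap and the sample observations are assumptions constructed for illustration. Run over your own domain inventory, it shows which assets an outside observer would group under your organization, and why a shared IP alone does not create a link.

```python
from collections import defaultdict
from itertools import combinations

# Assumed confidence weights per signal type (illustrative, not the report's values).
SIGNAL_WEIGHTS = {
    "tenant_id": 0.90,         # corporate cloud tenant identifier
    "registrant_email": 0.80,  # administrative email from registry data
    "mx": 0.30,                # shared mail exchanger
    "nameserver": 0.25,        # shared nameserver
    "ip": 0.10,                # shared IP: often just co-hosting
}
LINK_THRESHOLD = 0.5   # assumed minimum combined confidence to link two domains
MAX_WEAK_GROUP = 50    # assumed: ignore weak values shared by more domains than this

# Constructed observations: (domain, signal_type, value).
SAMPLE = [
    ("brand-a.example", "tenant_id", "tenant-0001"),
    ("brand-b.example", "tenant_id", "tenant-0001"),
    ("brand-b.example", "registrant_email", "it@holding.example"),
    ("legacy-c.example", "registrant_email", "it@holding.example"),
    ("legacy-c.example", "mx", "mx1.mail.example"),
    ("legacy-c.example", "nameserver", "ns1.dns.example"),
    ("legacy-c.example", "ip", "192.0.2.10"),
    ("campaign-e.example", "mx", "mx1.mail.example"),
    ("campaign-e.example", "nameserver", "ns1.dns.example"),
    ("campaign-e.example", "ip", "192.0.2.10"),
    ("unrelated-d.example", "ip", "192.0.2.10"),   # co-hosted only
    ("shop-f.example", "mx", "mx9.host.example"),
    ("shop-f.example", "nameserver", "ns9.host.example"),
    ("shop-g.example", "mx", "mx9.host.example"),
    ("shop-g.example", "nameserver", "ns9.host.example"),
]


def find(parent, x):
    """Union-find root lookup with path halving."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_domains(observations, threshold=LINK_THRESHOLD):
    """Return clusters (sorted lists of 2+ domains), largest first."""
    by_value = defaultdict(set)
    for domain, signal, value in observations:
        by_value[(signal, value)].add(domain)

    # miss[(a, b)] is the running product of (1 - weight) over shared signals,
    # so the combined confidence of an edge is 1 - miss[(a, b)].
    miss = defaultdict(lambda: 1.0)
    for (signal, _value), members in by_value.items():
        weight = SIGNAL_WEIGHTS[signal]
        if weight < threshold and len(members) > MAX_WEAK_GROUP:
            continue  # provider-level infrastructure, not an ownership signal
        for a, b in combinations(sorted(members), 2):
            miss[(a, b)] *= 1.0 - weight

    parent = {}
    for (a, b), m in miss.items():
        if 1.0 - m >= threshold:
            parent[find(parent, b)] = find(parent, a)  # union the two sets

    groups = defaultdict(list)
    for domain in list(parent):
        groups[find(parent, domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE):
        print(len(cluster), cluster)
```

In the sample, campaign-e.example joins the cluster only because three weak signals agree, while shop-f and shop-g (two weak signals) and unrelated-d (shared IP only) stay unlinked.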

What We Found

Applying this multi-signal clustering approach across the .lt domain space, we identified 16,132 organizational clusters encompassing 70,199 domains - roughly a third of the entire dataset:

Cluster Metric | Value
Total clusters identified | 16,132
Domains linked to an organization | 70,199
Clusters with 3+ domains | 8,250
Clusters with 5+ domains | 3,715
Clusters with 10+ domains | 1,232
Clusters with 20+ domains | 382
Largest single cluster | 165 domains
Average cluster confidence | 97.1%

The numbers are striking. 3,715 organizations operate five or more distinct domains under the .lt namespace. 382 organizations maintain portfolios of 20 or more domains. And the largest organizational cluster - a single entity - operates 165 distinct .lt domains.

A single organizational cluster spanning 165 domains means one breach, one compromised admin account, or one misconfigured identity policy could affect the security posture of all 165 digital properties simultaneously. An attacker who compromises any single domain in the cluster gains a roadmap to 164 additional targets.

The Attacker's Playbook: Lateral Asset Discovery

This clustering approach mirrors established OSINT techniques used by both red teams and threat actors. The technique is documented in MITRE ATT&CK under T1596 (Search Open Technical Databases) and T1593 (Search Open Websites/Domains).

Shadow IT and the Long Tail

Perhaps most concerning is what clustering reveals about organizational awareness. When we identify 165 domains under a single organizational identity, it's worth asking: does that organization know about all 165? In our experience, the answer is almost always no.

These shadow IT domains - campaign sites registered by the marketing department, legacy domains from acquired companies, test environments set up by developers - are frequently the least maintained and most vulnerable assets in an organization's portfolio.

Fig. 2 - Cluster size distribution across 16,132 organizational clusters

5. Domain Lifecycles: Growth, Stagnation, and Digital Rot

A History in Registration Dates

The .lt domain space tells a story of Lithuania's digital evolution. The oldest domain (out of those still active) in our dataset - mii.lt - was registered on February 26, 1993, almost three years after Lithuania declared independence.

Period | Domains Registered | Observation
1993–2006 | 6,598 | Early internet adoption
2007–2013 | 27,459 | Steady growth with EU integration
2014–2019 | 47,140 | Digital economy acceleration
2020–2021 (COVID era) | 26,231 | Pandemic-driven surge
2022–2025 | 96,832 | Continued expansion
2026 (Jan–Mar) | 7,226 | Current pace on track

Why registration history matters to attackers: The registration date of a domain reveals its likely technology vintage. Domains registered in 2007–2013 are more likely to run legacy CMS versions with known, unpatched vulnerabilities. Attackers routinely correlate domain age with technology stacks to prioritize targets.

Fig. 3 - Currently still active .lt domain registration timeline (1993–2026)

The Expiration Clock

Domain expirations are a security event. An expired domain can be re-registered by anyone - including threat actors - enabling phishing, brand impersonation, or subdomain takeover attacks if dangling DNS records persist.

Because the vast majority of .lt domains are registered on one-year terms, the entire namespace exists in a state of perpetual renewal. At any given moment, a significant share of all registered domains is approaching expiration, sitting in a grace period, or pending deletion. This creates a continuous, rolling window of opportunity for attackers who monitor expiry feeds - domain drop-catching services that track and snap up valuable domains the moment they become available.

Risk focus: Domains registered during the 2020–2021 COVID boom are of particular concern. Many were created for short-lived projects - pop-up shops, event pages, temporary campaigns - and are now approaching their second or third renewal decision. Domains that aren't renewed but still have dangling DNS records (CNAME to decommissioned cloud resources) are prime candidates for subdomain takeover.

The Hidden Danger of Abandoned Domains

Domains that have passed their expiration date but remain in DNS - whether in a registrar grace period or simply neglected - represent active security threats through two well-documented attack vectors:

Domain Hijacking for Brand Impersonation. When a domain expires and becomes available for re-registration, an attacker can register it and replicate the original website to phish customers, partners, or employees. Because the domain was previously associated with a legitimate organization, users and even email security systems may trust it implicitly.

Account Takeover via Password Reset. If the expired domain previously hosted employee or corporate email addresses, an attacker who re-registers the domain can set up a mail server and receive password reset emails from third-party services where employees previously registered using that email address.

With 170,169 domains in our dataset configured with MX records (indicating email capability), the attack surface for this technique is significant.
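
A defender-side check for the expiry risks described in this section, as an added example (not code from the report): it walks a domain inventory you own and flags lapsed or soon-to-lapse domains that still have MX records, plus CNAMEs whose target no longer resolves. The inventory layout, the 30-day window, the priority order and all names and dates are assumptions constructed for illustration; "target does not resolve" is a heuristic for a dangling record.

```python
import socket
from datetime import date, timedelta

# Assumed triage order for findings, most urgent first.
PRIORITY = ["expired_with_mx", "dangling_cname", "expiring_with_mx", "expired", "expiring"]

# Constructed sample inventory (names and dates are made up).
INVENTORY = [
    {"domain": "corp.example", "expires": date(2027, 1, 15), "mx": ["mail.corp.example"],
     "cnames": {"promo.corp.example": "campaign-2021.cloudapp.example",
                "www.corp.example": "corp.cdn.example"}},
    {"domain": "popup-shop.example", "expires": date(2026, 3, 25), "mx": ["mx.popup-shop.example"]},
    {"domain": "old-brand.example", "expires": date(2026, 2, 1), "mx": ["mx.old-brand.example"]},
    {"domain": "event-page.example", "expires": date(2026, 3, 5), "mx": []},
]
LIVE_TARGETS = {"corp.cdn.example"}  # stand-in for DNS so the sample runs offline


def default_resolves(hostname):
    """True if the name currently resolves to at least one address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def audit_portfolio(inventory, today, resolves=default_resolves, window_days=30):
    """Return (kind, name, detail) findings, sorted by PRIORITY then name."""
    horizon = today + timedelta(days=window_days)
    findings = []
    for entry in inventory:
        expires = entry["expires"]
        if expires < today:
            state = "expired"
        elif expires <= horizon:
            state = "expiring"
        else:
            state = None
        if state:
            # A lapsed domain with MX records lets whoever re-registers it receive
            # password reset mail for addresses that used to live there.
            kind = state + "_with_mx" if entry.get("mx") else state
            findings.append((kind, entry["domain"], expires.isoformat()))
        for name, target in entry.get("cnames", {}).items():
            # Heuristic: a CNAME whose target no longer resolves is dangling and
            # should be removed before someone else claims the target.
            if not resolves(target):
                findings.append(("dangling_cname", name, target))
    return sorted(findings, key=lambda f: (PRIORITY.index(f[0]), f[1]))


if __name__ == "__main__":
    offline = lambda host: host in LIVE_TARGETS
    for finding in audit_portfolio(INVENTORY, date(2026, 3, 10), offline):
        print(*finding, sep="\t")
```

Against a real zone export, call `audit_portfolio` without the third argument so that CNAME targets are checked with live DNS lookups.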

6. What's Running: Services, Ports, and Attack Surface

Beyond DNS and domain registration, we enriched the dataset with service-level intelligence from publicly available online port scan databases for 99,078 of the resolved IPs. The results map out what's actually listening on the internet:

528,172 Services Detected

9,071 Unique Ports

4,789 Unique CVEs Found

10,556 IPs with Known Vulns

Disclaimer: Service scan data from online port scan databases is collected by third-party scanning projects on a continuous basis. We have applied filtering to remove obvious misclassifications (e.g., HTTP services erroneously labeled as RDP, or empty banner responses). Some margin of error is inherent in passive data collection.

Service Landscape

56.2% of all scanned IPs run a web server, and 91% of web-serving IPs support HTTPS - a reasonably healthy encryption adoption rate. The dominant software stack:

Software | Instances | Context
Cloudflare | 280,327 | CDN / reverse proxy (multiple ports per IP)
nginx | 20,151 | Web server / reverse proxy
OpenResty | 12,395 | nginx-based (often cPanel stacks)
Dovecot | 12,670 | IMAP mail server
OpenSSH | 10,299 | Remote administration
Exim | 6,297 | Mail transfer agent
cPanel | 6,267 | Hosting control panel
Postfix | 4,062 | Mail transfer agent
Apache httpd | 3,869 | Web server

Exposed Administrative Services

More concerning are the services that should rarely - if ever - face the public internet. The following counts have been filtered to remove false positives:

Service | Exposed IPs | Risk Context
FTP (ports 21/990) | 6,858 | Credential interception possible if STARTTLS not enforced
Databases (MySQL, PostgreSQL, MSSQL, etc.) | 4,315 | Direct data access if misconfigured
RDP (Remote Desktop) | 751 | Primary ransomware initial access vector
SMB (File Sharing) | 198 | Lateral movement, EternalBlue-class exploits
VNC (Remote Desktop) | 132 | Often weak or no authentication
Telnet | 36 | Unencrypted legacy protocol

Deep Dive: RDP - The Ransomware Gateway

The 751 IPs with exposed RDP services deserve special attention. We identified RDP services not only on the standard port 3389 (447 IPs), but also on 320 additional IPs running RDP on non-standard ports - a common practice intended to "hide" the service from automated scanners, but easily detected by modern scan databases that probe the entire port range.

RDP remains the single most exploited initial access vector for ransomware operators. According to Sophos' Active Adversary Report, compromised RDP accounts were involved in over 90% of ransomware incidents in recent years.
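
An added example (not part of the original report) of auditing your own address space against scan-database records the way the counts above were produced: services are judged by what the banner shows rather than by port number, and the misclassifications mentioned in the disclaimer (empty banners, HTTP labelled as RDP) are set aside. The record layout, the default-port map and the sample records are assumptions constructed for illustration.

```python
# Assumed default ports, used only to mark a finding as "non-standard port".
DEFAULT_PORTS = {
    "rdp": {3389}, "smb": {445}, "vnc": {5900}, "telnet": {23}, "ftp": {21, 990},
    "mysql": {3306}, "postgresql": {5432}, "redis": {6379}, "mongodb": {27017},
}

# Constructed RDP reply: TPKT header + X.224 Connection Confirm + negotiation response.
RDP_CC = bytes.fromhex("030000130ed000001234000200080002000000")

# Constructed scan records, shaped like rows exported from a port scan database.
RECORDS = [
    {"ip": "192.0.2.20", "port": 3389, "service": "rdp", "banner": RDP_CC},
    {"ip": "192.0.2.21", "port": 33890, "service": "rdp", "banner": RDP_CC},
    {"ip": "192.0.2.22", "port": 3389, "service": "rdp",
     "banner": b"HTTP/1.1 400 Bad Request\r\n"},
    {"ip": "192.0.2.22", "port": 6379, "service": "redis", "banner": b""},
    {"ip": "192.0.2.23", "port": 6379, "service": "redis",
     "banner": b"-NOAUTH Authentication required.\r\n"},
    {"ip": "192.0.2.23", "port": 443, "service": "https", "banner": b"HTTP/1.1 200 OK\r\n"},
    {"ip": "198.51.100.5", "port": 23, "service": "telnet", "banner": b"login: "},
]
OWNED_IPS = {"192.0.2.20", "192.0.2.21", "192.0.2.22", "192.0.2.23"}


def looks_like_rdp(banner):
    """An RDP server answers with a TPKT header (03 00 <len> <len>) followed by
    an X.224 Connection Confirm TPDU, whose code 0xD0 sits at offset 5."""
    return len(banner) >= 6 and banner[0] == 0x03 and banner[1] == 0x00 and banner[5] == 0xD0


def is_plausible(service, banner):
    """Reject the obvious misclassifications before counting a service."""
    if not banner:
        return False                  # empty banner: nothing confirms the label
    if banner.startswith(b"HTTP/"):
        return False                  # a web server answered, whatever the label
    if service == "rdp":
        return looks_like_rdp(banner)
    return True


def audit_exposure(records, owned_ips):
    """Return (exposed, rejected) for administrative services on owned IPs.
    exposed rows are (ip, port, service, on_non_standard_port)."""
    exposed, rejected = [], []
    for rec in records:
        service = rec["service"]
        if rec["ip"] not in owned_ips or service not in DEFAULT_PORTS:
            continue
        if not is_plausible(service, rec["banner"]):
            rejected.append((rec["ip"], rec["port"], service))
            continue
        off_port = rec["port"] not in DEFAULT_PORTS[service]
        exposed.append((rec["ip"], rec["port"], service, off_port))
    return sorted(exposed), sorted(rejected)


if __name__ == "__main__":
    found, dropped = audit_exposure(RECORDS, OWNED_IPS)
    for row in found:
        print("EXPOSED", *row)
    print("rejected as misclassified:", dropped)
```

The RDP service moved to port 33890 is reported exactly like the one on 3389, which is the point of the paragraph above: changing the port does not remove the exposure.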

Deep Dive: Exposed Databases

The 4,315 IPs with internet-facing database services represent perhaps the most direct data breach risk:

Database | Exposed IPs
MySQL / MariaDB | 3,304
PostgreSQL | 461
Microsoft SQL Server | 175
Redis | 153
MongoDB | 126
Elasticsearch | 72
Memcached | 24

The 153 Redis and 126 MongoDB instances directly exposed to the internet are concerning - these databases are frequently deployed with no authentication by default.

Fig. 4 - Administrative services exposed to the public internet across .lt infrastructure

Vulnerability Footprint

Across the 99,078 scanned IPs, online port scan databases identified 475,433 total vulnerability instances spanning 4,789 unique CVEs. 10.7% of all scanned IPs (10,556) have at least one known vulnerability associated with their running services.

7. Concentration Risk: When Thousands Share One IP

Shared hosting concentrates risk in ways that individual domain owners rarely appreciate. Our IP-to-domain mapping reveals extreme concentration:

IP Address | Apex Domains | Total Subdomains
79.*.*.1 | 22,296 | 31,178
84.*.*.32 | 10,068 | 8,289
34.*.*.41 | 7,215 | 7,245
23.*.*.65 | 4,221 | 442
2.*.*.91 | 3,633 | 3,381

A single IP address - 79.*.*.1 - hosts 22,296 distinct domains and over 31,000 subdomains. A successful compromise of this server, or a DDoS attack targeting it, would affect thousands of Lithuanian businesses simultaneously.

Of the 103,963 IPs in our hosting statistics, 25,260 (24.3%) belong to Cloudflare's network, which provides a layer of DDoS protection and CDN performance - but also means a quarter of all traffic flows through a single provider's infrastructure.

The fact that the top five IPs alone host over 47,000 domains means that five successful compromises could affect approximately 22% of all .lt domains. This concentration creates a systemic risk that extends beyond individual domain owners to the national digital ecosystem as a whole.

8. Key Takeaways

The .lt domain space tells a coherent story about how a modern, digitally active nation builds, maintains, and occasionally neglects its online presence:

  • Infrastructure sovereignty is partial. 47.1% of IPs serving Lithuanian domains reside outside the country's borders. This is not inherently bad - cloud services offer resilience and performance - but it does mean jurisdictional complexity in incident response and data governance.
  • Market concentration amplifies systemic risk. Two registrars control 67% of the domain market. A handful of IPs host tens of thousands of sites. Five IPs alone host 22% of all domains. When one link in this chain has a bad day, the blast radius is national.
  • Organizational connections are discoverable. Through cross-referencing domain registry data, corporate cloud tenant identifiers, and shared infrastructure signals, we identified over 16,000 organizational clusters spanning 70,199 domains. Organizations with 10, 20, or 165 domains under one organizational fingerprint should know that this linkage is discoverable - and actionable - by anyone with access to the same passive data sources.
  • The expiration cycle is a standing threat. With most .lt domains registered on one-year terms, the namespace exists in a state of perpetual renewal churn - creating persistent opportunities for domain hijacking, brand impersonation, and account takeover via password reset abuse.
  • Administrative services remain overexposed. 751 RDP endpoints (including 320 on non-standard ports), 4,315 database instances, and 6,858 FTP servers face the open internet. These are the footholds that ransomware operators and initial access brokers actively seek.
  • Passive data is the great equalizer. Everything in this report was discovered without actively scanning, probing, or interacting with any target infrastructure. The information asymmetry no longer favors defenders - attackers have the same view of your infrastructure that you do, often a better one.

9. Conclusion

The Lithuanian domain space is more interconnected - and more transparent - than most realize. The connections are there, embedded in DNS records, IP geolocation data, corporate cloud identifiers, and organizational metadata, visible to anyone with the right methodology.

The purpose of this analysis is not to alarm, but to demonstrate what passive intelligence reveals at scale. Every organization has a digital perimeter, and in most cases, that perimeter is larger, more distributed, and more exposed than anyone on the IT team fully appreciates.

Understanding your attack surface is the first step to defending it - and the window between when an exposure appears and when an attacker discovers it is narrowing every day.


Disclaimer: This research utilizes strictly public, passive data sources - DNS metadata, WHOIS records, certificate transparency logs, and aggregated scan data from online port scan databases. No active scanning, probing, or direct interaction with any domain or IP address was performed during this research. All analysis is presented in aggregate to identify systemic trends. No private networks were accessed and no personally identifiable information is exposed in this report. Internet infrastructure is inherently dynamic - this analysis represents a snapshot taken in early 2026, and individual data points may have changed since collection.
