I recently noticed this for the “.google” gTLD. https://twitter.com/jeremyheiler/status/569636501514022913
If I’m reading the post correctly, the author is guessing that someone else owns the gTLD? From what I understand, that’s not what 127.0.53.53 is used for. Instead, it’s being used–for now–to help others figure out sooner that these domains may collide with their internal networks. So, any “malicious” activity would be coming from within.