At this point we're probably going to go ahead and pre-load a few individual hostnames in `wikimedia.org` that are more-critical while the longer process plays out for the rest of it. We can't touch `donate` due to ongoing issues to resolve there. My short-list to get the most-important ones locked down would be just these:
- `meta` - This gets hit a ton during browser access to other wikis, for things like banner campaigns, gadgets, etc
- `login` - To protect CentralAutoLogin-related hits here
- `commons` - Because it's a major wiki and again indirectly referenced a lot
- `payments` - Doesn't even have an HTTP listener on port 80 and fairly critical
The first three all have `.m.` variants in DNS, although `login.m` doesn't seem to get real traffic in practice? Could just remove that one instead of pointlessly preloading it if so.
We'll need to address the bad `www` subdomains in meta and commons first as well (T102826)