Domains Due to Expire Within 90 Days

Expiring Domains without Autorenew lead to service downtime and signal operational risk. Expired domains can also be captured by malicious parties.

Details ¶

Our advised practice for managing domains is to ensure that all domains are set to auto-renew unless a deliberate strategic decision has been made to let them expire. If a domain is to be discontinued, this decision should be made well in advance of the expiration date to avoid unintended consequences. Allowing a domain to lapse and return to the public pool for purchase can result in significant risks including domain squatting, service downtime and reputational damage.

Domain Squatting ¶

Domain squatting occurs when third parties purchase an expired domain with the intent to exploit its previous association. These parties may demand a ransom from the original owner to regain control of the domain or use it for malicious purposes, such as impersonating businesses. Ownership of a domain grants full rights to use it for activities like email signing (DKIM, SPF), obtaining publicly trusted certificates for secure connections, and any other domain-related operations.

As so many services utilise domain managed information for identity, authentication and authorisation processes, the blast radius for a captured domain can be catastrophic. The question is less related to the number of records or hosted services on a domain, but the unknown data that is uniquely linked to a domain that can be access via the controls that the domain owner has access to.

For an understanding of what data can be indirectly captured via old domains research by Inti De Ceukelaire gives an idea of how large the blast radius for domain control can be with not much work. Our reference article summarises and links to his research and also expands on how this vulnerability can be leveraged further. However, for €850 and 48 hours plenty of data was captured with little effort.

Remediation ¶

If it is intended to keep domains it’s best to turn autorenew on. This completely prevents any domain squatting from occuring. If a domain is to be expired then there are a few checks we would recommend performing by investigating the domain records:

• If there are MX records - what email accounts are / were active? Have all accounts linked to those email accounts been migrated elsewhere including third party emails?
• If there are TXT records - what are the TXT records confirming? For example, are there Google Domain Ownership records identifying domain properties to Google?
• If there are A or AAAA records - are the services for those records migrated or scheduled to shut down?
• If there are CNAME records - are the services receiving traffic from those CNAME requests fully migrated over to a new domain? Does the traffic for that CNAME make up a substantial amount of traffic for that service?

Depending on the use of the domain the expiration of the domain can be quite complicated. The more usage a domain sees the more difficult it is to retire it safely. Get some guidance as you need!