Return from the land of the dead (domains)

Nov 14, 2019  - written by  in Domain names

When a domain name expires and is dropped, what it leaves behind can make it appealing to re-register. And while resurrecting dead domains can be done for nefarious purposes, re-registering dead domains is not, by itself, necessarily a dark art.

There are three categories of re-registered domain names.

Domains re-registered in “pre-release” are those that change owners before the registrar deletes the domain. “Drop-catch” is a type of domain re-registration that takes place immediately after (or sometimes even before) domains are dropped by the registry. After the initial drop, though, domains that are re-registered can be considered “retreads.” The difference is timing, and oftentimes, the price paid.

Pre-release

A domain’s afterlife can actually start even before the end of the process outlined above. Some registrars re-sell expired domains before they are even “released” to the registry. As a domain approaches the end of the initial 45-day grace period, these registrars put domain names up for auction before the domain hits the “redemption period.” If someone buys it, instead of releasing the domain to the registry, the registrar changes the registration of the domain over to the winner of the auction as though the domain had simply changed owners.

For domains registered at registrars that do not follow this practice or those domains that don’t get auctioned off, there’s first the drop.

The drop and drop-catch

After a domain expires, is deleted by the registrar, and comes to the end of the “redemption” grace period, the final step is that the registry schedules the domain for deletion. Usually after about five days, the registry deletes expired domains in a daily batch known as “the drop.”

Some registries, like Verisign (the registry for .com domains), release daily lists of domains that are going to drop, which get pored over by a community of domain name salvagers who vie for the desirable and possibly valuable domain names being dropped.

Registering a domain name immediately when it drops is called “drop-catch” registration. Not only are there domain registrants who specialize in seeking out the best dropped domains, but there are drop-catch registrars who cater to this niche market.

As the drop starts to take place, drop-catch registrars flood the registry with registration requests. Competition is so fierce that this has been called “the world’s largest legal denial of service attack.” Similar to Wall Street style high-frequency trading, drop-catch registrars position their servers geographically close to registries in order to ensure their registration requests get in first.

While some registries, like Nominet (the registry for .uk domains), try to discourage this behavior by penalizing registrars for unsuccessful registration requests, at least 80% of domain creation attempts are drop-catch registration requests.

Drop-catch represents a sizable chunk of domains: 10% of all .coms that expire and are deleted get re-registered immediately on deletion.

Analysis shows that most re-registered drop-catch domains don’t point to any website but instead to parking pages and monetized advertisements.

This suggests that domains brought back to life in the first few moments after they drop are often resurrected either to monetize residual web traffic to those domains, or to speculate on desirable domains, possibly even to hold the previous owner ransom if they want their domain back.

Retread

The ~90% of domain names that expire, get deleted at both the registrar and the registry, and aren’t registered directly after they drop don’t necessarily rest in peace either. The longer time frame makes these harder to measure and quantify than drop-catch domains, but a non-trivial number of domains nonetheless get re-registered at some point after the initial drop. About 50% of those that are re-registered get re-registered in the first year.

Some of these re-registrations are just the original owner of a domain name who missed the late renewal and redemption periods and recovered their domain name as a re-registration. This is the last-ditch resort for domain owners to avoid losing the trust and the services they’ve built up with their expired domain name.

Some, as with drop-catch and pre-release domains, are registered to monetize residual traffic still being directed to them.

Research has demonstrated a preference amongst spammers for retread domains over registering new domains and especially over drop-catch domains. This fate only befalls about 1.4% of retread domains, though that rises significantly to 7.7% of domains re-registered in the first 90 days.

It seems the reason is that spammers prefer a domain name with a clean history, but a history nonetheless, and they trawl the public lists of domain names being dropped to look for domains to re-register and possibly thereby break through some spam filters.

Defense against the dark arts

The necromancy of bringing domains back from the dead is not a dark art per se, and it’s more often than not done legitimately and with no ill intentions.

However, if you don’t want your domain to die in the first place (much less be used for less-than-desirable purposes in the afterlife), there are some simple steps you can take to avoid such a fate for your beloved domain:

1. Monitor the services you have attached to your domain

The truth is, not everyone is going to be on top of remembering their domain’s expiration date. And while we’d like to think you’re logging into your control panel regularly, it could happen that your domain’s expiration date slips by. If that happens, there will still be a 45-day gap before your domain gets deleted by your registrar, during which you can renew your domain and prevent it from dying an untimely death.

The best way to avoid this is to keep a watch on the services you have attached to your domain. If you have a website, chances are you have someone using it regularly. If you’re not regularly administering your website, get in the habit now! You could be experiencing downtime that has nothing to do with your domain expiring and missing out on visitors.

2. Activate automatic renewal

Similarly, you don’t have to remember to renew your domain if you can renew it automatically. Most registrars let you set up an automatic renewal option that renews your domain name automatically from a credit card on file. This is pretty simple to activate at Gandi, and you can easily do it from your list of domains in your control panel. Set up a credit card for automatic payment from your account’s settings.

Credit cards expire too or get declined and things go wrong, so auto-renew is not foolproof.

If all of this does fail, you can consider using a drop-catch service to try to get your domain back once it gets dropped, or you can wait it out and re-register it for the standard price.

3. Don’t trust a domain name

Many of the attacks described in part one of our guide are possible when services rely too heavily on trusting domain names alone. Because domains can and do expire, on purpose and by accident, they can’t be the only thing a service relies on.

But there are ways to establish trust that go beyond simply using a domain name. Using DNSSEC can keep DNS traffic from getting hijacked, and two-factor authentication on any login accounts keeps anyone with access to an abandoned email address from hijacking your accounts.

Cryptographic package signatures allow your system to verify the source of software updates and avoid exposing your system.
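The checks from sections 1 to 3 can be automated against registration data. The following is an added example, not code from the original article or from Gandi: it takes parsed RDAP domain objects and flags a name that is close to or past expiry, a name carrying a post-expiry lifecycle status, and a name whose creation date is later than the day you started trusting it, which means it was dropped and registered again. The records, the domain names and the `trusted_since` baseline are constructed assumptions.

```python
from datetime import datetime, timezone
# RDAP status values (RFC 8056) for names past expiry or queued for the drop.
# While "auto renew period" is set, the registry's expiration date may already
# read a year ahead, so the status is checked as well as the date.
LIFECYCLE_STATUSES = {"auto renew period", "redemption period", "pending delete"}

def event_date(rdap, action):
    """Return the datetime of the first RDAP event with this eventAction, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def assess(rdap, trusted_since, now, warn_days=45):
    """Return (code, detail) findings for one parsed RDAP domain object."""
    findings = []
    registered = event_date(rdap, "registration")
    expires = event_date(rdap, "expiration")
    # Created after we began trusting it: the name was dropped and registered
    # again, possibly by a different party.
    if registered and registered > trusted_since:
        findings.append(("REREGISTERED", f"created {registered.date()}"))
    flagged = LIFECYCLE_STATUSES & {s.lower() for s in rdap.get("status", [])}
    if flagged:
        findings.append(("LIFECYCLE", ", ".join(sorted(flagged))))
    if expires:
        days = (expires - now).days
        if days < 0:
            findings.append(("EXPIRED", f"{-days} days ago"))
        elif days <= warn_days:
            findings.append(("EXPIRING", f"in {days} days"))
    return findings

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed RDAP records (not real lookups); names use the reserved .example TLD.
OWN = {"ldhName": "shop.example", "status": ["active"], "events": [
    {"eventAction": "registration", "eventDate": "2015-03-02T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2019-12-01T00:00:00Z"}]}
DEPENDENCY = {"ldhName": "cdn-vendor.example", "status": ["active"], "events": [
    {"eventAction": "registration", "eventDate": "2019-09-20T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2020-09-20T00:00:00Z"}]}
LAPSED = {"ldhName": "old-mail.example", "status": ["redemption period"], "events": [
    {"eventAction": "registration", "eventDate": "2012-10-01T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2019-10-01T00:00:00Z"}]}

if __name__ == "__main__":
    for rec, year in ((OWN, 2016), (DEPENDENCY, 2017), (LAPSED, 2013)):
        print(rec["ldhName"], assess(rec, utc(year, 1, 1), utc(2019, 11, 14)))
```

A REREGISTERED finding on a domain you depend on (a vendor, a package host, an account-recovery address) is the cue to stop trusting it on name alone and re-verify through another channel.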

4. Notify your users before you let your domain expire

Maybe it’s time for your domain to die, though, and you want to send it off to the afterlife safely. If you host anything on your domain name (whether websites, email addresses, or DNS servers) and you intend to let your domain name expire, it’s a good idea to notify your users. You can put a warning on your website months ahead of time and create auto-reply messages for anyone trying to reach you at an email address you’re going to abandon.

Back to the land of the living

When domain names expire and get dropped by the registry, they become available for anyone to register. A sizable proportion of these are swooped up by drop-catchers who are mostly looking to monetize domains (though some are trying to gain the domains for other uses), but most are not even re-registered in the first few moments after they become available again, if at all.

There are, nonetheless, some security concerns with domain names that die without being properly prepared. The domains may be gone but the memory lives on, and while it does, re-registering them can be a way to gain access to internet traffic or resources, sometimes for illicit purposes.

To avoid this, domain name owners can take steps to avoid the untimely loss of their domains and plan ahead for the end of life of the domains they want to let go.

As we end our tour of the domain name afterlife, there are some areas we’ve left untouched. We’ve mostly focused on what can happen when your domain or a domain you use expires and is re-registered by someone else who may not have the best intentions. A lot of these have to do with the residual trust a domain name leaves behind. What we haven’t talked about is the ways someone could register a domain name, let it expire, and exploit the same residual trust when someone else unsuspectingly re-registers it. For now, we’ll have to save that for another time.
