Domains have a lifecycle. They are created, they are used for a time, and they expire. But for many domains, life doesn’t end there. Domain names can be revived, resurrected, and repurposed after living a full life and the lifecycle repeats itself. Sometimes the owner doesn’t have any use for a domain and they let it expire. But many times when domains expire it’s not intentional, and the owner just missed the deadline to renew.

Even when they aren’t re-registered, the memory of a dead domain name can live on. In their lifetimes, domains accrue a reputation, are used to host services, and sometimes are used to confirm identity. After they expire, these services can no longer be active, but links, memories, and references are not erased.

These hollowed out husks can be harvested and reanimated by anyone willing and able to pay the price of registration. Such scavengers then take advantage of traffic still routed to or reputation still accorded to the domain from its past life, oftentimes just to monetize that traffic, sometimes to take advantage of desperate former domain owners, and on rare occasions to divert traffic or subvert domain reputation for less ethical even illegal activities.

This is our guide to the domain name afterlife.

What happens when a domain expires?

The first stage in the end of a domain’s life is expiration. Domains get registered in yearly increments, and once that registration is up, the domain then expires.

ICANN—the non-profit organization charged with administering the internet, including the top level of the domain name system—has long had measures in place to prevent domains from expiring and getting re-registered against the wishes of their owners.

Registrars are required to notify domain owners two months, one month, and fifteen days before the expiration date of a domain name and then once again one day after the expiration of the domain name.

There are other ways to tell whether a domain is expiring soon, of course, like the domain registrar’s user account, which generally makes this information noticeable.

As a part of the process ICANN requires for domain name expiration, the first thing a domain name does when it expires is it stays right where it is. The registrar puts it in a “hold” status for 45 days. With a domain on “hold,” the owner stays the same but the DNS stops resolving. That is, the domain just stops working.

At this point, the owner can still revive their domain name. All it takes is for them to renew their domain with their registrar. At the end of the 45 days, the domain name is deleted in the registrar’s database and passes into the “redemption grace period,” an additional 30 days in which the domain remains in the registry’s database. During this “redemption grace period,” domain owners can restore their domains for a higher fee than a normal renewal.

Despite this ample opportunity for owners to bring their domains back from the dead, sometimes domains still get “dropped,” meaning they expire for good and return to the pool of available, unregistered domain names.

Why do domains expire and get dropped?

Most of the time when a domain expires, it’s because the owner of the domain wanted it to expire. When domain owners legitimately don’t want their domains any more, they let them expire, don’t renew or restore them, and let them pass on into general availability.

But domains still expire and can even get dropped inadvertantly as well. If a domain doesn’t have automatic renewal activated, when a domain owner misses a renewal notification, the domain can expire without them noticing. That can happen for a couple of reasons.

First, inaccurate or invalid contact information on a domain can mean notifications about domain name expirations are sent to the wrong email address or even to a non-existent email address. This is why it’s important for domain owners to ensure they use an email address at which they can be reached to register their domain names.

Similarly, since after domain names expire they stop working, if a domain name is “tucked”, meaning it has a contact email address that is @ the domain name in question, the final warning of the domain having expired might not be delivered.

Even if a domain owner doesn’t receive or misses the renewal notifications, usually they catch that their domain has expired because their website or email or other service stops working.

The main reason domains are inadvertently dropped by domain owners following expiration is simple neglect.

Missing the notifications and not noticing in a 75 day period that a domain name—including any websites, email, or other services associated with it—isn’t working is hard if the domain is being used regularly, though it can and does happen.

It’s a little easier to miss, of course, when domains are not being actively used by their owner, whether they’re holding onto them to sell later, or they just haven’t gotten around to using it for the project they registered it for.

What a dead domain leaves behind

It’s sometimes hard to appreciate the myriad ways in which a domain name’s shadow stretches across the net until the domain itself is gone and only the shade is left.

When a domain name dies, it is survived not only by its former owner, but by links and browser bookmarks, websites and email accounts, software and spam filters. These, in turn, send traffic to dead domains that despite never returning any signs of life, can linger on for quite some time.

1. Websites

Most obviously, domains live on as the recorded addresses of websites.

Anywhere a website is linked to, the associated domain name is part of that link. That includes social media profiles and posts, blog posts, emails, or even business cards and billboards. A domain could also be saved in browser bookmarks or it might just be particularly memorable and stuck in the heads of internet users.

The more links that exist out there, the more web traffic still heads to that site even after the domain dies. So long as the domain doesn’t exist, most people trying to go to the domain will see nothing—just an error message saying their domain does not exist.

Third parties often capture—and monetize—this traffic for themselves by registering a previously expired domain name.

2. Email

Domain names are not just used to host websites, though. They’re also used to host email. And another way that a domain lives on even after it expires is in email addresses @ that domain.

These email addresses may not belong to the owner of the domain name or its technical administrator, so it may come as a surprise when an employee, friend, or customer’s email address suddenly stops working due to the domain having expired.

But email addresses don’t just live on in the memories of their owners. Services online frequently use email addresses to sign up users.

One night in May 2003, a major US defense contractor lost control of a block of the IP addresses they owned for use in their network. It had been hijacked and was being used to send spam email and got the IP addresses listed on both the SpamHaus and SPEWS blacklists

When attackers pulled a similar move in 2018 in order to hijack a cryptocurrency website, they had to get access to BGP routers at major ISPs. In the case of this large defense contractor, the spammers got that access through the front door, so to speak.

IP address blocks are registered using email addresses, and proving access to the email address used to register an IP address block was enough to get ISPs change the BGP route on them.

They got access to this email address by simply registering the domain name the email address was attached to when it expired. Despite being a major defense contractor, it still took the company two months to recover their IP address block.

A similar thing happened to a Russian Internet Service Provider. The 2008 financial crisis had brought their company to the brink of bankruptcy and in the intervening years their domain had expired. Then, in 2011, a new investor saved the company from the brink only for the company’s representatives to find that the ISP’s entire network had been hijacked.

In turned out that just six hours after the registration expired, someone had re-registered their domain name and used it to gain total control of their network by emailing another ISP from the email address the IP block was registered to. Once the problem was noticed, it took the ISP three months to fully recover.

Email addresses are used for more than registering IP address blocks, though.

Social media profiles like Facebook and Twitter are linked to email addresses, as are some financial institutions. Aside from personal accounts, email addresses can be linked to accounts that manage online assets like (other, non-expired) domain names.

When a person or an online service (sometimes automatically) tries to send an email to a domain name hosted on it and the domain no longer exists, the email will bounce.

As a result, when a domain name expires, it also becomes attractive for the email potentially sent to it. A catch-all email address set up on a re-registered expired domain can capture any emails, and could give someone access to social media profiles, bank accounts, domain names, and IP address blocks.

3. DNS

Websites and email are not the only services that can be hosted on a domain name. Domain names can themselves be used to host domain name servers. A domain name expiring that’s used for domain name servers could impact another domain name simply using that domain for its DNS servers.

In 2012, a top-ranked private Catholic university in the Midwest was using its own domain to host primary DNS name servers while its secondary name servers were hosted on a .com domain outside of their control. DNS name servers are used to connect a domain name to a service, specifically a website or email @ that domain.

In late Fall of that year, though, something strange started to happen when people were trying to reach the university’s website: website visitors were being intermittently forwarded to a purely advertising website that had nothing to do with their university. Most of the time, though, the university’s webpage loaded like normal.

It turns out that the .com domain name used as the secondary name server on the domain had expired. The primary name server still worked fine, though, and so as the .com domain had gone through the late renewal grace period, and the redemption grace period, no changes were noticed, DNS is robust enough to mitigate the effects of temporary outages.

It wasn’t until an SEO company re-registered the .com as a re-tread domain that the put a wildcard record in the .com‘s zone file and ended up redirecting a portion of traffic for the entire university’s infrastructure—potentially including student logins, email, and other legally sensitive data—to their own servers that anyone started to take notice.

If a domain expires that’s used to host DNS name servers, and someone else registers it, they can start serving arbitrary zone data for other domains that rely on those name servers. If the affected domains don’t use DNSSEC, traffic to services on these could be diverted.

More recently, in 2016, Matt Bryant, a security researcher, who also reported a couple of unrelated vulnerabilities to us, was able to find a rare .int domain name—normally reserved for international treaty organizations—with nameservers assigned to an expired .be domain name. Registering the .be domain name gave Matt control over the domain.

He wrote a script called TrustTrees that produces DNS trust graphs and can verify whether domain names used for the nameservers of entire registries are available for registration.

In 2018, this script alerted him that four of the seven domains used for the authoritative nameservers for the entire .io TLD (top-level domain) expired and were available for registration. To his surprise, he was able to re-register the expired nameserver domains, which would have allowed him to take control over the entire .io TLD (he quickly reported the issue to the registry and the domain registrations were revoked by their registrar partner).

4. SSL certificates

SSL certificates are the cornerstone of web security. They’re used to bind cryptographic material to a trusted organization, in order to ensure that a website is legitimate, and that traffic to it is properly encrypted and confidential. Whenever HTTPS appears in front of a web address, the page is using an SSL certificate.

The problem is that an SSL certificate can be purchased for periods of time independent of domain name registration. The purchaser must only prove that they own and have control of a domain name at the time that the certificate is issued. It’s completely possible, then, for an SSL certificate to outlive the domain name it’s associated with. This kind of SSL certificate is called BygoneSSL.

When a popular payment processor launched in 2010, it acquired its domain name from a domain parking service. The domain changed owners without issue, however the previous year, in 2009, the domain parking service had purchased a two-year SSL certificate covering the domain until 2011 which had not been revoked during the one year it was still valid. The previous owner of the domain name could have used this certificate to intercept website traffic and no one would be the wiser. The same risk applies for expired domain names.

It is, however, possible for domain name owners to request that CAs (Certificate Authorities, who issue certificates) revoke previous certificates for domain names they purchase, whether ownership is transferred or just expired and re-registered.

What complicates things even more is that certificates can be issued for more than one domain name. Some certificates—often issued by CDNs (content delivery networks)—can have hundreds of domains completely unrelated to one another. If just one of those domain names expires, someone could re-register it and legitimately request the revocation of the multi-domain certificate, breaking HTTPS on potentially hundreds of sites.

5. Software

Another way a domain name lives on even after it’s gone is in various references made to it in software.

For example, manufacturers of internet routers and other internet-connected devices commonly use domain names they own as a way to access a device’s configuration page. This makes it easy to publish set-up instructions by telling users to go to a particular domain name that can resolve thanks to the device’s internal configuration even before it has an internet connection and be used to change the device’s configuration later on.

If that domain name expires, it could still work without issue when a device doesn’t have an internet connection, but when it does, it could use DNS to resolve the configuration domain name that may have been registered to someone else.

In 2016, two domains owned by a popular manufacturer of home internet routers that were at one point used for just this purpose expired and were re-registered by an unknown third party, who listed it for auction at $2.5 million.

While the company had stopped using the domains for new products since 2014, at the time one of the two domains in question was still getting almost 4.5 million visitors per month. In the three years since, as of September 2019, that’s slowed down to just over 550,000 visitors per month. In the meantime, the pressures were apparently too great and the router manufacturer has since bought the domain back.

Another example is “stale” JavaScript inclusions. Some websites include remote JavaScript scripts on domain names that are not related directly to their own site. Obviously it’s best for site administrators to routinely check their sites for errors, which would catch such instances, but even on some of the internet’s most popular websites, remote JavaScript scripts to expired domains get included. These are called “stale inclusions.”

In 2012, a study found 47 out of Alexa’s top 10,000 websites included JavaScript scripts for domains that were expired at the time the study checked. It’s a small proportion but these domains could be resurrected to run malicious JavaScript scripts on these websites.

W3C now recommends the use of Subresource Integrity (SRI). SRI ensures the integrity of injected scripts and resources. Not only does using SRI protect against the vast majority of stale inclusions, but also against threats such as CDN takeover.

That said, most third party scripts are just a gateway to dynamically included, regularly updated scripts, so this may not apply to many scenarios.

Similarly, Content Security Policy (CSP) ensures that the script or resource in question is loaded through trusted sources.

CSP may be easier to implement, provided that third party scripts and resources do not load content for changing or unknown origins as part of their normal functioning.

But it’s not just in JavaScript scripts that expired domain names live on in software. Plugins installed in internet browsers will load their settings and content by referencing domain names and when these domain names expire, these browser plugins may continue to try to contact them automatically when browsers start up.

This similarly would allow someone registering an expired domain to impact browser settings on users’ computers remotely.

Debian is popular free, open-source operating system for PCs and an independent developer used to publish a repository of multimedia packages for use with Debian on the domain name debian-multimedia.org. Even though it wasn’t officially associated with Debian, it was a popular repository that many blogs and how-to articles linked to and many Debian users had debian-multimedia.org referenced in their version of the file Debian’s package manager uses for automatically installing or removing software. When the owner of the repository subsequently moved it to deb-multimedia.org, the old domain (debian-multimedia.org) expired and was registered by an unknown third-party.

The Debian maintainers did their due diligence and warned Debian users to remove debian-multimedia.org, and Debian packages are cryptographically signed by maintainers, so a normal Debian set up should not trust domains alone.

In 2015, a less severe incident took place when the domain name of a popular open source image editing tool expired. Users of the tool alerted the owners of the domain before it was too late to recover the domain name, but if it had expired and gotten re-registered, the new owner could have potentially pushed corrupted versions of the tool to unwitting users as an update. As in the Debian case above, users who didn’t accept unsigned packages (which is standard) were not at risk.

6. Domain reputation

Finally, a domain name isn’t just remembered for what it was used for, but also how it was used. Domain names have reputations that are used for either clearing traffic to and from them or blocking it. Domain name blacklisting is a tool that’s used to stop the spread of spam on the internet. Domains that are known for abusive or spamming behaviors get added to blacklists to prevent users from being victimized.

The inverse of domain name blacklisting is domain name whitelisting, where email coming from certain domains bypass spam filters and get delivered no matter what.

Expired domains that are on whitelists are obviously appealing for spammers to re-register, since it would give them a backdoor around spam filters.

As mentioned above, the links and redirections to a domain name remain scattered across the internet. The strength and relevance of these links build a site’s SEO during life, and that SEO can carry over into the next life. Services like Domcop let users search for expired domains with good SEO rankings. As of last July 2018, the SEO industry was an almost $80 billion industry.

Registering a domain that already has had the hard work put into it to optimize search-engine ranking can be a useful shortcut.

All of these different ways a domain lives on after expiration, in turn, can make these dead domains attractive candidates for bringing back to life.

The domain name afterlife

Domain names can and do expire, and despite the best efforts of registrars, registries, and ICANN to prevent it, they can also end up getting deleted completely. But what they were used for in life can still have an impact—and can even be a route to compromise key resources—even after the domain is gone.

Join us next week when we continue our journey through the land of dead domains and discuss how to avoid the accidental loss of your domain name.