Before it is taken away! It's time to review your domain management method
A domain name is a critical business asset - and because of its value, it is constantly a target for attackers. Despite this, many companies remain insufficiently aware of the importance of domain management and the risks associated with it. How can organizations accurately identify domain-related threats and implement effective protections?
In this article, we explain key methods for managing domain risks and introduce practical countermeasures, including examples of our own initiatives.
Risks Associated with Domain Management
One of the most common risks in domain management is the practice known as domain drop catch (In this article, "domain" refers to the domain names used for websites and email addresses - for example, example.com).
Domain drop catch occurs when a domain that is no longer in active use expires, becomes unregistered, and is then acquired by a third party the moment it becomes available again.
Domains with existing page view history or prior usage records are particularly attractive targets. If such a domain is seized by a malicious third party, it can be repurposed for affiliate advertising or, in the worst case, exploited for criminal activities such as phishing, fraud, or malware distribution.
In addition, once attackers control the re-registered domain they can create email addresses under it and send mail that appears to come from the original organization. This email spoofing leads to secondary damage such as leakage of sensitive information, unauthorized instructions being followed, or malware infection through malicious attachments.
Another major risk associated with domain drop catch is subdomain takeover.
A subdomain takeover occurs when an organization's DNS still contains a record for a subdomain even though the service that record pointed to has already been discontinued. An attacker claims the now-unused target that the stale record still points to, thereby binding the subdomain to infrastructure they control, and can then serve malicious or fraudulent content to users who visit it (Figure 1).
This attack method has existed for many years, but it has become significantly more common with the widespread use of cloud services and CDN (Content Delivery Network) platforms. Subdomain takeovers are particularly likely in these environments because:
- Many cloud or SaaS services allow any user to request subdomains (hostnames) under the provider's shared domains.
- Orphaned DNS records - entries pointing to decommissioned cloud resources - are easy to overlook.
- Deleting DNS entries is often not part of standard offboarding or service-retirement procedures.
Unlike a registered domain itself, which a third party cannot easily obtain while the registration is maintained, subdomains (hostnames) within cloud or SaaS systems can often be recreated by anyone, making them high-risk and easy targets for takeover.
Figure 1: Principle of subdomain takeover in cloud service usage
Other Domain-Related Risks
In addition to domain drop catch and subdomain takeovers, organizations must also be aware of cybersquatting and typo squatting.
- Cybersquatting refers to the act of registering a domain name that contains an existing trademark or brand, then exploiting the brand's recognition to divert traffic to the attacker's site.
- Typo squatting is a closely related technique where attackers register domains similar to a legitimate one to capture traffic from user typing mistakes.
Both attacks exploit the value of well-known brands and domains. If left unaddressed, they can lead to brand damage, decreased customer trust, and misuse of corporate identity.
Identifying Risks
1. Identify Domain Names Currently in Use
Organizations should maintain a complete inventory of all domains they own and establish a centralized management process for acquiring, updating, and retiring domains.
If no official domain ledger exists, tracking them can be challenging, but a partial inventory can still be created by reviewing DNS records to identify domains that are no longer actively used.
As noted earlier, subdomain takeovers often occur due to unused or orphaned DNS records, so domains that still have DNS entries but are not used in the business represent a high-risk situation.
It is therefore essential to manage both the domains themselves and their associated DNS entries appropriately.
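The review of DNS entries described above can be scripted. The following is an added example (not NTT DATA's own tooling) that walks a zone export and flags CNAME records whose target no longer resolves, which is the precondition for the subdomain takeover described earlier. The zone records and the resolver answers are constructed sample data so that the example runs offline; live_resolve shows how the same check would query the system resolver.

```python
import socket

# Constructed sample zone export for a hypothetical organization (not real records).
# Tuples are (name, record type, target/value).
ZONE_RECORDS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("shop.example.com", "CNAME", "shop-prod.example-saas.invalid"),
    ("legacy.example.com", "CNAME", "old-app.example-cloud.invalid"),
    ("docs.example.com", "CNAME", "docs-site.example-cdn.invalid"),
]

# Constructed resolver answers standing in for live DNS lookups so the example runs offline.
# A target maps to an address if it still exists, or to None if resolution fails (NXDOMAIN).
FAKE_RESOLUTION = {
    "shop-prod.example-saas.invalid": "198.51.100.7",
    "old-app.example-cloud.invalid": None,   # service retired, target no longer exists
    "docs-site.example-cdn.invalid": None,   # CDN distribution deleted, record left behind
}


def live_resolve(name):
    """Resolve a hostname with the system resolver; return None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def fake_resolve(name):
    """Offline stand-in for live_resolve using the constructed answers above."""
    return FAKE_RESOLUTION.get(name)


def find_dangling_cnames(records, resolve=live_resolve):
    """Return (subdomain, target) pairs whose CNAME target no longer resolves.

    Such records are orphaned: the organization's DNS entry still exists, but the
    resource it points to has been decommissioned and may be re-creatable by anyone.
    The fix is to delete the record or point it at an asset the organization controls.
    """
    dangling = []
    for name, rtype, target in records:
        if rtype == "CNAME" and resolve(target) is None:
            dangling.append((name, target))
    return dangling


if __name__ == "__main__":
    for sub, tgt in find_dangling_cnames(ZONE_RECORDS, resolve=fake_resolve):
        print(f"DANGLING: {sub} -> {tgt} (target does not resolve; review or delete this record)")
```

A target that does resolve is not proof of safety: some providers answer for hostnames nobody has claimed, so each cloud or CDN target should also be cross-checked against the provider's console or inventory.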
2. Identify Domains Vulnerable to Cybersquatting and Typo squatting
Detecting third-party registration of similar or misleading domains requires more active investigation.
For this analysis, we used a tool called dnstwist (https://github.com/elceef/dnstwist) to scan for domains similar to "example.com," a reserved domain used for demonstration purposes.
dnstwist generates a list of similar domains using multiple algorithms, then queries their DNS records to determine whether they have been registered. For each detected domain, we also conducted a separate background check using public reputation services.
The algorithms used to generate similar domains include:
- Adding one character
- Replacing or removing a character
- Changing characters to adjacent keys
- Adding hyphens
- Bit squatting (*1)
- Changing the top-level domain (TLD) (*2)
In our analysis, 94 candidate domains were detected (Figure 2). Of these, 41 domains were classified as potentially malicious by reputation services.
Using tools that incorporate additional patterns - such as variations across multiple TLDs - enables even broader detection of suspicious domains that may pose risks to the organization.
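To make the algorithm list above concrete, here is an added example (not dnstwist's code, and not NTT DATA's analysis script) that generates lookalike candidates for a domain with each of the listed families: character addition, replacement, omission, adjacent-key substitution, hyphenation, bit squatting and TLD change. The adjacent-key map and TLD list are deliberately small, constructed subsets; a real monitoring run would use full tables and then check which candidates are registered, as the article describes.

```python
# Constructed, partial QWERTY adjacency map covering the demo letters; a real tool lists every key.
ADJACENT = {"e": "wrds", "x": "zcsd", "a": "qwsz", "m": "njk", "p": "ol", "l": "kop"}
LABEL_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789"   # hyphen handled separately
TLDS = ["com", "net", "org", "jp", "co"]                # constructed subset for the demo


def lookalike_candidates(domain):
    """Return a sorted, de-duplicated list of lookalike domains for monitoring or
    preemptive registration. Each block below corresponds to one algorithm family."""
    name, tld = domain.rsplit(".", 1)
    labels = set()
    for i in range(len(name) + 1):                       # addition: insert one character
        for c in LABEL_CHARS:
            labels.add(name[:i] + c + name[i:])
    for i in range(len(name)):
        labels.add(name[:i] + name[i + 1:])              # omission: drop one character
        for c in LABEL_CHARS:                            # replacement: any valid character
            if c != name[i]:
                labels.add(name[:i] + c + name[i + 1:])
        for c in ADJACENT.get(name[i], ""):               # adjacent key: typing slip
            labels.add(name[:i] + c + name[i + 1:])
        for bit in range(8):                             # bit squatting: one flipped bit
            flipped = chr(ord(name[i]) ^ (1 << bit))
            if flipped != name[i] and flipped in LABEL_CHARS + "-":
                labels.add(name[:i] + flipped + name[i + 1:])
    for i in range(1, len(name)):                        # hyphenation: split the label
        labels.add(name[:i] + "-" + name[i:])
    labels.discard(name)
    # Labels may not be empty or start/end with a hyphen.
    valid = {l for l in labels if l and not l.startswith("-") and not l.endswith("-")}
    candidates = {f"{l}.{tld}" for l in valid}
    candidates |= {f"{name}.{t}" for t in TLDS if t != tld}   # TLD change
    return sorted(candidates)


if __name__ == "__main__":
    found = lookalike_candidates("example.com")
    print(len(found), "candidates, e.g.:", found[:5])
```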
Notes
- (*1) Bit squatting: A phenomenon where a single bit flip occurs during DNS resolution (e.g., due to hardware or transmission errors). Attackers exploit this by registering domain names that differ by one bit from legitimate domains.
- (*2) Top-Level Domain (TLD): The highest level of the domain hierarchy, such as ".com", ".jp", or ".net", which appears at the end of an internet domain name.
Figure 2: Some of the dnstwist detection results
Effective Measures
Based on past domain-related incidents handled by NTT DATA-CERT, it has taken an average of approximately 10 months from the detection of a domain drop-catch incident to the completion of the reacquisition procedure. As this demonstrates, recovering a domain once it has been taken by a third party requires significant time, cost, and effort. Therefore, the most effective approach for companies is to prevent domain drop catch before it occurs.
1. Retain Your Domains for as Long as Possible
The most reliable way to prevent domain drop catch is to retain your domains permanently. To achieve this, organizations must maintain an accurate inventory of all domains in use and establish internal policies that make long-term retention mandatory.
At NTT DATA, guidelines encourage teams to use subdomains of the primary corporate domain whenever possible, instead of acquiring unnecessary new domains. When a new domain must be obtained for a project, teams are instructed to retain it for the long term if there is any possibility of future use.
That said, it is often unrealistic to track 100% of domains across a large organization. For this reason, NTT DATA also performs regular monitoring using security intelligence services to detect newly registered suspicious domains in a timely manner.
While permanent retention is ideal, maintaining every domain indefinitely can be costly. For domains that are clearly no longer needed, one practical approach is to review historical access logs and only release domains with low or no traffic.
Reference:
"Toward the End of Life of a Domain Name that Has Been Discontinued: The Story of Creating an Observation Environment"
https://engineers.ntt.com/entry/202412-enddomain-aws/entry (Japanese)
2. Preemptive Acquisition of High-Risk Similar Domains
Beyond preventing drop catch, another effective measure is the proactive acquisition of domains that include trademark terms or could plausibly be used to impersonate the organization.
This reduces the likelihood of cybersquatting, typo squatting, and fraudulent brand misuse.
What to Do If Your Domain Is Acquired by a Third Party
If a domain is hijacked via drop catch or acquired as part of cybersquatting or typo squatting, there are formal dispute resolution processes that can be used.
Under UDRP (*3) and JP-DRP (*4), you can request domain transfer or suspension if you can prove that the registration or use is unlawful. These procedures apply not only to drop-caught domains, but also to cases of cybersquatting and typo squatting.
However, for cybersquatting or typo squatting, the burden of proof may be higher, because the claimant often:
- has no recent track record of using the domain, and
- may not have direct trademark wording in the domain,
it can be more difficult to demonstrate bad-faith registration compared to domain drop catch scenarios.
Even so, it is still possible to file a claim if evidence shows malicious use - such as:
- phishing or fraud conducted on the domain,
- malware-distributing pages,
- impersonation sites, or
- intentional misuse of brand reputation.
Providing clear documentation of harmful activity strengthens the dispute claim.
Notes
- (*3) UDRP (Uniform Domain Name Dispute Resolution Policy): An international arbitration framework established by ICANN for resolving disputes over domain registrations; it applies to gTLD domains.
  (Reference: "WIPO Arbitration and Mediation Center" https://www.wipo.int/amc/ja/domains/guide/index.html (Japanese))
- (*4) JP-DRP (JP Domain Name Dispute Resolution Policy): A dispute resolution process administered in Japan for .jp domain names; its content has been established in accordance with the UDRP.
  (Reference: "Japan Network Information Center" https://www.nic.ad.jp/ja/drp/jpdrp.html (Japanese))
Getting a domain back after it has been drop-caught costs money and effort. It is therefore important not to acquire and discard domains casually, and to decide on measures only after considering the risks described above.
Minori Takeoka
Assistant Manager, NTT DATA Group, Technology and Innovation General Headquarters, Information Security Office, NTTDATA-CERT
Since joining NTT DATA in 2021, Takeoka has worked at NTTDATA-CERT on automation and efficiency improvements of security operations across the NTT DATA Group.