Dead Domain Discovery: Discover Expired or Unregistered Domains
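This article explains how Dead Domains (expired or unregistered domains) can lead to security vulnerabilities, and shares two tools: a Chrome extension and a UDP DNS forwarder. The tools help security researchers identify potential dead domain risks and provide open-source solutions to improve network security. 2025-11-1 07:59:47 Author: security.lauritz-holtmann.de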

Dead Domains are an often overlooked, yet impactful bug class that can lead to significant security vulnerabilities, including Cross-Site Scripting, Information Disclosure, and even Remote Code Execution. Attackers can exploit these vulnerabilities by registering expired or unregistered domains that were previously owned by legitimate entities.

But: How can security researchers and penetration testers efficiently identify these dead domains?


Some time ago, I stumbled over Süleyman Çelikarslan’s (@slymn_clkrsln) tweets about second-order domain takeover vulnerabilities. This inspired me to create two tools that can help identify dead domains:

Both tools aim to assist security researchers and penetration testers in discovering expired or unregistered domains on the fly. After achieving good results with the Chrome extension, I noticed that the “right” place to catch dead domains would probably be at the DNS level. Hence, I developed the UDP DNS forwarder.

Dead Domain Discovery - Chrome Extension

The Chromium extension aims to identify abandoned domains that are referenced by a website, for instance within an iframe, as a script, or as a CSS source. The extension adds a small content script to each visited page that scans for such references and checks each referenced domain with a call to dns.google.com. If a domain appears to be unregistered or expired, a notification is shown to the user using Chrome’s notification API. The extension uses manifest version 3 and is open source.

Popup Notification

The recommended path for installation is via the Chrome Web Store.

Alternatively, you can also install the extension manually by following the instructions in the GitHub repository.

Dead Domain Discovery DNS - DNS Forwarder

The Dead Domain Discovery DNS tool is a lightweight UDP DNS forwarder that highlights potentially expired or unregistered domains by watching for unanswered lookups. The server retries queries against secondary upstream resolvers, keeps a cooldown window to avoid noisy alerts, and reports findings through multiple channels.

The tool is built in Python and makes use of the dnslib library for DNS packet handling. It can be easily integrated into existing penetration testing setups or used as a standalone service. I use it as my primary DNS server in my home setup to catch dead domains while browsing the web or performing security assessments. It is lightweight and efficient, making it suitable for continuous monitoring. I would recommend running it on a Raspberry Pi or a similar low-power device.

Telegram Notification

You can find the repository and installation instructions on GitHub.
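
The retry and cooldown logic described above, as an added Python example (not code from the Dead Domain Discovery DNS repository). The class and function names, the 60-second cooldown, the constructed sample replies, and the choice to treat a timeout or NXDOMAIN from every upstream as "unanswered" are assumptions.

```python
import struct
import time

NXDOMAIN = 3  # DNS RCODE 3, "Name Error" (RFC 1035)

def rcode_of(packet):
    """RCODE from a raw DNS reply, or None for a timeout/truncated reply."""
    if packet is None or len(packet) < 12:
        return None
    flags = struct.unpack("!H", packet[2:4])[0]
    return flags & 0x000F

class DeadDomainWatcher:
    def __init__(self, upstreams, cooldown=3600.0, clock=time.monotonic):
        self.upstreams = upstreams  # callables: name -> reply bytes or None
        self.cooldown = cooldown    # seconds between alerts for one name
        self.clock = clock
        self.last_alert = {}        # name -> time of the last alert

    def is_unanswered(self, name):
        """True only if every upstream times out or returns NXDOMAIN."""
        for resolve in self.upstreams:  # primary first, then secondaries
            if rcode_of(resolve(name)) not in (None, NXDOMAIN):
                return False            # a resolver answered (NOERROR, SERVFAIL, ...)
        return True

    def check(self, qname):
        """Return True when an alert should be raised for qname."""
        name = qname.rstrip(".").lower()
        if not self.is_unanswered(name):
            return False
        now, last = self.clock(), self.last_alert.get(name)
        if last is not None and now - last < self.cooldown:
            return False                # inside the cooldown window
        self.last_alert[name] = now
        return True

def make_reply(rcode):
    # Constructed 12-byte DNS header: flags 0x8180 (QR, RD, RA) plus RCODE
    return struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, 0, 0, 0)

def demo():
    now = [0.0]                         # fake clock for the example
    dead = {"gone.example"}             # constructed sample name
    primary = lambda n: None if n in dead else make_reply(0)  # times out
    secondary = lambda n: make_reply(NXDOMAIN if n in dead else 0)
    w = DeadDomainWatcher([primary, secondary], 60, lambda: now[0])
    out = [w.check("live.example"), w.check("gone.example"), w.check("Gone.Example.")]
    now[0] = 61.0
    return out + [w.check("gone.example")]  # [False, True, False, True]
```

An NXDOMAIN for a host name does not by itself show that the registrable domain is available, so a finding should be confirmed against the registry before it is reported.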


If you have any comments or questions, please feel free to reach out via Mastodon, Twitter or LinkedIn. 🙂


Source: https://security.lauritz-holtmann.de/tools/dead-domain-discovery/