Skip to content
Tech News
← Back to articles

The ghost domain problem in DNS, and what we're doing about it

2026-06-12 | original
read original get DNS Ghost Domain Detection Tool → more articles
Why This Matters

The ghost domain problem highlights a critical gap in DNS monitoring, where domains removed by registries can still appear active to users and uptime checkers for days. Addressing this issue is vital for improving domain reliability, security, and accurate DNS status reporting, which benefits both industry stakeholders and consumers. By understanding and mitigating this edge case, the tech industry can enhance trust and transparency in domain management and DNS infrastructure.

Key Takeaways

There's a DNS edge case that even people who know DNS well tend not to have run into: a domain pulled by its registry can keep appearing healthy to uptime checkers for days after it's gone. The .de zone triggers it when contact verification fails, and other registries have their own versions. We don't always catch it, and most other monitoring services don't either.

It's called the ghost domain problem. It's documented in DNS research circles and has an active IETF draft (draft-ietf-dnsop-ns-revalidation), but it's niche enough that an uptime product can run for years without anyone noticing it. This post is about why, and the small set of changes we're making on our end.

How it shows up #

The .de zone has a strict holder-data verification policy. If the registrant's details aren't verified within DENIC's deadline, DENIC first removes the domain from the .de zone and deletes it later. And .de is far from alone. EURid suspends a .eu domain and, if the data still isn't verified, moves it to a withdrawn (no longer registered) state. AFNIC runs an eligibility and contactability check on .fr holders and can suspend, then eventually delete, a domain whose holder doesn't correct or substantiate their data.

And across ICANN gTLDs like .com, .net, and .org, the 2013 WHOIS Accuracy Program requires the registrar (not the registry) to suspend, terminate, or place a domain on clientHold after more than 15 days without a response to a verification request, which pulls it from zone publication. Failed verification, expired registration, registrar disputes, abuse takedowns: the names differ, the shape doesn't. The registry or registrar pulls the name from the parent zone, but the domain's own authoritative nameservers keep answering as if nothing changed.

For anyone whose resolver no longer holds the child-side records, that means NXDOMAIN (RCODE 3, "name does not exist"). A fat error in the address bar, no site. For an uptime checker sitting behind a long-lived recursive resolver cache that does still hold them, it can mean nothing at all. The difference isn't browser versus checker, it's a cold cache versus a warm one. The site looks fine. It isn't.

Where the bug lives #

This was the DNS chain we had on one of our uptime workers (Frankfurt, in this case):

PHP/curl → glibc nsswitch (files dns) → /etc/resolv.conf (127.0.0.53) → systemd-resolved stub → upstream recursive resolver (shared, run by the hosting provider) → authoritative nameservers (the domain's DNS provider)

I'll spare you the full diagnostic. The summary: systemd-resolved is a local caching stub. The real resolution work happens in a recursive resolver upstream, and that's where the bug lives. Not on our box, and not on yours. This is inherent to how recursive DNS works, no matter who runs the resolver: the caching layer that makes DNS fast is the same layer that can keep a dead delegation warm.

... continue reading

Explore topics: dns ghost domain denic whois registry
Related:
Windows Server is getting new network safety capabilities with DNS over HTTPS
DNS Is for People – Not for IT Infrastructure
AI Agents Get Their Own Directory Built Atop DNS
Babylist built a $750 million registry empire. Now it’s betting on ‘Trump accounts’ for kids
DynIP – Dynamic DNS with RFC 2136, IPv6, DNSSEC, and BYOD

© 2026 GoKawiil

About | Editorial Policy | Contact