Domijn: The Security of Domain Registrars and the Risk of a Domain Name Takeover
Source: arXiv:2605.20984 · Published 2026-05-20 · By Koen van Hove, Jeroen van der Ham-de Vos, Roland van Rijswijk-Deij
TL;DR
This paper investigates the security posture of domain registrars and resellers with respect to the risk of domain name takeovers, focusing on the top 10 most popular agents for the .nl country code top-level domain (ccTLD). The authors highlight the critical role registrars play in safeguarding domain names, which are valuable assets linked to an organization's online presence and services. By empirically studying the registration portals, authentication mechanisms, and recovery processes of these agents, the paper reveals that although basic security practices are generally in place, there are significant shortcomings in advanced controls such as robust two-factor authentication (2FA) and protection against TOTP brute forcing. Furthermore, the authors model the impact of a domain takeover, showing it can cause damage comparable to well-known cyber threats like ransomware attacks, especially due to email interception and domain transfer capabilities. The combined likelihood and impact analysis yields a clear, nuanced cyber risk assessment for domain takeovers.
Key findings
- Between 2% and 8% of .nl domains potentially have their passwords leaked online via breaches (Section 5.1).
- Only 2 out of 10 top agents implemented per-account rate limiting on TOTP inputs, allowing potential brute force attacks against TOTP-based 2FA (Section 5.2, Figure 5).
- Most registrars do not alert users of failed two-factor authentication attempts, enabling stealthy attack attempts (Section 5.2).
- Helpdesk phone calls required identifying information but none allowed unauthorized access given the limited information available, indicating improved social engineering resistance compared to 2017 studies (Section 5.3).
- Around 80% of the top 100K .nl domains (including major institutions) are registered at private or corporate registrars that require human interaction for signup, shifting exposure toward these organizations (Section 5.4).
- Domain takeovers enable full control over DNS, email interception, domain transfer, and DNSSEC keys, allowing attacker capabilities such as credential theft and impersonation (Section 6).
- The .nl Control mechanism that would add verification steps to changes is currently unsupported by popular registrars, leaving domains vulnerable to near-instantaneous changes on compromise (Section 6).
- The impact of domain takeovers can be as high or higher than ransomware attacks when weighted using the NIST risk assessment framework (Section 6).
Threat model
The adversary is an external attacker seeking to gain unauthorized control over domain management portals by leveraging leaked credentials or performing credential brute force, combined with publicly available registrant information. The adversary cannot bypass out-of-band verification processes (such as physical mail, phone callbacks confirming identity) where implemented, nor do they have direct system-level access. The focus is on compromising the administrative interface typically used by registrars and resellers.
Methodology — deep read
Threat Model: The adversary is assumed to be an external attacker attempting to take over an organization's domain by gaining unauthorized access to the registrar or reseller web portal where domains are managed. The attacker has limited background information: publicly available WHOIS/RDAP data (such as owner name, domain, registration email), open-source intelligence, and potentially leaked passwords from breaches. The attacker cannot bypass strong physical controls or overcome out-of-band verification not widely adopted.
Data: The study focuses on the .nl ccTLD, considered a cybersecurity role model, for optimistic baseline validity. Using data from Cloudflare Radar (July 22-29, 2024), the authors extracted over 9,000 .nl domains and their associated registrars/resellers (agents) via RDAP. From this, they selected the top 10 automated signup agents that allow immediate domain registration via web portals, excluding those requiring manual onboarding.
Experimental Setup: The authors registered domain names at each of these 10 agents using consistent, realistic identity details (a fictional person with university-associated address, new email, and phone number). They recorded the information requested during signup, availability and enforcement of two-factor authentication (especially TOTP), and recovery mechanisms.
Security Tests: They systematically tested for (a) likelihood of password leakage by checking emails against 'Have I Been Pwned'; (b) effectiveness of TOTP brute-force protections by sending bursts of 100 TOTP attempts per second and observing rate limiting per account or per IP; (c) verification questions and ability to reset accounts or change associated emails by simulating helpdesk phone calls with partial info; (d) the possibility of making unauthorized domain modifications based on information accessible externally.
Impact Modeling: Drawing on the NIST risk assessment framework, they modeled impact by comparing domain takeover consequences against ransomware and DDoS attacks, considering the capabilities an attacker gains upon controlling DNS, email, domain transfer, and DNSSEC keys.
Ethical Considerations: All tests were conducted on domains registered and owned by the researchers to avoid harm to others. Vulnerabilities were disclosed prior to publication. The authors avoided identifying specific registrars to preserve responsible disclosure.
Evaluation: The paper focuses mainly on a qualitative and empirical security posture study, augmented with quantitative breach prevalence estimates and TOTP brute force probabilities. Impact assessment is conceptual with industry standards rather than purely experimental.
One example end-to-end: The authors registered a domain at agent A, noted that their registration email appeared publicly in WHOIS, found the email leaked in a prior data breach, confirmed the availability of TOTP-based 2FA but lack of per-account rate limiting on TOTP attempts, then estimated that an attacker could brute force the TOTP with around 55% success probability in one hour under no rate limiting. They also tried a scripted helpdesk call to reset account access but were denied without additional private verification, illustrating a partially robust but imperfect security posture.
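The following Python is an added illustration, not code from the paper: it models the TOTP guessing test described above (bursts of wrong codes at a fixed rate for a fixed time) and the RFC 4226 style per-account throttle that most tested agents lacked. The 30 s step, the distinct-guesses-per-step assumption, the number of codes the verifier accepts per step, and the five-failure / 15-minute lockout are all assumptions, not values from the paper.

```python
"""Model TOTP brute-force success with and without per-account throttling.
Added example; parameters below are assumptions, not the paper's settings."""

TOTP_SPACE = 10 ** 6   # 6-digit TOTP codes
STEP_S = 30            # TOTP time step (assumption: RFC 6238 default)


def unthrottled_success(attempts_per_sec, seconds, accepted_codes=1):
    """Probability that a guessing attacker hits a valid code at least once.
    Assumption: guesses within one step are distinct, so a step's hit chance
    is guesses * accepted_codes / 10^6; steps are treated as independent."""
    per_step = min(1.0, attempts_per_sec * STEP_S * accepted_codes / TOTP_SPACE)
    return 1.0 - (1.0 - per_step) ** (seconds // STEP_S)


class PerAccountThrottle:
    """Lock an account after max_failures bad codes and record an alert
    event for the holder (the paper found most registrars send none)."""

    def __init__(self, max_failures=5, lockout_ms=900_000):
        self.max_failures = max_failures
        self.lockout_ms = lockout_ms
        self.failures = {}      # account -> consecutive failed codes
        self.locked_until = {}  # account -> clock (ms) when lock expires
        self.alerts = []        # (account, clock_ms) lockout notifications

    def allow(self, account, now_ms):
        return now_ms >= self.locked_until.get(account, 0)

    def record_failure(self, account, now_ms):
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now_ms + self.lockout_ms
            self.failures[account] = 0
            self.alerts.append((account, now_ms))  # notify the account holder


def attempts_reaching_verifier(throttle, account, attempts_per_sec, seconds):
    """Replay a burst of all-wrong guesses (e.g. 100/s for one hour) and
    count how many the per-account throttle lets through to the verifier."""
    admitted = 0
    for i in range(attempts_per_sec * seconds):
        now_ms = i * 1000 // attempts_per_sec   # integer clock, no float drift
        if throttle.allow(account, now_ms):
            admitted += 1
            throttle.record_failure(account, now_ms)
    return admitted


def throttled_success(admitted, accepted_codes=1):
    """Upper bound on success once only `admitted` distinct guesses get in."""
    return min(1.0, admitted * accepted_codes / TOTP_SPACE)
```

The paper's "around 55%" figure depends on how many codes the verifier accepts per step; `accepted_codes` exposes that knob, and the throttled replay shows the same burst collapsing to a handful of admitted guesses.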
Technical innovations
- Systematic empirical assessment of registrar and reseller web portal security controls using real domain registrations across the top agents for a major ccTLD (.nl).
- Novel threat and impact model quantifying domain takeover risk by combining likelihood derived from attack surface metrics with an impact model inspired by NIST risk assessments and comparisons to ransomware and DDoS threats.
- Empirical measurement of TOTP brute-force rate limiting in registrar portals revealing widespread lack of per-account throttling.
- Integration of publicly available leaked password breach data with registrar authentication evaluation to approximate real-world domain takeover feasibility.
Datasets
- Cloudflare Radar top 1,000,000 domains (July 22-29, 2024) — ~9,000 .nl domains extracted — public
- Have I Been Pwned breach data checked for ~7,500 emails from .nl domain registrants — public
Baselines vs proposed
- Chung et al. 2017 phone call social engineering tests: high success vs current study: no unauthorized access achieved
- RFC 4226 TOTP throttling recommendations: most agents do not apply per-account rate limiting as recommended
- NIST risk assessment scale: domain takeover impact rated equivalent to ransomware, serving as baseline for impact modeling
Figures from the paper
Figures are reproduced from the source paper for academic discussion. Original copyright: the paper authors. See arXiv:2605.20984.
Fig 7: appeared at least once (though often several times).
Fig 8: The information A shows as account holder data. From top to bottom: 1) Name, 2) Street / House no., 3) Postal code /
Fig 10: The flowchart we use for trying to gain access to an account by calling customer service. We do not press or guilt-trip
Limitations
- Study limited to .nl ccTLD, a cybersecurity ‘best-case’ environment; results may not generalize to less mature TLD markets.
- Focus mostly on automated signup registrars; manually onboarded corporate/private registrars not tested in detail.
- No live adversarial attacks conducted beyond ethically constrained TOTP brute force bursts; no testing under adversarial adaptive conditions.
- Impact model mainly conceptual and comparative; no direct financial loss or real incident data analyzed.
- Limited focus on social engineering vector via phone, constrained by ethical considerations.
- Did not comprehensively evaluate downstream effects on external systems linked to domain takeover.
Open questions / follow-ons
- How do private and corporate registrars with manual onboarding compare in security posture and likelihood of takeover?
- What is the effectiveness of out-of-band verification techniques like .nl Control and how widely can they be deployed?
- How resistant are registrars to targeted, adaptive social engineering attacks beyond scripted phone calls?
- What are the economic costs and real-world incident statistics associated with domain takeovers to better quantify impact?
Why it matters for bot defense
For bot-defense engineers and CAPTCHA practitioners, this study highlights key security weaknesses in registrar authentication mechanisms, particularly the insufficient protections against automated TOTP brute force over login portals. It underscores that registrars remain a critical weak link that can enable domain takeover, an attack vector that can massively amplify the impact and scale of other cyber attacks by enabling persistent control of domains and email. Improving anti-automation protections, rate limiting, and robust multi-factor authentication implementations at registrar portals interlocks strongly with bot defenses. The paper also signals the necessity for registrars to incorporate phishing-resistant 2FA and to alert users of suspicious login attempts, lessons easily translatable to CAPTCHA strategies for reducing automated abuse and credential stuffing. Finally, risk modeling that shows domain takeover impact to be equivalent to ransomware informs threat prioritization for defenses.
Cite
@article{arxiv2605_20984,
title={Domijn: The Security of Domain Registrars and the Risk of a Domain Name Takeover},
author={Koen van Hove and Jeroen van der Ham-de Vos and Roland van Rijswijk-Deij},
journal={arXiv preprint arXiv:2605.20984},
year={2026},
url={https://arxiv.org/abs/2605.20984}
}