Module 7 · Lesson 5

Domain Portfolio Auditing and Optimization

15 min

How to audit a portfolio you inherited, categorize every domain, find orphaned names and zombie nameservers, and cut costs without creating new exposure.


The email arrives in your inbox: "Congrats on the new role, you're now responsible for our domain portfolio." You ask for the inventory. Someone sends you a spreadsheet. It has 340 rows, 18 blank cells in the "registrar" column, and the last modification date is 2021.

Welcome to the audit.

Step 1: Build the Actual Inventory

Before you can analyze anything, you need the complete list. Start by gathering domains from every source:

Registrar accounts: Log into every registrar account you can find. Check billing emails for domain-related receipts. Ask IT, finance, marketing, and legal; each may have registered domains under their own accounts.

DNS audit: Pull your internal DNS zone files. Look for CNAMEs, A records, and MX records pointing to external domains that might be company-owned.

WHOIS sweep: For large portfolios where some domains are already known, tools like Whoxy API and WHOIS XML API let you query by registrant organization name or email to find all domains registered under those identifiers. Search for "YourCompany, Inc." as a registrant and you'll find domains you didn't know existed.

Certificate transparency logs: Certificates.sh or crt.sh let you search for all SSL certificates ever issued for domains matching a pattern. Searching for %.yourcompany.com shows every subdomain that has had a certificate, a useful proxy for active use.

Email security headers: Check your SPF/DMARC/DKIM setup; you'll find domains you're using for mail that might not be in the main inventory.

Expect to find 10-30% more domains than the official inventory shows. This is normal.
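The certificate transparency sweep above produces raw crt.sh rows, not an inventory. As an added example (not part of the lesson), the Python below turns a crt.sh JSON export into a de-duplicated hostname list and separates hosts whose latest certificate is still valid from those whose certificates have all lapsed; the sample rows are constructed in the shape crt.sh returns and yourcompany.example is a placeholder apex.

```python
import json
from datetime import datetime

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.yourcompany.example&output=json (not real certificates).
# Each row is one certificate; name_value holds all its SANs, newline-separated.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.yourcompany.example",
     "name_value": "www.yourcompany.example\nyourcompany.example",
     "not_after": "2025-01-10T00:00:00"},
    {"common_name": "campaign.yourcompany.example",
     "name_value": "campaign.yourcompany.example",
     "not_after": "2023-03-01T00:00:00"},
    {"common_name": "*.yourcompany.example",
     "name_value": "*.yourcompany.example\nAPI.yourcompany.example",
     "not_after": "2025-06-01T00:00:00"},
    {"common_name": "notyourcompany.example",  # look-alike, out of scope
     "name_value": "notyourcompany.example",
     "not_after": "2025-06-01T00:00:00"},
])


def hostnames_from_crtsh(raw_json, apex):
    """Map each in-scope hostname to the latest certificate expiry seen for it.

    Wildcard names are skipped (they name no concrete host), names are
    lower-cased, and anything not at or under `apex` is dropped so that a
    look-alike such as notyourcompany.example does not pollute the inventory.
    """
    seen = {}
    suffix = "." + apex
    for row in json.loads(raw_json):
        expiry = datetime.fromisoformat(row["not_after"])
        for name in row["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*.") or not (name == apex or name.endswith(suffix)):
                continue
            if name not in seen or expiry > seen[name]:
                seen[name] = expiry
    return seen


def split_by_validity(hosts, now_iso):
    """Hosts with a currently valid cert are probably live; the rest need review."""
    now = datetime.fromisoformat(now_iso)
    live = sorted(h for h, exp in hosts.items() if exp >= now)
    stale = sorted(h for h, exp in hosts.items() if exp < now)
    return live, stale


if __name__ == "__main__":
    hosts = hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "yourcompany.example")
    print(split_by_validity(hosts, "2024-09-01T00:00:00"))
```

A host whose certificates have all lapsed is not necessarily dead, but it belongs on the list of names to classify in Step 2 rather than on the assumed-active list.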

Step 2: Categorize Every Domain

Once you have the complete list, categorize each domain:

Active (core): Domain is in active use for a primary service: website, email, app, API endpoint. This domain has direct operational value. Expiration = incident.

Active (supporting): Domain redirects to an active domain, hosts a microsite, or is used in specific campaigns. Still in active use, but not mission-critical.

Defensive: Domain is owned to prevent others from owning it. Typically has no active content, either parked, redirected to the primary domain, or simply returns a blank response. Has protection value but no operational function.

Parked (valuable): Domain has no active use but has intrinsic market value: a good keyword, a premium .com, a valuable ccTLD. Might be monetized through parking, might be held for future use or sale.

Legacy: Domain was used for a service that no longer exists or a brand/product that's been retired. Should probably be let go, but hasn't been reviewed.

Deadweight: Domain has no current use, no defensive value, no market value, and no apparent reason to own it. These are candidates for non-renewal.

Most portfolios audit out to roughly: 20-30% active, 30-40% defensive, 20-30% legacy/deadweight. The last category is the optimization opportunity.

Step 3: The Spreadsheet Structure

For portfolios under 500 domains, a well-designed spreadsheet beats most purpose-built tools. Here's a structure that works:

| Domain | TLD | Registrar | Expiry Date | Auto-Renew | Category | Purpose | Redirects To | DNS Provider | Annual Cost | Owner/Contact | Notes |

  • Domain: Full domain name
  • TLD: For sorting/filtering by extension
  • Registrar: Account and registrar name
  • Expiry Date: ISO format (YYYY-MM-DD) for proper sorting
  • Auto-Renew: Boolean, plus payment method confirmation
  • Category: Active/Defensive/Parked/Legacy/Deadweight
  • Purpose: One-line description of why you own it
  • Redirects To: If it redirects, where
  • DNS Provider: May differ from registrar
  • Annual Cost: Per domain, helps calculate total portfolio cost
  • Owner/Contact: The business owner (not IT owner) who can authorize decisions
  • Notes: Anything relevant, e.g. "under UDRP dispute," "acquired in 2022 acquisition," "CEO's request"

Sort by Expiry Date and you immediately see what's renewing soon. Filter by Category: Deadweight and you see your cut list. Sum the Annual Cost column and you know exactly what the portfolio costs per year.

Step 4: Find Orphaned Domains and Zombie Nameservers

Orphaned domains are registered domains with nameservers pointing to infrastructure that no longer exists. Common scenarios:

  • Domain was pointing to a server that was decommissioned
  • Domain was pointing to a hosting provider you left
  • Domain was pointing to a third-party service (CDN, email provider) whose account was closed

The risk: a dangling nameserver or DNS record can be exploited. If campaign.yourcompany.com has an NS record pointing to a nameserver that's no longer yours, someone could register that nameserver and start serving content under your domain.

This is called a "dangling DNS" or "subdomain takeover" attack. It's real and it's well-documented.

How to find them: For each domain, resolve the nameservers. Check whether those nameservers are authoritative for your domain. For CNAMEs pointing to third-party services, check whether the target still exists. Tools like SecurityTrails and subjack help automate subdomain takeover detection.

Zombie nameservers are nameservers listed in domain records that no longer resolve: they exist in DNS but return no response. DENIC (the German ccTLD registry) actually checks for this and will reject nameserver changes if the new nameserver doesn't respond. Most registries don't check, which is why zombies persist.
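The three checks described in Step 4 (zombie nameservers, nameservers that are reachable but not authoritative, and CNAMEs whose target no longer exists) can be scripted. The Python below is an added example, not part of the lesson or of any tool it names; it takes the resolver as a parameter so it runs offline against a constructed DNS view, and every name in that view is a placeholder.

```python
# Constructed DNS view for an offline demo (not real records).
# Maps (name, record type) -> rdata list; a missing key means "no such record".
FAKE_DNS = {
    ("yourcompany.example", "NS"): ["ns1.dnshost.example",
                                    "ns2.old-host.example",
                                    "ns3.other-host.example"],
    ("ns1.dnshost.example", "A"): ["192.0.2.10"],
    # ns2.old-host.example has no A/AAAA record at all: a zombie nameserver
    ("ns3.other-host.example", "A"): ["192.0.2.20"],  # up, but not serving our zone
    ("campaign.yourcompany.example", "CNAME"): ["pages.closed-saas.example"],
    # pages.closed-saas.example has no records: a dangling CNAME
    ("www.yourcompany.example", "CNAME"): ["cdn.live-cdn.example"],
    ("cdn.live-cdn.example", "A"): ["198.51.100.7"],
}
# Which nameservers answer authoritatively for the zone (constructed).
FAKE_AUTHORITATIVE = {("ns1.dnshost.example", "yourcompany.example")}


def fake_resolve(name, rtype):
    """Stand-in for a live resolver (e.g. dnspython's dns.resolver.resolve)."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def fake_is_authoritative(ns, zone):
    """Stand-in for asking `ns` directly for the zone's SOA and checking the AA flag."""
    return (ns, zone) in FAKE_AUTHORITATIVE


def audit_domain(zone, hostnames, resolve, is_authoritative):
    """Return (finding, name, detail) tuples for the Step 4 failure modes."""
    findings = []
    for ns in resolve(zone, "NS"):
        if not resolve(ns, "A") and not resolve(ns, "AAAA"):
            # listed in the delegation but nothing to connect to
            findings.append(("zombie-nameserver", zone, ns))
        elif not is_authoritative(ns, zone):
            # reachable but not serving our zone: a lame delegation
            findings.append(("lame-nameserver", zone, ns))
    for host in hostnames:
        for target in resolve(host, "CNAME"):
            if not any(resolve(target, t) for t in ("A", "AAAA", "CNAME")):
                # target is gone: review whether the provider lets anyone claim it
                findings.append(("dangling-cname", host, target))
    return findings


if __name__ == "__main__":
    hosts = ["www.yourcompany.example", "campaign.yourcompany.example"]
    for f in audit_domain("yourcompany.example", hosts, fake_resolve, fake_is_authoritative):
        print(*f)
```

Feed the hostname list from the Step 1 inventory and run it on a schedule; a finding that appears between two runs is usually a decommissioning that nobody told DNS about.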

Step 5: Consolidate and Optimize

With the full inventory and categories in hand, the optimization becomes a business decision:

Consolidate registrars: Move domains from your 5+ registrar accounts down to 1-2 primary providers. The transfer process takes time (see Lesson 08), so plan this over 3-6 months, not overnight.

Align renewal dates: Some registrars let you pay to extend domains to a common anniversary date. This reduces the "surprise renewal" problem and makes annual audits simpler. Not worth paying a huge premium for, but worth asking your registrar about.

Cut deadweight intentionally: For every domain in the deadweight category, make an explicit decision to not renew it. Document the decision. Set auto-renew to off (don't just hope the payment method fails; that's a different kind of mess). Do this before the renewal fires, not after.

Calculate the savings: A typical large company portfolio audit finds 15-25% of domains that can be let go without any exposure. On a 300-domain portfolio at $15/year average, that's $675-1,125 in annual savings. Not a lot, but it's also 45-75 domains' worth of management overhead eliminated.

The risk calculus: Before letting any defensive domain expire, ask: if this domain were registered by a competitor or bad actor tomorrow, what would the impact be? If the answer is "significant brand confusion" or "phishing risk," keep it. If the answer is "probably nothing," let it go.

Key Takeaways

  • The actual inventory is almost always larger than the official list, audit from all sources before analyzing
  • Four categories cover every domain: Active, Defensive, Parked/Valuable, Legacy/Deadweight
  • A well-structured spreadsheet beats a broken SaaS tool for portfolios under 500 domains
  • Orphaned domains with dangling DNS records are a real attack surface, not just dead weight
  • Portfolio optimization is a business decision (cost vs exposure), not just an IT cleanup task
  • Cut deadweight intentionally with documentation, not by letting payment methods fail

Up Next

Lesson 06: Legal considerations, UDRP mechanics, the three-part test, when to file vs negotiate vs buy, and when you actually need a lawyer.