Expired MX or NS
Impact: Critical
Common error ID:
detectify-expired-mx-ns
detectify-expired-ns
wxa-2002
hardenize-DNS2011
What this means
The domain has an MX (Mail Exchange) or NS (name server) record that uses an expired domain, meaning it no longer points to a valid server.
Why this is a problem
Depending on the configuration of the other email or name servers, email routing and DNS queries may fail. This would cause lost communications and potential business disruptions.
More importantly, an unregistered domain can be registered at any time by a malicious third party, often at a very low cost. They can then create a simple infrastructure and intercept email or queries for the domain. For email this is sometimes referred to as SubdoMailing.
How to check if the problem is still there
Use dig to look up the MX or NS records for your domain and verify their validity.
Example
dig mx example.gov.uk +short
mail.example.com
mail2.expired-example.com
----------------------------------------
dig ns example.gov.uk +short
ns1.example.com
ns2.expired-example.com
The problem still exists if the domains used in MX or NS records are expired or invalid.
Use whois to check if the domain is registered.
whois expired-example.com
No match for domain "EXPIRED-EXAMPLE.COM".
If there is no match, the domain is not registered.
If the domain is registered, check the registration details and visit the domain on the web to see if the domain could be ‘parked’. This means it is registered but not in use and the owner is ready to sell it. Parked domains are still highly vulnerable.
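The dig and whois steps above can be combined into one script. This is an added example, not part of the original guidance: the function names, the short list of two-label suffixes and the whois phrases other than "No match for" are assumptions.

```shell
#!/bin/sh
# Added example: flag MX/NS targets whose parent domain looks unregistered.
# Assumption: incomplete list of two-label suffixes; use the Public Suffix
# List for real coverage.
TWO_LABEL_SUFFIXES="co.uk gov.uk org.uk ac.uk"

# Read `dig +short` output on stdin; drop MX preference and trailing dot.
targets() {
    awk 'NF { h = tolower($NF); sub(/\.$/, "", h); if (h != "") print h }'
}

# Reduce a host name to the domain you would look up in whois.
base_domain() {
    printf '%s\n' "$1" | awk -F. -v two="$TWO_LABEL_SUFFIXES" '{
        n = NF; k = 2
        if (n < 2) { print; next }
        if (n >= 3 && index(" " two " ", " " $(n-1) "." $n " ")) k = 3
        out = $(n-k+1)
        for (i = n-k+2; i <= n; i++) out = out "." $i
        print out }'
}

# Read whois output on stdin; succeed if it says the domain is not registered.
# "No match for" is the reply shown above; the other phrases are assumptions,
# since registries word this differently.
is_unregistered() {
    grep -Eiq 'no match for|not found|no data found|no entries found'
}

# Live check: needs dig, whois and network access.
check_records() {
    for type in mx ns; do
        dig +short "$type" "$1" | targets | while read -r host; do
            base=$(base_domain "$host")
            out=$(whois "$base" 2>/dev/null) || true
            if [ -z "$out" ]; then
                echo "unknown: $type $host (no whois reply for $base)"
            elif printf '%s\n' "$out" | is_unregistered; then
                echo "UNREGISTERED: $type $host (whois $base)"
            else
                echo "registered: $type $host ($base), check it is not parked"
            fi
        done
    done
}

if [ "$#" -gt 0 ]; then check_records "$1"; fi
```

Run it with the domain to audit as the only argument, for example `sh check.sh example.gov.uk`. Lines marked "registered" still need the manual parked-domain check described above.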
How to fix it
Update the MX or NS records to point to valid mail or name servers, removing the unregistered domain from the configuration.
If the domain belongs to your organisation and has references that are difficult to remove, you may want to register and protect the domain to make sure it doesn’t fall into the hands of a malicious third party.
References
PowerDMARC Blog on subdomailing and the rise of subdomain phishing