Deep-dive references for every technical aspect of domain management β from DNS record types to HTTP error diagnostics and the secondary domain market.
The Domain Name System (DNS) is the backbone of the internet β translating human-readable names into machine-readable IP addresses. DNS zones contain resource records that define how a domain behaves.
A DNS zone is a distinct portion of the domain namespace. It is managed by a specific organization using a zone file β a text file that maps domain names to IP addresses and other resources.
| Record | Full Name | Purpose | Example Value | TTL Typical |
|---|---|---|---|---|
| A | Address | Maps a hostname to an IPv4 address | 93.184.216.34 | 3600s |
| AAAA | IPv6 Address | Maps a hostname to an IPv6 address | 2606:2800:220:1:248:1893:25c8:1946 | 3600s |
| CNAME | Canonical Name | Alias β points one domain to another | example.com. | 3600s |
| MX | Mail Exchange | Directs email to mail servers | 10 mail.example.com. | 3600s |
| TXT | Text | Holds arbitrary text β SPF, DKIM, verification | v=spf1 include:_spf.google.com ~all | 3600s |
| NS | Name Server | Delegates a domain to name servers | ns1.example.com. | 86400s |
| SOA | Start of Authority | Primary info about a DNS zone | ns1 admin 2024010101 3600 900β¦ | 86400s |
| PTR | Pointer | Reverse DNS β maps IP to hostname | example.com. | 3600s |
| SRV | Service | Defines location of servers for specific services | 10 5 443 sip.example.com. | 3600s |
| CAA | Certification Authority Authorization | Restricts which CAs can issue SSL certs | 0 issue "letsencrypt.org" | 3600s |
| DKIM | DomainKeys Identified Mail | Email authentication via cryptographic signatures | v=DKIM1; k=rsa; p=MIGf⦠| 3600s |
| DMARC | Domain Message Auth | Email policy: reject/quarantine unauthenticated mail | v=DMARC1; p=reject; rua=mailto:β¦ | 3600s |
| DS | Delegation Signer | DNSSEC β delegates signing authority | 12345 8 2 [hash] | 86400s |
| NAPTR | Name Authority Pointer | Used in VoIP/ENUM for number mapping | 100 10 "u" "E2U+sip" β¦ | 3600s |
To receive email, set MX records pointing to your mail server. Add a TXT record with SPF policy. Configure DKIM via your mail provider's TXT record. Add DMARC to enforce policy.
Point your root domain (@) with an A record to your server IP. Use a CNAME for www to point to your root domain or CDN. Never use CNAME at the root β use A records or ALIAS.
Use NS records to delegate a subdomain (e.g. shop.example.com) to a completely separate DNS zone and nameservers β useful for separating infrastructure.
DNSSEC uses cryptographic signatures (RRSIG, DS, DNSKEY) to prevent DNS spoofing and cache poisoning attacks. Enable it at your registrar and DNS provider simultaneously.
HTTP status codes are 3-digit numbers returned by a server in response to a client request. They indicate whether a request was successful, redirected, or failed β and why.
| Code | Name | Description |
|---|---|---|
| 100 | Continue | Server has received the request headers; client should proceed to send the body. |
| 101 | Switching Protocols | Server is switching protocols as requested (e.g. upgrading to WebSocket). |
| 102 | Processing | Request received; no response available yet (WebDAV). |
| 103 | Early Hints | Used to preload resources while the server prepares a response. |
| Code | Name | Description |
|---|---|---|
| 200 | OK | Standard successful response. The request has succeeded. |
| 201 | Created | Request succeeded and a new resource was created. |
| 202 | Accepted | Request received but not yet acted upon (async processing). |
| 203 | Non-Authoritative Information | Response is from a proxy and may differ from the origin server's response. |
| 204 | No Content | Request succeeded but there's no content to return. |
| 205 | Reset Content | Client should reset the document view. |
| 206 | Partial Content | Server is delivering only part of the resource (range request). |
| 207 | Multi-Status | Multiple resources with multiple statuses (WebDAV). |
| 208 | Already Reported | Members of a DAV binding already enumerated in a previous reply. |
| 226 | IM Used | Server fulfilled a GET request using instance manipulation. |
| Code | Name | Description | SEO Impact |
|---|---|---|---|
| 301 | Moved Permanently | Resource has permanently moved. Clients should use the new URL. | Passes link equity β |
| 302 | Found | Temporary redirect. Client should continue using original URL. | Does not pass equity β οΈ |
| 303 | See Other | Response to a POST request β redirect to a GET resource. | N/A |
| 304 | Not Modified | Resource hasn't changed since cached version β use cache. | N/A (caching) |
| 307 | Temporary Redirect | Same as 302 but method must not change (POST stays POST). | Minimal equity β οΈ |
| 308 | Permanent Redirect | Same as 301 but method must not change. | Passes link equity β |
| Code | Name | Description | Common Cause |
|---|---|---|---|
| 400 | Bad Request | Server cannot process the request due to client error. | Malformed syntax, invalid framing |
| 401 | Unauthorized | Authentication is required and has failed or not been provided. | Missing/invalid credentials |
| 402 | Payment Required | Reserved for future use; used by some APIs for payment paywalls. | Subscription required |
| 403 | Forbidden | Server understood the request but refuses to authorize it. | Insufficient permissions |
| 404 | Not Found | Server cannot find the requested resource. | Wrong URL, deleted page |
| 405 | Method Not Allowed | HTTP method not supported for this endpoint. | POST to a GET-only endpoint |
| 406 | Not Acceptable | Server cannot produce a response matching Accept headers. | Content negotiation failure |
| 407 | Proxy Auth Required | Authentication required with a proxy server. | Corporate proxy misconfiguration |
| 408 | Request Timeout | Server timed out waiting for the request. | Slow network, large payload |
| 409 | Conflict | Request conflicts with the current state of the server. | Edit conflicts, duplicate resource |
| 410 | Gone | Resource no longer exists and won't return. | Permanently deleted content |
| 411 | Length Required | Server requires Content-Length header. | Missing Content-Length |
| 412 | Precondition Failed | Condition in the request headers evaluated to false. | If-Match / If-None-Match failed |
| 413 | Content Too Large | Request body exceeds server limit. | File upload too large |
| 414 | URI Too Long | Request URI is longer than the server is willing to process. | Very long query strings |
| 415 | Unsupported Media Type | Media format not supported. | Wrong Content-Type header |
| 416 | Range Not Satisfiable | Range specified by Range header cannot be fulfilled. | Invalid byte range in request |
| 417 | Expectation Failed | Expect request header cannot be met by server. | Expect: 100-continue failure |
| 418 | I'm a Teapot | April Fools' joke in RFC 2324 β server refuses to brew coffee with a teapot. | Easter egg / humor |
| 421 | Misdirected Request | Request directed at server not able to produce a response. | Misconfigured reverse proxy |
| 422 | Unprocessable Content | Request well-formed but unable to be followed due to semantic errors. | Validation errors in API |
| 423 | Locked | Resource is locked (WebDAV). | File locking collision |
| 424 | Failed Dependency | Request failed because a dependency failed (WebDAV). | Dependent operation failed |
| 425 | Too Early | Server unwilling to risk processing a request that might be replayed. | TLS early data replay attack |
| 426 | Upgrade Required | Client should switch to a different protocol. | HTTP/1.1 β HTTP/2 upgrade |
| 428 | Precondition Required | Origin server requires conditional request. | Missing If-Match header |
| 429 | Too Many Requests | User has sent too many requests in a given time (rate limiting). | API rate limit exceeded |
| 431 | Headers Too Large | Server unwilling to process request because headers are too large. | Too many/large cookies |
| 451 | Unavailable For Legal Reasons | Resource unavailable due to legal demands (censorship, GDPR, DMCA). | Government takedown notice |
| Code | Name | Description | Fix |
|---|---|---|---|
| 500 | Internal Server Error | Generic catch-all. The server encountered an unexpected condition. | Check server logs, fix application bugs |
| 501 | Not Implemented | Server doesn't support the functionality required to fulfill the request. | Upgrade server software |
| 502 | Bad Gateway | Gateway received an invalid response from upstream server. | Check upstream server / backend |
| 503 | Service Unavailable | Server temporarily unable to handle requests (overloaded or maintenance). | Scale server, check maintenance mode |
| 504 | Gateway Timeout | Gateway did not receive a timely response from upstream. | Increase timeout, fix slow backend |
| 505 | HTTP Version Not Supported | Server does not support the HTTP version used in the request. | Update server configuration |
| 506 | Variant Also Negotiates | Server has a configuration error in content negotiation. | Fix server content negotiation setup |
| 507 | Insufficient Storage | Server unable to store the representation to complete request (WebDAV). | Free up disk space |
| 508 | Loop Detected | Server detected an infinite loop while processing the request. | Fix redirect or WebDAV loop |
| 510 | Not Extended | Server requires further extensions to fulfill the request. | Implement required extensions |
| 511 | Network Auth Required | Client needs to authenticate to gain network access (captive portals). | Log into captive portal (e.g. hotel WiFi) |
After making DNS changes, the new records must spread across all DNS servers worldwide β a process called DNS propagation.
You update a DNS record at your registrar or DNS provider. The change is applied to the authoritative nameserver.
Resolvers cache records for the TTL (Time To Live) duration. Until TTL expires, cached values remain. Lower TTL = faster propagation.
When cached records expire, resolvers query authoritative nameservers and fetch new values.
Eventually (24β48 hours typical), all resolvers worldwide serve the new record. You can check progress with tools like whatsmydns.net.
Best practices for minimizing propagation time and issues:
ipconfig /flushdns (Win) or sudo dscacheutil -flushcache (Mac)Every time you see a padlock π in your browser's address bar, there is an SSL/TLS certificate at work. Understanding what it is and how it works is fundamental for anyone managing a domain or website.
SSL (Secure Sockets Layer) is a cryptographic protocol originally developed by Netscape in the 1990s to secure communications over the internet. It creates an encrypted link between a web server and a browser, ensuring that all data passed between them remains private.
SSL has since been deprecated and replaced by TLS (Transport Layer Security), which is the modern, more secure version of the same protocol. Despite this, the term "SSL" is still widely used in everyday language, even when referring to TLS.
When a website uses SSL/TLS, its URL begins with https:// instead of http:// β the "S" standing for "Secure".
When your browser connects to a secure website, it initiates a "TLS handshake." The server presents its SSL certificate, which contains its public key and identity information issued by a trusted Certificate Authority (CA).
Your browser checks the certificate against a built-in list of trusted CAs. If the certificate is valid, signed by a trusted CA, and has not expired, the connection proceeds. Otherwise, you see a browser warning.
Browser and server agree on a shared encryption key using asymmetric cryptography (public/private keys). This session key is used for all subsequent communication.
All data exchanged β passwords, form submissions, payment details, personal data β is encrypted using the shared session key. Even if intercepted, it appears as random, unreadable data.
The most basic type. The Certificate Authority simply verifies that you control the domain. Issued automatically, often within minutes. Suitable for personal websites, blogs, and informational pages.
The CA verifies both your domain ownership and your organization's legal identity. Takes days. The company name appears in the certificate. Suitable for businesses, e-commerce, and organizations that want to prove legitimacy.
The most rigorous validation process. The CA thoroughly vets the legal, operational, and physical existence of the entity. Used by banks, financial institutions, large corporations, and government sites.
| Type | Covers | Example | Best For |
|---|---|---|---|
| Single Domain | One specific domain | example.com | Simple sites with one domain |
| Wildcard | All subdomains of a domain | *.example.com | Sites with many subdomains |
| Multi-Domain (SAN) | Multiple different domains | example.com, example.net, shop.example.org | Organizations managing many domains |
| Unified Communications | Microsoft Exchange/Lync environments | mail.example.com, autodiscover.example.com | Enterprise email infrastructure |
A Certificate Authority is a trusted organization that issues SSL certificates after verifying the applicant's identity. Browsers ship with a built-in list of trusted CAs.
| CA | Type | Notable For |
|---|---|---|
| Let's Encrypt | DV only | Free, automated via the ACME protocol. Backed by Mozilla, EFF, and others. Revolutionized HTTPS adoption. |
| DigiCert | DV, OV, EV | Enterprise-grade authority; widely trusted across all major browsers and operating systems. |
| Sectigo (Comodo) | DV, OV, EV | One of the largest volume issuers worldwide; strong brand recognition. |
| GlobalSign | DV, OV, EV | Strong presence in enterprise and Internet of Things (IoT) certificate management. |
| Entrust | DV, OV, EV | Trusted by government agencies and financial institutions for decades. |
| ZeroSSL | DV only | ACME-compatible free alternative to Let's Encrypt with a user-friendly dashboard. |
The vast majority of short, memorable, keyword-rich domain names were registered years ago. When someone needs one, they can't go to a standard registrar β they must buy it from its current owner. This is the domain aftermarket: a global secondary market for previously registered domain names, with annual transaction volumes running into the billions of dollars.
Understanding how it works β the acquisition models, valuation logic, and major platforms β is essential for anyone building a brand, investing in digital assets, or managing a domain portfolio.
Every domain name is unique. Once a name is registered, no one else can register the same string under the same TLD β as long as the owner keeps renewing it. Over 350 million domains are currently registered worldwide, and the most desirable namespace (short words, common nouns, .com) was exhausted in the early 2000s.
This scarcity creates genuine secondary market value. A domain like insurance.com or voice.com is not just a URL β it is a branded, traffic-generating digital asset with measurable commercial value.
There are four distinct routes to acquiring a domain that is already registered.
The owner lists the domain at a set price on a marketplace. The buyer pays and the domain transfers immediately. This is the fastest model. Platforms like Sedo, Afternic, and Dan.com host millions of fixed-price listings. Prices range from a few hundred dollars to millions.
The domain is listed for a competitive bidding period (typically 7β30 days). The highest bid at close wins. Two main types exist: standard auctions (seller initiates) and expiry auctions, where a domain about to be deleted is automatically auctioned by the registry or a partner platform.
A domain broker acts as an intermediary β approaching the owner confidentially, negotiating on your behalf, and managing the transfer logistics. This is ideal when the owner is unknown, the domain has no listed price, or discretion is required to avoid driving up the asking price.
When a domain expires and is not renewed, it enters the deletion pipeline before being released back to the public. "Backordering" a domain means instructing a specialized service to attempt to register it the instant it drops β often within milliseconds. Platforms like SnapNames, NameJet, and registrar backorder services compete in this space.
Each platform has a different focus, fee structure, and buyer pool. Sellers should consider listing on multiple platforms to maximize exposure.
| Platform | Model | Commission | Known For | Best For |
|---|---|---|---|---|
| Sedo | Fixed price, Auction, Broker, Lease | 10β15% (buyer pays) | Largest global marketplace; 19M+ listed domains; multilingual | International buyers and sellers; premium listings |
| Afternic / GoDaddy | Fixed price, Auction, BIN | 15β20% | Distributed network across 100+ registrar partners; massive reach | Sellers wanting exposure at point-of-registration searches |
| Dan.com | Fixed price, Lease-to-own, Offer | 9% (integrated with Afternic) | Clean buyer UX; lease-to-own financing; now part of GoDaddy | Mid-market sales ($500β$20k); easy seller setup |
| Namecheap Marketplace | Fixed price, Auction | 7.5β15% | Lower fees; integrated with Namecheap registrar customers | Sellers already on Namecheap; budget-conscious buyers |
| Flippa | Auction, Fixed price | 5β10% + listing fee | Also lists websites and apps; strong startup and investor community | Domains with existing traffic or revenue; startup-ready names |
| NameJet | Expiry auction, Backorder | ~$69 flat (backorder) | Premium expiry auctions; Network Solutions & Web.com drop feed | Drop-catching expiring domains from major registrars |
| SnapNames | Expiry auction, Backorder | ~$69 flat (backorder) | One of the oldest drop-catching networks; merged with NameJet | Experienced domain investors targeting expiry lists |
| NamePros | Peer-to-peer forum marketplace | None (free P2P) | Largest domain investor community; buy/sell threads; due diligence advice | Community-driven deals; research; networking with investors |
Domain valuation is part data, part brand judgement. No algorithm fully captures value, but these factors drive the vast majority of pricing decisions.
Shorter is almost always more valuable. Single-word .com domains command premiums. Under 6 characters is considered premium. Three-letter .com domains (LLL.com) are rare commodities β virtually all are owned and most cost $10k+.
Domains matching high-volume commercial search terms (e.g. loans, insurance, travel) carry intrinsic SEO value. Type-in traffic β visitors who type the domain directly into the browser β directly translates to revenue potential.
.com dominates β the same keyword in .com vs .net can differ by an order of magnitude in price. Country-code TLDs (.de, .co.uk) command strong premiums in their home markets. New gTLDs (.shop, .app) are generally valued lower but growing.
Invented, pronounceable single words (like Zoom, Stripe, Canva) command high prices because they are trademark-friendly, easy to recall, and versatile across markets. Pure keyword domains can be commoditized; distinctive brand names are scarce.
Older domains may carry existing backlink profiles, domain authority, or search engine trust. However, a domain with a history of spam, blacklisting, or UDRP disputes can be a liability β always audit a domain's history before purchasing.
A domain with verifiable type-in traffic or parking revenue is valued as an income-generating asset. Buyers apply revenue multiples (typically 12β36Γ monthly revenue) similar to website acquisitions. Verify traffic independently using tools like Ahrefs or SimilarWeb.
Run a WHOIS lookup to find the registrant or their proxy. Check if the domain is listed on any marketplace. If unlisted, you'll need a broker or a cold outreach via WHOIS email.
Use the Wayback Machine (web.archive.org) to review historical content. Check Ahrefs or Moz for backlink profile. Search for any past UDRP decisions. Verify it is not blacklisted by Google Safe Browsing.
Make an offer through the marketplace or directly. Be aware that opening too low can offend the seller; opening with a reasoned, researched number signals seriousness. Counter-offers are normal β most deals take 2β5 rounds.
Never send payment directly to an unknown seller. Use a reputable escrow service β Escrow.com is the industry standard. The buyer deposits funds; the seller transfers the domain; funds are released only after transfer is confirmed.
The seller unlocks the domain, provides the EPP/AuthInfo code, and the buyer initiates transfer at their registrar. Standard gTLD transfers take 5β7 days. After transfer, update DNS settings and confirm WHOIS data.
Research comparable sales on DNJournal.com (publishes weekly sales charts) and NameBio.com (searchable database of 2M+ historical sales). Price based on data, not hope. Overpriced domains sit unsold for years.
Submit to Sedo, Afternic/GoDaddy, and Dan.com simultaneously β this is legal and standard practice. Ensure all listings have the same price. Activate the Afternic Fast Transfer network for registrar-level distribution.
Point the domain to a simple "This domain is for sale" page (Sedo and Dan.com offer free hosted landers). This converts type-in traffic into inbound inquiries from motivated buyers already familiar with the name.
For high-value sales, consider a written purchase agreement. At minimum, ensure the platform's transaction record documents the agreed price, domain, and both parties. Verbal-only deals with anonymous buyers have no legal standing.
Offering a lease-to-own (LTO) structure lets buyers pay monthly installments while using the domain, with ownership transferring upon final payment. Platforms like Dan.com automate this. It expands your buyer pool significantly for $5k+ names.
Cybersquatting is the bad-faith registration of a domain identical or confusingly similar to a trademark, with intent to profit from the trademark owner's goodwill. ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP) allows trademark owners to challenge and recover such domains without going to court. Panels have awarded hundreds of thousands of domains to complainants. Buying a domain that infringes on a registered trademark β even from a third party β can expose you to immediate UDRP proceedings and domain loss without compensation.
Before completing any significant aftermarket purchase, search the USPTO Trademark Electronic Search System (TESS) and the EUIPO eSearch database to verify the domain does not correspond to an active registered trademark in your target markets. Generic dictionary words are generally safe; invented words or proper nouns require careful review. When in doubt, consult an intellectual property attorney before proceeding with high-value acquisitions.
A domain previously used for spam, phishing, or malware may be on email blacklists (check MXToolbox) or flagged in Google Safe Browsing. Even if cleared from blacklists, a history of low-quality content can suppress SEO performance for months. Use the Wayback Machine to review all historical content. Ask the seller for documentation of any previous use. A $500 due diligence investment can prevent a costly mistake on a $50,000 domain.
Domain fraud is common. Fake escrow sites mimic the Escrow.com interface but steal funds. Scammers also pose as sellers of domains they do not own. Always verify you are on the official Escrow.com (check SSL certificate and URL carefully). Never accept "custom escrow" suggested by an unknown seller. For transactions over $5,000, insist on using a platform's integrated escrow or Escrow.com β never wire funds to a private bank account.