Understanding the Domain Risk Score
The risk score is separate from the health score — it measures how vulnerable a domain is to future problems, hijacking, and reputation damage.
Every domain in ElasticDomain has two scores: a health score and a risk score. They measure different things.
- Health score — current state: is everything working correctly right now?
- Risk score — future vulnerability: how exposed is this domain to attacks, accidents, or reputation damage?
A domain can be perfectly healthy today but still carry high risk. Understanding the difference helps you prioritize correctly.
What Contributes to the Risk Score
Subdomain Takeover Risk
If any subdomain has a dangling CNAME — pointing to a decommissioned GitHub Pages project, Heroku app, S3 bucket, or similar service — an attacker can register that name on the external service and serve malicious content from your domain. This is a high-risk finding.
Nameserver Concentration
If all your nameservers are from the same provider, a single provider outage takes down all your DNS. Diversified nameservers reduce this risk.
Registrar Lock Status
A domain without a transfer lock (the clientTransferProhibited registrar status) is at higher risk of unauthorized transfer. Domains with registrar locks score lower risk.
DNSSEC Status
Domains without DNSSEC are vulnerable to DNS cache poisoning. A domain with valid DNSSEC scores lower risk on this dimension.
SSL Configuration Weaknesses
- Old TLS versions accepted (TLS 1.0 or 1.1 still enabled)
- Weak cipher suites available
- SHA-1 signature algorithm still in use
- No HSTS header
These contribute to risk even if the certificate itself is valid.
Domain Age
Newly registered domains (under 6 months) score higher risk due to lower trust signals. This is informational, not actionable.
WHOIS Privacy Gaps
Domains with registrant contact information exposed (not privacy-protected) can be targeted for social engineering against the registrant.
Blacklist History
Being recently delisted from a blacklist still raises risk score temporarily — it signals the domain has a history of spam or malware association.
Hijack Risk Indicators
Certain combinations of signals increase hijack risk:
- Nameserver recently changed
- Registrar recently changed
- Domain expiry is close (under 30 days)
- Registrar lock is absent
Risk Score vs Health Score — Side by Side
| Scenario | Health Score | Risk Score |
|---|---|---|
| Valid SSL, expiry > 90 days, all headers present | High | Depends on DNSSEC, lock status |
| Expired SSL | Low | Low (not risky, just broken) |
| Valid SSL, dangling CNAME subdomain | High | High (takeover risk) |
| No HSTS, TLS 1.0 enabled, no DNSSEC | Moderate | High |
| Domain expiring in 5 days, no lock | High | Very High |
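An illustrative scoring model, added here as an example and not ElasticDomain's actual algorithm: the weights, the band thresholds and the rule that hijack indicators only count in combination are all assumptions, chosen so that the scenarios in the table above land in the bands shown.

```python
from dataclasses import dataclass


@dataclass
class DomainSignals:
    """Constructed inputs mirroring the risk dimensions listed above."""
    dangling_cnames: int = 0           # subdomains whose CNAME target is decommissioned
    nameserver_providers: int = 2      # distinct providers behind the NS set
    transfer_lock: bool = True         # clientTransferProhibited set at the registrar
    dnssec_valid: bool = True
    legacy_tls: bool = False           # TLS 1.0 or 1.1 still accepted
    weak_ciphers: bool = False
    sha1_signature: bool = False
    hsts: bool = True
    age_days: int = 365
    whois_privacy: bool = True
    recently_delisted: bool = False
    ns_changed_recently: bool = False
    registrar_changed_recently: bool = False
    days_to_expiry: int = 365


def assess(s: DomainSignals) -> tuple[str, int, list[str]]:
    """Return (band, points, reasons). Weights and thresholds are assumed."""
    findings = [
        (s.dangling_cnames > 0, 40, "dangling CNAME: subdomain takeover possible"),
        (s.nameserver_providers < 2, 10, "all nameservers on one provider"),
        (not s.transfer_lock, 15, "no registrar transfer lock"),
        (not s.dnssec_valid, 20, "no valid DNSSEC"),
        (s.legacy_tls, 15, "TLS 1.0/1.1 enabled"),
        (s.weak_ciphers, 5, "weak cipher suites offered"),
        (s.sha1_signature, 5, "SHA-1 signature algorithm in use"),
        (not s.hsts, 10, "no HSTS header"),
        (s.age_days < 180, 5, "domain younger than 6 months"),
        (not s.whois_privacy, 5, "registrant contact exposed in WHOIS"),
        (s.recently_delisted, 10, "recently delisted from a blacklist"),
    ]
    # Hijack indicators are scored only in combination: one alone adds nothing.
    hijack = [s.ns_changed_recently, s.registrar_changed_recently,
              s.days_to_expiry < 30, not s.transfer_lock]
    findings.append((sum(hijack) >= 2, 45, "multiple hijack indicators present"))
    hits = [(w, why) for hit, w, why in findings if hit]
    points = sum(w for w, _ in hits)
    band = ("Very High" if points >= 60 else "High" if points >= 40
            else "Moderate" if points >= 20 else "Low")
    return band, points, [why for _, why in hits]


if __name__ == "__main__":
    print(assess(DomainSignals(days_to_expiry=5, transfer_lock=False)))
```

Note that an expired certificate never appears in the inputs: under this model, as in the table, it lowers the health score but leaves risk untouched.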
How to Reduce Your Risk Score
| Risk Factor | Fix |
|---|---|
| Dangling CNAMEs | Remove unused DNS records or reclaim the target service |
| Single nameserver provider | Add secondary DNS with a different provider |
| No registrar lock | Enable clientTransferProhibited at your registrar |
| No DNSSEC | Enable DNSSEC in your DNS provider settings |
| Old TLS versions | Disable TLS 1.0 and TLS 1.1 in your server config |
| No HSTS | Add Strict-Transport-Security header |
Setting Up Risk Alerts
- Domain detail → Alerts → Create Alert Rule
- Trigger: Hijack Risk or Security Threat
- These fire when the risk score increases significantly or a specific high-risk signal is detected