Defensive domain registration: what to buy and what to skip

Which lookalike domains are worth registering yourself, which to monitor, and the budget every brand needs for proactive coverage.

$150-250/year for 15-20 domains

TL;DR

  • Register the highest-risk variants yourself: top 5-10 typos, the .co/.io/.net/.app of your .com, common combosquats (your-brand-login).
  • A practical 15-20 domain portfolio costs $150-250/year at wholesale registrar pricing, far less than one phishing incident.
  • Configure defensive domains so they cannot be weaponized against you: a null MX, an SPF record of v=spf1 -all and a DMARC policy of p=reject so mail claiming to come from them is rejected, and either no website at all or a 301 to your real domain over HTTPS.

What to register vs what to just monitor

Defensive registration is the cheapest brand-protection control: a domain you own cannot be used to phish your customers. But the variant space for any brand is huge (thousands of plausible permutations); you can't register all of them, and trying produces a registrar bill larger than any reasonable security budget.

The job is to register the highest-risk subset — variants attackers actually use — and monitor the long tail. The criterion: would a real user plausibly type or click this? Top typos (single-letter substitutions of common keys), TLD swaps of your primary, and combosquats with attack-anchor words (login, secure, verify, support, billing) make the cut. Single-character homoglyphs at the end of the domain do not.

Treat defensive registration as a portfolio decision: 15-20 domains for under $250/year covers the lookalikes that actually convert phishing victims. Anything beyond that is diminishing returns vs continuous monitoring + fast takedown.

How to build the portfolio

  1. List the obvious typos. Drop one letter, swap two adjacent characters, add a doubled letter, substitute the most common adjacent-key typo. For a brand of length 6-10 this yields a few dozen candidates; pick the 5-10 a non-careful user would actually type.

  2. List the TLD swaps. If your primary is .com, register .co (the .com with its last letter dropped), .io, .net, .app, and .ai if relevant to your space. Skip ccTLDs unless you operate in that geo or have a real local presence.

  3. List the combosquats: your-brand-login, your-brand-secure, your-brand-account, your-brand-support, your-brand-pay. These are the variants attackers use in phishing emails ("please verify on yourbrand-login.com"). 3-5 of these per brand.

  4. Register them at a wholesale registrar. Cloudflare Registrar, Namecheap, Porkbun. Skip the consumer registrars (GoDaddy, etc.) where prices are 2-3x higher and the upsells obscure renewal costs.

  5. Configure each to be unweaponizable. Publish a null MX (a single record "0 .", RFC 7505), an SPF record of exactly v=spf1 -all, and a DMARC record with p=reject; together these make any receiver that enforces them refuse mail claiming to come from the domain. Merely having no MX record is not enough: MX only governs inbound delivery, and a forged From: header never consults it. Serve no website at all, or nothing but a 301 to https://yourbrand.com. Turn on registrar lock and 2FA on the registrar account; a registrar takeover lets an attacker rewrite every one of these records, so the DNS hardening only holds while you control the account.

  6. Add auto-renew + a calendar reminder. A lapsed defensive registration is worse than no registration: when it drops, an attacker can register it knowing you found it valuable enough to defend.
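Steps 1 to 3 are mechanical enough to script. The following Python is an added example, not code from the original article: it generates the four typo classes from step 1, the TLD swaps from step 2 and the combosquats from step 3 for a brand, ranks them with illustrative risk weights, and splits the result into a register list of the requested size and a monitor list for the long tail. The keyboard-neighbour map, the weights and the anchor-word list are assumptions to tune for your own brand, and example.com is a placeholder.

```python
"""Build a defensive-registration portfolio from a brand's primary domain.

Added example (not code from the original article).  The keyboard-neighbour
map, the risk weights and the anchor-word list are illustrative assumptions;
tune them to your brand.  Output is a register list of `budget` domains and a
monitor list holding every other candidate.
"""
from __future__ import annotations

# Assumption: US QWERTY layout; only immediate neighbours count as likely typos.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

# Attack-anchor words and TLD swaps named in steps 2 and 3 of the article.
ANCHOR_WORDS = ("login", "secure", "verify", "support", "billing", "account", "pay")
TLD_SWAPS = ("co", "io", "net", "app")

# Assumed relative risk per variant class (higher = more likely to be typed or
# clicked by a real user).  Illustrative, not measured data.
WEIGHTS = {"tld-swap": 6, "combosquat": 6, "omission": 5,
           "transposition": 4, "doubling": 3, "adjacent-key": 3}


def typo_variants(label: str) -> dict[str, str]:
    """Map each typo of `label` to its class (step 1's four edit types).

    A candidate reachable by two classes keeps the first class generated,
    in the order omission, transposition, doubling, adjacent-key.
    """
    out: dict[str, str] = {}
    n = len(label)
    for i in range(n):                      # drop one letter
        out.setdefault(label[:i] + label[i + 1:], "omission")
    for i in range(n - 1):                  # swap two adjacent characters
        out.setdefault(label[:i] + label[i + 1] + label[i] + label[i + 2:],
                       "transposition")
    for i in range(n):                      # double one letter
        out.setdefault(label[:i] + label[i] + label[i:], "doubling")
    for i, ch in enumerate(label):          # hit a neighbouring key instead
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            out.setdefault(label[:i] + nb + label[i + 1:], "adjacent-key")
    out.pop(label, None)                    # e.g. transposing "oo" in "google"
    return {c: k for c, k in out.items() if len(c) >= 3}


def candidates(domain: str) -> dict[str, str]:
    """All candidate lookalikes of `domain` (label.tld), mapped to class."""
    label, _, tld = domain.lower().partition(".")
    cands = {f"{c}.{tld}": k for c, k in typo_variants(label).items()}
    for t in TLD_SWAPS:                     # step 2
        if t != tld:
            cands[f"{label}.{t}"] = "tld-swap"
    for word in ANCHOR_WORDS:               # step 3
        cands[f"{label}-{word}.{tld}"] = "combosquat"
    return cands


def plan(domain: str, budget: int = 20) -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Split candidates into (register, monitor) lists of (domain, class).

    Highest-weight classes first; ties broken alphabetically so the result
    is deterministic.  Everything past `budget` goes to the monitor list.
    """
    ranked = sorted(candidates(domain).items(),
                    key=lambda kv: (-WEIGHTS[kv[1]], kv[0]))
    return ranked[:budget], ranked[budget:]


if __name__ == "__main__":
    register, monitor = plan("example.com", budget=20)
    print(f"register ({len(register)}):")
    for name, kind in register:
        print(f"  {name:24} {kind}")
    print(f"monitor: {len(monitor)} more candidates")
```

Run it with your own apex and budget; the monitor list is what you feed to whatever continuous-monitoring tooling you use, since those are exactly the variants you chose not to buy. Before registering, hand-check the register list, because a weight table cannot tell you that a particular omission is also a real word or another company's brand.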

Common pitfalls

  • Defensive registration as the ONLY control. Even a 50-domain portfolio leaves thousands of variants unregistered. Continuous monitoring catches what defensive registration can't.

  • Forgetting subdomain combosquats. An attacker who can't get yourbrand.io might register secure-login.yourbrand-portal.com on a host they control. Watch for combosquats on registered domains, not just your apex.

  • Skipping registrar-lock + 2FA. A registrar account takeover undoes the entire defensive portfolio. Lock every domain at the registrar (the clientTransferProhibited status), enable 2FA on the account, and treat the transfer authorization (EPP/auth) code as a secret: it goes nowhere except to the gaining registrar during a transfer you initiated.

  • Letting defensive domains expire. A drop-catch service grabs expired domains within minutes. If you ever decide a domain isn't worth keeping, remove its A/AAAA records and the redirect so it resolves to nothing, leave it that way for 6 months so search engines drop it from their index, and only then let it lapse.

  • Pointing the redirect at http://yourbrand.com, or skipping the certificate. The 301 target must be https://yourbrand.com, and the defensive domain needs its own TLS certificate (free from Let's Encrypt, or issued automatically by a CDN in front of it) so the redirect is served on port 443 as well: a user who types https://typo.com at a domain with no certificate gets a browser certificate error, which looks like your brand is broken, and an http://-only redirect is a cleartext hop an on-path attacker can rewrite. A defensive domain that serves a registrar parking page instead of the redirect has lost the point.
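Step 5 and the last three pitfalls are easy to get subtly wrong, so here is an added Python check, not part of the original article, that audits a defensive domain's posture from records captured with dig +short and a response captured with curl -sI. The rule it enforces is the one a practitioner should apply: null MX, v=spf1 -all, DMARC p=reject, and either no address records or a permanent redirect to the apex over HTTPS. The sample record sets are constructed; the .invalid hostnames and the documentation IP addresses are placeholders, and yourbrand.com is the article's placeholder apex.

```python
"""Verify that a defensive domain is configured so it cannot send mail or
serve content (step 5), using records captured from `dig +short`.

Added example, not code from the original article.  It never queries DNS or
HTTP itself; you pass in the records and the HTTP response, so it runs
offline.  The sample record sets at the bottom are constructed, and
yourbrand.com is the article's placeholder for the real apex.
"""
from __future__ import annotations

from urllib.parse import urlsplit

Records = dict[str, list[str]]


def _txt(values: list[str]) -> list[str]:
    """Strip the surrounding quotes `dig +short TXT` prints."""
    return [v.strip().strip('"') for v in values]


def _dmarc_tags(record: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=reject; sp=reject' into a tag dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_mail_posture(records: Records) -> list[str]:
    """Findings about whether the domain can be used as a mail sender.

    `records` maps type -> RDATA strings; the TXT set at _dmarc.<domain> is
    passed under the key "_dmarc".  An empty list means: null MX (RFC 7505),
    SPF that authorises no sender, and DMARC p=reject, so a forged From:
    header is refused by any receiver that enforces these policies.
    """
    findings: list[str] = []
    mx = [m.strip() for m in records.get("MX", [])]
    if mx != ["0 ."]:
        findings.append(f"MX: expected the null MX '0 .', got {mx}")
    spf = [t for t in _txt(records.get("TXT", [])) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    elif spf[0].split()[1:] != ["-all"]:
        findings.append(f"SPF: expected 'v=spf1 -all', got {spf[0]!r}")
    dmarc = [t for t in _txt(records.get("_dmarc", [])) if t.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        findings.append("DMARC: expected one v=DMARC1 record at _dmarc")
    else:
        tags = _dmarc_tags(dmarc[0])
        policy = tags.get("p")
        if policy != "reject":
            findings.append(f"DMARC: policy should be p=reject, got p={policy}")
        if "sp" in tags and tags["sp"] != "reject":   # sp defaults to p when absent
            findings.append(f"DMARC: subdomain policy should be sp=reject, got sp={tags['sp']}")
    return findings


def check_web_posture(records: Records, apex: str,
                      http_response: tuple[int, dict[str, str]] | None = None) -> list[str]:
    """Findings about what the domain serves.

    No A/AAAA/CNAME records is fine (no website at all).  If the domain does
    resolve, `http_response` is the (status, headers) pair captured from
    `curl -sI https://<domain>/` and must be a permanent redirect to the apex
    over HTTPS; a parking page or an http:// target is a finding.
    """
    findings: list[str] = []
    if not any(records.get(t) for t in ("A", "AAAA", "CNAME")):
        return findings
    if http_response is None:
        findings.append("web: domain resolves, but no HTTP response supplied to verify the redirect")
        return findings
    status, headers = http_response
    if status not in (301, 308):
        findings.append(f"web: expected a permanent redirect (301/308), got {status}")
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    target = urlsplit(location)
    host = target.hostname or ""
    if target.scheme != "https" or not (host == apex or host.endswith("." + apex)):
        findings.append(f"web: redirect must point at https://{apex}, got {location!r}")
    return findings


def audit(records: Records, apex: str, http_response=None) -> list[str]:
    """Full step-5 check; an empty list means the domain cannot be weaponized."""
    return check_mail_posture(records) + check_web_posture(records, apex, http_response)


# Constructed sample: a domain configured as step 5 describes.
GOOD: Records = {
    "MX": ["0 ."],
    "TXT": ['"v=spf1 -all"'],
    "_dmarc": ['"v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"'],
    "A": ["192.0.2.10"],
}
GOOD_HTTP = (301, {"Location": "https://yourbrand.com/"})

# Constructed sample: registrar defaults, parked page, permissive SPF, no DMARC.
BAD: Records = {
    "MX": ["10 mail.parking.invalid."],
    "TXT": ['"v=spf1 include:_spf.parking.invalid ~all"'],
    "A": ["198.51.100.7"],
}
BAD_HTTP = (200, {"Content-Type": "text/html"})

if __name__ == "__main__":
    for name, recs, resp in (("good", GOOD, GOOD_HTTP), ("bad", BAD, BAD_HTTP)):
        print(name, audit(recs, "yourbrand.com", resp) or ["ok"])
```

To feed it real data, collect `dig +short MX typo.com`, `dig +short TXT typo.com` and `dig +short TXT _dmarc.typo.com` into the three record keys, and the status line plus Location header from `curl -sI https://typo.com/` into the response pair; running it across the whole portfolio on the same schedule as the renewal reminder catches the registrar quietly re-parking a domain or a DMARC record someone downgraded to p=none.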