The ghost domain problem in DNS, and what we're doing about it

I wrote a piece over on the Oh Dear blog about a failure mode that most uptime monitoring quietly gets wrong: a domain gets pulled from its registry’s zone, but its authoritative nameservers keep answering, and cached resolvers happily serve the stale delegation for days. Your monitoring says green. The domain is gone.

The site looks fine. It isn’t.

The fix isn’t glamorous: a local Unbound resolver on each worker, a shorter cache TTL so stale nameserver records expire in an hour instead of a day, and hardened referral-path checking to revalidate the delegation as we resolve.
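As an added example (not code from the post or from Oh Dear), here is an Unbound `server:` section that applies those three changes; the `interface` and `access-control` lines are assumptions about a worker that resolves only for itself, and the defaults quoted in the comments are from unbound.conf(5):

```conf
# Added example, not part of the original post: Unbound settings for a
# per-worker resolver that narrows the ghost-domain window.
server:
    # Assumption: the worker resolves only for itself, so listen on loopback
    # and point the worker's /etc/resolv.conf at 127.0.0.1.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Default cache-max-ttl is 86400 (one day): a cached NS set for a domain
    # that has been dropped from its TLD zone keeps being served that long.
    # Capping it at 3600 bounds the stale-delegation window to about an hour.
    cache-max-ttl: 3600

    # Default is "no". When enabled, Unbound performs additional queries to
    # validate the NS records used in a delegation instead of trusting the
    # cached referral, at the cost of extra upstream lookups on cache misses.
    harden-referral-path: yes

    # Default is already "yes"; kept explicit so the intent is visible:
    # only accept glue records that are within the delegation's bailiwick.
    harden-glue: yes
```

Run `unbound-checkconf` on the file before reloading; `harden-referral-path` adds upstream queries, so watch resolution latency on the workers after enabling it.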

We’re not going to “fix DNS.” What we can do is narrow the window where a stale delegation goes unnoticed.

Source: The ghost domain problem in DNS, and what we’re doing about it