- Your one source for DNS related tools! > Research > Inside the DOJ's domain name graveyards

Inside the DOJ’s domain name graveyards
Added June 01, 2011 @ 7:40 pm

Between November 2010 and May 2011, the US Department of Justice (DOJ), under many banners including the U.S. Immigration and Customs Enforcement (ICE) and the Federal Bureau of Investigations (FBI), seized over 140 domain names from sites allegedly engaged in the "illegal sale and distribution of counterfeit goods and copyrighted works" or other illegal activities.

But what exactly happens when domains are seized in such a manner? How is it done, and where do they end up? This article provides insight into the takedown process as well as providing a unique look into the DOJ’s domain name graveyard.

How is it done?

In order to take down a domain name, the United States Government needs to take in rem action against the domain names. This basically means that they are applying to seize property (the domain name) that is directly used in criminal activities.

Once this order is obtained, the authorities must send a request to the registrar responsible for the top level domain (TLD) in question to take specific actions against the domain names in question. In most of the cases seen to date, this registrar has been VeriSign. The registrar is then compelled to take the documented action against the domain names.

This actions taken by the registrar is as follows:

1. Set the following flags on all domain names to prevent the owner or the registry’s from modifying the domain’s details:
  • Status: clientDeleteProhibited
  • Status: clientTransferProhibited
  • Status: clientUpdateProhibited
  • Status: serverDeleteProhibited
  • Status: serverTransferProhibited
  • Status: serverUpdateProhibited
2. Update the name servers of the domain to the name server specified by the relevant authority in the takedown request.

To date, the name servers that have been identified on seized domains have been either one of the following combinations:
  • NS1.CIRFU.NET and NS2.CIRFU.NET – Name servers for the FBI’s Cyber Initiative and Resource Fusion Unit.
  • NS1.SEIZEDSERVERS.COM and NS2.SEIZEDSERVERS.COM – These name servers appear to be managed by government contractor ‘immixGroup IT solutions’ on servers hosted with ‘CaroNet Managed Hosting’.
Or alternatively, name servers are registered as ns1.<seized-domain>.com and ns2.<seized-domain>.com that point to a server under the control of ‘’, an organization whose mission is to "help put a stop to high stakes cybercrime in the information age".

Once these name server changes are in place, these domains will start to resolve to one of two servers controlled by the parties above:

Inside the DOJ’s domain name graveyards

As we now know the IP addresses of the servers used to store these seized domains and ultimately display the seizure notice, using’s Reverse IP Lookup tool it is possible to take a peek inside the final resting place for these domains. This tool shows all domain names hosted on a given IP address.

Below is the output of this tool for the first of the IP addresses listed above.

Sample output of Reverse IP Lookup for  Click to view the live data.

View full Reverse IP Lookup for
View full Reverse IP Lookup for

Thanks to the unique view provided by the Reverse IP Lookup tool, it is possible to shed some light on the true scale of activity currently being undertaken by the DOJ to stamp out illegal activities online, as well as view a definitive list of domains now in the control of the DOJ.

Data from this tool is constantly updated and is arguably one of the best single views of the domains that have been seized by the DOJ. Keep checking these IP addresses for new additions, you might just catch the latest seized domain before the media!

Do you have an idea for other research that can be conducted using tools provided by Please send in your ideas!

All content © 2019
Feedback / Suggestions / Contact Us   Become an Affiliate