The category of business problem nobody plans for: domain and DNS disasters. They're rare. They're devastating when they happen. They're entirely preventable with 30 minutes of setup. And yet I see them at SMBs constantly, because the prevention setup is in the gap between "things my web designer handles" and "things my IT person handles" — neither group thinks it's their job.
This article is about what goes wrong, who actually owns it, and the prevention layer that takes a half-day to set up and prevents almost every common disaster.
The five ways it breaks
In rough order of how often I see them at SMBs:
1. Domain expires while nobody is looking
The classic. Your yourbusiness.com was registered five years ago by a former employee, freelancer, or agency. The renewal was on their credit card. They're long gone. The domain quietly expires. Your website goes down. Your email stops working. Customers can't find you.
Recovery: depends on how long ago the domain expired, and ranges from "easy renewal" (within 30 days, just pay extra) to "30-day registrar redemption period at $80–200" to "auction" (if a domain squatter has caught it) to "lost" (if a competitor has bought it). The whole spectrum costs days to weeks of business disruption.
2. Domain registrar account locked out
You can't access the account where your domain is registered because:
- The email address tied to the account no longer exists
- The 2FA is on a phone number that's been disconnected
- The original registrar account belongs to someone who's left the company
- The recovery email is set to an address you can't access
The domain still works. You just can't manage it. You can't update DNS, can't renew, can't transfer to another registrar. Recovery takes weeks of identity verification with the registrar.
3. DNS records changed without documentation
Someone (you don't know who) changed an MX record, or an A record, or a CNAME six months ago. Email stopped working. The website moved to the wrong server. A subdomain points to nothing. Nobody remembers why the change was made or what the original value was supposed to be.
Recovery: digital archeology. Trying to recreate the correct records from email backups, chat logs, and old documentation. Sometimes impossible without DNS history.
4. SSL certificate fails to auto-renew
Your SSL certificate (the https:// lock icon) auto-renews every 90 days for Let's Encrypt, or annually for paid certificates. Sometimes renewal fails — DNS misconfiguration, hosting account issues, or a one-off failure that nobody noticed.
The certificate expires. Browsers show a giant red warning to every visitor. "Your connection is not private." Visitors leave. SEO drops. Customer trust evaporates.
Recovery: usually fast (30 minutes to manually renew), but only if you notice quickly. Many SMBs go 6–48 hours before someone reports the warning.
5. Email forwarding silently breaks
You set up info@yourbusiness.com to forward to your personal Gmail. It worked for years. Then it stopped — usually because the forwarding configuration violates SPF rules introduced after the original setup. Customer emails to info@ vanish. You don't notice for weeks because customers don't complain — they just stop emailing.
Recovery: switch to direct email instead of forwarding, or migrate to a proper email service. Lost time is lost.
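The SPF failure behind that silent forwarding breakage can be shown with a small evaluator. This is an added example, not code from the article: it evaluates the subset of SPF a plain forwarder trips over (ip4, ip6, include and the "all" mechanism with its qualifiers) against constructed TXT records for hypothetical domains. When info@yourbusiness.com simply forwards a customer's message to Gmail, the envelope sender is still the customer's domain but the connecting IP is your mail server, so the customer's SPF record rejects it. The last scenario assumes a forwarder that rewrites the envelope sender to its own domain, which is how forwarding services that do work around this behave.

```python
"""Why plain email forwarding fails SPF: a minimal evaluator over constructed DNS data."""
import ipaddress

# Constructed TXT records standing in for live DNS lookups (hypothetical zones).
FAKE_DNS_TXT = {
    "customer-mail.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "yourbusiness.com": ["v=spf1 include:_spf.example-mailhost.net -all"],
    "_spf.example-mailhost.net": ["v=spf1 ip4:203.0.113.0/24 ~all"],
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's v=spf1 TXT record, or None when it has none."""
    for txt in dns.get(domain, []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def check_spf(domain, client_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate SPF for the envelope-sender domain against the connecting IP.
    Supports ip4, ip6, include and all; other mechanisms (a, mx, exists) are skipped."""
    if depth > 10:                       # RFC 7208 limits include recursion
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # 'in' is False when address and network versions differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(arg, client_ip, dns, depth + 1) == "pass"
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # no mechanism matched and no 'all' present


if __name__ == "__main__":
    customer_server, your_server = "192.0.2.5", "203.0.113.20"
    # 1. Customer mails info@ directly: Gmail-style check at your server passes.
    print("direct delivery:", check_spf("customer-mail.example", customer_server))
    # 2. info@ forwards unchanged to a personal Gmail: the connecting IP is now yours,
    #    the envelope sender is still the customer's domain, and '-all' rejects it.
    print("plain forward:  ", check_spf("customer-mail.example", your_server))
    # 3. A forwarder that rewrites the envelope sender to its own domain is judged
    #    against your SPF record instead (assumed here to list your mail host).
    print("rewritten:      ", check_spf("yourbusiness.com", your_server))
```

The "plain forward" line is the failure mode the article describes: nothing is misconfigured on either side, the customer's SPF record is just doing its job against an IP it has never heard of.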
Who actually owns this
A specific question every SMB should be able to answer: "Who owns the domain registration for yourbusiness.com?"
Not "who manages it." Not "who logs into the registrar account." Who is the legal owner?
Common SMB answers:
- "Our web designer set it up. I think it's in their account."
- "It was registered by an employee who left in 2022."
- "The agency set it up. I'm not sure who registered it."
- "We have a GoDaddy account. I'm not sure who created it."
In each case, the business doesn't actually own its domain — someone else does, on the business's behalf, in a casual arrangement that worked until it didn't.
The fix: the domain should be registered in the business's name (not an individual's), with a business email address as the contact (not an individual's), with a business credit card on file (not an individual's), with 2FA set up on a business-controlled phone or app.
If your domain isn't set up this way, the work to fix it is 1–2 hours and prevents the entire "domain registrar account locked out" category of disaster.
The prevention layer (do this in a half-day)
Specific actions, in order:
Action 1: Audit current ownership
For your main domain and any business-critical subdomains:
- Who's the registered owner (the WHOIS record)?
- What email is the registrar account under?
- Who has the password?
- Is 2FA enabled? On whose phone?
- Is the credit card on file business or personal?
- When does the domain expire?
A 30-minute investigation. The findings are nearly always "we have problems."
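The audit questions above can be run mechanically against the WHOIS output. This is an added example, not code from the article: it parses a constructed WHOIS record for a hypothetical domain and emits a finding for each of the ownership problems listed (expiry inside 90 days, no registrant organization, contact addresses outside the business domain, no registrar transfer lock, DNSSEC unsigned). Real registries often redact contact fields; where they do, take the email and phone answers from the registrar account itself and keep the rest of the checks.

```python
"""Audit a WHOIS record for the ownership problems described in Action 1."""
from datetime import date, datetime

# Constructed WHOIS output for a hypothetical domain (not real registry data).
SAMPLE_WHOIS = """\
Domain Name: YOURBUSINESS.COM
Registrar: Example Registrar, LLC
Registry Expiry Date: 2025-03-01T00:00:00Z
Domain Status: ok https://icann.org/epp#ok
Registrant Organization:
Registrant Email: jane.doe@gmail.com
Admin Email: jane.doe@gmail.com
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
DNSSEC: unsigned
"""

# Mailbox providers that indicate an individual's address rather than the business's.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "icloud.com"}


def parse_whois(text):
    """Map lower-cased 'Key: value' lines to lists (keys such as Name Server repeat)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def first(fields, key):
    """First value for a key, or '' when the record lacks it."""
    return fields.get(key, [""])[0]


def audit_whois(text, today, business_domain):
    """Return a list of findings; an empty list means the record looks healthy."""
    fields = parse_whois(text)
    findings = []

    expiry_raw = first(fields, "registry expiry date")
    if expiry_raw:
        expiry = datetime.strptime(expiry_raw, "%Y-%m-%dT%H:%M:%SZ").date()
        days_left = (expiry - today).days
        if days_left < 0:
            findings.append(f"EXPIRED {-days_left} days ago")
        elif days_left <= 90:
            findings.append(f"expires in {days_left} days")
    else:
        findings.append("no expiry date in WHOIS; confirm it in the registrar account")

    if not first(fields, "registrant organization"):
        findings.append("registrant organization is empty: registered to an individual, not the business")

    for role in ("registrant email", "admin email"):
        email = first(fields, role)
        mail_domain = email.rpartition("@")[2].lower()
        if mail_domain and mail_domain != business_domain:
            kind = "personal mailbox" if mail_domain in PERSONAL_MAIL_DOMAINS else "third-party address"
            findings.append(f"{role} is a {kind} ({email}), not @{business_domain}")

    statuses = " ".join(fields.get("domain status", [])).lower()
    if "clienttransferprohibited" not in statuses:
        findings.append("registrar transfer lock is off: anyone with account access can move the domain")

    if first(fields, "dnssec").lower() == "unsigned":
        findings.append("DNSSEC not enabled (informational)")

    return findings


if __name__ == "__main__":
    for finding in audit_whois(SAMPLE_WHOIS, date(2025, 1, 15), "yourbusiness.com"):
        print("-", finding)
```

Run it against the output of `whois yourbusiness.com` (or the registrar's own WHOIS page) and paste the findings into the audit notes; the transfer-lock check in particular is worth keeping, since a domain that is unlocked and registered to a departed individual is the exact setup behind disasters 1 and 2.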
Action 2: Move ownership to the business
If the registrar account isn't in the business's name, transfer it:
- Create a new registrar account using a business email address (e.g. domains@yourbusiness.com) and a business credit card.
- Initiate a transfer of the domain from the old registrar to the new account. Most registrars support this within their own platform; otherwise initiate a transfer via the standard ICANN transfer process (60-day cooldown applies).
- Set up 2FA using a business-owned phone number or an authenticator app whose backup codes are stored in the business password manager.
- Document the recovery email and security questions in the business password manager.
Action 3: Set up auto-renewal with payment redundancy
In the registrar account:
- Enable auto-renewal for the domain.
- Set the renewal period to maximum (3, 5, or 10 years if available — domains are cheaper per year when paid in bulk).
- Add at least two payment methods (primary credit card + backup credit card, or primary card + ACH).
- Verify auto-renewal succeeds at least once before assuming it works.
Action 4: Document DNS state
Export your current DNS configuration to a text file. Most registrars and DNS providers (Cloudflare, AWS Route53, Google Cloud DNS) support exporting zone files.
Store this text file in your business documentation (Notion, Confluence, Google Drive). Update whenever DNS changes.
This serves two purposes: disaster recovery (rebuild DNS if everything is lost) and change tracking (if someone changes a record, you can compare to the documented baseline).
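The change-tracking purpose is easiest to see with an actual diff. This is an added example, not the article's or any provider's code: it parses two constructed BIND-style zone exports for a hypothetical domain (the documented baseline and a fresh export) and reports records that were added, removed or changed. The parser handles the common export shape (`owner TTL IN TYPE rdata`, `$ORIGIN`, `$TTL`, `;` comments) and nothing more exotic.

```python
"""Compare a documented DNS baseline with a fresh zone export (Action 4 change tracking)."""

# Constructed zone exports for a hypothetical domain (not real records).
BASELINE_ZONE = """\
$ORIGIN yourbusiness.com.
$TTL 3600
@        3600 IN A     203.0.113.10
www      3600 IN CNAME yourbusiness.com.
@        3600 IN MX    10 mail.yourbusiness.com.
mail     3600 IN A     203.0.113.20
@        3600 IN TXT   "v=spf1 ip4:203.0.113.20 -all"
shop     3600 IN CNAME shops.example-platform.net.   ; storefront vendor
"""

CURRENT_ZONE = """\
$ORIGIN yourbusiness.com.
$TTL 3600
@        3600 IN A     203.0.113.10
www      3600 IN CNAME yourbusiness.com.
@        3600 IN MX    10 mail.yourbusiness.com.
mail     3600 IN A     198.51.100.7
@        3600 IN TXT   "v=spf1 ip4:203.0.113.20 -all"
api      300  IN A     203.0.113.30
"""


def parse_zone(text):
    """Return {(owner, type): set(rdata)} for a simple BIND-style zone export."""
    origin = ""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                      # $TTL and friends yield no records
            continue
        parts = line.split(None, 4)                   # owner ttl class type rdata
        if len(parts) < 5:
            raise ValueError(f"unparsed zone line: {raw!r}")
        owner, _ttl, _cls, rtype, rdata = parts
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"               # expand relative names
        records.setdefault((owner.lower(), rtype.upper()), set()).add(rdata.strip())
    return records


def diff_zones(baseline, current):
    """List added, removed and changed record sets, sorted by owner name."""
    changes = []
    for owner, rtype in sorted(set(baseline) | set(current)):
        before = sorted(baseline.get((owner, rtype), set()))
        after = sorted(current.get((owner, rtype), set()))
        if before == after:
            continue
        kind = "added" if not before else "removed" if not after else "changed"
        changes.append({"kind": kind, "owner": owner, "type": rtype,
                        "before": before, "after": after})
    return changes


if __name__ == "__main__":
    for c in diff_zones(parse_zone(BASELINE_ZONE), parse_zone(CURRENT_ZONE)):
        print(f"{c['kind']:8} {c['owner']} {c['type']}: {c['before']} -> {c['after']}")
```

Run this on a schedule against a fresh export and treat any output as something to explain: a mail host's A record moving to an address nobody recognises (the `changed` line here) is the kind of edit that, six months later, becomes the "nobody remembers why" problem in disaster 3, and when the baseline is known good it is also what restoring from documentation looks like.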
Action 5: Set up monitoring
Three monitoring tools, all free or cheap:
- UptimeRobot (free tier): pings your website every 5 minutes, alerts you if it's down. Catches "site went down because something broke" faster than waiting for customer complaints.
- Let's Monitor or your registrar's built-in expiry alerts: alerts 30, 14, 7 days before any domain or SSL certificate expires.
- DNS change monitoring via Cloudflare's audit logs (if Cloudflare is your DNS provider) or via DNSchecker periodic spot-checks of critical records.
Total monitoring cost: $0–$15/month. Setup: 1 hour.
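If you would rather own the expiry alerting than depend on a third-party tier, the logic is small. This is an added example, not code from the article or from any of the tools it names: it reads a certificate's expiry from a live TLS handshake (the only part that needs network, and not exercised by the constructed demo at the bottom), converts the `notAfter` text Python's `ssl` module returns, and decides which of the 30/14/7-day tiers is due, firing each tier once so a five-minute loop does not page repeatedly. Domain registration expiry feeds the same function; the date in the demo is constructed.

```python
"""Expiry alerting for TLS certificates and domains (Action 5), with 30/14/7-day tiers."""
import socket
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (30, 14, 7)  # thresholds named in the article


def fetch_cert_not_after(host, port=443, timeout=5):
    """Live check (needs network): TLS handshake and return the certificate's notAfter text.
    A default context refuses an expired or mismatched certificate, which is itself the
    alert condition, so that case is returned as 'verify-failed' instead of raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError:
        return "verify-failed"


def expiry_from_not_after(not_after):
    """Convert getpeercert()'s notAfter text (e.g. 'Mar  1 00:00:00 2025 GMT') to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def alert_tier(expiry, now):
    """Tightest threshold crossed: 30, 14 or 7 (days), 'expired', or None if nothing is due."""
    days_left = (expiry - now).total_seconds() / 86400
    if days_left < 0:
        return "expired"
    crossed = [d for d in ALERT_DAYS if days_left <= d]
    return min(crossed) if crossed else None


def due_alerts(items, already_sent, now):
    """items: {name: expiry datetime}. already_sent: {name: last tier alerted} (mutated).
    Returns (name, tier) pairs to send now; each tier fires once per item."""
    due = []
    for name, expiry in items.items():
        tier = alert_tier(expiry, now)
        if tier is not None and already_sent.get(name) != tier:
            already_sent[name] = tier
            due.append((name, tier))
    return due


if __name__ == "__main__":
    # Constructed inventory: in production the TLS entry comes from
    # fetch_cert_not_after(host) and the registration date from the registrar.
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    inventory = {
        "yourbusiness.com TLS": expiry_from_not_after("Jan 25 00:00:00 2025 GMT"),
        "yourbusiness.com registration": datetime(2025, 3, 1, tzinfo=timezone.utc),
    }
    state = {}
    print(due_alerts(inventory, state, now))   # TLS certificate inside 14 days
    print(due_alerts(inventory, state, now))   # nothing new on the next run
```

Persist `state` between runs (a JSON file is enough) and wire `due_alerts` to whatever channel people actually read; an alert that lands in an unmonitored mailbox reproduces disaster 4.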
When you're already locked out
If the disaster has already happened:
Domain expired in last 30 days
Most registrars hold expired domains for 30 days. You can usually renew during this period — sometimes at standard pricing, sometimes with a "redemption fee" of $80–200. Log into the registrar (or contact support if the account is also locked) and renew immediately.
Domain expired more than 30 days ago
The domain enters "redemption period" (30–80 days depending on registrar), where the original owner can still recover it but at much higher cost. After redemption, the domain enters auction. After auction, it's available to anyone.
If you're past 30 days, contact the registrar urgently — the redemption fee is steep but recovery is still possible. Past 90 days, the domain may be lost; your best bet is a domain broker to try to recover it from the new owner, which is expensive and uncertain.
Locked out of registrar account
Most registrars have account recovery processes that involve identity verification — sometimes by email, sometimes by mail to the registered address, sometimes by court order in extreme cases. The process takes 1–4 weeks.
Best practice during recovery: don't change DNS or anything else until access is restored. Some registrars will lock the domain during disputed access.
If recovery fails (rare but possible), you may need legal help — particularly if the original account holder is a former employee or vendor who's actively obstructive. ICANN has a transfer-dispute process but it's slow.
SSL expired
Fastest fix: log into your hosting provider (Vercel, Render, Netlify, or your custom host) and trigger manual renewal. Most modern hosts handle this within 5 minutes.
If your SSL is provided by a third party (Let's Encrypt manually configured, or a paid certificate from DigiCert/GoDaddy/etc.), renewal requires accessing the issuer's account and re-issuing.
While the cert is expired, traffic continues to work for users who bypass the warning, but conversion rates drop dramatically. Fix urgency is high.
DNS records broken
If you have your DNS state documented (Action 4 above), restore from documentation. Apply changes one at a time, verify each. Total recovery time: 30 minutes to 2 hours including DNS propagation.
If you don't have it documented, recovery becomes detective work. Look at:
- Email signatures and old documentation for the original A and MX records
- Web hosting account dashboards for what they expected DNS to be
- Wayback Machine for historical traffic patterns
- Third-party tools like DNS History for past DNS records
This can take days. The lesson: document DNS now, while everything works.
When to hire help
Domain and DNS work is mostly self-service for SMBs willing to spend a half-day on setup. When to bring in help:
- You have multiple domains, complex DNS (with many records, subdomains, and integrations), and you're not confident you understand the current state.
- You're locked out of accounts and the recovery process is stuck.
- You're migrating between DNS providers and want zero-downtime.
- You need to set up advanced DNS features (DNSSEC, sophisticated routing, geographic distribution).
- You suspect ongoing problems but can't diagnose them.
For these, a few hours of L3 help is enough. The Lead Steer monthly retainer covers DNS work as part of ongoing L3 support.
What to do next
The companion articles cover the other recurring L3 problems:
- Email Deliverability for SMBs — closely related to DNS (SPF/DKIM/DMARC are DNS records)
- The Backup You Have But Probably Can't Restore
- Building an L3 Tech Stack: Monitoring and Tools
---
Part of the Level 3 Tech Support pillar guide.