
To be clear though, you only have control of the domain's DNS in the specific case that:

- The original owner made that specific service the authoritative server for the domain with their registrar

- They then either never added the domain to the service, or added it, and later removed it...or killed the entire account.

As I mentioned, this is certainly an issue. But, the domain is basically abandoned. It's very similar to letting it expire. Something that should be fixed, for sure, but not a way to take over an actually functioning website.



Of course. I'm a bit confused on this emphasis... Does the post make it seem as though you can take over an active site? The point of this attack is merely to take control of many domain names and doesn't make any point about taking over live websites (at least, this was not my intention). You are taking over control of the DNS of these domains, just because they are not actively hosting something doesn't make this less true.

The idea would be that a user has simply deleted/released the zone for a specific domain under their account. This could have happened because they plan on moving it later or because a lack of payment/service termination has occurred. This allows an attacker to obtain thousands of fresh domains easily with very little effort and likely no payment at all which can be used in malware campaigns/etc. Some common things I saw were indeed older unused domains, domain portfolios of domain resellers/squatters, and even domains in restricted TLD spaces such as .gov, .edu, etc. These would certainly have value despite no longer being used.

Let me know if I've been unclear or am missing something here.


The author specified that his source for finding the domains in the first place was the .com and .net zone files. This means that the domains were actively pointing to Google/DO/Rackspace's nameservers.

The author would therefore have complete control over the orphaned domains after the takeover.


The reason for the emphasis is that the article isn't clear on two points.

- By definition, his method of finding domains only finds domains that aren't in active use (domain servers in the NS records return fail/refused).

- It uses the terminology "taking over", and you're saying "complete control". However, if the real owner of the domain wanted control back, they would simply log into their registrar and change the NS records...very low effort.
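The check the comments above describe (the servers listed in a domain's NS delegation answer REFUSED or fail instead of serving the zone) is exactly what a domain owner can run against their own portfolio to find a dangling delegation before someone else claims the zone at the provider. The script below is an added example, not code posted by anyone in this thread or by the article's author. It uses only the Python standard library: it sends a non-recursive SOA query for the zone apex to each delegated nameserver and classifies the reply. It assumes the caller supplies the nameserver names from the registrar's delegation (the parent-zone NS records), and the sample responses used for offline testing are constructed byte strings.

```python
import random
import socket
import struct

# DNS response codes (RFC 1035). REFUSED is what a hosting provider's
# nameserver returns when the zone has been removed from every account.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_SOA = 6
QCLASS_IN = 1

# Constructed sample responses (header only) for offline testing:
# id 0x1234, QR=1, rcode=5 (REFUSED), one question echoed, no answers.
SAMPLE_REFUSED = b"\x12\x34\x80\x05\x00\x01\x00\x00\x00\x00\x00\x00"
# id 0x1234, QR=1, AA=1, rcode=0, one question, one answer record.
SAMPLE_AUTHORITATIVE = b"\x12\x34\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00"


def build_query(qid: int, name: str, qtype: int = QTYPE_SOA) -> bytes:
    """Build a minimal DNS query with RD=0 so the server must answer from its own data."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = [label for label in name.strip(".").split(".") if label]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(data: bytes, expected_id: int) -> dict:
    """Extract rcode, AA flag and section counts from the 12-byte DNS header."""
    if len(data) < 12:
        raise ValueError("truncated DNS response")
    qid, flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("response id does not match query id")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return {"rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "answers": ancount, "authority": nscount}


def classify(header) -> str:
    """Map a parsed header (or None for no reply) to a delegation verdict."""
    if header is None:
        return "unreachable"
    rcode = header["rcode"]
    if rcode in (2, 5):
        # The delegated server does not serve this zone: a dangling delegation.
        return "lame:" + RCODE_NAMES[rcode]
    if rcode == 0 and header["aa"] and header["answers"] > 0:
        return "authoritative"
    return "non-authoritative:" + RCODE_NAMES.get(rcode, str(rcode))


def query_nameserver(ns_host: str, zone: str, timeout: float = 3.0):
    """Send one SOA query for `zone` to `ns_host` over UDP; None on timeout/error."""
    qid = random.randrange(0, 0x10000)
    try:
        ns_ip = socket.gethostbyname(ns_host)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(qid, zone), (ns_ip, 53))
            data, _ = sock.recvfrom(512)
        return parse_header(data, qid)
    except (OSError, ValueError):
        return None


def audit_delegation(zone: str, nameservers) -> dict:
    """Return {nameserver: verdict} for every server the registrar delegates to."""
    return {ns: classify(query_nameserver(ns, zone)) for ns in nameservers}


def audit_samples() -> dict:
    """Run the classifier over the constructed sample responses (offline)."""
    return {"refused": classify(parse_header(SAMPLE_REFUSED, 0x1234)),
            "authoritative": classify(parse_header(SAMPLE_AUTHORITATIVE, 0x1234)),
            "timeout": classify(None)}


if __name__ == "__main__":
    import sys
    # Usage: python audit.py example.com ns1.provider.example ns2.provider.example
    zone, *servers = sys.argv[1:]
    for ns, verdict in audit_delegation(zone, servers).items():
        print(f"{zone} @ {ns}: {verdict}")
```

Any server that comes back as `lame:REFUSED` or `lame:SERVFAIL` while still being listed in the registrar's delegation is the condition the thread describes, and the fix is the one noted above: either re-add the zone at the provider or change the NS records at the registrar. Querying the servers from the parent delegation, rather than the NS set the zone itself publishes, matters, because a removed zone publishes nothing.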



