Link Rot Forensics

Extract all outbound links from archived web pages, probe which are now dead, detect expired domains, and find subdomain takeover opportunities. Reveals defunct partnerships, hidden content, and abandoned infrastructure.


URL | Anchor Text | Category | Status | DNS | Seen In | Actions

What is link rot and why does it matter?

Link rot (or "link decay") is the gradual process by which hyperlinks cease to function as the target resource is moved, deleted, or the domain expires. Studies estimate that over 66% of links on the web become broken within a decade. For OSINT, dead links are signals: they reveal defunct partner companies, removed content that someone wanted hidden, expired domains available for registration, and abandoned social profiles.

How does this tool detect takeover opportunities?

When a domain expires but other websites still link to it, an attacker can register that domain and inherit the trust signals (backlinks, brand association). This tool checks DNS resolution for every unique external domain found in archived pages. Domains returning NXDOMAIN (non-existent) may be available for registration. CNAME records pointing to cloud services (GitHub Pages, Heroku, S3, Azure) where the service has been deprovisioned represent subdomain takeover vulnerabilities.

Key Terminology

Link Rot
The gradual breakdown of hyperlinks as target pages are moved, deleted, or domains expire. A natural process of the web's evolution that preserves forensic evidence in archives.
NXDOMAIN
A DNS response indicating the queried domain does not exist. May indicate an expired, unregistered, or never-registered domain — potentially available for takeover.
Subdomain Takeover
A vulnerability where an attacker claims an abandoned external service (GitHub Pages, Heroku, S3) that a target's DNS CNAME still points to, allowing content injection on the victim's subdomain.
Dangling CNAME
A DNS CNAME record pointing to a service that no longer exists, creating the precondition for subdomain takeover.

🔗 Link Rot Forensics — Frequently Asked Questions

What is link rot and why is it useful for OSINT?

Link rot is when hyperlinks on a page become broken over time — the linked resource is moved, deleted, or the domain expires. For OSINT, dead links reveal defunct partner companies, removed content someone wanted hidden, expired domains available for registration (potential takeover), abandoned social profiles, and historical relationships no longer visible on the live web.

What is subdomain takeover and how does this tool detect it?

Subdomain takeover occurs when a domain's DNS still points to a service (like GitHub Pages, Heroku, or S3) that the owner has abandoned. An attacker can claim the abandoned service endpoint and serve content on the victim's subdomain. This tool checks DNS records for CNAME entries pointing to known vulnerable services and flags expired domains that may be available for registration.
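
The DNS triage described in this answer and under "How does this tool detect takeover opportunities?", as an added Python example (not the tool's own code) that classifies already-collected DNS results for the outbound links and records of a site you administer. The `DnsObservation` record, the finding labels, the suffix map and the sample hosts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed suffix map for the services the page names; not the tool's own list.
SERVICE_SUFFIXES = {
    "github.io": "GitHub Pages",
    "herokuapp.com": "Heroku",
    "s3.amazonaws.com": "S3",
    "azurewebsites.net": "Azure",
}

@dataclass
class DnsObservation:            # hypothetical record of one lookup
    host: str
    rcode: str                   # final response code: "NOERROR" or "NXDOMAIN"
    cname: Optional[str] = None  # CNAME target seen in the answer, if any

def service_for(target: str) -> Optional[str]:  # match on a label boundary
    name = target.rstrip(".").lower()
    for suffix, service in SERVICE_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return service
    return None

def classify(obs: DnsObservation) -> str:
    service = service_for(obs.cname) if obs.cname else None
    if service and obs.rcode == "NXDOMAIN":
        # The CNAME record still exists but its target does not: dangling CNAME.
        return f"dangling-cname:{service}"
    if service:
        # Target resolves; DNS alone cannot show the service is still provisioned.
        return f"review-service:{service}"
    if obs.rcode == "NXDOMAIN":
        return "nxdomain"        # expired, unregistered, or never registered
    return "resolves"

def audit(observations):
    report = {}
    for obs in observations:
        report.setdefault(classify(obs), []).append(obs.host)
    return report

# Constructed sample data (reserved example names, not real lookups).
SAMPLE = [
    DnsObservation("old-partner.example", "NXDOMAIN"),
    DnsObservation("docs.example.org", "NXDOMAIN", "Example-Docs.GitHub.io."),
    DnsObservation("shop.example.org", "NOERROR", "example-shop.herokuapp.com"),
    DnsObservation("cdn.example.org", "NOERROR", "edge.notgithub.io"),
    DnsObservation("www.example.net", "NOERROR"),
]
```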