On April 16, 2025, Zoom experienced a significant global outage that disrupted video conferencing and access to its website for thousands of users, as well as corporate email for all of its employees. The cause was quickly identified as a domain name registration status problem: although zoom.us is a critical name for Zoom, its status had somehow been changed to serverHold. The disruption began around 2:40 PM EDT and lasted nearly two hours, during which users encountered “Unable to Connect” errors and were unable to log in or access the zoom.us domain.
Domain Name: zoom.us
Registry Domain ID: D1813391-US
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: www.markmonitor.com
Updated Date: 2025-04-16T18:25:44Z
Creation Date: 2002-04-24T15:03:39Z
Registry Expiry Date: 2027-04-23T23:59:59Z
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: registry.admin@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: serverHold https://icann.org/epp#serverHold
While Zoom resolved the issue and restored services by approximately 5 PM ET, the incident highlighted the vulnerabilities associated with domain and DNS configurations. A Reddit user suggested that the status is mainly used for fraud and legal cases, and that it is unusual for it to be applied to such a critical brand name.
What does serverHold mean?
serverHold is a domain status code set by the domain registry (not the registrar). When a domain is marked with serverHold, its DNS information is not published in the root zone, meaning the domain effectively disappears from the internet. No website access, no email routing, no DNS resolution—it simply stops working.
The serverHold status is typically applied for serious administrative or policy reasons. These can include:
- Regulatory compliance failures
- Evidence of abuse (e.g., phishing, malware)
- Manual intervention by the registry based on terms-of-service violations
- Court orders
Because this status is applied at the registry level, it cannot be resolved by your registrar alone—you’ll need to go through their support team to escalate the issue.
How did this happen?
You can be an expert in DNS and still be hit by catastrophic downtime, since much of what happens to your domain name is outside of your control. In this case, the domain status was blamed on the supply chain responsible for the domain name registration and the .us TLD:
“On April 16, between 2:25 P.M. ET and 4:12 P.M. ET, the domain zoom.us was not available due to a server block by GoDaddy Registry. This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.”
There are many organizations involved in making sure that a domain is registered correctly. In this incident, it was an issue between MarkMonitor, which Zoom uses to manage its domains, and GoDaddy, which the U.S. Department of Commerce contracts with to manage the .us top-level domain name.
What do domain statuses mean?
The status of the domain tells you what operations can be carried out on it and the legal and technical state of it.
There are two different types of EPP status codes: client and server codes. Client status codes are set by registrars, server status codes by registries. If a server status code is set, it’s unusual and can often mean there’s a dispute.
A full guide can be found here, but here are some of the common statuses found on generic top-level domain names (gTLDs).
Registry codes
- ok: It means that there aren’t any transfer locks or any other flags enabled, putting the domain at risk of hijacking via social engineering.
- inactive: Doesn’t resolve.
- autoRenewPeriod: Part of the domain name expiry cycle, it means that the domain has expired and is in a grace period.
- pendingTransfer: The domain is being transferred from one registrar to another.
- redemptionPeriod: A further grace period. The domain is close to being deleted, but the domain can still be renewed.
- pendingDelete: It’s too late. The domain will be deleted and will be up for grabs soon.
Registrar codes
- clientHold: Generally a sign of a legal or billing dispute, it means the domain has had its nameserver delegation removed.
- clientDeleteProhibited: Delete requests cannot be processed until the status is removed.
- clientTransferProhibited: Transfer requests cannot be processed until the status is removed.
- clientUpdateProhibited: Update requests cannot be processed until the status is removed.
- clientRenewProhibited: The domain cannot be renewed in its current state.
Was it preventable?
In all likelihood, not by Zoom themselves. At this stage, the issue appears to be solely within the supply chain. The .us TLD itself is commonly used and reliable, and like most enterprises, Zoom uses a well-regarded organization to manage its portfolio of domain names.
It’s likely that this change happened so quickly that no domain checking tool would have notified Zoom of this problem before the voices of 300 million users did.
That said, it’s essential that enterprises don’t rely on their registrars to maintain an up-to-date inventory of their domain names and their status. Most organizations will have domain names with multiple registrars, and security teams will often lack a single pane of glass that tells them about every domain name they own and whether it is correctly registered.
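The status codes listed above can be checked mechanically against your own inventory. The following is an added example, not code from the article or from any vendor it mentions: it parses `Domain Status:` lines in the format of the WHOIS record shown earlier, classifies each code, and compares two snapshots of the same domain. The domain `example.us` and the baseline record are constructed; the outage snapshot reuses the status line from the zoom.us record.

```python
import re

# Codes named in the article. Only a "client" prefix means the registrar set it;
# server-prefixed and unprefixed codes come from the registry.
NOT_RESOLVING = {"serverHold", "clientHold", "inactive"}
EXPIRY_CYCLE = {"autoRenewPeriod", "redemptionPeriod", "pendingDelete"}
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\S+)", re.I | re.M)

def statuses(whois_text):
    """Return the set of EPP status codes found in one WHOIS record."""
    return set(STATUS_RE.findall(whois_text))

def assess(whois_text):
    """Return sorted (severity, code, set_by) findings for one record."""
    findings = []
    for code in statuses(whois_text):
        set_by = "registrar" if code.startswith("client") else "registry"
        if code in NOT_RESOLVING:
            findings.append(("critical", code, set_by))
        elif code in EXPIRY_CYCLE:
            findings.append(("high", code, set_by))
        elif code in ("ok", "pendingTransfer"):
            # ok = no locks set; pendingTransfer = confirm it was requested
            findings.append(("review", code, set_by))
    return sorted(findings)

def changes(previous, current):
    """Compare two snapshots of one domain: (added, removed) status codes."""
    before, after = statuses(previous), statuses(current)
    return sorted(after - before), sorted(before - after)

# Constructed "last known good" snapshot for a hypothetical domain.
BASELINE = """Domain Name: example.us
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""
# Constructed snapshot carrying the status line from the zoom.us record above.
OUTAGE = """Domain Name: example.us
Domain Status: serverHold https://icann.org/epp#serverHold
"""

if __name__ == "__main__":
    print(assess(OUTAGE))
    print(changes(BASELINE, OUTAGE))
```

Storing the previous snapshot per domain and alerting on any added code in `NOT_RESOLVING` gives the status-change signal discussed above; how often the lookup runs bounds how quickly it can fire.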
Active monitoring with Red Sift ASM
Red Sift ASM provides continuous discovery and monitoring of an organization’s external-facing assets, including domains and DNS configurations. By proactively identifying misconfigurations and potential vulnerabilities, Red Sift ASM enables organizations to address issues before they escalate into outages.
In the case of Zoom, Red Sift ASM could have detected anomalies in the domain registration status, allowing for timely remediation and potentially preventing the outage.
The Zoom outage serves as a reminder of the importance of proactive attack surface management. Implementing solutions like Red Sift ASM can help organizations maintain the integrity of their digital assets and ensure uninterrupted service for their users.