Zoom stops zooming: Why active monitoring is essential

On April 16, 2025, Zoom experienced a significant global outage that disrupted video conferencing services and access to its website for thousands of users, as well as corporate email for all of its employees. It was quickly identified as a domain name registration status problem. Despite zoom.us being a critical name for Zoom, the status was somehow changed to serverHold. The disruption began around 2:40 PM EDT and lasted nearly two hours, during which users encountered “Unable to Connect” errors and were unable to log in or access the zoom.us domain.

Domain Name: zoom.us
Registry Domain ID: D1813391-US
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: www.markmonitor.com
Updated Date: 2025-04-16T18:25:44Z
Creation Date: 2002-04-24T15:03:39Z
Registry Expiry Date: 2027-04-23T23:59:59Z
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: registry.admin@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: serverHold https://icann.org/epp#serverHold

While Zoom resolved the issue and restored services by approximately 5 PM ET, the incident highlighted the vulnerabilities associated with domain and DNS configurations. A Reddit user suggested that the status is mainly used for fraud and legal cases, and that it is unusual for it to be applied to such a critical brand name.

What does serverHold mean?

serverHold is a domain status code set by the domain registry (not the registrar). When a domain is marked with serverHold, its DNS information is not published in the root zone, meaning the domain effectively disappears from the internet. No website access, no email routing, no DNS resolution—it simply stops working.

The serverHold status is typically applied for serious administrative or policy reasons. These can include:

  • Regulatory compliance failures
  • Evidence of abuse (e.g., phishing, malware)
  • Manual intervention by the registry based on terms-of-service violations
  • Court orders

Because this status is applied at the registry level, it cannot be resolved by your registrar alone; you’ll need to go through the registrar’s support team to escalate the issue.

How did this happen?

You can be an expert in DNS but still be impacted by catastrophic downtime, since much of what happens to your domain name is outside of your control. In this case, the domain status was blamed on the supply chain responsible for the domain name registration and the .us TLD:

“On April 16, between 2:25 P.M. ET and 4:12 P.M. ET, the domain zoom.us was not available due to a server block by GoDaddy Registry. This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.” 

There are many organizations involved in making sure that a domain is registered correctly. In this incident, it was an issue between MarkMonitor, which Zoom uses to manage its domains, and GoDaddy, which the U.S. Department of Commerce contracts with to manage the .us top-level domain name.

What do domain statuses mean?

The status of a domain tells you what operations can be carried out on it, as well as its legal and technical state.

There are two different types of EPP status codes: client and server codes. Client status codes are set by registrars, server status codes by registries. If a server status code is set, it’s unusual and can often mean there’s a dispute.

A full guide can be found here, but here are some of the common statuses found on generic top-level domain names (gTLDs).

Registry codes

  • ok: There aren’t any transfer locks or any other flags enabled, which puts the domain at risk of hijacking via social engineering.
  • inactive: Doesn’t resolve.
  • autoRenewPeriod: Part of the domain name expiry cycle, it means that the domain has expired and is in a grace period.
  • pendingTransfer: The domain is being transferred from one registrar to another.
  • redemptionPeriod: A further grace period. The domain is close to being deleted, but the domain can still be renewed.
  • pendingDelete: It’s too late. The domain will be deleted and will be up for grabs soon. 

Registrar codes

  • clientHold: Generally a sign of a legal or billing dispute, it means the domain has had its nameserver delegation removed.
  • clientDeleteProhibited: Delete requests cannot be processed until the status is removed.
  • clientTransferProhibited: Transfer requests cannot be processed until the status is removed.
  • clientUpdateProhibited: Update requests cannot be processed until the status is removed. 
  • clientRenewProhibited: The domain cannot be renewed in its current state.

Was it preventable? 

In all likelihood, not by Zoom themselves. At this stage, the issue appears to be solely within the supply chain. The .us TLD itself is commonly used and reliable, and like most enterprises, Zoom uses a well-regarded organization to manage its portfolio of domain names.

It’s likely that this change happened so quickly that no domain checking tool would have notified Zoom of this problem before the voices of 300 million users did.

That said, it’s essential that enterprises don’t rely on their registrars to maintain an up-to-date inventory of their domain names and their status. Most organizations will have domain names with multiple registrars, and security teams will often lack a single pane of glass that tells them about every single domain name owned and whether each is correctly registered or not.
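An added example (not from the original article, and not Red Sift ASM's code) of the kind of in-house status check the paragraph above argues for: it parses the Domain Status lines of a WHOIS response, flags the hold, expiry-cycle and missing-lock cases from the status lists above, and reports drift against a previous snapshot. The severity grouping, the function names and the baseline snapshot are assumptions of this example; the sample record reuses the zoom.us WHOIS fields quoted earlier on this page.

```python
import re

# WHOIS fields quoted on this page for zoom.us during the outage.
SAMPLE_WHOIS = """\
Domain Name: zoom.us
Updated Date: 2025-04-16T18:25:44Z
Registry Expiry Date: 2027-04-23T23:59:59Z
Registrar: MarkMonitor, Inc.
Domain Status: serverHold https://icann.org/epp#serverHold
"""

# Severity grouping is this example's own policy (an assumption).
NOT_IN_DNS = {"serverHold", "clientHold", "inactive"}
EXPIRY_CYCLE = {"autoRenewPeriod", "redemptionPeriod", "pendingDelete"}
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\S+)", re.I | re.M)


def parse_statuses(whois_text):
    """Return the set of EPP status codes found in a WHOIS response."""
    return set(STATUS_RE.findall(whois_text))


def set_by(status):
    """server* codes come from the registry, client* from the registrar."""
    if status.startswith("server"):
        return "registry"
    return "registrar" if status.startswith("client") else "lifecycle"


def evaluate(statuses, baseline=frozenset()):
    """Return (severity, message) findings for one domain snapshot."""
    findings = []
    for s in sorted(statuses):
        if s in NOT_IN_DNS:
            findings.append(("critical", f"{s} ({set_by(s)}): name is not published in DNS"))
        elif s in EXPIRY_CYCLE:
            findings.append(("high", f"{s}: domain is in the expiry cycle"))
        elif s == "pendingTransfer":
            findings.append(("high", "pendingTransfer: registrar transfer under way"))
    if not statuses & TRANSFER_LOCKS:
        findings.append(("medium", "no transfer lock set"))
    # Any drift from the last known-good snapshot is worth a look.
    for s in sorted(statuses ^ set(baseline)):
        change = "added" if s in statuses else "removed"
        findings.append(("info", f"status {change} since baseline: {s}"))
    return findings
```

Calling evaluate(parse_statuses(SAMPLE_WHOIS), {"clientTransferProhibited"}) with that constructed baseline returns one critical finding for serverHold, a missing-lock warning and two drift entries.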

Active monitoring with Red Sift ASM

Red Sift ASM provides continuous discovery and monitoring of an organization’s external-facing assets, including domains and DNS configurations. By proactively identifying misconfigurations and potential vulnerabilities, Red Sift ASM enables organizations to address issues before they escalate into outages.

In the case of Zoom, Red Sift ASM could have detected anomalies in the domain registration status, allowing for timely remediation and potentially preventing the outage.

Red Sift ASM monitoring and evaluation of Zoom Video Communications, Inc.

The Zoom outage serves as a reminder of the importance of proactive attack surface management. Implementing solutions like Red Sift ASM can help organizations maintain the integrity of their digital assets and ensure uninterrupted service for their users. If you’d like to learn more, request a demo today.

PUBLISHED BY

Billy McDiarmid

17 Apr. 2025
