Custom Domain Protection for Cloudflare Registrar

The Highest Level of Registrar Security

Custom Domain Protection for Cloudflare Registrar, available on the Enterprise Plan, protects your organization from domain hijacking with exclusively out-of-band verification of any changes to your Registrar account. Cloudflare is an ICANN accredited registrar providing secure domain registration for high-profile domains.

What Is Domain Hijacking?

Having your domain hijacked is essentially Internet identity theft. You no longer have control over the content your visitors see when they come to your website, your email, VoIP, or any other services that rely on your domain name. This is a serious threat to an organization’s brand and reputation. Your only recourse is to appeal to the registrar that lost your domain (and, if the attacker managed to transfer control of the domain to a new registrar, the one that now manages your domain) and hope they do the right thing. If that doesn’t work, your only other option is to file a legal complaint with ICANN, which can take weeks to months to process.

Cloudflare has built a free tool that helps you check the security state of your domain and registrar. Give it a try and grade your domain with the Cloudflare security checker.

  • Registries maintain the global list of domains.

  • Registrars sell domains to registrants and upload domain information to registries.

  • Registrants purchase and manage domains through their registrar account.

Domain hijacking can occur at the registrar level when an attacker compromises a registrar account and changes the nameserver or other registration information associated with a domain. The registrar, believing that the changes originated from an authorized registrant, sends the new information up to the registry.

Registries serve as the authoritative source for the nameservers associated with all domains, so after they accept the changes from the registrar, all traffic to that domain will be rerouted to the new nameserver. In turn, this new nameserver sends visitors to an IP address of the attacker’s choosing.

Registry Changes Should Be Authenticated and Strongly Validated

Updating your ownership and authoritative nameserver information happens infrequently, and there are dangerous, long-term consequences when those updates are performed incorrectly. Therefore, changes to information in the global domain registry should be both secure and thorough.

Cloudflare Registrar is designed with this in mind. All changes to domain ownership or nameserver information are verified and executed manually.

Securing Domains with Custom Domain Protection

Custom Domain Protection for Cloudflare Registrar follows a strict change control protocol for all transfer requests. The goal is to ensure that any change to your nameservers or registration data is approved by your organization as a whole. We offer the following security features:

  • Multi-user, offline confirmation for all change requests

  • Consistent use of registrar lock

  • Consistent use of registry lock

  • Two-factor authentication enforced for all registrant accounts

  • Customizable authorization process

  • Plausibility check

Requiring multiple independent offline verification sources thwarts an attacker’s attempt to compromise an online registrar account.

Many mass-market registrars support registrar lock, which prevents the registry from altering information unless the lock is explicitly removed. However, if an attacker compromises your registrar account, they can unlock it and make any kind of changes they want.

Registry lock provides much more security than registrar lock. It prevents changes by any registrar (including yours) until the lock is removed. Unlocking at the registry level requires out-of-band communication with the registry operator, and is thus very manual.

No Operational Changes Required

Registry changes should not be confused with your operational DNS information. While altering a nameserver and registration information requires careful validation, altering the records in your nameservers should be nearly instantaneous.

Cloudflare Registrar does not require any changes to your operational DNS infrastructure. You can still update A, AAAA, MX, and all the other records you need without any additional configuration. When migrating to Cloudflare Registrar, your registry information can point to the exact same nameservers—the only difference is that it will be much harder for an attacker to change those values.

Layered Defense with Universal DNSSEC

Cloudflare Registrar Custom Domain Protection safeguards domains from being hijacked at the registry, but they’re still vulnerable to DNS on-path attacks. Universal DNSSEC adds an additional layer of security by authenticating all DNS queries for your domains with cryptographic signatures. In cases where Cloudflare is both the registrar and the DNS provider of a domain, we can seamlessly deliver DNSSEC.

Make The Switch to Cloudflare Registrar