If you care about your brand, you should care about the security of your domain. Much as your legal team remains vigilant against trademark infringements and counterfeit merchandise, your IT team needs to harden your domain name from virtual threats. Insecure domain and registrar practices allow attackers to hijack your site and redirect your visitors to any server they want.
When you purchase a domain name, your registrar passes along your registration information up to the global registry, which serves as the authoritative source for domain resolution.
If an attacker were to compromise your registrar account, they could point your domain to a nameserver under their control. The registry, believing that the updates came from an authorized source, would accept the changes without question.
Registry Lock is a special flag in the registry (not your registrar) that prevents anybody from making changes to your domain without out-of-band communication with the registry. In other words, to transfer your domain or update your nameservers, your registrar needs to pick up the phone, call the global registry, authorize with a verbal passphrase, and tell them to remove the registry lock.
This kind of strong verification protects against compromise of the registrar’s servers and from someone compromising your account. Even if an attacker has access to your email account and your 2-factor authentication codes, it’s still not enough to hijack a registry-locked domain.
Registry Lock is the gold standard of domain security, and it’s only offered through security-conscious registrars. Note that Registry Lock is only available for .com, .net, and a few other top-level domains.
Every time you want to update your domain’s information in the global registry, you need to provide a unique domain authorization code (Auth Code) to prove that you own the domain. Without this code, the registry will reject any attempts to change a domain.
Auth Codes only offer basic protection against domain hijacking via unauthorized domain transfers. If an attacker were to intercept your Auth Code (e.g., by hacking your email account, snooping on an insecure Internet connection, or compromising the registrar itself), they could effectively steal your domain name.
Registrar Lock (not to be confused with Registry Lock) prevents this kind of domain hijacking by requiring more than just an Auth Code to change information in the global registry. Before the registry allows the domain to be updated, the registrar must remove the lock. This means that an attacker would also need access to your registrar account, not just your domain’s Auth Code.
If your domain uses Registry Lock, Registrar Lock is actually redundant, as any domain hijacking attempts at the registrar would already be prevented. Registrar Lock, is, however, the bare minimum necessary to secure your domain. Most registrars provide Registrar Lock capabilities.
When you register a domain, you need to populate the global registry with administrative and nameserver information. This is what makes it your domain. The problem is, the global registry is publicly accessible, and anything you put in there is available to the entire Internet.
Many organizations register domains to individual employees—often someone in the IT department or, in the case of startups, a founder or contractor. This means that every time someone looks up your domain’s Whois record, they’ll find the full name and email address of a real person in your organization.
Revealing personally identifiable information in a public database is a serious security problem. It enables would-be attackers to single out employees in your organization with targeted phishing emails and social engineering tactics. Registering domains to individual employees also makes for complicated situations when those people leave your organization.
Security-concious organizations avoid leaking this kind of private
information by using role accounts to register their domain names. For
example, if you look up
cloudflare.com in the Whois
database, you’ll find that it’s registered to the abstract
Cloudflare Hostmaster whose email address is
Role accounts protect the individuals in your organization from being targeted by attackers. They’re a domain security best practice that every high-profile brand should be following.
Keeping track of your domain’s expiration date is a simple but critical part of securing your domain. If your domain expires there’s typically a short grace period where you can renew it without penalty. However, once that grace period ends, your registrar will put your domain back on the market.
Automated tools constantly monitor the Whois database for newly expiring domains with the intention of ransoming them back to their original owners. This is called “domain drop catching” or “domain sniping,” and it’s a common scheme for hijacking domains.
For brand name organizations, accidentally losing your domain due to a renewal lapse is front-page news, and there shouldn’t even be a remote possibility of this ever happening.
We recommend at least a 6-month expiration window for high-profile domains. This is enough leeway to deal with unforeseen complications like an employee that owned the domain leaving the company (again, this is a good reason to use Role Accounts).
Ideally, high-profile companies should have a registrar that automatically renews their domain so that its expiration window is never less than 6 months.
Registry Lock, Registrar Lock, Role Accounts, and Domain Expiration all have to do with securing your domain at the registry/registrar. However, there’s another type of domain hijacking attack that can affect your domain even it’s completely locked down at the registry level.
DNS cache poisoning occurs when an attacker tricks a recursive DNS server into caching a fake record. In turn, this fake record is passed on to website visitors when they try to resolve your domain. This allows an attacker to hijack traffic to your website and direct visitors to a web server of their choosing.
DNSSEC eliminates the threat of DNS cache poisoning by authenticating all DNS queries with cryptographic signatures. Instead of blindly caching DNS records, DNS servers will reject unauthenticated responses.
Combined with secure registrar practices, DNSSEC guarantees that those visiting your domain see your website and not the content on somebody else’s web server. You can learn more about DNSSEC here.