Having your domain hijacked is essentially Internet identity theft. You no longer have control over the content your visitors see when they come to your website, your email, VoIP, or any other services that rely on your domain name. This is a serious threat to an organization’s brand and reputation. Your only recourse is to appeal to the registrar that lost your domain (and, if the attacker managed to transfer control of the domain to a new registrar, the one that now manages your domain) and hope they do the right thing. If that doesn’t work, your only other option is to file a legal complaint with ICANN, which can take weeks to months to process.
Cloudflare has built a free tool that helps you check the security state of your domain and registrar. Give it a try and grade your domain with the Cloudflare security checker.
Domain hijacking can occur at the registrar level when an attacker compromises a registrar account and changes the nameserver or other registration information associated with a domain. The registrar, believing that the changes originated from an authorized registrant, sends the new information up to the registry.
Registries serve as the authoritative source for the nameservers associated with all domains, so after they accept the changes from the registrar, all traffic to that domain will be rerouted to the new nameserver. In turn, this new nameserver sends visitors to an IP address of the attacker’s choosing.
Updating your ownership and authoritative nameserver information happens infrequently, and there are dangerous, long-term consequences when those updates are performed incorrectly. Therefore, changes to information in the global domain registry should be both secure and thorough.
Cloudflare Registrar is designed with this in mind. All changes to domain ownership or nameserver information are verified and executed manually.
Custom Domain Protection for Cloudflare Registrar follows a strict change control protocol for all transfer requests. The goal is to ensure that any change to your nameservers or registration data is approved by your organization as a whole. We offer the following security features:
Requiring multiple independent offline verification sources thwarts an attacker’s attempt to compromise an online registrar account.
Many mass-market registrars support registrar lock, which prevents the registry from altering information unless the lock is explicitly removed. However, if an attacker compromises your registrar account, they can unlock it and make any kind of changes they want.
Registry lock provides much more security than registrar lock. It prevents changes by any registrar (including yours) until the lock is removed. Unlocking at the registry level requires out-of-band communication with the registry operator, and is thus very manual.
Registry changes should not be confused with your operational DNS information. While altering a nameserver and registration information requires careful validation, altering the records in your nameservers should be nearly instantaneous.
Cloudflare Registrar does not require any changes to your operational DNS infrastructure. You can still update A, AAAA, MX, and all the other records you need without any additional configuration. When migrating to Cloudflare Registrar, your registry information can point to the exact same nameservers—the only difference is that it will be much harder for an attacker to change those values.
Cloudflare Registrar Custom Domain Protection safeguards domains from being hijacked at the registry, but they’re still vulnerable to DNS man-in-the-middle attacks. Universal DNSSEC adds an additional layer of security by authenticating all DNS queries for your domains with cryptographic signatures. In cases where Cloudflare is both the registrar and the DNS provider of a domain, we can seamlessly deliver DNSSEC.
If you’re an organization that manages high-value trademark domains, Cloudflare Registrar with Custom Domain Protection is designed to meet your unique security needs. Contact our sales team to learn more.
Custom Domain Protection for Cloudflare Registrar