by Ross Oliver, Senior Technical Consultant at Taos
The Internet domain name is the heart of your organization’s Internet identity. However, domain registration has become commoditized and inexpensive, so many organizations fail to adequately protect their most important Internet asset. Internet domains can fall victim to a number of events that can cause severe operational disruption, including:
- Failure to renew registration
- Unauthorized transfer to another party
- Hacking of registrar account
- Hacking of registration contact email account
- Corruption or alteration of DNS data
Organizations can prevent most problems by establishing a set of standard practices for domain registration, maintenance and monitoring.
Selecting a Domain Registrar
Too many organizations select a domain registrar based primarily on the price of registration. However, you should also consider the registrar’s reliability and security offerings. Some useful functions include:
- Locks against changes to contact information, intra-registrar transfers
- Multiple user accounts for a single organization
- Activity monitoring and logging
- Automatic notification of changes
- Multi-factor authentication
- Strong password reset practices
- Fine-grained control over account access (e.g. time scheduled, limited by IP address or geolocation)
- A designated account representative
- 24-hour support service availability
- Designated response times for support requests
The registrar’s standard public facing web site may not describe all available offerings, so contact the registrar directly for additional information. Review the registrar’s offerings and procedures on a regular basis.
Protect Domain Registrar Accounts
Your domain registration accounts are prime targets for malicious actors, and yet many organizations treat them with less concern than even standard internal user accounts, e.g. inadequate passwords, widespread account sharing, lack of record keeping. These accounts should be subject to the same policies and controls that apply to your organization’s standard user accounts.
Avoid relying on individuals to store account credentials in email boxes, on laptops, etc. Record and store account credentials in the same manner as other critical organization data. Include domain registrar accounts in business continuity and disaster recovery plans.
Limit access to a specific set of designated individuals, and maintain a list of authorized individuals. The group should be as small as practical, but never less than two individuals. Ensure the accounts are included in your organization’s termination process.
Sharing a single domain registrar account is a common but ill-advised practice. Just as with your organization’s internal accounts, sharing reduces accountability and interferes with the ability to log and audit activity. Each authorized individual should have a separate account.
Some registrars are now offering two-factor authentication. Making use of this function greatly reduces the risk of account compromise due to poor password management or brute force attacks. Requesting automatic activity logging and notification from the registrar can reduce this risk further.
To prevent problems caused by failure to renew the domain name, make use of the registrar’s automatic renewal function, but always include verification in your own operational procedures. Review contact, billing and payment information quarterly for accuracy so renewals are processed smoothly.
Protect Domain Names from Unauthorized Changes
Use role-based accounts or email aliases for the domain contacts, rather than individual email addresses. This will reduce the risk of a domain hijacking through hacking of an individual’s email account, and the risk of a single individual making unauthorized changes. Use separate addresses for technical, administrative, and billing contacts.
Attackers may attempt to disrupt an organization’s communications infrastructure, such as email servers and web sites, to delay or prevent receipt of alerts or change notifications from the registrar. Smaller organizations might consider including a trusted external party as one of the domain contacts, such as an ISP, law firm or accounting firm. If this approach is used, put sufficient procedures in place so that any notices are acted upon in a timely manner.
Consider using email addresses in separate domains as the domain contact addresses. This will reduce the risk of an attacker interfering with the ability of the legitimate domain owner to receive notifications from the registrar. Using domains registered with a different registrar can further reduce this risk, but at a cost of added complexity of management and monitoring.
In the event of any unauthorized changes, it may be necessary to show your organization’s legitimate claim to a domain name. Organizations should maintain sufficient documentation to show domain ownership. Inquire with your registrar about what documentation they consider valid to establish the claim. In absence of any guidance, key documents should include:
- Copies of actual domain registrations
- Any invoices, billing records, etc. showing payments for the domain
- Logs and audit records that associate the domain to your organization
- Legal documents, tax records, business licenses, trademarks that show the domain associated with your organization.
- Copies of correspondence with the registrar or other entities regarding the domain
Monitor for Any Changes
Domain registration and DNS data should be included in your standard operational monitoring. Monitored items should include:
- DNS server names and IP addresses
- WHOIS registration information
- All key DNS records, such as top-level domains, wildcards, SOA, and MX records
Frequency of monitoring should be based on the propagation speed and potential for disruption. For example, check domain registration data daily and DNS records every 5 minutes.
Early detection of corruption or unauthorized changes affords the best opportunity to correct them and minimize disruption to operations and reputation.
Internet domain registrations may seem insignificant because of their low cost and minimal effort required, but they are the keystone of your organization’s Internet identity and reputation. Be sure you are protecting the keystone of your Internet presence.