This article looks at some of the basic domain name security best practices.
Domain name security should be one of the top priorities for any organisation with an online presence. There are some basic and inexpensive steps that will ensure that your domain names are not impacted by threats and risks associated with domain names.
- Auto-renew your domain names. Most Registrars provide this function with differing layers of sophistication. It is simple, free, and means that if you take your eyes off your domain names they are not going to expire.
- Activate Multi Factor Authentication (MFA). Another free function is MFA. All users should have this set up. Depending on the Registrar, this can be activated at log in, when DNS changes are made, when transfer requests are made etc.
- Use a unique password. Always ensure that your domain name account uses a unique and complex password. Never use a password that you use for a different device or application. We also recommend using apps like 1password and other vaults to store unique and important password information.
- Approval Processes for DNS edits: We recommend using a hierarchical approval system to ensure your collaborative business-critical processes are guarded with self-configured approval settings, preventing actions until all stakeholders have indicated approval. A good domain name portal should have this inherently built into it.
- Review and Limit User Permissions: Ensure that staff have the appropriate level of access. not all staff, for example, need to see all domains or have domain name edit permissions. Utilize fine-grain permissions at a user level as per your business model requirements.
- Lock your domain names. Another free service most Registrars provide is a product called “Transfer Lock”. This means that 3rd parties can not transfer domain names without this lock being removed. The next level is to implement a Registry lock. This ensures that Name Servers can only be changed through a very specific Registry protocol and prevents domain name hijacking through a compromised portal.
- Ensure your domain name is registered to the correct entity. If the domain name is not in the correct business entity, you run the risk of another party being entitled to transfer it away. If the domain name is registered to an individual and they leave the business, you may find that renewing it is a very difficult and complex task.
- Ensure that your email associated with the domain name is correct. Important notices often get sent to this email from the Registry and Registrar. In some cases, if these emails are not actioned domain names could be suspended or important renewal notices missed.
- Manage your account users. Have a clear policy on how to deal with staff changes and ensure that when staff leaves their login details are immediately suspended.
- Advanced DNS. We recommend that critical digital assets use Anycast DNS over an open-bind or unicast DNS solution. Dedicated Anycast DNS networks provide scalability and added protection against network DDoS attacks.
Brandsec is a corporate domain name management and brand protection company that look after many of Australia, New Zealand and Asia’s top publicly listed brands. We provide monitoring and enforcement services, DNS, SSL Management, domain name brokerage and dispute management and brand security consultation services.
Contact us today for a free consultation.