Domain security is no joke. Losing a domain name through a third-party attack, or by simply losing control over the account or associated email, could be the worst thing that happens to your entire online company’s infrastructure. We’re talking about losing email access, web access, customer database access, and much more if your business relies entirely upon your domain name, as most companies do these days.
Cybersecurity doesn’t only involve app security, DNS attacks, cracking servers, penetration testing and social engineering techniques. There’s more to it than that, and in this latest installment of our Domain Security series, we’ll explore the top 10 ways to protect your domain names at your domain registrar, to help you guard yourself against several types of cybercrime.
Let’s start by asking — and answering — a fundamental question:
What types of attacks can be performed against my domain names that directly involve my domain registrar security?
- Registrar account hacking: This is when you lose complete control over your account at your domain registrar. It’s one of the worst scenarios possible, as your attacker can take complete control over your domain names.
- Unauthorized domain transfers: Also known as domain hijacking, this takes place when someone takes your domain away from your domain registrar, usually with methods involving false domain transfer authorizations under unlocked domain names.
- DNS spoofing: This type of attack is also known as DNS cache poisoning, and it’s essentially a technique that involves altering DNS records to redirect online traffic to a malicious/fake website.
- Phishing and spam: These are two of the most common network threats encountered in the digital era. We all know what spam is, but another type of attack with a similar scenario is phishing. Both can be directly related to your domain registrar’s security features.
Top 10 ways to protect your domain name at the domain registrar
With the above info in mind, the following are our top tips for preventing domain hijacking and any other type of domain registrar-based attack on your online infrastructure.
1. Enable 2FA
This is our number-one security tip for any kind of online-based account, and if you’re using a domain registrar it’s a must. Never leave your registrar login information wide open without proper two-factor authentication enabled.
Nowadays most domain registrars allow you to set up 2FA with Google Authenticator², Authy, or alternatives like the YubiKey 2FA key-generator device.
2. Avoid password reuse
A study performed by Virginia Tech University and Dashlane¹ analysts revealed that humans inevitably reuse passwords or merely make slight changes to their original combinations, as they find it difficult to remember all the passwords they use for online services.
Your best bet is to completely avoid password reuse, for both personal and business-based domain names. This will help guard against hacking, especially after the many data breach problems we’ve seen worldwide in online services.
3. Use a strong password
Following a cue from the previous tip, using a strong password is one of the most critical elements in maintaining a secure domain registrar account. You can do it manually—by combining eight characters or more that include uppercase and lowercase letters, as well as numbers and symbols. You should also avoid using dictionary-based words.
While ‘manual-strong’ passwords are easy to generate, they aren’t always easy to remember. We recommend using a password manager application such as 1Password or Dashlane that will let you generate ‘random-strong’ passwords, and save the login details for you so the burden isn’t on you to remember them.
4. Enable DNSSEC
DNSSEC, while still not widely implemented in all domain registrars, is a modern way to protect apps and caching DNS resolvers from third party malicious data manipulations (such as DNS cache hijacking). By using DNSSEC in your domain registrar, you’ll add an additional layer of cryptographic security to your DNS records.
Make sure the registrar you use offers DNSSEC support, so that every lookup is checked against the cryptographic signature and any alteration is detected. Two great examples of domain registrars that fully support DNSSEC are Cloudflare and Namecheap.
At the time of writing this article we are running a survey on our Twitter account, and we found that even inside the infosec community, there are a lot of individuals who are adopting this, but the majority are still not adopting DNSSEC as another security layer for their domain names, and some others have totally discarded this technology.
Hey #infosec community. We’re running a small survey about #DNSSEC. Would be awesome to get your feedback 👍 👍 👍— SecurityTrails (@securitytrails) August 13, 2019
“Are you using DNSSEC to protect your domain names?”
This shouldn’t discourage you from jumping right into the DNSSEC implementation. It may take some time and configuration, but in the end your domain names will be much more secure than before.
5. WHOIS protection
Enabling WHOIS protection services is another way to keep your personal information safe.
If you don’t enable WHOIS privacy at the time of your initial domain registration, details including your phone number, email, city, country, even your mailing address, could be exposed to the entire Internet.
To make matters worse, data-scraping bots scan WHOIS records throughout the Internet to use your own personal details to send you spam, and often include you in phishing campaigns.
6. Enable domain locking
There’s another thing most people forget to do once they register a domain name. That’s verifying that the domain name’s status has been set to ‘Registrar lock’ or ‘Client Transfer Prohibited.’
The registrar lock, also known as domain locking, is a security feature offered by all domain registrars that helps safeguard domain names from unauthorized changes/transfers, a common practice in domain hijacking activities.
7. Verify the domain’s associated email
One of the biggest mistakes you can make when registering a domain name is to use an old or unused email address, especially if you’re using hotmail or gmail-based addresses.
If for some reason you lose this account due to inactivity, or you have no way to recover access to the email account, then your domain name may see trouble in the future. Make sure you always have access to the email associated with your domain names.
8. Keep your contact information updated
Not only is it important to keep your email updated, but the rest of your personal or company details as well. Technical and administrative contact emails are important, as are your mailing address, first and last name, telephone number, driver’s license and other pertinent information.
Remember, this information will be necessary should you ever need to verify it’s really you when contacting your domain registrar, especially in cases of domain hijacking.
9. Turn on automatic domain renewal
Even as you read this, thousands of bots are scanning WHOIS information looking for close-to-expire dates or already-expired domain names. Should you fall victim to any organization putting these bots to work, you can easily lose your domain name.
How to avoid this danger? That’s easy: turn on automatic renewal. We get it…for some people, using automatic renewal seems “dangerous” in itself because some domains can be automatically renewed even when their owners don’t use them anymore. That could cost you ten bucks in auto-renewal each year.
But to lose an active domain name because you forgot to renew it could be even more dangerous, and way more expensive for your business. After all, you’ll always have a chance to delete and disable auto-renew on domains you’re no longer going to use, but time runs shorter and shorter for domain renewal—especially if that domain renewal notification gets stuck in your spam folder, as so many automatic notifications do these days.
10. Prevent cybersquatting
Cybersquatting is the act of illegally registering domain names with the intention of generating revenue by selling them, or using them to set up phishing websites for collecting sensitive data from legitimate, unwitting visitors.
You can prevent cybersquatting by registering the most popular domain TLDs based on your original domain name. For example, if your company domain name is company.com, try also registering company.net, company.org, company.info, company.tv, company.io, etc.
You may also want to explore misspelled domain name combinations such as companyt.com, companyu.com, etc. Registering these variants yourself guards against the practice known as “domain typosquatting”, and it can prevent a lot of malicious domain-related activities from harming your organization.
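To build the list of names worth registering or monitoring for tip 10, you can enumerate the TLD variants and common misspellings of your own domain. This is an added example, not part of the original article: the same-row QWERTY adjacency model and the function names are assumptions, and it goes beyond the article's two misspellings by also covering omitted, doubled and swapped letters.

```python
# Same-row QWERTY neighbours only (letters); a simplification assumed by this example.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def neighbours(ch):
    """Keys directly left and right of ch on its QWERTY row."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i != -1:
            return [row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)]
    return []

def typo_labels(label):
    """Common single-slip misspellings of one domain label."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                          # omitted letter
        out.add(label[:i] + ch + label[i:])                         # doubled letter
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # swapped pair
        for n in neighbours(ch):
            out.add(label[:i] + n + label[i + 1:])                  # wrong key
            out.add(label[:i + 1] + n + label[i + 1:])              # extra adjacent key
    out.discard(label)
    out.discard("")
    return out

def defensive_candidates(domain, tlds=("com", "net", "org", "info", "tv", "io")):
    """Return (TLD variants, typo variants) of a name you already own."""
    label, _, tld = domain.partition(".")
    tld_variants = sorted(f"{label}.{t}" for t in tlds if t != tld)
    typos = sorted(f"{v}.{tld}" for v in typo_labels(label))
    return tld_variants, typos

if __name__ == "__main__":
    tld_variants, typos = defensive_candidates("company.com")
    print("TLD variants:", ", ".join(tld_variants))
    print(f"{len(typos)} typo variants, e.g.:", ", ".join(typos[:5]))
```

Check each candidate's availability with your registrar, and put the ones you cannot register on a watch list.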
Following these top 10 tips will help you prevent most domain hijacking and takeover attacks from a domain registrar point of view.
These measures can also prevent damaging business closures due to critical service interruptions.
And if you want to stay one step ahead of the bad guys, expand your domain knowledge beyond these registrar security tips. Go forward with a full DNS audit using our passive DNS database to find records, explore DNS values, and so much more with our free API tier.
If your business calls for an enterprise-grade solution, make your move with SurfaceBrowser™, the all-in-one platform for all your DNS, domain, IP addresses, open ports and SSL reconnaissance needs. Book a demo with our sales team today!
¹ https://people.cs.vt.edu/gangwang/pass.pdf
² https://www.google.com//landing/2step/