Your domain name is the entry point for your entire business identity on the internet. It’s how you offer services and products, communicate with customers and vendors, and how your employees get their jobs done. If someone malicious can subvert your domain name and/or prevent anyone from accessing it, you cease to exist on the Internet. So how do you protect this vital resource?
Getting a domain name
When your company, “Example, Inc”, decides to register a domain name like “example.com”, you usually register it with a registrar, like GoDaddy, Namecheap, Tucows, etc. With your first domain name, you need to set up a registrar account with that registrar.
One of the things you’ll need to decide when you register your domain name is who will be publishing the information about your company (like where to send email, how to reach the web site) to other computers on the Internet. The servers that do this are called Authoritative Nameservers, and they map the human readable addresses, like example.com to the underlying computer readable numerical addresses. The process uses a protocol called the Domain Name System (DNS). Your nameservers could be supplied by your registrar, they might be supplied by your cloud provider as part of setting up a cloud infrastructure (like AWS, Azure, Google Cloud), or be run by your Content Delivery Network (CDN) provider as part of a content/load-balancer/DDoS protection service, like Akamai, CloudFront, Azure CDN, Cloudflare.
Picking authoritative nameservers
What you care about most when picking nameservers are how secure they are and how robust they are in the face of large network failures or attacks. You should ask:
Does the provider have diverse, redundant servers to reduce the likelihood of a disruption (it may be done via anycast)?
What kind of Distributed Denial of Service (DDoS) protection do they offer?
What kind of Service Level Agreements (SLAs) or guarantees of uptime do they provide?
Protecting your domain name
Malicious actors tend to either try to deny anyone access to your nameservers such that no one can reach any of your servers, or they try to impersonate your servers, called masquerading, to provide false information, steal login credentials or redirect internet traffic. Denial of service is something you need your nameserver provider to deal with for you.
Most masquerading attacks involve getting access to your registrar account and changing the nameservers used or the Domain Name System (DNS) data served, such that users go to a fake site run by the attackers, not your legitimate servers. It is important to protect your registrar account credentials in much the same way you secure any privileged accounts:
Use strong passwords
Never use the same password on your registrar account that you have used anywhere else
Use a password manager
Use multifactor authentication
Only give the permissions necessary for each person to do their job
Phishing training for staff
Use role or company only emails for recovery emails
Regularly audit access and accounts
Use registrar and registry locks to prevent domain transfers or changing your authoritative servers, if they are available from your registrar
Beyond that, on your servers, do what you do for any critical service:
Actively monitor your domain for changes to your authoritative servers
Monitor key records/services, such as web and email
Set up alerts for critical or unexpected changes
Monitor web certificates to see if any servers you don’t recognize have a certificate for your domain name
Summary
By picking a robust operator to run your nameservers and keeping your registrar accounts secure, you can prevent malicious actors from “stealing” your online presence.
Additional reading
You can find links to more articles from Paul over at his company's website, Layer 9 Technologies.
Do you have questions about this topic? You probably aren’t alone! Use the buttons at the top right corner of the page to connect with us on social media or join us as a caller on a future episode of The Mindful Business Security Show and ask your questions on the podcast!