Protecting Internet Domains and DNS
Thousands of domain names across hundreds of customers
MSPs overseeing thousands of domain names and DNS records across hundreds of customers face a daunting task. But before we dive into managing at scale, we'll discuss some of the basics that MSPs should know and share with their customers. The following are terms, acronyms, and basic operational controls that need to be in place to ensure the availability and security of customer Internet Domains. Also, check out our MSP Insights refresher on why it's so important to protect customer Internet Domains and DNS.
Ensure Domain Ownership and Protect Registrar Login
First, of course, is securing access to your customers' domain registrar and maintaining proper ownership. If the account used to purchase a domain name has a weak password, you can bet that someone's going to try and break in to take control of it altogether. Even worse, once a domain is hijacked, malicious actors can repoint and modify the DNS records to point to malware sites. Multi-factor authentication (MFA) is extremely useful for securing access to domain registrars.
Tracking Domain Expirations
Aside from securing registrar logins, it's important to make sure customers continuously retain ownership of their domains. Domain ownership is not permanent, and most registrars require annual renewals at a minimum. Often the renewal reminders will go to a contact email address that may be neglected, or the recipient is simply no longer with the company. Just ask Dell what can happen if renewal lapses on a key domain name. To prevent similar disasters and unnecessary interruption of business, you will want to make certain that domain expirations are tracked and that contact information is documented and checked to maintain ownership.
Domain Privacy Guard
Next, you may want to consider advising your customers to purchase a privacy guard service from their domain registrar and regularly review the information available about the domain. Every domain on the Internet has registration information about it in a large WHOIS (pronounced "who-is") database. The WHOIS database contains the physical address, phone number, email address, and other potentially private information about the person who owns every domain on the Internet, and it's all publicly available. You can check the WHOIS database for any domain at a major registrar's website or directly from ICANN. Privacy guard services provided by most domain registrars will enter generic information into the WHOIS database to protect critical details about the company or individual who owns the domain name.
Implementing Domain Security
Finally, you will want to implement domain security techniques like SPF, DKIM, DMARC, and DNSSEC. Stay with us here, as we sip the alphabet soup:
- SPF (Sender Policy Framework) records and DKIM (DomainKeys Identified Mail) are security records managed in DNS that are designed to grant administrators the ability to explicitly declare which servers can send email using their domain names. This eliminates basic email spoofing, in which a bad actor sends a fraudulent, malware-laced email that looks like it came from the CEO to the intern who just joined the company.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) is an enhanced method for preventing email spoofing that combines SPF and DKIM techniques. The email sending and receiving organizations share information with one another to ensure that details they know about one another are consistent and agree on rules for handling the email.
- DNSSEC (Domain Name System Security Extensions) is a security technique that improves the security of DNS lookups by digitally "signing" DNS responses with a digital certificate. The digital signature allows clients to verify that a DNS server's response is authentic and authorized. This, in turn, makes it much more difficult for attackers to hijack DNS and redirect users to unauthorized servers.
These 4 security techniques reduce the likelihood that a customer's domain could be used in some way without permission. If SPF, DKIM, DMARC, and DNSSEC are configured correctly, spam filters can quickly block phishing attacks and client systems will be able to verify that DNS records are correct. This significantly reduces the amount of harm that can be done using your customer's domain names.