Protecting and Securing your Domain Name

Number: IN14-003
Date: 15 December 2014

Purpose

CCIRC, in collaboration with the Canadian Internet Registration Authority (CIRA), has developed this Information Note to provide best practices and advice on securing your domain.

Assessment

Having a domain is an integral part of business today and care should be taken to protect it. Malicious attackers may be interested in your domain for a variety of reasons and CCIRC has recently observed a number of attacks using Domain Name System (DNS) & domain hijacking, and cybersquatting.

DNS & Domain Hijacking
Domain hijacking occurs when the registration of a domain name is changed without the permission of the owner. Attackers can use personal information obtained through social engineering to impersonate and then persuade the domain registrar to change DNS information or transfer the domain to another registrant.  This can lead to visitors who are intending to visit your website are instead being delivered to content controlled by the malicious actor.  Examples of this malicious content can include credential phishing, malware delivery, and brand/website defacement.

Another reason for attackers to hijack DNS and domain information could be to take control of the domain and associated email addresses in order to monitor traffic and capture data.  Analysis of captured traffic could provide a malicious actor with sensitive information, including usernames and passwords.  The malicious attackers could also submit and intercept password reset requests from cloud applications to hijack personal accounts.

Cybersquatting
Cybersquatting occurs when a registered domain expires, either intentionally or by mistake, and someone other than the original owner is able to gain ownership of it. This usually results in the new owner attempting to extort payment from the original owner. 

Impact
The loss or unauthorized modification of a domain could result in data compromise and service downtime.  This can lead to the loss of brand reputation, customers and revenue.

Past domain related attacks have involved high profile, high traffic websites including the Huffington Post, New York Times and Twitter. In those cases, reports indicate that DNS information was modified so that the domains were pointing to servers controlled by the attackers.

Suggested Action

CCIRC strongly encourages information technology owners and operators to select a domain registrar which support the following security products:

Registry Lock – Enabling Registry Lock helps ensure that attributes of the domain are unchangeable and no transfer or deletion transactions can be processed against the domain name (with the exception of renewals) unless authorized. Registry Lock is a service offered by CIRA through certified registrars, whereas a registrar lock is offered by a registrar only.
http://www.cira.ca/ca-websites/enhancing-the-security-of-ca/ca-registry-lock/

DNSSEC – Enabling DNSSEC with your domain registrar and DNS host help to prevent sophisticated malicious attacks including DNS hijacking and spoofing.
http://www.cira.ca/ca-websites/enhancing-the-security-of-ca/dnssec/

Domain owners should review the following domain name portfolio management best practices:

• Perform audits of your domain name portfolio on a regular basis. This includes monitoring for unauthorized changes to domain contact and DNS information; and for awareness of domain registration expiry dates.
• Ensure your domain contact information is being regularly monitored and updated with your registrar to help ensure that any changes made to the domain are being performed by the domain owner or an authorized person. Keeping this information both accurate and complete is crucial.
• Ensure you are able to receive communications from your domain registrar by adding them to your email whitelist.
• Incorporate domain name hijacking into incident response and business continuity planning. Develop a strategy to quickly restore your domain names and DNS configuration in case of attack.

Additionally, domain owners should review the following best practices for domain registry user accounts and any email addresses listed in your domain contact information:

• Use strong passwords which are unique from other passwords you may currently use elsewhere, or have used in the past.
• Avoid using publicly available details (e.g., information that may be found on social media) as answers to password hints and password reset identity verification questions.
• Enable multi-factor authentication.
• Add your registrar’s domain name to your email spam filter’s approved list to ensure that you receive communication and notifications from your domain registrar and/or registry.

References:

• Enhancing the Security of .CA
  http://cira.ca/ca-websites/enhancing-the-security-of-ca/
• CIRA improves safety of Canada’s Internet
  http://cira.ca/news/news-releases/improving-Canadas-Internet/
• Recent domain hijackings should remind CIOs of the importance of domain locking says .CA executive
  http://cira.ca/news/news-releases/recent-domain-hijackings-should-remind-cios-of-the-importance-of-domain-locking-says-ca-executive/
• SAC 044: A Registrant’s Guide to Protecting Domain Name Registration Accounts
  https://www.icann.org/en/system/files/files/sac-044-en.pdf

Date modified:

2015-11-19