Ask HN: How do I secure the domain for my business?
In all of my infrastructure, the provider hosting my domain (nameserver) is the most critical part. If I lose the account/access to whatever provider is hosting my domains everything crumbles. It's a single point of failure.
What are best practices to make this as secure as possible?
Here's a very good guide from GOV UK: https://www.gov.uk/guidance/keeping-your-domain-name-secure
It's written for domains under gov.uk, but, ignoring that, the rest is universal and thorough.
Wow, a lot of good advice in there. Thanks!
Unfortunately a registry lock for most TLDs seems very difficult to get.
Not all TLD registries offer registry locks, but those run by Verisign (includes .com, .net), Afilias (lots of gTLDs), and Neustar (.biz and .org) do, and according to a MarkMonitor slide deck, about 30 ccTLDs do.
You may need to switch to a registrar that will let you do it, but that's generally a matter of finding one and giving them enough money, which isn't really difficult. Look for a corporate/brand focused registrar and call their sales and see what the minimum spend is.
If the registry for your domain doesn't do any registry locks, then you would need to switch to a different TLD, which is difficult.
I know you're getting a lot of good technical advice in this thread but let me bring out something that needs to be said more often:
No web developer or web development agency or SEO person or whatever needs your EPP/transfer codes. I say this because I have absolutely lost count of the amount of businesses that just hand this over because these people just say they need it and before you know it, the domain you put so much effort into managing ends up on some crappy web hosting service. It's gotten beyond the joke. I feel like every business I've ever been associated with has seen this. Marketing hires some "digital marketing consultant". Suddenly the domain is sitting on Crazy Domains and the entire zone is empty.
Yes, I think business domains should be handled with absolute care and know-how internally. Hence why I put so much importance on this matter.
Honestly have a look at web development subs. You'll often find posts like "this business asked me to change their landing page but they want to manage their own domain WTF is this possible??".
And I have to admit, yes I'm salty. I got torn to pieces over a large mail cluster "failing" and this turned out to be the cause.
Maybe you should be salty that management thinks "tearing people to pieces" is an appropriate response to an incident before the cause is even known.
> "tearing people to pieces" is an appropriate response to an incident before the cause is even known.
Or after the cause is known. Unless maliciously done, "tearing someone to pieces" is a strange way to deal with management's training failures, lack of procedures or similar.
Strongly disagree with this sentiment, the point of hiring a professional is that there’s not a manual or a rulebook for every situation they face. You need their creative problem solving skills and good judgement.
It's an incident response. That almost always means an error, normally in policy like code review or security. Sure, I expect programmers to be able to write code creatively without having their hands held. But incidents should be prevented with checklists, because that's the best practice to prevent them.
Outside the best practices others are mentioning there are companies that specialise or provide high security domain registration, Mark Monitor are the big one. CloudFlare also offer this type of service. I have no idea how much it costs, would actually love to know if anyone has any experience with any of them?
https://www.cloudflare.com/products/registrar/custom-domain-...
https://markmonitor.com/
This. You can use 'whois' to find the registrars used by big sites.
The registrar for google.com? microsoft.com? netflix.com? ubuntu.com? reddit.com? amazon.com? They all use Markmonitor.
Of course, markmonitor aren't perfect: https://news.ycombinator.com/item?id=28351432
Other options include 'CSC corporate domains', the registrar for apple.com and twitter.com - and some companies, like facebook and cloudflare, are their own registrars.
One problem startups will run into with MarkMonitor and CSC is that they have a substantial minimum initial purchase. If you've got a domain portfolio, then that works out OK because you're just buying additional years on the domains you've already decided to keep, but it makes it impractical to use them for registry-locking one or two domains.
I believe Cloudflare's initial purchase requirement is much lower.
At my last job, I worked with MarkMonitor to get registry lock on our domains after an incident at Network Solutions [1]. It was expensive, but the price didn't matter because they had an annual spending requirement that was more than our annual renewals, since we didn't have many domains. Ownership has changed since then, and I don't have the slightest idea about current pricing. I think they charged us $1000/year for registry locks, on top of the $100/year for a .com/.net. If you had more domains, they might have had a bulk discount; but from our perspective, it was pay $$$$/year for registry locks on our two important domains and get the rest of our registrations free.
Never had any hijacks after that. We did have to postpone a DNS service change because the CEO didn't answer the verification call and the registry wouldn't try again on the same day. No big deal, we set up the lock for a reason and fail-closed is desirable.
[1] I know, but the CEO thought they must still be good, because they were in charge in the 90s. I'll check closer on these things in the future, I guess.
Apart from what's been said already: One basket per egg.
Your registrar should be under different administration from your DNS servers (more than one), which should be different from your service (e-mail/web/etc) host(s). If you want to play it real safe you could get matching names under different TLDs, but only after you've separated the above.
This way, either of your nameserver companies closing you off should pose little practical problem, while limiting the relationship with your registrar to nothing more will significantly lower the possibilities of issues occurring there.
Put the account e-mails for the above providers under a different domain than the one under management.
So assuming you don't run your own physical infrastructure (all the power to you if you do) for either part, you need at least 4 different accounts spread over at least 3 different companies.
Putting one of the name servers at either the registrar or the web-hosting provider is not that terrible though, as long as it's not the only one.
> Your registrar should be under different administration from your DNS servers (more than one), which should be different from your service (e-mail/web/etc) host(s).
Wouldn't it increase the risk, not decrease it? Now there will be three single points of failure, and compromise of any of the three parties will result in downtime. In theory, the latter two could be recovered or moved, but your solution doesn't solve any problem.
The issue OP is asking about is the "everything crumbles" scenario, and (from their comment down the thread):
> Most importantly securing against account termination and being unable to recover that account (like it happens a lot with Google).
We are not solving for high availability or minimizing risk of brief downtime here. The DNS part I addressed, so you're really down to two. DNS round-robin and monitoring can get you close enough to one. Until a solution like Handshake/ENS are adopted, you won't get away from the registrar.
Your registRAR's availability doesn't stop your domain from being present at the registRY, but _if_ your DNS provider becomes unavailable you'll be thankful that your registrar is able to change your NS records with the registry.
Even if you use your registrar's DNS you could change it in the same way. What would using a different DNS achieve?
There's three players: registry, registrar, and DNS host. The parts that affect your availability are the registry's nameservers and your DNS host. The registrar is the control plane for the registry -- if your registrar is unavailable and your registry and DNS host are fine, you're still up.
If your DNS host is unavailable _and_ they're your registrar, then you can't make changes at the registry to use a different DNS host.
But if they're unavailable and they're not your registrar, then you can still make changes at the registry to use a different DNS host (although you'll still have to deal with the two-day TTL on the NS records at the root).
So the idea of using a different registrar and DNS host amounts to separating the control and data plane for your domain.
What are you trying to secure it against? This is always the first step to think about, also known as "threat assessment" or similar.
Are you trying to secure it against someone transferring the domains out of your account? Make sure you have all the account security up to date and correct (2FA on the account + the email account that has the ownership), and that all the "transfer locks" are set up (EPP codes and so on).
Are you trying to secure your DNS setup against various DNS attacks? Read up on DNS and various security patterns you can implement like DNSSEC and so on.
You're trying to prevent issues regarding DNS uptime (in case the main domain stops resolving, or other system problems)? In that case, set up DNS over multiple TLDs (and registrars) and have a process for failing over.
In short, it depends on what you're trying to protect against, and who you are trying to protect it against.
Most importantly securing against account termination and being unable to recover that account (like it happens a lot with Google).
The only thing that would help you in that case is having an account at another registrar, with a similarly named domain (maybe a different TLD, or an added word in front of the domain name) that is established as an alternative but rightful domain in case of failure. Test the fail-over process and make sure your documentation describes what domains are legitimate fail-over domains for your users.
Also, choose a registrar that won't just terminate your account over nothing (like Google is famous for doing). I've had good luck with DNSimple over the years. Sign up for their enterprise plan and make sure to stay up-to-date on their policies. If you see that they start acting "googley", start thinking about moving to another one.
I actually wrote a blog post about this a while back at https://dev.to/conjuredbytes/domain-and-registrar-security-c.... Hopefully, someone finds it helpful.
Like I have said previously¹² about choosing a registrar: If you have regular backups, and if some downtime is not really a problem, it might be fine to use web server hosting, e-mail (and in extreme cases even DNS hosting), from some fly-by-night el cheapo provider. But your domain name registrar? Pick them carefully, don’t skimp, and make sure they have good support. Because when things go pear-shaped, you really want to be able to actually talk to someone to change your web server or e-mail DNS records (or even DNS servers) to somewhere else.
Big registrars can’t afford any support costs since they prefer to squeeze the price down as far as possible, and therefore they prefer to simply lose or outright drop any customer in case of any and all problems. Conversely, small registrars may charge more, but have better (i.e. actually existing, and sometimes even dedicated and personal) support for when things go wrong, and have a vested interest in keeping you as a customer.
A small registrar might also be so small as to know you personally, which will help monumentally against any social engineering attacks.
Full disclosure: I work at such a registrar, but I see that you’re not in our target market.
1. https://news.ycombinator.com/item?id=29112559
2. https://news.ycombinator.com/item?id=26865752
I would recommend using a company in your jurisdiction; they might be less known, a bit pricier, but will have some kind of customer support in your mother tongue in case things should go wrong.
Being a paying customer can do wonders.
Yeah, that's probably what I'm gonna do. Currently looking into Hetzner for the domain hosting since I'm from Germany.
I prefer to use a different company for my domains, as for other services--like Mail, Web, Hosting. Therefore, if something happens to one, it doesn't affect my other services. As you mentioned, you are from Germany. I can highly recommend https://INWX.de —I use them myself, and for hosting, I use Hetzner as well.
Thanks a lot. Signed up a few minutes ago on https://INWX.de and quite like what I see so far. It's nice that they are specialized in domains. For Hetzner it's just another service.
Another option in Germany is Key-Systems: https://www.key-systems.net/
No affiliation with them, but my personal domains are registered with a local Dutch registrar, who in turn registers some of them with Key-Systems.
Will look into it, thanks!
I would take a moment to pause and consider the TLD if you're concerned with authorities taking over your domain. Various TLDs (.com, .io, .pizza) have different policies regarding termination as well as different legal bases for whether or not seizure can be exacted in a given jurisdiction.
I presume all this is for a legitimate business and thus any operator will do.
However, if you get a domain within the top 4-5 TLDs (the original TLDs of .COM, .NET, .ORG, .EDU, .INT/.MIL/.GOV), all of these domains ultimately belong to US incorporated entities or governmental organizations and not any UN operated office, and thus are not party to the UN charter and the legal avenues afforded to it.
Operationally there is .onion that is non-organizational for the TOR network as well as .I2P for Freenet.
So it may do you well to get both .de and .com as well as any other .tld you are willing to spend on and protect for your brand name, as that's what a lot of scammers/spammers and marketers will try to redirect traffic into due to mistyped characters. Also for legal/public campaigns that may be counter to your business direction or your client's.
One last thing: there is the whole DNS server aspect of a machine sending out answers to your infrastructure. The domain usually has a locking mechanism that procedurally protects the domain from being transferred to another provider on a whim. I would spring for the anonymization to prevent social engineering attempts as well as extend your DNS records with DNSSEC to ensure to the world that every answer or call back to your DNS records is a flat factual answer that is cryptographically sound. DNS is one of the few things that helps keep the chaos from overrunning the network.
And be sure to pay your bill on a multiyear basis with reminders at the CTO/CFO level - there is usually a 30-60 day soft hold after the domain expires but it's a regular occurrence with every corporation as to whether or not they catch domains that are important to their image or brand vs. ones simply forgotten and become swiped up for ransom or other possibly unwholesome pursuit.
Cheers!
Having a smaller player can also make quite unpredictable "wonders", often not the wonders you expect.
The best protection for that is your local laws: choose a domestic provider and keep good lawyers around. Also remember the scale: an over-the-top provider has lobbyists, lawyers etc.; a smaller one probably has more human relations and less power in the local justice system.
Other protections are obviously good, but less effective like:
- buy your domain on different TLDs and registrars and host the same site and all services that can be duplicated on them, citing all the other domains you own on each, so that when needed you have well established evidence that you are the right owner, and if one disappears people can easily find the others;
- keep your customers informed of all your domains/services/public parts of your infra so in case of issues (of any kind) they understand that something happened and probably the most interested ones can still find you;
- mirror your websites on ZeroNet and advertise them on all the official ones; of course 99.9999% of business customers never ever even try ZeroNet out of curiosity, but it's evidence, something working and something you can potentially embed in other software (depending on your activity).
Register it to an email that you have full control of, e.g. don't use an email address linked to your university or employer. Take good care of your email (2FA). Use a domain registrar that you trust. Saving a few dollars each year on a domain is not worth the possible complications. If you are enabling auto renew, be sure at all times that your credit card is valid. Put reminders in your calendar about expiration dates.
Most advice here seems to be about securing it from yourself. Making sure you do not let someone get your credential via whatever means.
I would be more interested in how to secure it from the registrar fucking up. Is there a way to hold a domain so that even when your registrar is being tricked into giving it away, you can still prevent that or get it back?
Or do we have to wait for cryptographically secured ownership of domains so that a key that only you yourself hold is needed to move it? Something like Ethereum Name Service domains?
Some registries have a feature called “Registry lock”. This means that a domain cannot be transferred to another registrar without a lot of work to unlock it first.
Is that possible for .com domains?
Hostgator left me in a terrible situation once. Domain name came with hosting package and expired after 10 years. Hostgator had lost my records?! I went to Nominet and they were really helpful. I think I recollect that if you login to Nominet with your admin email address from your domain name you see your domains in the Nominet control panel. I guess Nominet are the big player in this scenario. Not sure if Nominet is UK.
All my clients lost access to my saas for the guts of a day until I could get Nominet to fix.
The major risk here is social engineering, someone who pretends to be you and call your registrar to get credentials reset.
Surprisingly I haven't found any good solution among the answers here.
I think markmonitor.com offers this sort of service, but I suspect it's "call us" pricing.
Note how domains like google.com, amazon.com, microsoft.com are registered with them. You can find similar services by looking in Whois records, e.g. bankofamerica.com is with www.cscprotectsbrands.com, lloyds.com is with ascio.com.
The main question is whether you want to defend against technical issues or legal ones, since the measures are extremely different.
For tech, just choose some big registrar with a good reputation, and use all the measures the registrar recommends, like 2FA, crypto keys, etc. For example my friend registered his domain on GoDaddy.
For legal issues, it depends on your jurisdiction. For example, in Ukraine we could buy a 2nd level .ua domain if we have a registered trademark, and the registration process lasts for 2 years.
I mean, you send a request to the government registration service that you want to register some name, then they make checks to ensure nobody uses this name and that no very similar names exist (so you will not look associated with Mercedes or some other well known brand), and if all is ok, you will receive official registration rights, and after that you could ask a registrar for the .ua name, and it will be associated with your legal entity (I'm not sure, most probably it is possible to register as a private person just in your own name).
And after that procedure, nobody could steal your domain without stealing your entity. Even if you once forget to pay for the domain, it will just remain blocked, and nobody else could use it, until the official trademark registration ends.
For other domains, like .com or local ones, things are slightly different, but all very similar, in that if you have a registered trademark (same as the domain name without suffix), you have legal power to defend it. And nearly all hosts respect this power, so in most cases you will not need to call a judge, just send hosting support a photo of the documents of the registered trademark, and the host will immediately remove the site of the person who tried to use your registered trademark name.
For technical issues, I know at least one real case: my friend registered a domain and created hosting, as a private person, and chose automatic recurring payment from his credit card. All was ok for more than a year.
Once, when another automatic payment should have been made, some technical error happened, so the payment transaction was not successful, and the provider immediately removed the domain and site, so the site disappeared and the domain became non-registered and open to anybody.
Fortunately, the site/domain was not very important for him, so in a few days he discovered this, and registered the same domain at another registrar and recreated the site from outdated backups.
As I know, many domain registrars now offer a special service, named differently, but the idea is the same: for a very small additional cost (or even free), when the domain registration ends, it is switched to locked for 30 days or something similar, when nobody else could buy the domain and reregister it for themselves, so you will have time to fix issues if they happen. Other registrars could in such cases call you at all your contacts, and not turn off the domain for a week or more, so similarly, you have time to make payment or to fix technical issues.
Apart from the 2FA for the domain service itself, ensure you are enforcing 2FA if you use an external mail provider. And set the domains to autorenew.
Mails are another interesting factor. If you use your own domain for mails, where should you have the nameserver for that domain? If I use that mail to sign up for a registrar and the service disrupts, theoretically my mails shouldn't work anymore as well and I would be unable to recover anything.
There are features of domain providers that can prevent domain transfer without certain conditions being met.
I don't hold any domains for corporate enterprise purpose but, if I did, I'd be looking for domain registrars that can provide some guarantees.
I don't know if such a thing exists, hopefully someone here can answer that, but if not, I'd start making some phone calls/sending some emails to see what/who can offer better than your typical cookie cutter registrars.
Thanks a lot! Yeah, I'm looking for a registrar that ensures high security, availability and most importantly a functional support. I don't mind paying extra bucks.
Since I'm from Germany it'd probably be best to also use a provider from Germany in case any legal issues arise.
This is really the best solution: pay (a lot) extra to get a registrar that offers enterprise class support.
Make sure you set up 2FA, fallback email addresses (also 2FA'd), pay for 10 years in advance, etc, but most important is that the company will call you if there's a problem or a transfer request.
Similarly, make sure you call them every 6 months, confirm your authentication process, confirm all your points of contact, confirm billing, etc, etc. Put it in your calendar, and make sure it gets done.
Your domain name is a single point of failure that you cannot avoid: your only choice is to get the best service you can justify in your budget.
What if a company incorporates using your name in this or that jurisdiction then claims your .com? It happened in the past (although many companies, at first, simply bought the .com from the early .com hoarders for it was easier and faster than claim the name ownership).
I don't know how you can defend against that, except having a company incorporated with that name in the country which corresponds to the TLD.
You seem to have a misunderstanding of how the domain dispute process works. Having a trademark/company registered doesn't allow you to expropriate domains from an existing owner. See for instance, nissan.com. However, if you registered a domain in "bad faith" against someone with a trademark (eg. using it to redirect to a competitor's site, or trying to extort money from them), your domain can be seized.
See https://www.icann.org/resources/pages/policy-2012-02-25-en for the UDRP, which is used for most, but not all the TLDs.
Don't make your infrastructure rely on a single domain then.
You probably don't need all infrastructure to be built on same domain as you build your marketing part (the domain exposed to customers). Have it built around another domain.
You can have all your endpoints served from several subdomains, so you can do that as well.
If one domain crumbles, you can switch to use of another one in mere minutes.
Set up an alternative e-mail address that you can assign to your hosting account. It happened once to me that my credit card failed and the domain didn't renew, which ultimately cancelled my domain. However, because of 2FA via e-mail, I couldn't log in to my account to pay the outstanding payment.
Buy for 10 years (assuming .com)
Beware: if your registrar of choice goes bust within those 10 years, you probably lose your money.
This is unlikely. When a registrar goes bust, the registry can take over, assign a replacement registrar by buyout or alternate agreement. See “Registerfly” case as an example.
In some cases though, the registrar only pays the registry for 1 year at a time, making the money their customers pre-pay effectively a low-interest loan for the registrar. If that registrar goes bust, you'll be able to transfer your domain to a different registrar, but you'll lose the money you paid (i.e. loaned) to the original registrar.
There's also another risk: if you decide after 2 years you're not happy with your registrar, tough luck, you've already paid for 10 years.
That's not usually a problem. You can transfer a registration with N years remaining, the new company will charge a one year registration and you now have N+1 years covered.
The only time it becomes a problem is if your new registrar doesn't support N+1 year registration - your 8-year example means you need to find someplace that supports 9- or 10-year regs.
Read the first part of my comment again. Some (many?) registrars don't actually register the domain for N years at once with the registry, even if you pay them for N years.
If they don't pay the registry, wouldn't it not show up in whois? If it doesn't show up with the expected expiration date in whois shortly after registration/renewal, I'd be demanding it get fixed.
I avoid using Google Domains as registrar or DNS server. Because if their weird bot locks my Google account, I lose access to my domain and there's no customer service to help.
You have not really given us enough information to suggest the best solution. For example, is this because you host many websites for other people who all use your custom nameservers? Either way, if you are hosting many sites with custom nameservers, look at what AWS does for its nameservers for Route 53. Theirs are set up like so:
ns-1271.awsdns-11.co.uk
ns-522.awsdns-02.net
ns-433.awsdns-03.com
ns-1870.awsdns-03.org
In your case, you'd likely want each domain used in your custom nameserver configuration to be registered at a different company. In this way, you no longer have a single point of failure.
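Several checks from this thread (whether the registry lock and registrar transfer lock are actually set, whether the whois/RDAP record shows the expiry date you paid for, and whether the nameservers are spread across TLDs like the AWS set above) can be run against one RDAP record; the script below is an added example, not from any commenter. The two RDAP-style records are constructed, the field names follow the RDAP JSON format (RFC 9083) with EPP statuses spelled as RFC 8056 renders them, and the zone/TLD split is a plain label split rather than a public-suffix lookup.

```python
"""Audit an RDAP domain record for transfer locks, expiry and nameserver spread."""
from datetime import date, datetime

TODAY = date(2024, 12, 1)          # fixed "now" so the audit is reproducible offline
RENEWAL_WARNING_DAYS = 90
# A registry lock surfaces as the server-side prohibitions (RFC 8056 spelling of the
# EPP statuses); the ordinary registrar lock is EPP clientTransferProhibited.
REGISTRY_LOCK = {"server transfer prohibited", "server delete prohibited",
                 "server update prohibited"}
REGISTRAR_LOCK = "client transfer prohibited"

# Constructed RDAP-style record (RFC 9083 field names) for a hypothetical domain
# that is registry-locked and spreads its nameservers like the AWS example above.
RDAP_SAMPLE = {
    "ldhName": "example-business.com",
    "status": ["client transfer prohibited", "client delete prohibited",
               "server transfer prohibited", "server delete prohibited",
               "server update prohibited"],
    "events": [{"eventAction": "registration", "eventDate": "2015-03-01T00:00:00Z"},
               {"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"}],
    "nameservers": [{"ldhName": "ns-1271.awsdns-11.co.uk"}, {"ldhName": "ns-522.awsdns-02.net"},
                    {"ldhName": "ns-433.awsdns-03.com"}, {"ldhName": "ns-1870.awsdns-03.org"}],
}
# Constructed record of the weak setup the thread warns about: no locks, a single
# NS provider, and an expiry that a failed card-on-file payment would not catch.
RDAP_WEAK = {
    "ldhName": "example-business.de",
    "status": ["active"],
    "events": [{"eventAction": "expiration", "eventDate": "2024-12-20T00:00:00Z"}],
    "nameservers": [{"ldhName": "ns1.cheap-host.example"},
                    {"ldhName": "ns2.cheap-host.example"}],
}


def parent_zone(ns_name):
    """Zone a nameserver host lives in: everything after the host label."""
    return ns_name.lower().rstrip(".").split(".", 1)[1]


def expiration_date(record):
    """Return the RDAP 'expiration' event as a date, or None if absent."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00")).date()
    return None


def audit(record, today):
    """Check locks, time to expiry and nameserver diversity; return facts plus findings."""
    status = set(record.get("status", []))
    expires = expiration_date(record)
    zones = sorted({parent_zone(ns["ldhName"]) for ns in record.get("nameservers", [])})
    tlds = sorted({zone.rsplit(".", 1)[-1] for zone in zones})
    findings = []
    if not REGISTRY_LOCK <= status:
        findings.append("no registry lock: server-side prohibited statuses are missing")
    if REGISTRAR_LOCK not in status:
        findings.append("registrar transfer lock (clientTransferProhibited) is not set")
    days_left = None if expires is None else (expires - today).days
    if days_left is None:
        findings.append("no expiration event in the record; ask the registrar")
    elif days_left < RENEWAL_WARNING_DAYS:
        findings.append(f"expires in {days_left} days: renew now, do not rely on auto-pay")
    if len(zones) < 2:
        findings.append("all nameservers sit in one zone: one provider outage takes the domain down")
    if len(tlds) < 2:
        findings.append("nameserver zones all under one TLD: spread them across TLDs/registrars")
    return {"domain": record.get("ldhName"), "registry_locked": REGISTRY_LOCK <= status,
            "transfer_locked": REGISTRAR_LOCK in status, "expires": expires,
            "days_left": days_left, "ns_zones": zones, "ns_tlds": tlds, "findings": findings}


if __name__ == "__main__":
    for rec in (RDAP_SAMPLE, RDAP_WEAK):
        report = audit(rec, TODAY)
        print(f"{report['domain']}: {report['days_left']} days to expiry, "
              f"registry lock={report['registry_locked']}, NS TLDs={report['ns_tlds']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Feeding it a real record means fetching the domain's RDAP JSON from the registry's RDAP server (the RDAP bootstrap at IANA points to the right one per TLD) and replacing the constructed dicts.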
Use a provider that uses 2FA for login