Ask HN: How do I secure the domain for my business?
In all of my infrastructure, the provider hosting my domain (nameserver) is the most critical part. If I lose the account/access to whatever provider is hosting my domains everything crumbles. It's a single point of failure.
What are best practices to make this as secure as possible?
63 comments
[ 2.8 ms ] story [ 96.2 ms ] threadI don't hold any domains for corporate enterprise purpose but, if I did, I'd be looking for domain registrars that can provide some guarantees.
I don't know if such a thing exists, hopefully someone here can answer that, but if not, I'd start making some phone calls/sending some emails to see what/who can offer better than your typical cookie cutter registrars.
Since I'm from Germany it'd propably be best to also use a provider from Germany in case any legal issues arise.
Make sure you set up 2FA, fallback email addresses (also 2FA'd), pay for 10 years in advance, etc, but most important is that the company will call you if there's a problem or a transfer request.
Similarly, make sure you call them every 6 months, confirm your authentication process, confirm all your points of contact, confirm billing, etc, etc. Put it in your calendar, and make sure it gets done.
Your domain name is a single point of failure that you cannot avoid: your only choice is to get the best service you can justify in your budget.
Are you trying to secure it against someone transferring the domains out of your account? Make sure you have all the account security up to date and correct (2FA on the account + the email account that has the ownership), and that all the "transfer locks" are setup (EPP codes and so on)
Are you trying to secure your DNS setup against various DNS attacks? Read up on DNS and various security patterns you can implement like DNSSEC and so on.
You're trying to prevent issues regarding DNS uptime (in case the main domain stops resolving, or other system problems)? In that case, setup DNS over multiple TLDs (and registrars) and have a process for failing over.
In short, it depends on what you're trying to protect against, and who you are trying to protect it against.
Also, chose a registrar that won't just terminate your account over nothing (like Google is famous to do). I've had good luck with DNSimple over the years. Sign up for their enterprise plan and make sure to stay up-to-date on their policies. If you see that they start acting "googley", start thinking about moving to another one.
There's also another risk: if you decide after 2 years you're not happy with your registrar, tough luck, you've already paid for 10 years.
The only time it becomes a problem is if your new registrar doesn't support N+1 year registration - your 8-year example means you need to find someplace that supports 9- or 10-year regs.
It's written for domains under gov.uk, but, ignoring that, the rest is universal and thorough.
You may need to switch to a registrar that will let you do it, but that's generally a matter of finding one and giving them enough money, which isn't really difficult. Look for a corporate/brand focused registrar and call their sales and see what the minimum spend is.
If the registry for your domain doesn't do any registry locks, then you would need to switch to a different TLD, which is difficult.
Being a paying customers can do wonders
No affiliation with them, but my personal domains are registered with a local Dutch registrar, who in turn registers some of them with Key-Systems.
I presume all this is for a legitimate business and thus any operator will do.
However, if you get a domain within the top 4-5 TLD (the original TLD of .COM,.NET,.ORG,.EDU,.INT/.MIL/.GOV), all of these domains are ultimately belonging to US incorporated entities or governmental organizations and not any UN operated office thus is not party to the UN charter and the legal avenues afforted to it.
Operationally there is .onion that is non-organizational for the TOR network as well as .I2P for Freenet.
So it may do you well that you get both .de and .com as well as any other .tld you are willing to spend and protect for your brand name as that's what alot of scammers/spammers and marketers will try to redirect traffic into due to mistyped characters. Also for legal/public campaigns that may be counter to your business direction or your client's.
One last thing: There is the whole DNS server aspect of a machine sending out answers to your infrastructure. The domain usually has a locking mechanism that procedually protects the domain from being transferred to another provider at whim. I would spring for the anonymization to prevent social engineering attempts as well as extend your DNS records into DNSSEC to ensure to the world that every answer or call back to your DNS records are flat factual answers that are cryptographically sound. DNS is one of the few things that helps control the chaos doesn't overrun the network.
And be sure to pay your bill on a multiyear basis with reminders at the CTO/CFO level - there is usually a 30-60 day soft hold after the domain expires but it's a regular occurrence with every corporation as to whether or not they catch domains that are important to their image or brand vs. ones simply forgotten and become swiped up for ransom or other possibly unwholesome pursuit.
Cheers!
I don't know how you can defend against that, except having a company incorporated with that name in the country which corresponds to the TLD.
see https://www.icann.org/resources/pages/policy-2012-02-25-en for the UDRP, which is used for most, but not all the TLDs.
https://www.cloudflare.com/products/registrar/custom-domain-...
https://markmonitor.com/
The registrar for google.com? microsoft.com? netflix.com? ubuntu.com? reddit.com? amazon.com? They all use Markmonitor.
Of course, markmonitor aren't perfect: https://news.ycombinator.com/item?id=28351432
Other options include 'CSC corporate domains', the registrar for apple.com and twitter.com - and some companies, like facebook and cloudflare, are their own registrars.
I believe Cloudflare's initial purchase requirement is much lower.
Never had any hijacks after that. We did have to postpone a DNS service change because the CEO didn't answer the verification call and the registry wouldn't try again on the same day. No big deal, we set up the lock for a reason and fail-closed is desirable.
[1] I know, but the CEO thought they must still be good, because they were in charge in the 90s. I'll check closer on these things in the future, I guess.
Other protections are obviously good, but less effective like:
- buy your domain on different TLDs and registars and host the same site and all services that can be duplicated on them, citing all other domains you own on all, as needed you have well established evidence that you are the right owner and others if one disappear easily find the others;
- keep you customers informed of all your domains/services/public part of your infra so in case of issues (of any kind) they understand that something happen and probably most interesting one can still find you;
- mirror your websites on ZeroNet and advertise them in all officials ones, of course 99.9999% of business customers never ever even try ZeroNet for curiosity but it's evidence, something working and something you can potentially embed in other software (depending on your activity).
Surprisingly I haven’t find any good solution among the answers here.
Note how domains like google.com, amazon.com, microsoft.com are registered with them. You can find similar services by looking in Whois records, e.g. bankofamerica.com is with www.cscprotectsbrands.com, lloyds.com is with ascio.com.
No web developer or web development agency or SEO person or whatever needs your EPP/transfer codes. I say this because I have absolutely lost count of the amount of businesses that just hand this over because these people just say they need it and before you know it, the domain you put so much effort into managing ends up on some crappy web hosting service. It's gotten beyond the joke. I feel like every business I've ever been associated with has seen this. Marketing hires some "digital marketing consultant". Suddenly the domain is sitting on Crazy Domains and the entire zone is empty.
And I have to admit, yes I'm salty. I got torn to pieces over a large mail cluster "failing" and this turned out to be the cause.
Or after the cause is known. Unless maliciously done "tearing someone to pieces" is a strange way to deal with managements training failures, lack of procedures or similar.
I would be more interested in how to secure it from the registrar fucking up? Is there a way to hold a domain so that even when your registrar is being tricked into giving it awway, you can still prevent that or get it back?
Or do we have to wait for cryptographically secured ownership of domains so that a key that only you yourself hold is needed to move it? Something like Ethereum Name Service domains?
ns-1271.awsdns-11.co.uk
ns-522.awsdns-02.net
ns-433.awsdns-03.com
ns-1870.awsdns-03.org
In your case, you'd likely want to each domain used in your custom nameserver configuration to be registered at a different company. In this way, you no longer have a single point of failure.
Your registrar should be under different administration from your DNS servers (more than one), which should be different from your service (e-mail/web/etc) host(s). If you want to play it real safe you could get matching names under different TLDs, but only after you've separated the above.
This way, either of your nameserver companies closing you off should pose little practical problem, while limiting the relationship with your registrar to nothing more will significantly lower the possibilities of issues occurring there.
Put the account e-mails for the above providers under a different domain than the one under management.
So assuming you don't run your own physical infrastructure (all the power to you if you do) for either part, you need at least 4 different accounts spread over at least 3 different companies.
Putting one of the name servers at either the registrar or the web-hosting provider is not that terrible though, as long as it's not the only one.
Wouldn't it increase the risk not decrease it? Now there will be three single point of failure and compromise of any of the three party will result in downtime. In theory, the later two could be recovered or moved but your solution doesn't solve any problem.
> Most importantly securing against account termination and being unable to recover that account (like it happens a lot with Google).
We are not solving for high availability or minimizing risk of brief downtime here. The DNS part I addressed, so you're really down to two. DNS round-robin and monitoring can get you close enough to one. Until a solution like Handshake/ENS are adopted, you won't get away from the registrar.
If your DNS host is unavailable _and_ they're your registrar, then you can't make changes at the registry to use a different DNS host.
But if they're unavailable and they're not your registrar, then you can still make changes at the registry to use a different DNS host (although you'll still have to deal with the two-day TTL on the NS records at the root).
So the idea of using a different registrar and DNS host amounts to separating the control and data plane for your domain.
Big registrars can’t afford any support costs since they prefer to squeeze the price down as far as possible, and therefore they prefer to simply lose or outright drop any customer in case of any and all problems. Conversely, small registrars may charge more, but have better (i.e. actually existing, and sometimes even dedicated and personal) support for when things go wrong, and have a vested interest in keeping you as a customer.
A small registrar might also be so small as to know you personally, which will help monumentally against any social engineering attacks.
Full disclosure: I work at such a registrar, but I see that you’re not in our target market.
1. https://news.ycombinator.com/item?id=29112559
2. https://news.ycombinator.com/item?id=26865752
All my clients lost access to my saas for the guts of a day until I could get Nominet to fix.
For tech, just choose some big registar with good reputation, and use all measures, registar recommends, like 2FA, chrypto-keys, etc. For example my friend register his domain on GoDaddy.
For legal issues, it depends on your jurisdiction. For example, in Ukraine we could bye 2nd level domain .ua, if have registered trademark, and process of registration lasts for 2 years.
Mean, you send request to government registration service, that you want to register some name, than they make checks, to ensure nobody use this name, and that not exists some names which very similar (so you will not look associated with Mercedes or some other well known brand), and if all ok, you will receive official registration rights, and after that you could ask to registar .ua name, and it will be associated with your legal entity (I'm not sure, most probably possible register as private person just to your name).
And after that procedure, nobody could steal your domain without stealing your entity. Even if you will once forgot to pay for domain, it will just remain blocked, and nobody else could use it, until end official registration of trademark.
For other domains, like .com or local, things are slightly different, but all very similar, in that if you have registered trademark (same as domain name without suffix), you have legal power to defense. And nearly all hostings respect this power, so in most cases you will not need to call judge, just send to hosting support photo of documents of registered trademark, and hosting will immediately remove site of person, who try to use your registered trademark name.
Once, when should made another automatic payment, happens some technical error, so payment transaction where not successful, and provider immediately removed domain and site, so site disappear and domain becomes non-registered and open to anybody.
Fortunately, site/domain where not very important for him, so in a few days he discovered this, and registered same domain on other registar and recreated site from outdated backups.
As I know, many domain registars now offer special service, it named differently, but idea is the same - for very small additional cost (or even free), when domain registration end, it switched to locked for 30 days or something similar, when nobody else could buy domain and reregister it for themselves, so you will have time to fix issues if they happen. Other registars could in such cases call you to all your contacts, and don't turn off domain for a week or more, so similarly, you have time to make payment or to fix technical issues.
You probably don't need all infrastructure to be built on same domain as you build your marketing part (the domain exposed to customers). Have it built around another domain.
You can have all your endpoints to be served from several subdomains, so you can do that as well.
If one domain crumbles, you can switch to use of another one in mere minutes.