Do you own your DNS?
This sounds like a simple question with the obvious answer: Yes of course you do, because it’s your website and your email, right? Unfortunately, the answer is not that simple, and the real answer could put your company in a difficult position.
DNS is short for Domain Name System. It is the service that matches your domain name to a business IP address (a unique number) which enables people to locate and see your website. If you have a live website, you also have a working DNS. And, if your DNS is not working, your website and email will not be accessible to the Internet at large. This is why it is critical to ensure that you own your DNS.
And when we say you, we mean the company, not the IT person who could leave at any moment, and not the marketing company that assured you they need to own the DNS to update your website (they don’t). It should be your company. This helps to ensure that other people or organizations can’t use ownership of your DNS against you; remember, the DNS serves up your website and links to your email system. It is also important to stay on top of your DNS renewal dates, including payments, so that your DNS registrations don’t lapse and leave you subject to a DNS hijacking attack.
DNS Quick Check
If you’re not sure whether you own your DNS, here’s a quick way to find out.
- Execute a WHOIS search by hopping on your search engine of choice and typing in ‘WHOIS search’.
- Enter your domain name and review the information.
- Use the information you see to determine who your domain registrar vendor is.
- Take a look at the nameservers listed. If they are not related to the registrar, there is a third party in the mix. This could be by design or could be an indication that you don’t ‘own’ your DNS.
- If you cannot log into the management portal for your registrar, you should submit a ticket to go through an ownership verification to regain access. If your nameservers differ from your registrar and you cannot access the management for your nameserver vendor, you can switch nameservers back to the registrar but make sure you accurately bring over all DNS records that keep your resources operational.
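The quick check above can also be run against saved WHOIS output. The following is an added example, not part of the original article: it assumes the common gTLD field names (`Registrar`, `Registry Expiry Date`, `Name Server`), uses a constructed sample record, and relies on a caller-supplied list of the registrar's own nameserver domains (a hypothetical value here).

```python
from datetime import datetime, timezone

# Constructed sample in the common gTLD WHOIS layout; not a real record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2025-03-01T00:00:00Z
Name Server: NS1.THIRDPARTY-DNS.TEST
Name Server: NS2.THIRDPARTY-DNS.TEST
"""

def parse_whois(text):
    """Collect 'Key: value' lines; keys such as Name Server may repeat."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def audit(text, registrar_ns_domains, today, warn_days=60):
    """Return the facts the quick check asks for, plus a renewal warning."""
    f = parse_whois(text)
    nameservers = [ns.lower().rstrip(".") for ns in f.get("name server", [])]
    # Third party = not under a domain the caller lists as the registrar's own
    # nameserver domain (caller-supplied; WHOIS does not state this itself).
    third_party = [ns for ns in nameservers
                   if not any(ns == d or ns.endswith("." + d)
                              for d in registrar_ns_domains)]
    raw = f.get("registry expiry date", [None])[0]
    days_left = None
    if raw:
        expiry = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        days_left = (expiry - today).days
    return {
        "registrar": f.get("registrar", [None])[0],
        "nameservers": nameservers,
        "third_party_nameservers": third_party,
        "days_to_expiry": days_left,
        # An unreadable expiry date is treated as needing attention.
        "renewal_warning": days_left is None or days_left < warn_days,
    }

if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed date for the demo
    for k, v in audit(SAMPLE_WHOIS, ["example-registrar.test"], now).items():
        print(f"{k}: {v}")
```

A non-empty `third_party_nameservers` list is not a finding by itself; it is the prompt to confirm that your company holds the login for that nameserver vendor.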
Now that you know who owns your DNS, implement a few best practices.
- Ideally, your domain should be with a company that offers domain creation and domain renewal as well as DNS management and web hosting. Organizations like Cloudflare, Bluehost and GoDaddy are examples.
- Your registrar account should be generic to your company, like your business name.
- Consider purchasing domain registration privacy offered through your registrar to obfuscate the publicly available information from WHOIS lookups.
- Access to your registrar account should be protected with multi-factor authentication and should leverage password best practices.
- Utilize separate contacts for your admin and technical contacts. Ideally, the email addresses used should be generic. You should send emails to a few different contacts to help ensure important emails, such as the domain renewal email, aren’t missed.
- Owning the DNS should stay with the company, including direct access to your registrar and your nameservers.
- Do not let others have access to your registrar account. Once access is granted, they could have the ability to move your domain and make themselves the point person for renewal and billing information. This opens up too many opportunities for you to be put in a bad situation with your website.
- Marketing or web companies do not need access to your registrar top-level account. You do not have to grant access to update your website.
Although the topic of who owns your DNS seems a tad mundane and a lot less problematic than a phishing attack, the outcome of losing control can be hugely detrimental to your business. Take some time to go through the process of learning who owns your DNS, and if necessary, go through the steps to regain control. If you want to read more about highly sophisticated DNS hijackings, check out A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security