How to Adopt a Robust Domain Name Security Strategy

Gareth Jehu, CTO at Com Laude, has strong words to say on encryption protocols, domain locks and more.

At the start of the pandemic, Zoom suffered a setback when hackers crashed meetings by ‘Zoombombing’. Failing to adequately secure its software was costly, resulting in a $85 million (£61.7 million) lawsuit. There are currently more than 30,000 website exploits everyday, yet at least 20% of the Alexa Top 100,000 websites still don’t use any encryption, leaving them vulnerable.

Domain names are a vital component of digital infrastructures, yet security practices around them can often be overlooked meaning companies are wide open to attacks. From encryption to registry locking, below we explore some of the key facets of domain name security strategies that are too often ignored.

Implementing an Up-To-Date Encryption Protocol

Active websites, apps and online services that store confidential data should employ encryption methods such as SSL/TLS (Secure Sockets Layer / Transmission Layer Security). Google recently reported that 89% of the browsing traffic in Chrome is using encryption, but with 20% of the top 100,000 websites still not using any, the message hasn’t been heard.

Today, SSL or TLS is essential for all domain names that support critical business functions. However, some organisations argue that encryption isn’t required if their core web presence is informational, but when the average cost of an SSL/TLS certificate is negligible, it seems counterproductive for an organisation investing in a domain name to not secure their digital presence.

A key challenge in encryption has been the growth in free certificates and the reduction in validity terms. Until recently, organisations could buy certificates that lasted up to three years, and only had to authenticate their credentials once during this time. Today, organisations such as Let’s Encrypt issue certificates for months, rather than a year at a time, meaning the domain name holder needs to authenticate them much more regularly.

Auditing the Domain and SSL/TLD Portfolio Regularly

Auditing, much like the MOT of your car provides for a vital health check, covering key factors such as who owns each domain, and how registrations are being used.

Like domain names, many organisations see individuals purchasing SSL certificates on an ad-hoc basis – this unstructured approach can lead to issues and unnecessary costs. Many organisations routinely don’t know key information such as which domain names are using SSL certificates and what the management process is.

Once an organisation has followed key steps to explore their security requirements before considering the right certificate strategy, such as understanding which domain names within the portfolio currently resolve, they can then determine a future policy for SSL adoption and management. To highlight the importance of having a formalised certificate management process, consider the following: If an organisation has 50 SSL certificates, then the management burden per annum can be up to 225 hours, or approximately 28 working days if there are no processes in place.

Adopt a Robust Domain Lock Solution

To prevent domain hijacking, organisations should ensure their critical domain names, where possible, are protected by domain locks.

A growing number of top-level domain (TLD) registry operators now offer a robust domain lock solution called Registry, ensuring only authorised personnel are able to make changes to DNS settings using a multi-factor authentication (MFA) process.

However, not all TLD operators support locking at the registry server level so it’s key organisations understand which domain names should be locked. An experienced Domain Strategist will manage this process and ensure the portfolio is regularly aligned to reflect the ever-changing digital landscape.

Choose a Trusted Enterprise Domain Name Service Partner

Major DNS outages can wreak havoc. DNS records are complex beasts that need TLC – but how regularly do we actually check the DNS settings are correct?

Organisations often have a number of people who can make changes to the DNS settings – some of these changes may not be widely recorded within the wider business, which can lead to details being off-policy. It’s crucial organisations carry out regular audits of the domain portfolio to identify where there might be issues.

Every business should understand how their domain names are being used and whether they’re delivering an ROI. Internal stakeholders might not realise a domain is no longer resolving to the correct website. DNS traffic analysis highlights anomalies and high-traffic domain names which may need enhanced security management.

A key part of a DNS health check involves testing the performance of the DNS infrastructure provider. Working with enterprise providers such as NS1 ensures the critical domain names are supported on the most secure and fastest networks.

Auditing DNS regularly is now considered best practice.  In 2019, the US Department of Homeland Security issued an emergency directive on DNS Infrastructure Tampering. The first action recommended for organisations was the audit of DNS records to ensure they are resolving correctly, and that MFA is being utilised.

By Gareth Jehu, CTO at Com Laude.

Gareth Jehu has 20 years’ experience of working in domain name management and served in multiple operational and technical senior management positions for both domain name registrars and registries.

Popular Articles