The importance of keeping one's domain name secure is something many organisations and individuals take for granted. With .ca domain names in mind, but applicable to any domain name registrant, the Canadian ccTLD manager CIRA has published a handy Ultimate Domain Name Security Checklist.
CIRA note “it can be easy to forget just how many applications rely on the DNS to function, and how critical domain names are to the entire internet ecosystem.”
“If you manage a .CA domain name, or any other domain name, it is critical to understand just how central they are to both the functioning of your business and the security of your systems. No matter how small your business is or how insignificant some of your domains may be, if they become compromised they can cause headaches that spread throughout your ecosystem. Even old, unused domains can be used by hackers to infiltrate or embarrass your organization.”
The guide is a checklist of the records domain name registrants should keep and the actions they should take:
- Where is your domain name registered? Take note of the registrar name and their website.
- Is two-factor authentication enabled? If not, do it.
- Who is the DNS provider? Is it the registrar's default, or a third-party provider?
- Does the DNS provider have two-factor authentication? If they do, enable it. If not, consider finding one that does.
- Is the internal master DNS service unavailable for queries? That is, it answers no requests on any port except from the external/secondary DNS provider.
- Is the internal master DNS service running the latest software? If not, find out why.
- Do you have a secondary DNS provider? A backup DNS provider helps protect against DDoS attacks; if your domain name is mission critical you should have one.
- Does your secondary DNS provider have two-factor authentication enabled?
- Does your secondary DNS provider have Transaction Signatures (TSIG) enabled?
- What is the TTL (time to live) for your zone file?
- Does your domain require an Extended Validation (EV) SSL certificate? Is it enabled?
- What is the renewal date for your SSL certificate?
- Who is the registrant contact on your domain? Is their contact information up to date?
- Who is the technical contact on your domain? Is their contact information up to date?
- Who is the administrative contact on your domain? Is their contact information up to date?
- Have you whitelisted the emails coming from your registrar and registry so you can get critical security and technical updates?
- Do you know who has administrative access to your domain registrar? Make a list and keep it updated.
- What is the renewal date of your domain? Do you have auto-renew enabled?
- Have you reviewed the policy rules of your registrar and registry?
- Have you audited your DNS zone records?
- Do you have your primary zone file backed up, and is the backup tested and working?
- Is your domain locked at the registry?
- Do you have your domain name registration records on file? Backed up?
- Do you have your domain name billing records on file?
- Do you have any trademark and/or public documents associating you with the domain name on file? Backed up?
- Do you have any legal document relevant to your domain name on file? Backed up?
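Several of the items above can be checked mechanically rather than by hand. The following Python script is an added example (not CIRA's code, nor from the guides it links) that audits a domain against a few of them: whether registry (server-side) locks are present in an RDAP or WHOIS status list, whether the nameservers span more than one DNS provider, how many days remain until the domain and the certificate expire, and how to generate a TSIG key and a BIND 9 hidden-primary fragment that answers only the secondary. The RDAP record, nameserver hostnames, dates, IP address, key name and zone file name are all constructed for the example and are not real values.

```python
"""Domain-hygiene audit against constructed inputs (added example, not CIRA's code)."""
import base64
import re
import secrets
from datetime import datetime, timezone

# Constructed RDAP-style record (RFC 9083 member names) for a hypothetical domain.
# Status values use the RDAP spellings; normalize_status() also accepts the EPP
# CamelCase codes that WHOIS output shows (e.g. serverTransferProhibited).
SAMPLE_RDAP = {
    "ldhName": "example.ca",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "nameservers": [
        {"ldhName": "ns1.dnsprovider-a.example"},
        {"ldhName": "ns2.dnsprovider-a.example"},
    ],
    "events": [{"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"}],
}

# Registry (server-side) locks that a registrar cannot lift on its own. A "client"
# lock only protects against accidental changes made through the registrar.
REGISTRY_LOCKS = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}


def normalize_status(value):
    """Map EPP CamelCase codes (serverTransferProhibited) to the RDAP spelling."""
    return re.sub(r"(?<=[a-z])(?=[A-Z])", " ", value).lower()


def missing_registry_locks(statuses):
    """Return the registry locks the domain does NOT have (empty set = fully locked)."""
    present = {normalize_status(s) for s in statuses}
    return REGISTRY_LOCKS - present


def nameserver_providers(nameservers):
    """Distinct DNS providers, approximated by the parent domain of each NS host.
    Heuristic: drops the first label, so ns1.x.example and ns2.x.example count as
    one provider. A single provider means there is no secondary DNS provider."""
    return {ns["ldhName"].lower().split(".", 1)[1] for ns in nameservers}


def days_until(iso_timestamp, now):
    """Whole days from `now` to an RFC 3339 timestamp (RDAP expiration event,
    certificate notAfter, ...). Negative means already expired."""
    when = datetime.fromisoformat(iso_timestamp.replace("Z", "+00:00"))
    return (when - now).days


def new_tsig_key(name="primary-secondary.", algorithm="hmac-sha256", nbytes=32):
    """Generate a fresh TSIG secret: base64 of random bytes, as BIND expects."""
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode()
    return {"name": name, "algorithm": algorithm, "secret": secret}


def hidden_primary_config(zone, secondary_ip, key):
    """Render a BIND 9.16+ named.conf fragment for a hidden primary: ordinary
    queries are accepted only from the secondary (it needs SOA refresh queries),
    and zone transfers are allowed only when signed with the TSIG key.
    zone, secondary_ip and key are hypothetical values supplied by the caller."""
    return f"""key "{key['name']}" {{
    algorithm {key['algorithm']};
    secret "{key['secret']}";
}};
server {secondary_ip} {{ keys {{ "{key['name']}"; }}; }};
zone "{zone}" {{
    type primary;
    file "{zone}.zone";
    allow-query {{ {secondary_ip}; }};
    allow-transfer {{ key "{key['name']}"; }};
    also-notify {{ {secondary_ip}; }};
}};"""


def audit(rdap, cert_not_after, now):
    """Run the checks and return findings keyed by checklist topic."""
    providers = nameserver_providers(rdap["nameservers"])
    expiry = next(e["eventDate"] for e in rdap["events"] if e["eventAction"] == "expiration")
    return {
        "missing_registry_locks": sorted(missing_registry_locks(rdap["status"])),
        "dns_providers": sorted(providers),
        "has_secondary_provider": len(providers) >= 2,
        "domain_days_left": days_until(expiry, now),
        "cert_days_left": days_until(cert_not_after, now),
    }


if __name__ == "__main__":
    # Fixed clock and constructed certificate notAfter so the run is reproducible.
    now = datetime(2025, 2, 10, tzinfo=timezone.utc)
    print(audit(SAMPLE_RDAP, "2025-02-20T12:00:00Z", now))
    print(hidden_primary_config("example.ca", "192.0.2.53", new_tsig_key()))
```

On the sample record the audit reports all three registry locks missing (only client locks are set), a single DNS provider, 19 days to domain expiry and 10 days to certificate expiry. The `allow-query` restriction deliberately keeps the secondary's address, because a BIND secondary issues ordinary SOA queries to the primary before transferring; refusing those with `allow-query { none; }` would break replication.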
The original version of the checklist on CIRA's website was created in HTML, allowing it to be copied and pasted directly into GitHub, Jira, Confluence, or wherever else your workflow is managed. CIRA recommend reviewing and updating it once a year.
In their post, CIRA acknowledge the “checklist is pretty exhaustive—some would say it’s the ultimate—if you would like to dive deeper into domain name security, we suggest you take a look at A Registrant’s Guide to Protecting Domain Name Registration Accounts from ICANN’s Security and Stability Advisory Committee (SSAC).”
“Our friends at Akamai also recently published a great guide: Protecting your domain names: Taking the first steps. It goes into detail on a few of the items in our checklist and has some great insight.”
To copy and paste the original checklist, go to the original version on the CIRA website here.