en

Good Practices for the Registration and Administration of Domain Name Portfolios (Part I)

30 May 2017

Carlos AlvarezCarlos Alvarez, SSR Engagement Director (LAC)

This content is only available in

null

It's always wise to remember good practices related to the registration and administration of domain names, especially when referring to portfolios with tens or hundreds of them. Good practices allow companies to have their online operations uninterrupted and prevent them, for example, from losing their domain names due to expiration or hijacking. On the other hand, poor practices can lead to disruptions in business, loss of customer confidence and harm to reputation, among other negative consequences.

This blog post, the first in a series, covers three good practices – and more will come in posts. Let's get started.

Keep Registration Information Up to Date

At the point of creation of each domain name, the registrant provides contact details to the registrar. This information is then made publicly available via the WHOIS service, allowing companies to be contacted for a wide number of reasons – including technical or operational matters associated with the domain, interest in the content posted on the associated website, or security concerns.

Companies should make sure that the contact data as displayed in WHOIS is accurate and up-to-date. Incorrect or obsolete information can prevent security researchers from contacting registrants whose domains may have been compromised, or potential business partners from establishing a contact that could lead to a new business opportunity.

Don't Use Personal Email Addresses

Companies should not allow the use of personal email addresses in the registration data of their corporate domain names. This recommendation includes both email addresses that employees use outside of work and email addresses that identify individuals in the organization. Both can leave a company vulnerable.

  • Don't allow the use of personal email addresses, such as johndoe@gmail.com or janedoe@hotmail.com.

    The email addresses listed for the registrant and the administrative contact of a domain name are key for its administration. When employees' personal email addresses are listed, nothing prevents them from hijacking the domain when they leave the company.

  • Use generic, role-based or department-based email addresses, such as domain_admin@companyname123.com, instead of email addresses with people's names, such as j.doe@companyname123.com.

    Providing the names of individuals involved in the administration of corporate domain names exposes them to an increased risk of social engineering and spear-phishing attacks aimed at the company. Instead, use role-based or department-based names, ideally with several users receiving communications sent to those addresses.

Avoid Having Domain Names In-Bailiwick

Bailiwick is the situation that exists when a company registers the domain example.com and then lists the email addresses user1@example.com and user2@example.com in the domain name's WHOIS.

Attackers who gain control of ta domain name in the bailiwick can redirect email by replacing the legitimate name servers with name servers that they operate. They can then add an MX record that directs email to a mail server that they also operate. Or they can turn off email entirely by deleting the domain's MX record, in which case no email will be sent to or received by the company that registered the affected domain.

An extra layer of difficulty is added when the registrar cannot communicate with the affected company, as it has no access to its corporate email. This situation requires out-of-band communication and proof to the registrar that the company is indeed the affected registrant.

Look for future posts where I'll give you other good practices to follow!

Carlos Alvarez
Carlos Alvarez
SSR Engagement Director (LAC)

Carlos Alvarez

Read biographyRead biography