
Good Practices for the Registration and Administration of Domain Name Portfolios (Part I)


It's always wise to remember good practices related to the registration and administration of domain names, especially when referring to portfolios with tens or hundreds of them. Good practices allow companies to have their online operations uninterrupted and prevent them, for example, from losing their domain names due to expiration or hijacking. On the other hand, poor practices can lead to disruptions in business, loss of customer confidence and harm to reputation, among other negative consequences.

This blog post, the first in a series, covers three good practices; more will follow in future posts. Let's get started.

Keep Registration Information Up to Date

At the point of creation of each domain name, the registrant provides contact details to the registrar. This information is then made publicly available via the WHOIS service, allowing companies to be contacted for a wide number of reasons – including technical or operational matters associated with the domain, interest in the content posted on the associated website, or security concerns.

Companies should make sure that the contact data displayed in WHOIS is accurate and up to date. Incorrect or obsolete information can prevent security researchers from contacting registrants whose domains may have been compromised, or potential business partners from establishing a contact that could lead to a new business opportunity.

Don't Use Personal Email Addresses

Companies should not allow the use of personal email addresses in the registration data of their corporate domain names. This recommendation includes both email addresses that employees use outside of work and email addresses that identify individuals in the organization. Both can leave a company vulnerable.

  • Don't allow the use of personal email addresses, such as johndoe@gmail.com or janedoe@hotmail.com.

    The email addresses listed for the registrant and the administrative contact of a domain name are key for its administration. When employees' personal email addresses are listed, nothing prevents them from hijacking the domain when they leave the company.

  • Use generic, role-based or department-based email addresses, such as domain_admin@companyname123.com, instead of email addresses with people's names, such as j.doe@companyname123.com.

    Providing the names of individuals involved in the administration of corporate domain names exposes them to an increased risk of social engineering and spear-phishing attacks aimed at the company. Instead, use role-based or department-based names, ideally with several users receiving communications sent to those addresses.

Avoid Having Domain Names In-Bailiwick

A domain name is in-bailiwick when a company registers the domain example.com and then lists email addresses under that same domain, such as user1@example.com and user2@example.com, as the contacts in the domain name's WHOIS.

Attackers who gain control of a domain name in the bailiwick can redirect its email by replacing the legitimate name servers with name servers that they operate. They can then add an MX record that directs email to a mail server that they also operate. Or they can turn off email entirely by deleting the domain's MX record, in which case no email will be sent to or received by the company that registered the affected domain.

An extra layer of difficulty is added when the registrar cannot communicate with the affected company, because the company no longer has access to its corporate email. This situation requires out-of-band communication and proof to the registrar that the company is indeed the affected registrant.
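A portfolio audit that applies the two preceding recommendations (no personal addresses, no in-bailiwick contacts) to each domain's WHOIS contacts, as an added example that is not part of the original post. The freemail list, the approved role-mailbox policy and the sample portfolio records are constructed for illustration; a real run would feed in the contact data exported from your registrar.

```python
"""Audit WHOIS contact addresses for a domain portfolio (added example)."""
from dataclasses import dataclass, field

# Constructed list of consumer webmail providers; extend to suit your policy.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}
# Hypothetical policy: only these role/department mailboxes may appear in WHOIS.
APPROVED_ROLE_MAILBOXES = {"domain_admin", "dns_admin", "hostmaster"}


@dataclass
class Finding:
    domain: str
    contact: str            # registrant / admin / tech
    email: str
    issues: list = field(default_factory=list)


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower().rstrip(".")


def in_bailiwick(email: str, registered: str) -> bool:
    """True if the contact mailbox lives under the domain it administers."""
    d = email_domain(email)
    registered = registered.lower().rstrip(".")
    return d == registered or d.endswith("." + registered)


def audit_contacts(domain: str, contacts: dict) -> list:
    """Return one Finding per contact address that violates the policy."""
    findings = []
    for role, email in contacts.items():
        issues = []
        local = email.rsplit("@", 1)[0].lower()
        if email_domain(email) in FREEMAIL_DOMAINS:
            issues.append("personal webmail address")
        if in_bailiwick(email, domain):
            issues.append("in-bailiwick: mailbox depends on this domain's own DNS")
        if local not in APPROVED_ROLE_MAILBOXES:
            issues.append("not an approved role mailbox (possibly a named individual)")
        if issues:
            findings.append(Finding(domain, role, email, issues))
    return findings


# Constructed sample portfolio, mirroring the addresses used in the post.
SAMPLE = {
    "example.com": {"registrant": "user1@example.com", "admin": "johndoe@gmail.com",
                    "tech": "j.doe@companyname123.com"},
    "companyname123.com": {"registrant": "domain_admin@corp-mail.example",
                           "admin": "domain_admin@corp-mail.example"},
}

if __name__ == "__main__":
    for dom, contacts in SAMPLE.items():
        for f in audit_contacts(dom, contacts):
            print(f"{f.domain} [{f.contact}] {f.email}: {'; '.join(f.issues)}")
```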

Look for future posts where I'll give you other good practices to follow!

Comments

    Danny Burnaman  16:52 UTC on 30 May 2017

    Great article, looking forward to the remaining ones. Thanks

    Dirk Krischenowski  22:56 UTC on 30 May 2017

    Good article! The protection of personal data by non-personal email addresses is a good step to keep up with the upcoming European WHOIS requirements (GDPR, General Data Protection). Registrars should make registrants aware of this text, which should also be available in major languages.

    Anthony Asiemo  23:28 UTC on 01 June 2017

    My domain is down, can anyone help me here?

    NhiDung  01:02 UTC on 08 June 2017

    Great article, looking forward to the remaining ones. Thanks

    Ross Rhine  12:23 UTC on 09 June 2017

    Thanks for the useful tips! Never heard of the term "in-bailiwick" domains, but I was always smart enough to use out-of-bailiwick domains in whois contacts (email addresses).

    Jean Guillon  00:34 UTC on 22 June 2017

    Part 2 coming?
