Sign In

Internet Performance Delivered right to your inbox

Tips On Protecting Your Company’s DNS From Digital Identity Theft

Hacked

Imagine this scenario:

You start receiving reports from a select few customers unable to access your site. At first, it seems like perhaps a random ISP having an issue, but the complaints grow steadily until you realize your phones are ringing off the hook, web site hits and orders are dropping like a rock, and it seems like the normal deluge of emails suddenly have slowed to a crawl.

Yeah, something isn’t right.

Even more frustrating, at first glance, all of your systems appear to be ok. Your web and email servers are powered on, your Internet providers report everything is ok, you can reach your servers via their IP addresses but the big issue remains: no one can reach your servers via your domain name.

You stop in your tracks. The domain name. A light bulb goes off, your face grows red, and you scramble to do a WHOIS lookup on your domain name, then a DNS query using dig. What you see in these lookups hits you like a ton of bricks.

You run to your domain registrar’s site and/or your DNS provider, crossing your fingers that your logins still work so you can roll back the changes made by…someone.

How This Happens

Over the years, there have been numerous instances of companies whose digitial identity is essentially wiped off the Internet for minutes, hours, or even days at a time. The most recent incident resulted in $12,000 worth of Bitcoins being stolen by hackers.

Whether it was a simple mistake such as forgetting to renew a domain name (like this unthinkable case with Hotmail in the UK) or something as sinister as their domain registration or DNS provider accounts being broken into (like January’s MIT issue or this collection of sites last September, it is important to be aware of what can happen and what you can do to prevent it from happening for your website.

Here are some tips for how to safeguard your most vital online assets: your domain registration and DNS provider:

Make trustworthy partnerships

Choose a registrar and DNS provider that features great customer service, is established, and follows acceptable security practices. You need to have the confidence that your registrar and provider has your back and is following best practices, but that if something were to happen, you can get ahold of them right away.

Using us as an example, we have very strict account recovery procedures to ensure the person contacting us is actually the rightful owner of the account. These procedures have evolved over the years as we followed other high profile security incidents and also had personal experiences with unknown individuals attempting to access customer accounts.

These procedures may not allow for instant access to an account, but it ensures that the risk of social engineering is minimal as possible as we dot our i’s and cross our t’s.

Do not use a weak password or common security question answers

Best practices call for using completely separate, unique, long, and random passwords for your domain registration and DNS provider accounts. Additionally, don’t use security question answers such as your mother’s maiden name. (Those are pretty easy to find these days.)

Also, never provide your password to anyone, even a tech support team. If the company you are working with runs their operation properly, they won’t need to know your password to look at your account. None of my Dyn colleagues (and even myself) can look up a customer’s password even if we wanted to as it’s fully encrypted — following or exceeding industry standards.

Correct contact information & record keeping

It amazes me how out of date domain registration and DNS provider contact records can be. It is absolutely critical that these be updated and maintained constantly. This ensures you receive renewal notices, password reset attempts, and other correspondence about your accounts. Keep digital and physical copies of invoices to prove that you own the account and domains within it. Get exports of your zone files to ensure you have backups.

Without proper contact information, what is usually a straightforward Dyn password reset can take days or weeks to resolve if our strict internal procedures notices something amiss. We err on the side of caution, as customer security is our #1 concern.

Lock your domain registration

Most domain registrars (including Dyn) offer the ability put a domain registration in a locked state, preventing any transfers of the domain to another registrar. This ensures that if someone were able to somehow get ahold of your domain’s authorization code, they would be unable to transfer it unless they had access to your current domain registrar’s account.

Multiple accounts, permissions, and advanced security features

Some domain registrars and DNS providers offer features such as multiple user accounts, permission systems, and advanced security features to ensure the safety of your accounts.

If at all possible, never share a login with multiple people. This ensures that if one account is compromised, you have other ways to gain access to the service. If you do have to share a login, rotate the password frequently.

Permission systems allow you to give users only the permissions they actually need, which limits the scope of mistakes or damage that can be caused. You can also easily lock out a user account if that person has left the company.

Additionally, our DynECT Managed DNS platform offers the ability to configure IP Access Control Lists (ACLs), which limit login attempts to only authorized IP addresses, even if the username/password is correct, further protecting the security of your account.


Share Now

Whois: Chris Gonyea

Chris Gonyea is Product Manager, Traffic Management at Dyn, a cloud-based Internet Performance company that helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Follow on Twitter (@ChrisGonyea and @Dyn).