Domain Security in 2021: DNSSEC, Registry Lock, and Account Protection
Your Domain Is Often the Weakest Link
You can have the most secure server configuration imaginable — patched, hardened, monitored around the clock — and still lose everything if an attacker hijacks your domain. Domain security is frequently overlooked because it sits outside the typical server administration workflow. But consider what happens when someone takes control of your domain: they redirect your traffic, intercept your email, issue fraudulent SSL certificates, and effectively become you in the eyes of the entire internet.
This guide covers the tools and practices that protect your domain from unauthorized changes, hijacking, and DNS manipulation: DNSSEC, registry lock, transfer protection, and registrar account hardening.
Understanding the Threat: How Domains Get Compromised
Domain compromises happen in several ways:
- Registrar account takeover: An attacker gains access to your registrar account through weak credentials, social engineering, or credential stuffing. From there, they can change DNS records, transfer the domain, or modify WHOIS information.
- Unauthorized transfer: An attacker initiates a domain transfer to a registrar they control. If transfer protections are not in place, the transfer may complete before you notice.
- DNS spoofing: Without DNSSEC, attackers can inject forged DNS responses that redirect visitors to malicious servers. The visitor's browser has no way to verify that the DNS response is authentic.
- Social engineering at the registrar: Attackers contact your registrar's support team, impersonate you, and convince them to make changes to your account or domain configuration.
DNSSEC: Authenticating DNS Responses
DNS was designed without authentication. When your browser asks a DNS resolver for the IP address of your domain, it trusts the response without any verification. DNS cache poisoning and man-in-the-middle attacks exploit this trust by injecting forged responses.
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records. The process works through a chain of trust: the root DNS zone signs the TLD zone (e.g., .com), the TLD zone signs your domain's zone, and your domain's zone signs individual records. When a resolver receives a DNSSEC-signed response, it can verify the entire chain, confirming that the record has not been tampered with.
How to Enable DNSSEC
- Sign your zone: Your DNS hosting provider signs your DNS zone, generating DNSKEY and RRSIG records.
- Publish the DS record: You add a DS (Delegation Signer) record at your registrar, which links your domain's signing keys to the parent TLD zone.
- Verify: Use online DNSSEC analysis tools to confirm that the chain of trust is intact and signatures are valid.
Many DNS hosting providers handle the signing automatically. Your primary responsibility is ensuring the DS record at the registrar matches the keys at your DNS host. A mismatch — especially during a DNS provider migration — can cause your domain to fail DNSSEC validation, which is worse than not having DNSSEC at all (resolvers that enforce DNSSEC will refuse to return results for a broken chain).
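The DS-to-DNSKEY match described above can be checked offline. The following is an added Python example (not code from the original article) that derives the key tag and DS digest from a DNSKEY record as specified in RFC 4034 and compares them with a DS record; the owner name, key material and DS values are constructed for illustration and are not real.

```python
import base64
import hashlib
import struct

# Digest types that may appear in a DS record (RFC 4034 s.5.1.3 and later assignments).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(owner):
    """Owner name in canonical wire form: lower-cased, length-prefixed labels, root label last."""
    labels = [l for l in owner.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as sent on the wire: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the obsolete algorithm 1 uses a different rule)."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 key tags are computed differently; not supported here")
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), as upper-case hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, dnskey, ds):
    """True if the DS record at the registrar describes the DNSKEY published by the DNS host."""
    rdata = dnskey_rdata(*dnskey)
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"].upper() == ds_digest(owner, rdata, ds["digest_type"]))

# Constructed example (not a real key): a KSK (flags 257) using algorithm 13, ECDSAP256SHA256.
OWNER = "example.com."
DNSKEY = (257, 3, 13, "AQIDBA==")

if __name__ == "__main__":
    rdata = dnskey_rdata(*DNSKEY)
    print(f"{OWNER} IN DS {key_tag(rdata)} {rdata[3]} 2 {ds_digest(OWNER, rdata, 2)}")
```

Paste the DNSKEY published by your DNS host into DNSKEY and compare the printed DS line with what the registrar shows; any difference in key tag, algorithm or digest means the chain of trust will fail validation.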
DNSSEC Considerations
- Key rotation: DNSSEC keys should be rotated periodically. Most managed DNS providers handle this automatically. If you manage your own signing, establish a key rotation schedule.
- Zone signing maintenance: RRSIG records have expiration dates. If they expire without being renewed, your domain's DNSSEC validation fails. Automated zone signing handles this, but monitor for failures.
- Performance: DNSSEC makes DNS responses somewhat larger and adds signature verification work at the resolver. For the vast majority of use cases, the impact is negligible.
Registry Lock: The Strongest Protection Against Unauthorized Changes
Registry lock (also called domain lock or server transfer lock) prevents any changes to your domain at the registry level — the authoritative database maintained by the TLD operator. With registry lock enabled, changes to nameservers, registrar transfers, and WHOIS modifications require a manual, out-of-band verification process, typically involving direct contact between your registrar and the registry.
This means that even if an attacker gains access to your registrar account, they cannot modify your domain without passing the manual verification step. Registry lock is the most effective protection against domain hijacking, and it is available for most major TLDs.
How to Get Registry Lock
Registry lock is typically a premium service offered by registrars. Not all registrars support it, and the process varies. Contact your registrar to ask whether they offer registry lock for your TLD and what the verification process involves. The annual cost is modest compared to the protection it provides.
Transfer Protection
Domain transfers between registrars follow a standardized process that includes authorization codes (EPP codes) and confirmation emails. Protect against unauthorized transfers with these measures:
- Enable transfer lock: This is a standard feature at most registrars. When enabled, transfer requests are rejected automatically. You must explicitly disable the lock before initiating a legitimate transfer.
- Protect your authorization code: The EPP code is the key to transferring your domain. Never share it unless you are actively initiating a transfer. Treat it with the same sensitivity as a password.
- Monitor transfer notifications: Registrars send email notifications when a transfer is initiated. Ensure the email address on file is current and monitored. Respond immediately to any unexpected transfer notifications.
Registrar Account Hardening
Your registrar account is the gateway to your entire domain portfolio. Protect it with the same rigor you apply to your banking or infrastructure accounts:
- Strong, unique password: Use a password manager to generate and store a complex, unique password for your registrar account. Do not reuse passwords from other services.
- Two-factor authentication: Enable MFA on your registrar account. Use a hardware security key or authenticator app — not SMS, which is vulnerable to SIM swapping attacks.
- Limited access: Restrict account access to the smallest number of people who genuinely need it. Use role-based permissions if your registrar supports them.
- Contact information: Keep your registrar contact information — especially the email address — current. This is where transfer notifications, renewal reminders, and security alerts are sent.
- Renewal management: Enable auto-renewal for all critical domains. Expired domains can be registered by anyone, and domain expiration hijacking is a real and active threat.
WHOIS Privacy
WHOIS records publish your name, address, email, and phone number by default. This information can be used for social engineering, targeted phishing, and spam. Enable WHOIS privacy (also called domain privacy protection) to replace your personal information with proxy contact details. Most registrars offer this service, often at no additional cost.
Monitoring Your Domain
Set up monitoring that alerts you to changes in your domain's DNS records, WHOIS information, and certificate issuance. Certificate Transparency logs can notify you when a new SSL certificate is issued for your domain — if you did not request one, someone may be attempting a man-in-the-middle attack or domain takeover.
DNS monitoring tools can track changes to your A, AAAA, MX, NS, and TXT records and alert you to unauthorized modifications. This early warning gives you time to respond before the impact reaches your users.
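The two monitoring checks this article recommends, detecting changes to watched record types and catching RRSIG expiry before validation breaks, are shown together in this added Python example (not code from the original article). The record snapshots and the clock value are constructed sample data; severity levels and the seven-day warning window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Record types the article says to watch. NS changes can redirect a whole zone and
# MX changes intercept mail, so differences there are treated as high severity.
WATCHED = ("A", "AAAA", "MX", "NS", "TXT")
HIGH_SEVERITY = {"NS", "MX"}

def normalize(records):
    """Snapshot as {rtype: set(rdata)}: TTL and order ignored, hostnames lower-cased."""
    snap = {t: set() for t in WATCHED}
    for rtype, rdata in records:
        if rtype in snap:
            snap[rtype].add(rdata.lower() if rtype in ("MX", "NS") else rdata)
    return snap

def diff_snapshots(baseline, current):
    """List (severity, rtype, change, rdata) for every record present in only one snapshot."""
    alerts = []
    for rtype in WATCHED:
        before, after = baseline.get(rtype, set()), current.get(rtype, set())
        sev = "HIGH" if rtype in HIGH_SEVERITY else "MEDIUM"
        alerts += [(sev, rtype, "removed", r) for r in sorted(before - after)]
        alerts += [(sev, rtype, "added", r) for r in sorted(after - before)]
    return alerts

def rrsig_expiring(expiration, now, warn_days=7):
    """True if an RRSIG expiration field (YYYYMMDDHHmmSS, UTC) is within warn_days of now or past."""
    exp = datetime.strptime(expiration, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return exp - now < timedelta(days=warn_days)

# Constructed sample snapshots (not real data): one NS host replaced, MX differs only in case.
BASELINE_RECORDS = [
    ("A", "203.0.113.10"), ("NS", "ns1.example-dns.net."), ("NS", "ns2.example-dns.net."),
    ("MX", "10 mail.example.com."), ("TXT", '"v=spf1 mx -all"'),
]
CURRENT_RECORDS = [
    ("A", "203.0.113.10"), ("NS", "ns1.example-dns.net."), ("NS", "ns1.other-host.example."),
    ("MX", "10 Mail.Example.COM."), ("TXT", '"v=spf1 mx -all"'),
]
DEMO_NOW = datetime(2021, 3, 10, tzinfo=timezone.utc)  # constructed clock for the demo

if __name__ == "__main__":
    for alert in diff_snapshots(normalize(BASELINE_RECORDS), normalize(CURRENT_RECORDS)):
        print("%s %s %s %s" % alert)
    print("RRSIG expiring soon:", rrsig_expiring("20210315120000", DEMO_NOW))
```

In a real deployment the baseline is the last known-good snapshot and the current one comes from a fresh query against the authoritative servers; only the NS replacement raises an alert here, since the MX change is a case difference that DNS treats as identical.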
A Domain Security Checklist
- Enable DNSSEC and verify the chain of trust
- Enable registry lock if available for your TLD
- Enable transfer lock on all domains
- Enable two-factor authentication on your registrar account
- Use a strong, unique password for your registrar
- Enable WHOIS privacy
- Enable auto-renewal for critical domains
- Monitor DNS records, WHOIS, and certificate issuance
- Review registrar account access and permissions quarterly
Wrapping Up
Domain security is the foundation that everything else sits on. A compromised domain bypasses every other security measure you have in place. The protections outlined here — DNSSEC, registry lock, transfer protection, and registrar hardening — are straightforward to implement and provide substantial protection against the most common domain attack vectors. Treat your domain with the same seriousness as your server and your code. It deserves it.