Your domain is the route that all users, including your current and prospective customers, take to access your organization on the internet. While your actual system is set up with server IP addresses likely in a cloud environment, your users won't use a string of numbers to access your website. Instead, they will use your domain name and Domain Name System (DNS) routing to get to your site.
Because DNS infrastructure provides a foundation for internet traffic, it's important to keep track of potential risks that could impact access to your domain, including domain name expiration and renewal or validation issues with your domain name registrar. This article identifies common risks related to your domain name registrar, as well as how you can identify and resolve them.
What is DNS (Domain Name System)?
The Domain Name System (DNS) is an application layer protocol governing naming systems across the internet. Information will be associated with domain names so that network protocols can locate the appropriate services. Most often, DNS translates the uniform resource locator (URL) to the IP address hosting the services, which is how users can input a domain name to access a website in their browser.
Each top-level domain (TLD) is registered with a domain name registrar so that a website's machine-readable IP address can be routed to the human-readable domain name using DNS. The domain name registrar manages domain name reservations in accordance with the requirements of a domain name registry. The Internet Corporation for Assigned Names and Numbers (ICANN) likewise coordinates information regarding domain namespaces, and many registrars are accredited with ICANN. You select your domain extension, such as a [.rt-script].com[.rt-script] domain, with the registrar to create a new domain that your organization will use for its website or other apps.
Some commonly used hosting providers for registered domains include BlueHost, GoDaddy, Google Domains, Hover, NameCheap, Squarespace, and WordPress Hosting. Some providers offer web hosting packages that include a premium domain alongside their website builder and SEO marketing tools. Additionally, some hosting plans include add-on features, such as ecommerce shops, professional email accounts, subdomains, templates, free SSL certificates or a free domain name, email forwarding, and domain privacy, among other tools. Many web hosting plans include competitive pricing for the first year or additional benefits with auto-renewal. Whenever you build a new website with the right domain, you will need to evaluate how each registrar's web hosting services suit your business needs.
Because DNS infrastructure is geographically distributed and functions through global collaboration, enterprise deployment necessitates attention to your country's regulatory requirements.
How DNS Relates to Web Hosting Regulations
Regulations connected to DNS generally support information authenticity and the integrity of data in transit. Following regulatory guidance for DNS deployment may prevent malicious attacks that exploit vulnerabilities in DNS configurations.
In the United States, the National Institute of Standards and Technology (NIST) sets standards and creates frameworks for cybersecurity protocols. These materials include the NIST Cybersecurity Framework (CSF), which has been translated for use in other national governments, as well as NIST Special Publication 800-53 for establishing controls required for the federal government.
When assessing adherence to controls documented in NIST SP 800-53, you can evaluate the System and Communications Protection (SC) control family. SC-20 and SC-21 set out the requirements for Secure Name / Address Resolution Service. These controls specify data origin authentication and data integrity verification for your DNS deployment. You might also refer to Access Control (AC) 22, which defines parameters for publicly accessible content like your website.
You can also evaluate your DNS setup according to the DNS Deployment Guide set forth in NIST Special Publication 800-81. Though your organization is not required to follow the guidance in NIST SP 800-81 unless you contract with US federal agencies, it can be beneficial to follow such requirements to ensure secure configuration and reliable operation for your domain.
However, even the most secure deployment can be susceptible to potential risk. The next section describes common risk findings related to domain registrar issues.
Common Domain Registrar Risk Findings
Your domain registrar can set Extensible Provisioning Protocol (EPP) domain status codes related to your domain name registration. Some of these codes relate to domain activation, protections, or even renewals. Maintaining awareness of your domain's EPP status is critical to ensure that your site remains active and accessible for your users.
With continuous insight into your risk exposure, you can manage your domain asset management and monitor any potential risks impacting your domain. UpGuard BreachSight is a tool for protecting your organization's potential attack surface, and UpGuard scans for information related to your domain's EPP status to keep you informed of any upcoming changes or potential exposure related to your DNS setup.
Your domain may be at risk of changes, such as registrar transfer or deletion, in which case BreachSight will notify you of these findings:
- Domain registrar transfer protection not enabled
- Domain registrar deletion protection not enabled
- Domain registrar update protection not enabled
These findings indicate exposure risk to each of the actions named. Without domain transfer protection, your domain could be susceptible to domain hijacking, where a malicious actor gains control over your domain and can use it to reroute traffic elsewhere. Likewise, deletion protection and update protection ensure that unauthorized users cannot delete or update your domain during an attack.
BreachSight tracks DNS information to communicate findings related to your DNS records:
- Domain under Registry DNS resolution hold
- Domain under Registrar DNS resolution hold
A resolution hold occurs when the registrar has identified an issue with the domain information. If your registrar has applied a [.rt-script]serverHold[.rt-script] status code, you may need to supply updated information to your registrar. If your domain has been identified with the uncommon [.rt-script]clientHold[.rt-script] status, there may be other business issues to resolve directly with your domain registrar. Any domains with these statuses are not active, so your customers will be unable to access your website until the issue is resolved.
In addition to the previous risks and anything related to your upcoming domain expiration, UpGuard can identify issues related to renewal and will notify you with these findings:
- Domain renewal prohibited by registry
- Domain renewal prohibited by registrar
These two findings are typically only enacted during ongoing legal disputes. You can identify these findings by their status codes: [.rt-script]serverRenewProhibited[.rt-script] and [.rt-script]clientRenewProhibited[.rt-script]. If your current registrar has applied these authorization codes (EPP codes), you will need to work with your domain registrar to resolve these findings and renew the domain. If you are unable to resolve these findings, your domain will begin the deletion process after which it will become an available domain for others to register.
How to Resolve Domain Registrar Findings
Findings that relate to your domain registrar deployment can be mitigated by contacting your domain name registrar to determine the appropriate action. We recommend contacting your registrar's customer support and consulting their knowledge base to confirm any findings that need to be updated.
Any server-related issues, such as the [.rt-script]serverHold[.rt-script] and [.rt-script]serverRenewProhibited[.rt-script] status codes, require that you contact your registrar to provide required information or resolve issues in order to activate your domain.
Your domain registrar and web hosting provider may have different requirements for updating your domain registration services. For the findings that pertain to domain registrar protections, you can most likely update your settings through your registrar's online portal with the following codes:
- Set the [.rt-script]clientTransferProhibited[.rt-script] domain name status code to create a domain lock that prevents the registry from transferring the domain between registrars.
- Set the [.rt-script]clientDeleteProhibited[.rt-script] status code to prevent the registry from allowing an unauthorized user to delete the domain.
- Set the [.rt-script]clientUpDateProhibited[.rt-script] status code to prevent the registry from allowing an unauthorized user to update the domain.
If your registrar's online portal does not enable you to set these status codes, you can request that the registrar set these codes.
In addition to updating your domain name registration information directly with your registrar, you can evaluate your application of DNS System Security Extensions (DNSSEC) to protect your domain through authentication records. We recommend enabling WHOIS privacy protection with your registrar to protect your contact information, whether you run a small business or orchestrate registration for a large-scale enterprise. The best domain registrars typically offer this protection benefit.
You can also review your SSL certificates to install an up-to-date SSL certificate on your domain, protect against SSL/TLS certificate expiration, and strengthen your SSL cipher suites.
How UpGuard Can Help
Current UpGuard users can log in and access the Domains module to review your domains. Filter the domains by a specific risk finding, or search for individual notifications in your Risk Profile.
If you're not a current UpGuard user and you want to run an automated scan of your domains with BreachSight, sign up for a trial to experience our intuitive modules.
