With more than 20 years of securing .CA domain names, protecting the domain name system (DNS) is in our DNA here at CIRA. However, it can be easy to forget just how many applications rely on the DNS to function, and how critical domain names are to the entire internet ecosystem.
If you manage a .CA domain name, or any other domain name, it is critical to understand just how central they are to both the functioning of your business and the security of your systems. No matter how small your business is or how insignificant some of your domains may be, if they become compromised they can cause headaches that spread throughout your ecosystem. Even old, unused domains can be used by hackers to infiltrate or embarrass your organization.
Never fear! We are here to help with our Ultimate Domain Name Security Checklist! Simply follow these domain security best practices and you will be well on your way to protecting your data and your business.
Ultimate domain name security checklist
For each domain name you manage, take note of the following:
|Where is your domain name registered? Take note of the registrar name and their website.|
|Is two-factor authentication enabled? If not, enable it.|
|Who is the DNS provider? Is it the registrar default, or a third-party provider?|
|Does the DNS provider have two-factor authentication? If they do, enable it. If not, consider finding one that does.|
|Is the internal master DNS service unavailable for queries? This means the DNS is unable to answer requests over any port, except those from the external/secondary DNS provider.|
|Is the internal master DNS service running the latest software? If not, find out why.|
|Do you have a secondary DNS provider? A backup DNS helps protect against DDoS attacks. If your domain name is mission critical, you should have one.|
|Does your secondary DNS provider have two-factor authentication enabled?|
|Does your secondary DNS provider have Transaction Signatures (TSIG) enabled?|
|What is the TTL (time to live) for your zone file?|
|Does your domain require an Extended Validation (EV) SSL certificate? Is it enabled?|
|What is the renewal date for your SSL certificate?|
|Who is the registrant contact on your domain? Is their contact information up to date?|
|Who is the technical contact on your domain? Is their contact information up to date?|
|Who is the administrative contact on your domain? Is their contact information up to date?|
|Have you whitelisted the emails coming from your registrar and registry so you can get critical security and technical updates?|
|Do you know who has administrative access to your domain registrar? Make a list and keep it updated.|
|What is the renewal date of your domain? Do you have auto-renew enabled?|
|Have you reviewed the policy rules of your registrar and registry?|
|Have you audited your DNS zone records?|
|Do you have your primary zone file backed up, control tested and working?|
|Is your domain locked at the registry?|
|Do you have your domain name registration records on file? Backed up?|
|Do you have your domain name billing records on file?|
|Do you have any trademark and/or public documents associating you with the domain name on file? Backed up?|
|Do you have any legal documents relevant to your domain name on file? Backed up?|
This checklist was created in HTML so you can copy/paste it directly into GitHub, Jira, Confluence, or wherever else you manage your workflow. Make sure to review and update it once a year. A good way to remember is to set a calendar reminder on the same date as your domain name renewal. Remember to keep the list of domain names you manage updated regularly.
Further reading on protecting domain names
While this checklist is pretty exhaustive (some would say it’s the ultimate), if you would like to dive deeper into domain name security, we suggest you take a look at A Registrant's Guide to Protecting Domain Name Registration Accounts from ICANN's Security and Stability Advisory Committee (SSAC).
Our friends at Akamai also recently published a great guide: Protecting your domain names: Taking the first steps. It goes into detail on a few of the items in our checklist and has some great insight.