13.1 Securing Your Domain Name

   


When ICANN opened the registration process so multiple registrars were allowed to register domains, two things happened: prices for domain names dropped and the number of new domains registered took off.

Millions of new domains are registered every month. As of this writing, there are 150 ICANN-accredited registrars, and countless resellers. All of these options mean that you have to be as concerned with the security of your registrar as you do with the security of your web host.

When ICANN created the rules for becoming a registrar, security was not included as a consideration, so there is no minimal level of information protection that a registrar has to provide. In fact, it was not until March 2002 that a security committee was appointed by ICANN. While the committee will undoubtedly set minimum security standards that registrars must follow, it may take years before registrars are forced to comply.

Given the importance of a company's domain name, this is a scary thought. Knowing that there is no minimum security required by registrars is a red flag that a set of security questions needs to be posed to any prospective registrar. This is especially true if your company maintains a lot of domain names.

The primary question a company should ask of their registrar is how the registrar handles domain name updates. Each .com, .net, and .org domain name has five pieces of information that can be updated by the domain owner:

  1. Company information

  2. Administrative contact

  3. Billing contact

  4. Technical contact

  5. Name server information

All registrars have to supply this information to the gTLD database for a domain to be activated. When Network Solutions controlled all domains, the contacts were three different accounts, as long as three unique contacts were listed. Some registrars still follow that model, but others have opted for a different approach: a single account is created, even though three separate contacts may exist.

A single account for a domain can create several problems. Generally one person maintains this account. If that person leaves the company, especially under less-than-pleasant circumstances, this person may or may not share that account information. If the circumstances are extremely unpleasant, that person may decide to make changes to the domain prior to departure.

If this does happen, most registrars have alternate ways of updating information, but those methods can take significantly longer, and the domain will be unavailable while the information is being changed.

Many companies opt to give multiple users access to the account provided by the registrar. Unfortunately, most registrars use a web-based interface to manage domain names, so there is no way to track which user logged in and made changes. There is also no fail-safe way to prevent a disgruntled employee from making changes to the domain before quitting or being asked to leave.

The best way to avoid problems associated with a single account is to avoid a single account. Some registrars specialize in working with enterprise organizations and understand the unique requirements of a midsize to large company. Consider using a registrar (such as Network Solutions, Domain Bank, or Alldomains.com) that has special corporate programs. These programs may be more expensive, but the cost is nothing compared to the amount of money that can be lost by having a domain disabled, or worse, redirected to another location.

Another security precaution is to store current domain name information in a file. This will make it easier to get the information restored, should a problem arise.

Most UNIX systems have a program called whois, which allows users to look up domain information. There are also Windows and MacOS whois clients available for download. The output of a whois query will look something like this:

    whois example.com
    [whois.crsnic.net]

    Whois Server Version 1.3

    Domain names in the .com, .net, and .org domains can now be
    registered with many different competing registrars. Go to
    http://www.internic.net for detailed information.

       Domain Name: EXAMPLE.COM
       Registrar: NETWORK SOLUTIONS, INC.
       Whois Server: whois.networksolutions.com
       Referral URL: http://www.networksolutions.com
       Name Server: A.IANA-SERVERS.NET
       Name Server: B.IANA-SERVERS.NET
       Updated Date: 07-jan-2002

The registrar for this domain is Network Solutions. Registrars have their own whois server, which can be queried for more information:

    whois -h whois.networksolutions.com example.com
    [whois.networksolutions.com]

    Registrant:
    Internet Assigned Numbers Authority (EXAMPLE-DOM)
       4676 Admiralty Way, Suite 330
       Marina del Rey, CA 90292
       US

       Domain Name: EXAMPLE.COM

       Administrative Contact, Technical Contact, Billing Contact:
          Internet Assigned Numbers Authority (IANA) iana@IANA.ORG
          4676 Admiralty Way, Suite 330
          Marina del Rey, CA 90292
          US
          310-823-9358
          Fax- 310-823-8649

       Record last updated on 07-Jan-2002.
       Record expires on 15-Aug-2010.
       Record created on 14-Aug-1995.
       Database last updated on 20-Apr-2002 14:07:00 EDT.

       Domain servers in listed order:

       A.IANA-SERVERS.NET    192.0.34.43
       B.IANA-SERVERS.NET    193.0.0.236

The administrative, technical, and billing contacts are all the same, so there is only one contact listing. This is another common mistake made by companies: not using three separate contacts. For something as important as a domain name, a company should not have a single contact. Whenever possible, have three different contacts, and make sure those people are aware that they are the contacts for the domain. Also, make sure the people who are contacts are aware of the update procedures for the domain.

The three contacts are important not just for security reasons, but also for domain availability. If a company has a single domain contact, and that person leaves, even if it is on good terms, there is a good chance no one will know when the domain is up for renewal (most registrars send e-mail notification for domains that are about to expire). One of the most common forms of DNS failure is simply an expired domain. This is especially true now that registrars are allowing companies to register domains for up to 10 years. It may not occur to anyone to check the expiration date until e-mail and everything else stop working.
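The stored whois snapshot and the expiration check described above can be combined into one routine monitoring step. The following is an added example, not code from the book: it parses a registrar record in the format shown earlier, reports which tracked fields differ from a saved baseline, flags a single shared contact, and counts the days left before expiry. The function names are hypothetical, and the replacement name server `NS1.CHANGED.EXAMPLE` with its address is constructed sample data.

```python
import re
from datetime import date, datetime

# Registrar whois record, abridged from the example output shown above.
BASELINE = """\
Domain Name: EXAMPLE.COM
Administrative Contact, Technical Contact, Billing Contact:
   Internet Assigned Numbers Authority (IANA) iana@IANA.ORG
Record last updated on 07-Jan-2002.
Record expires on 15-Aug-2010.
Domain servers in listed order:
A.IANA-SERVERS.NET    192.0.34.43
B.IANA-SERVERS.NET    193.0.0.236
"""
# Constructed later snapshot: one name server swapped (made-up host, documentation IP).
CURRENT = (BASELINE.replace("B.IANA-SERVERS.NET", "NS1.CHANGED.EXAMPLE")
           .replace("193.0.0.236", "203.0.113.9")
           .replace("07-Jan-2002", "19-Apr-2002"))

def parse_record(text):
    """Extract the fields worth tracking from a registrar whois record."""
    def on(label):
        m = re.search(rf"Record {label} on (\d{{2}}-[A-Za-z]{{3}}-\d{{4}})", text)
        return datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None
    servers = re.findall(
        r"^[ \t]*([A-Z0-9.-]+)[ \t]+(\d{1,3}(?:\.\d{1,3}){3})[ \t]*$", text, re.M)
    roles = re.search(r"^[ \t]*((?:\w+ Contact,?[ \t]*)+):", text, re.M)
    return {
        "updated": on("last updated"),
        "expires": on("expires"),
        "name_servers": sorted(servers),
        # One header naming several roles means a single shared contact.
        "shared_contact": bool(roles and roles.group(1).count("Contact") > 1),
    }

def changed_fields(old, new):
    """Names of the fields that differ between two parsed snapshots."""
    return sorted(k for k in old if old[k] != new[k])

def days_to_expiry(record, today):
    """Days until the 'Record expires on' date; negative once it has lapsed."""
    return (record["expires"] - today).days

if __name__ == "__main__":
    old, new = parse_record(BASELINE), parse_record(CURRENT)
    print("changed since baseline:", changed_fields(old, new))
    print("single shared contact:", new["shared_contact"])
    print("days to expiry:", days_to_expiry(new, date(2002, 4, 20)))
```

In practice the baseline would be the saved output of the registrar whois query, and any unexpected change in `name_servers` or `updated` is a prompt to contact the registrar.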

To this point, the focus has been on internal security breaches related to domains, because most security incidents concerning the domain name occur internally. While external security incidents related to domain names are less frequent (attackers tend to hit DNS servers rather than the domain name itself), they are not unheard of, and proper precautions should be taken.

If your registrar uses a web-based interface, make sure any changes are made over an SSL-encrypted connection. As with other services, make sure the password you choose for your account, or accounts, is secure. In addition to being secure, the password should be changed frequently.

Keep in mind that most companies will not use their registrar password very often. Most companies can go for years without making changes to their domain name (this is not the same as DNS changes, which happen more frequently). Regular password changes help keep a company protected in the event that a registrar's database is compromised.

If possible, request a method for domain name updates that is more secure than an SSL connection. An encrypted e-mail message, or at least one that is signed, would be preferable, although most registrars will not support methods other than web access for making domain changes. In that case, find out what security precautions are taken to protect both the web servers and the database. If a satisfactory answer cannot be given, transfer registrars.

Today a domain name is a crucial part of any company's business. Considering how important the domain name is, the cost, often less than $30 a year, to maintain it is insignificant. Unfortunately, because the cost is so low, some registrars do not take adequate security precautions. As with any other vendor a company has a relationship with, a registrar has to be able to show that it has adequately secured its data.

   


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
