Domain name security is one of the many cybersecurity threats that businesses should be wary of. At Webnames, we have built a free, powerful and easy tool that can help detect potential domain compromise risks for small businesses and large organizations alike.
Domain name security risks
As the literal address of brands and businesses online, domain names are an often-overlooked aspect of cybersecurity. A few common domain security risks are:
- Unauthorized domain name transfer
- Unauthorized DNS updates to a domain name
- User account compromise at the domain registrar
- Domain name expiry due to missed reminders
- Websites or forwarders not secured with an SSL Certificate
Businesses should have robust internal security processes with access controls for domain registrar accounts, multi-factor authentication, change management processes and detailed event logging. In addition, product specific features such as domain registry locks, registrar locks and the basic domain transfer locks are essential for business-critical domains.
Previously, we identified 6 Corporate risk factors from domain management for medium and large organizations, and this tool goes a step further to automate and simplify high-level risk assessment for your domain portfolio. A scheduled domain security scan for the entire domain portfolio is highly recommended to identify any shortcomings and mitigate risks. That’s where Webnames’ domain security scanner comes in handy.
Try our automated, free domain security scanner tool now!
How does the domain security scan tool work?
The first thing you should know about this tool is that you can use it to scan domains registered at any domain registrar. The security tests that this tool can perform use only publicly available information about the domain and the website, if one is present at the address.
The domain security scanning tool uses Extensible Provisioning Protocol (EPP) status codes, Whois lookup data, and also tests whether a HTTPS connection can be established with the scanned address.
Using the above data sources and checks, our domain security scan tool tests 5 parameters that have a bearing on the threat perception to a domain name:
- Domain Transfer lock status
- Domain Registry lock status
- Domain Registrar lock status
- Whois data privacy (on a best-effort basis to detect whois proxy usage)
- Ability of the website to be served over an HTTPS connection
When you run a scan for a domain, the tool automatically validates the status of each of these parameters and presents a report that identifies significant and secondary threats. Domain locks at the registry and registrar levels act as a powerful deterrent against unauthorized DNS updates, transfers, and registrant changes. Domain locks are the single most powerful safeguard against domain hijacking.
What do the alerts on the domain security scan report mean?
The results of the domain security scan report are broadly classified into significant threats and secondary threats. In an ideal world, no threats can truly be ignored, but threat perception and mitigation must always be weighed against the importance of the domain name to a business, cost, and constraints in implementation of additional security measures.
Significant threats are flagged when a domain:
- Does not have domain transfer lock enabled
- Is not correctly configured with an SSL certificate (if the domain is not redirected to another address)
- Does not use a masking or Whois privacy service to hide personally identifiable registrant information
Secondary threats are flagged when a domain:
- Does not have domain registrar lock enabled
- Does not have domain registry lock enabled
A ‘one size fits all’ approach does not work for domain security risk assessment. The above classification of threat levels as significant and secondary could be very different for a large corporation with 1000+ domain names, as compared to a small business with just a couple of names. In fact, even for a large corporation, the main corporate domain name would likely justify a registry lock, while a defensive domain registration for an unused domain would likely not.
Domain Security Recommendations & Next Steps after Scanning
Once you have your domain security scan results, check the Threat Analysis Report to understand the risk profile of your domain name portfolio. Each identified threat contains recommendations to mitigate that particular risk and often these can be simple steps such as enabling the Transfer Lock which is a free feature with most registrars.
If you use a domain to redirect to another location, you can upgrade to HTTPS forwarding using Webnames DNS hosting . You could also consider enabling Whois Privacy with your domain registrar, to protect the registrant details from being publicly accessible. Whois data protection is especially valuable for small business and professional service websites.
Popular Domain Name Security Best Practices
Here are 7 highly recommended best practices for domain name security:
- Use a unique and secure password for your domain registrar account
- Enable multi-factor authentication for your registrar, hosting and other critical accounts
- Enable transfer locks and other domain locks unless a planned move is imminent
- Purchase and enable WHOIS privacy protection
- If your registrar account can be accessed by multiple users, enable access control restrictions
- Enable SPF records, DKIM Records, and other email security measures to defend against phishing and spam
- Switch to HTTPS forwarding for domains that are not actively in use
At Webnames, we help small and large businesses alike protect their domain portfolios and websites. If you are a small business, looking for cost-efficient ways to protect your domains and business, consult our domain security guide for small businesses or contact Webnames support. If you are a large organization with a sizable portfolio and need a professional domain portfolio audit, our team of domain experts is happy to assist. Sign up for your domain portfolio audit and let us know if you would like us to include a comprehensive security review as well.