Sep 10, 2020 - by Staff Writer
Corporate Domain Name Management: 7 Steps for Uncovering and Remediating Risks
Keeping corporate domain name portfolios in tip-top shape requires more than just managing the registration of domain names in support of new brands, TLDs and market expansion. It also requires periodic review to ensure that names are both secure and resolving, and that website visitors can consistently reach their destination, regardless of whether they’ve added the www, or have misspelled or fat-fingered names.
Step 1: Take Inventory
A portfolio review starts with inventorying all domains owned by the company. In the past, domain professionals would use Reverse Whois tools to search through domain name ownership records using an email address, physical address, company name or phone number to uncover lost or forgotten domains. With GDPR in full effect now, Reverse Whois lookups are no longer as accurate as they once were, as much of the data used to populate their databases is no longer available. That said, searching by nameservers can still return some meaningful results, as this data is still readily available. Today, inventorying domains means starting with known registrations from approved registrars, then searching for domains containing brands and referencing unique nameservers, and finally, asking for employees to provide lists of domains that they may have registered. While this seems fairly straight-forward, trying to uncover all domains which belong to the company can be a major undertaking, and given that employees often register domain names outside of company policy, it’s a never-ending task.
Step 2: Check Registrar
After all company-owned domains are identified, checking to see that names are managed with an approved registrar who meets security, operational, technical and support requirements is an important second step. Names that aren’t should be transferred as soon as possible. Domains registered through unauthorized registrars may indicate that a domain has lapsed, is no longer owned by the company, and has since been re-registered by a third-party.
Step 3: Confirm Nameserver and DNS Accessibility
Once domain names are under the company’s management, ensuring that nameservers and DNS settings are under the company’s control is the next critical step. Surprisingly, it’s not uncommon to see domain names with approved registrars still referencing old, unauthorized nameservers. How does this happen, you might ask? When domain names transfer from one registrar to another, they transfer with their existing nameservers. If the gaining registrar fails to update nameservers, domains could still be pointing to outdated, infringing or fraudulent content.
Step 4: Verify Lock Status
Checking to see that all domain names are locked to protect against deletions, transfers and updates is critical. Names with an EPP status of OK are available to transfer with just an authorization code. Mission critical names, those hosting content or used for email, should be registry-locked, if possible. Registry-locking provides an additional layer of security so that domains are protected against hacktivists from pointing domains to politically motivated content, disgruntled employees from embarrassing their employers, and inadvertent mistakes which can happen at anytime. Registry-locked domains are only editable when a unique offline security protocol is completed between the registry and the registrar.
Step 5: Ensure Domains Are Resolving Correctly and Consistently
Ensuring that all domains are pointing to relevant content is a best practice. This means pointing defensive typo-squats and misspellings to production sites - helping users to reach their intended destinations. Beyond that, checking to see that the root and www versions of domains are resolving to the same location also helps to ensure a consistent experience for website visitors.
Step 6: Track and Manage Certificates
For company-owned resolving domains, ensure that certificates exist and that there are no issues with them. This is more important than ever now that all major browsers are clearly identifying sites without certificates as not secure. Also, be aware and monitor for upcoming expiration dates.
Step 7: Review and Update DNS
Review DNS settings for all domains and known sub-domains. Ensure that domains and sub-domains with MX records are authorized to receive e-mail. For those that are not, MX records should be removed. For those that are authorized, ensure that SPF and DMARC data exists. Also, check for instances of lame delegation which can introduces delays in reaching websites.
The information contained in this article is provided for informational purposes only.
