HACKER Q&A
📣 davidkuennen

How do I secure the domain for my business?


In all of my infrastructure, the provider hosting my domain (nameserver) is the most critical part. If I lose the account/access to whatever provider is hosting my domains everything crumbles. It's a single point of failure.

What are best practices to make this as secure as possible?


  👤 ivanr Accepted Answer ✓
Here's a very good guide from GOV UK: https://www.gov.uk/guidance/keeping-your-domain-name-secure

It's written for domains under gov.uk, but, ignoring that, the rest is universal and thorough.


👤 technion
I know you're getting a lot of good technical advice in this thread but let me bring out something that needs to be said more often:

No web developer or web development agency or SEO person or whatever needs your EPP/transfer codes. I say this because I have absolutely lost count of the number of businesses that just hand this over because these people just say they need it, and before you know it, the domain you put so much effort into managing ends up on some crappy web hosting service. It's gotten beyond a joke. I feel like every business I've ever been associated with has seen this. Marketing hires some "digital marketing consultant". Suddenly the domain is sitting on Crazy Domains and the entire zone is empty.


👤 samwillis
Outside the best practices others are mentioning, there are companies that specialise in or provide high-security domain registration; Mark Monitor are the big one. CloudFlare also offer this type of service. I have no idea how much it costs; I would actually love to know if anyone has any experience with any of them?

https://www.cloudflare.com/products/registrar/custom-domain-...

https://markmonitor.com/


👤 3np
Apart from what's been said already: One basket per egg.

Your registrar should be under different administration from your DNS servers (more than one), which should be different from your service (e-mail/web/etc) host(s). If you want to play it real safe you could get matching names under different TLDs, but only after you've separated the above.

This way, either of your nameserver companies closing you off should pose little practical problem, while limiting the relationship with your registrar to nothing more will significantly lower the possibilities of issues occurring there.

Put the account e-mails for the above providers under a different domain than the one under management.

So assuming you don't run your own physical infrastructure (all the power to you if you do) for either part, you need at least 4 different accounts spread over at least 3 different companies.

Putting one of the name servers at either the registrar or the web-hosting provider is not that terrible though, as long as it's not the only one.


👤 chockchocschoir
What are you trying to secure it against? This is always the first step to think about, also known as "threat assessment" or similar.

Are you trying to secure it against someone transferring the domains out of your account? Make sure you have all the account security up to date and correct (2FA on the account + the email account that has the ownership), and that all the "transfer locks" are set up (EPP codes and so on).

Are you trying to secure your DNS setup against various DNS attacks? Read up on DNS and various security patterns you can implement like DNSSEC and so on.

Are you trying to prevent issues regarding DNS uptime (in case the main domain stops resolving, or other system problems)? In that case, set up DNS over multiple TLDs (and registrars) and have a process for failing over.

In short, it depends on what you're trying to protect against, and who you are trying to protect it against.
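The "transfer locks" and renewal checks above can be audited from the registrar's RDAP record. This is an added example, not code from anyone in the thread; the RDAP fragment is constructed, and the lock-status spellings are the standard EPP codes and their RDAP (RFC 8056) forms.

```python
"""Audit a domain's RDAP record for registrar locks and approaching expiry."""
from datetime import datetime

# EPP status codes that block a transfer, update or delete until the
# registrant explicitly unlocks the domain. RDAP spells them with spaces.
LOCK_STATUSES = {
    "clientTransferProhibited": "client transfer prohibited",
    "clientUpdateProhibited": "client update prohibited",
    "clientDeleteProhibited": "client delete prohibited",
}


def normalize_status(value):
    """Accept either the EPP camelCase or the RDAP spaced spelling."""
    return value.replace(" ", "").lower()


def parse_rdap_time(value):
    """RDAP timestamps are RFC 3339; fromisoformat needs +00:00 rather than Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_domain(rdap, now_iso, expiry_warning_days=60):
    """Return which locks are missing and whether the expiry date is close."""
    present = {normalize_status(s) for s in rdap.get("status", [])}
    missing = [epp for epp in LOCK_STATUSES if epp.lower() not in present]
    expiry = None
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            expiry = parse_rdap_time(event["eventDate"])
    days_left = (expiry - parse_rdap_time(now_iso)).days if expiry else None
    return {
        "missing_locks": missing,
        "days_until_expiry": days_left,
        "expiry_soon": days_left is not None and days_left <= expiry_warning_days,
    }


# Constructed RDAP fragment for illustration; not a real registration.
SAMPLE_RDAP = {
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2024-03-01T00:00:00Z"}],
}

if __name__ == "__main__":
    print(audit_domain(SAMPLE_RDAP, "2024-01-15T00:00:00Z"))
```

On the sample, the update lock is reported missing and the expiry falls inside the 60-day warning window, which is exactly the situation the calendar-reminder advice elsewhere in this thread is meant to catch.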


👤 conjuredbytes
I actually wrote a blog post about this a while back at https://dev.to/conjuredbytes/domain-and-registrar-security-c.... Hopefully, someone finds it helpful.

👤 teddyh
Like I have said previously¹² about choosing a registrar: If you have regular backups, and if some downtime is not really a problem, it might be fine to use web server hosting, e-mail (and in extreme cases even DNS hosting), from some fly-by-night el cheapo provider. But your domain name registrar? Pick them carefully, don’t skimp, and make sure they have good support. Because when things go pear-shaped, you really want to be able to actually talk to someone to change your web server or e-mail DNS records (or even DNS servers) to somewhere else.

Big registrars can’t afford any support costs since they prefer to squeeze the price down as far as possible, and therefore they prefer to simply lose or outright drop any customer in case of any and all problems. Conversely, small registrars may charge more, but have better (i.e. actually existing, and sometimes even dedicated and personal) support for when things go wrong, and have a vested interest in keeping you as a customer.

A small registrar might also be so small as to know you personally, which will help monumentally against any social engineering attacks.

Full disclosure: I work at such a registrar, but I see that you’re not in our target market.

1. https://news.ycombinator.com/item?id=29112559

2. https://news.ycombinator.com/item?id=26865752


👤 tough
I would recommend using a company in your jurisdiction; they might be less known, a bit pricier, but will have some kind of customer support in your mother tongue in case things should go wrong.

Being a paying customer can do wonders.


👤 kkfx
The best protection for that is your local laws: choose a domestic provider and keep good lawyers around. Also remember the scale: an over-the-top provider has lobbyists, lawyers etc., while a smaller one probably has more human relations and less power in the local justice system.

Other protections are obviously good, but less effective like:

- buy your domain on different TLDs and registrars and host the same site and all services that can be duplicated on them, citing all the other domains you own on each; that way you have well-established evidence that you are the right owner, and if one disappears, others can easily find the rest;

- keep your customers informed of all your domains/services/public parts of your infra, so in case of issues (of any kind) they understand that something happened and, most importantly, can still find you;

- mirror your websites on ZeroNet and advertise them on all official ones; of course 99.9999% of business customers never ever even try ZeroNet out of curiosity, but it's evidence, something working and something you can potentially embed in other software (depending on your activity).


👤 taubek
Register it to an email that you have full control of, e.g. don't use an email address linked to your university or employer. Take good care of your email (2FA). Use a domain registrar that you trust. Saving a few dollars each year on a domain is not worth the possible complications. If you are enabling auto-renew, be sure at all times that your credit card is valid. Put reminders in your calendar about expiration dates.

👤 TekMol
Most advice here seems to be about securing it from yourself. Making sure you do not let someone get your credentials via whatever means.

I would be more interested in how to secure it from the registrar fucking up. Is there a way to hold a domain so that even when your registrar is being tricked into giving it away, you can still prevent that or get it back?

Or do we have to wait for cryptographically secured ownership of domains so that a key that only you yourself hold is needed to move it? Something like Ethereum Name Service domains?


👤 p0d
Hostgator left me in a terrible situation once. Domain name came with hosting package and expired after 10 years. Hostgator had lost my records?! I went to Nominet and they were really helpful. I think I recollect that if you login to Nominet with your admin email address from your domain name you see your domains in the Nominet control panel. I guess Nominet are the big player in this scenario. Not sure if Nominet is UK.

All my clients lost access to my saas for the guts of a day until I could get Nominet to fix.


👤 vocram
The major risk here is social engineering: someone who pretends to be you and calls your registrar to get credentials reset.

Surprisingly, I haven't found any good solution among the answers here.


👤 simne
The main question is whether you want to defend from technical issues or from legal ones, as the measures are extremely different.

For tech, just choose some big registrar with a good reputation, and use all the measures the registrar recommends, like 2FA, crypto keys, etc. For example, my friend registered his domain on GoDaddy.

For legal issues, it depends on your jurisdiction. For example, in Ukraine we can buy a 2nd-level .ua domain if we have a registered trademark, and the process of registration lasts 2 years.

Meaning, you send a request to the government registration service that you want to register some name, then they make checks to ensure nobody uses this name and that there are no names which are very similar (so you will not look associated with Mercedes or some other well-known brand), and if all is ok, you will receive official registration rights, and after that you can ask to register the .ua name, and it will be associated with your legal entity (I'm not sure, but most probably it's possible to register as a private person just under your name).

And after that procedure, nobody can steal your domain without stealing your entity. Even if you once forget to pay for the domain, it will just remain blocked, and nobody else can use it, until the official registration of the trademark ends.

For other domains, like .com or local ones, things are slightly different, but all very similar, in that if you have a registered trademark (same as the domain name without the suffix), you have legal power to defend it. And nearly all hosting providers respect this power, so in most cases you will not need to call a judge; just send the hosting support a photo of the registered trademark documents, and the hosting provider will immediately remove the site of the person who tries to use your registered trademark name.


👤 dagi3d
Apart from the 2FA for the domain service itself, ensure you are enforcing 2FA if you use an external mail provider. And set the domains to auto-renew.

👤 alias_neo
There are features of domain providers that can prevent domain transfer without certain conditions being met.

I don't hold any domains for corporate enterprise purpose but, if I did, I'd be looking for domain registrars that can provide some guarantees.

I don't know if such a thing exists, hopefully someone here can answer that, but if not, I'd start making some phone calls/sending some emails to see what/who can offer better than your typical cookie cutter registrars.


👤 TacticalCoder
What if a company incorporates using your name in this or that jurisdiction then claims your .com? It happened in the past (although many companies, at first, simply bought the .com from the early .com hoarders for it was easier and faster than claim the name ownership).

I don't know how you can defend against that, except having a company incorporated with that name in the country which corresponds to the TLD.


👤 jesterson
Don't make your infrastructure rely on a single domain then.

You probably don't need all infrastructure to be built on same domain as you build your marketing part (the domain exposed to customers). Have it built around another domain.

You can have all your endpoints served from several subdomains, so you can do that as well.

If one domain crumbles, you can switch to use of another one in mere minutes.


👤 tomschwiha
Set up an alternative e-mail address that you can assign to your hosting account. It happened once to me that my credit card failed and the domain didn't renew and ultimately cancelled my domain. However, because of 2FA via e-mail I couldn't log in to my account to pay the outstanding payment.

👤 math-dev
Buy for 10 years (assuming .com)

👤 lovelearning
I avoid using Google Domains as registrar or DNS server. Because if their weird bot locks my Google account, I lose access to my domain and there's no customer service to help.

👤 holdenc
You have not really given us enough information to suggest the best solution. For example, is this because you host many websites for other people who all use your custom nameservers? Either way, if you are hosting many sites with custom nameservers, look at what AWS does for its nameservers for Route 53. Theirs are set up like so:

ns-1271.awsdns-11.co.uk

ns-522.awsdns-02.net

ns-433.awsdns-03.com

ns-1870.awsdns-03.org

In your case, you'd likely want each domain used in your custom nameserver configuration to be registered at a different company. In this way, you no longer have a single point of failure.
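A quick way to check whether a delegation actually spreads its nameservers across registrable domains and TLDs, as the AWS-style list above does and as 3np's "more than one" DNS-provider advice asks for. This is an added example, not code from the thread or from AWS; the multi-label suffix set is a deliberately tiny stand-in for the public suffix list, and the single-provider list is constructed.

```python
"""Report how many distinct registrable domains and TLDs a set of nameservers spans."""

# Assumption: a handful of multi-label public suffixes stand in for the real
# public suffix list (publicsuffix.org); extend this set for other ccTLDs.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "co.nz"}


def registrable_domain(hostname):
    """Domain a registrar sells, e.g. awsdns-11.co.uk for ns-1271.awsdns-11.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def top_level_domain(hostname):
    """Rightmost label of the hostname."""
    return hostname.lower().rstrip(".").split(".")[-1]


def nameserver_diversity(nameservers):
    """Summarise the spread of a delegation across domains and TLDs."""
    domains = {registrable_domain(ns) for ns in nameservers}
    tlds = {top_level_domain(ns) for ns in nameservers}
    return {
        "registrable_domains": sorted(domains),
        "tlds": sorted(tlds),
        # One registrable domain means one registrar account controls every NS name.
        "single_point_of_failure": len(domains) < 2,
    }


# The Route 53-style delegation quoted in the post above.
AWS_STYLE = [
    "ns-1271.awsdns-11.co.uk", "ns-522.awsdns-02.net",
    "ns-433.awsdns-03.com", "ns-1870.awsdns-03.org",
]
# Constructed contrast case: every nameserver lives under one domain.
SINGLE_PROVIDER = ["ns1.example.com", "ns2.example.com", "ns3.example.com"]

if __name__ == "__main__":
    for label, servers in (("aws-style", AWS_STYLE), ("single-provider", SINGLE_PROVIDER)):
        print(label, nameserver_diversity(servers))
```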


👤 dindresto
Use a provider that uses 2FA for login