How can you have a domain lock or client transfer prohibited, and still lose your domain name to attackers? Domain lock was invented to prevent unauthorized parties from stealing your domain name. As reported by Brian Krebs on January 24, 2020, that happened to a well-regarded service that helps Web sites detect and block fraud. They had a domain lock, but attackers were able to bypass it through social engineering used against their hosting company’s customer support personnel. We put security systems in place but continue to fall victim to bad decisions made by “helpful” humans.
There is a stronger option for securing your domain name, called a Registry Lock. This prevents any changes to the domain without going through a significant and sometimes paper-based form of proof-of-identity. But before you change to this level of protection, understand that this makes ANY changes to the domain space impossible without going through the Registry Lock process. This will prevent anyone, including authorized parties, from making domain changes from the Registrar’s web administration panel. This includes not just domain transfers, but also making changes to the DNS records for your domain that affect the location of your web server, provisioning of email services through Office365 or G-Suite, and changing CNAME or TXT records. Somebody in authority needs to keep track of the Registry Lock information that is required to prove your identity, for perhaps years. Email addresses and authorized administrators who leave the firm need to have their access cancelled, and their replacements authorized through this same paper process.
In many ways this is similar to choosing between a Credit Alert and a Credit Freeze with the major credit bureaus. I have been using a Credit Freeze since the Equifax breach, and every time I apply for a line of credit, I bump into the Credit Freeze and have to go online and temporarily remove it. At least the entire process can be managed online.
I have provided some links to more information if this is an idea you think may be right for you. As hard as it will be to set up, it will be much harder to cancel should you decide at a later date that this is too large a burden to bear. Making trivial changes to your DNS records in support of email and IP telephony will be more difficult, as will moving your web server from one cloud host to another, or actually moving your domain name to a different registrar.
Think about this one before you pull the trigger, especially the need to keep the necessary proofs and records over an extended time frame with changing personnel. This is not a trivial decision.
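To see which of the two protections a domain has today, you can read the EPP status codes in its WHOIS record. The following is an added example, not part of the original post: it assumes WHOIS text with "Domain Status:" lines and treats a Registry Lock as the presence of all three registry-set `server...Prohibited` codes (the exact set can vary by registry); the sample records are constructed.

```python
import re

# Registry-set EPP status codes. Assumption: a Registry Lock shows all three.
SERVER_LOCKS = {"servertransferprohibited", "serverupdateprohibited",
                "serverdeleteprohibited"}
STATUS_LINE = re.compile(r"^[ \t]*(?:Domain )?Status:[ \t]*(\S.*)$", re.I | re.M)

def parse_statuses(whois_text):
    """Return the normalised EPP status codes found in WHOIS text."""
    statuses = set()
    for value in STATUS_LINE.findall(whois_text):
        # Drop the trailing icann.org URL, then fold the WHOIS spelling
        # (clientTransferProhibited) and the RDAP spelling
        # (client transfer prohibited) into one lowercase token.
        code = re.split(r"\s+https?://", value.strip())[0]
        statuses.add(re.sub(r"\s+", "", code).lower())
    return statuses

def lock_report(whois_text):
    """Return (level, missing registry-set codes) for one domain."""
    statuses = parse_statuses(whois_text)
    missing = sorted(SERVER_LOCKS - statuses)
    if not missing:
        level = "registry-lock"
    elif "clienttransferprohibited" in statuses:
        level = "registrar-lock-only"  # the ordinary "domain lock"
    else:
        level = "unlocked"
    return level, missing

# Constructed sample WHOIS output (not real lookups).
SAMPLE_REGISTRAR_ONLY = """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""
SAMPLE_REGISTRY_LOCKED = """\
Domain Name: EXAMPLE.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

if __name__ == "__main__":
    for name, text in [("example.com", SAMPLE_REGISTRAR_ONLY),
                       ("example.net", SAMPLE_REGISTRY_LOCKED)]:
        print(name, *lock_report(text))
```

A result of `registrar-lock-only` is the situation described at the top of this post: the lock can be lifted by anyone who gains control of the registrar account or persuades its support staff.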
- Krebs on Security – Does Your Domain Have a Registry Lock?
- Brian Krebs on Twitter
- Registrar-Lock – Wikipedia
- About Locked Domain – ICANN