The Spamhaus Project

The secret to secure DNS? It’s all in the policies

Following our recent investigations into the dangers of subdomain hijacking, we caught up with Prudence Malinki, Head of Industry Relations at Markmonitor, for some wise words of advice on the role policy can play in ensuring your DNS is secure.

by Prudence Malinki, October 04, 2024 (4 minutes reading time)

Introduction

After nearly a decade working at one of the top corporate registrars in the world, I've seen firsthand how a well-crafted domain name policy can be a game-changer. It doesn’t just make managing your portfolio smoother and more cost-effective; it can also strengthen security and minimize the scope of compromised accounts, domains and DNS.

Why Domain Name Policies Matter

Before discussing the nuances of a good DNS policy and strategy, let’s first look at why these policies exist and why they are essential, which requires some context on corporate domain name portfolios.

Large multinational corporations have complex portfolios: they cover multiple TLDs across the globe, include domain names with large volumes of traffic passing through them, and trade in equally high volumes of revenue. Due to these distinct factors, corporate portfolios face additional risks.

If a critical domain name falls into the wrong hands, it can lead to massive revenue loss and irreparable damage to a company’s reputation and consumer trust. This is why having a correctly-crafted registration policy is so vital - it can protect and secure this often overlooked valuable business asset.

Creating a Registration Policy for Everyone

A solid registration policy can take many shapes depending on the company's size and business needs. One thing’s for sure: it is fundamental that all relevant stakeholders are involved in creating the policy and have visibility into it. Everyone - legal, technical, finance, and senior leadership - should not only have a say but also be in the loop. An inclusive policy ensures that no “rogue” registrations, deletions, or security practices occur in the business.

Policies aren’t “set it and forget it” documents; they need to evolve. Regular reviews by the same representatives and stakeholders of the business (with the guidance of a consultative or corporate registrar for the granular elements such as portal access, etc.) are a must.

This policy will also give visibility into any proposed plans for expanding or contracting the domain name portfolio, ensuring that the business maintains a “joined up” approach.

The Power of Policy

Registration policies play a huge role in DNS hygiene, from restrictions on who is granted access to the zone files, to administering the content of the domain name, to the deletion process flow regarding how a domain name is prepared for deletion and removed from the active zone.

When an effective domain policy is created, it minimizes compromised accounts, compromised domains, and unauthorized third-party actions. You can further enhance this layer of security on a domain name portfolio by aligning yourself with a registrar that has attained certified levels of security (ISO 27001 is an indication of trustworthy infrastructure) and that can also provide a consultative role in shaping and maintaining that policy.

Strengthen security with a Deletion Policy

Your deletion policy should explicitly account for the disengagement of any advertising or external marketing teams, including relinquishing administrative rights, access, or controls of any domain names under your portfolio. This also means cleansing and removing any or all records associated with domain names identified for deletion, including any additional domain names that may be forwarding or connected to the domain name.

These codified and standardized actions aren’t just about housekeeping - they significantly reduce the scope for subdomailing, wherein third parties gain access to host records of domain names that have not been correctly scrubbed of zone file data.
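
A pre-deletion check in the spirit of the deletion policy above, as an added example (not code from the original article, Markmonitor or Spamhaus): given an export of the portfolio's DNS records, it lists the records still inside the domain slated for deletion and the records in other zones that still point at it. All names and records are constructed, and treating CNAME, MX, NS, SRV and SPF include/redirect terms as the "connected" record types is an assumption.

```python
# Added example: pre-deletion audit of DNS records (constructed data, reserved names).
POINTER_TYPES = {"CNAME", "MX", "NS", "SRV"}  # assumption: rdata ends in a hostname

# Constructed export of the whole portfolio: (owner, type, rdata)
RECORDS = [
    ("campaign.example.", "A", "192.0.2.10"),
    ("www.campaign.example.", "CNAME", "host.agency.example."),
    ("promo.corp.example.", "CNAME", "www.campaign.example."),
    ("corp.example.", "MX", "10 mail.campaign.example."),
    ("corp.example.", "TXT", '"v=spf1 include:_spf.campaign.example -all"'),
    ("shop.corp.example.", "CNAME", "mycampaign.example."),  # look-alike, must not match
    ("www.corp.example.", "A", "192.0.2.20"),
]

def norm(name):
    return name.rstrip(".").lower()

def in_zone(name, apex):
    """True if name is the apex or a subdomain of it (match on a label boundary)."""
    name, apex = norm(name), norm(apex)
    return name == apex or name.endswith("." + apex)

def targets(rtype, rdata):
    """Hostnames a record refers to: pointer rdata, or SPF include:/redirect= terms."""
    if rtype in POINTER_TYPES:
        return [rdata.split()[-1]]
    text = rdata.strip('"')
    if rtype == "TXT" and text.lower().startswith("v=spf1"):
        terms = [t.lstrip("+-~?") for t in text.split()]
        return [t[len(p):] for t in terms
                for p in ("include:", "redirect=") if t.lower().startswith(p)]
    return []

def audit_deletion(records, doomed):
    """Return (own, inbound): records inside the doomed domain, records elsewhere pointing into it."""
    own, inbound = [], []
    for rec in records:
        owner, rtype, rdata = rec
        if in_zone(owner, doomed):
            own.append(rec)
        elif any(in_zone(t, doomed) for t in targets(rtype, rdata)):
            inbound.append(rec)
    return own, inbound

if __name__ == "__main__":
    own, inbound = audit_deletion(RECORDS, "campaign.example")
    for label, recs in (("remove from zone", own), ("repoint or remove first", inbound)):
        for rec in recs:
            print(f"{label}: {' '.join(rec)}")
```

An empty inbound list is the condition to meet before the domain is released; the look-alike `mycampaign.example` is deliberately not flagged because matching is done on label boundaries.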

Build your policy before it is needed

At first glance, creating such a robust policy may seem like a daunting prospect fraught with difficulties (such as corralling the relevant stakeholders and getting their consent to create such a policy). But trust me, it’s far better to be proactive in crafting such rules and safeguards than to react to a breach or security incident where your portfolio or account has been compromised for nefarious purposes.

As with most challenges, success comes from teaming up with the right people who can help you navigate such stormy weather. Luckily, there are plenty of reputable partners to help you create the best policy and working document for your business. With their help, hopefully you will avoid being in a position where you need to initiate your breach disclosure protocol with your infosec team. Prevention beats clean up every time!

Want to clean up your DNS? Here are ten DNS best practices you can implement to protect your domains and your entire business.
