Securing your domain
You would not leave your shop unlocked overnight. You should treat your website the same way. Mick Begley, IE Domain Registry Technical Services Manager writes.
A domain name is effectively your online shop window. It is your place of business and it is how people find and trade with you online. In order for them to do business with you they need to trust you. As a customer, you would be less likely to walk into a shop with a broken window or an alarm going off constantly.
The same principle applies to your online presence. It is important that your online shop window is as secure as any bricks and mortar shop would be. Do you have an alarm? Is there a shutter protecting your window? Have you locked the front door?
Looking at the ‘door’ to your online shop, some hackers now attempt to setup their own hacked version of your shop front. This might look exactly like your website and the hackers’ hope is that customers will come through your front door but actually end up in their ‘shop’. From here, the hacker can compromise your customers by taking their credit card details and accepting payments for counterfeit or even non-existent goods or services. Another type of attack is where a hacker gains access to your website and defaces your shopfront to display a political message or points at a rival’s site in order to damage your business.
So how can you protect your website from these types of compromises? In this article we look at two particular tools that can be used to protect you, namely DNSSEC and Registry Lock. In order to protect your website, it is important to understand how the Domain Name Server (DNS) system works.
What is the DNS?
The DNS (Domain Name Server) System could be described as the phonebook or Yellow Pages of the Internet. Anytime a user browses to a website or sends an email, their route is determined by the DNS. Simply put, the DNS translates a human language alphanumeric website address into the correct IP address (e.g. 176.176.88.25) which computers use to make sure that the user ends up on the correct webpage.
Given that DNS is so fundamentally important to our daily use of the Internet, it can be an attractive target for an attacker to subvert or hijack. By default, most user queries go through a DNS server from their Internet Service Provider (ISP), which will cache, or store, the queried domain names for a set period.
“Given that DNS is so fundamentally important to our daily use of the Internet, it can be an attractive target for an attacker to subvert or hijack.”
So what is DNSSEC and how can it protect my website?
One way that a domain holder can help to prevent identity theft or phishing attacks on their website or email addresses is to implement DNSSEC on their DNS servers. DNSSEC creates a chain of trust, which allows the end-user to be sure that their query for a specific domain name is coming from the actual DNS servers that are owned and maintained by the domain holder. In our example above, if the ISP implements DNSSEC then every new query that enters their cache is automatically checked against this DNSSEC chain of trust to make sure that www.example.ie is actually the website that it’s claiming to be. Any invalid entries that have been injected by an attacker will be automatically rejected and flagged to the user.
A comparison could be made between DNSSEC and the certificate that the Revenue Commissioners issue for users of the Revenue Online Service (ROS). If you, as a user of ROS, do not have the certificate installed in your browser you cannot log into ROS. Even if you have the correct login details and know your password, you still will not be able to log into ROS without having the certificate installed in your browser. The presence of a valid ROS certificate provides a chain of trust, verifying that you are who you say you are. DNSSEC does the same thing for your website.
It allows the end-user to verify that the DNS query is being answered by a verified source (e.g. a DNS server owned by domain holder) and not one owned by a malicious third party. Having DNSSEC on your website provides protection against potential DNS poisoning attacks.
What other ways can I be compromised and how can I stop them? What is Registry Lock?
Your DNS information/IP address could be stored with a third party, such as your website designer or a registrar that hosts your servers. If a hacker manages to compromise that third party, then there is another type of hack they can implement. The hacker could redirect traffic intended for your site to a compromised system. So a user typing in www.example.ie would get redirected to any site the hacker wants such as www.HackerNews.com.
You can protect against this type of hack by implementing Registry Lock. This tool introduces manual verification of particular changes to your account. A domain that is under Registry Lock will be protected from changes of DNS IP address and Name Server or contact information changes. Verbal permission from the domain holder is required, in the form of a secure personal passphrase, provided over the phone to staff of the Registry.
You could think of Registry Lock as being similar to having a concierge that knows you, and follows your (and only your) requests when it comes to making changes to your shop. So if someone looks for access to change anything in your shop or move it somewhere, then the concierge will ask for your permission before he will allow access to your shop. Similarly, Registry Lock prevents any changes without the personal passphrase being provided to the registry, over the phone.
The great thing about Registry Lock is that it also protects the third party company who may be hosting your website and managing your DNS. If they had a security issue or intrusion, it would make it impossible for your DNS information to be changed, as the personal passphrase would be needed.
For more information please visit: www.iedr.ie/security
Mick Begley is the Technical Services Manager at IE Domain Registry CLG (IEDR), www.iedr.ie. The IEDR is the registry for .ie Internet domain names and maintains the database of .ie registered domain names.