The Spamhaus Project

best-practice

10 DNS best practices to keep your Domain Reputation in check

Poor DNS hygiene can leave your organization vulnerable to threats like subDoMailing, DNS spoofing, domain hijacking and other threats. In addition to putting domain security at risk, these vulnerabilities can have long-term effects on domain reputation. Here are ten DNS best practices businesses can implement to protect their domains and their entire business.

by The Spamhaus TeamSeptember 30, 20245 minutes reading time

Jump to

Introduction

Meet Nexora Dynamics. A medium-sized (fictional) tech company with ambitious expansion plans to enhance its online footprint. Unfortunately, while migrating to a new CRM platform, they overlooked a CNAME record pointing to an expired third-party service. Cybercriminals have since exploited this domain, setting up a phishing site under the company’s trusted domain. The result? Customers fell prey to scams, the company's credibility took a nosedive, and revenue was lost. This incident, known as subdomain hijacking, could have been avoided with proper DNS security measures.

In this blog, we’ll explore how businesses can protect their domain reputation and avoid Nexora Dynamics fate.

Make your Domain Reputation a priority

Domain reputation, as the name implies, reflects how trustworthy your domain is. It’s a key factor in determining if, when, and how users and systems should interact with your domain.

Consider the incident in our example: it highlights how an exploit can impact not just the abused parts but the entire domain’s reputation. When your domain is compromised, it’s also likely to end up on blocklists maintained by Domain Reputation providers, such as Spamhaus’ Domain Blocklist.

When our fictional company neglected its DNS configuration, particularly the dangling DNS entry, it left itself wide open to vulnerabilities such as SubDoMailing, DNS spoofing, or, in this case, domain hijacking. These types of threats put a domain’s security at risk and can have long-lasting impacts on its reputation.

10 DNS security essentials

To protect against threats like Nexora Dynamics faced, businesses need to adopt a comprehensive DNS security strategy. This involves following best practices, being alert to potential routes of compromise, and implementing proper DNS security procedures.

Let’s look at ten strategies the company should have implemented:

1 - Choose reputable and secure providers to host and manage your domain. Take into consideration the neighborhood you are setting up in. Domains are business assets that need to be protected. Spamhaus’ reputation statistics provide insight into reputable registrars and networks so you can make informed decisions.

2 - Configure DNS servers properly and document procedures, keeping them up-to-date to reflect changes. It’s also essential to actively review DNS logs to identify suspicious activities that may indicate an attack. Authoritative nameservers can be misused in DDoS attacks as reflectors if your configuration isn’t tuned correctly. Keep software up-to-date and settings updated according to best practices.

Alternatively, host your authoritative DNS at a hosting provider specializing in this. Make sure that your chosen hosting provider supports all the features you need, such as different record types and API access to modify DNS records.

3 - Configure SPF, DKIM, and DMARC email authentication to verify the legitimacy of emails and reduce the risk of phishing attacks and other mail-borne threats. For a more indepth look at this read, 'Authentication and encryption for email.'

4 - Adopt and properly configure DNSSEC (Domain Name System Security Extensions). By adding cryptographic signatures, DNSSEC ensures that responses are authentic, preventing attackers from modifying DNS data.

5 - Maintain an inventory of domain registrations and ensure each domain’s purpose is documented. Set up notifications for domain renewals and SSL certificate expiry dates to avoid security risks or domains falling into the wrong hands.

6 - Regularly audit your DNS records to ensure they're accurate and remove outdated entries that could be points of vulnerability. Pay special attention to CNAME records and NS records pointing to other domains. Remove any that are no longer needed, or where the remote domain no longer exists. It's also important to remove unnecessary TXT records, especially from the bare domain.

7 - Build robust DNS policies specifically in relation to deletion and registration. From restrictions on access to zone files, to deleting a domain name and removing it from the active zone, these policies play a huge role in DNS hygiene. If you'd like to learn more, Prudence Malinki, Head of Industry Relations at Markmonitor, shares her advice on the role policy can play in ensuring DNS security here.

8 - Activate registry lock to prevent unauthorized domain modifications and safeguard against domain hijacking. Not all domain owners do this since it comes at an additional cost, however protecting valuable domain assets is a worthwhile investment.

9 - Train your teams including network admins, IT security professionals, and system administrators on DNS concepts, security techniques, monitoring, compliance. Equip them with the skills they need to implement security changes. DNS changes should only be made by a few individuals in the organization, therefore access should be limited accordingly.

10 - Invest in automated solutions to manage common DNS tasks, including updating SOA serial numbers and notifying secondary DNS servers of zone data changes. When you enable DNSSEC, a number of repetitive tasks are essential, especially around key rotation. Choosing a product that can automate these tasks minimizes the chance of mistakes.

And specifically for your Domain’s Reputation?

Implementing the ten strategies highlighted and taking steps to secure your DNS is in itself a positive indicator of reputation. It also signals that your business takes security seriously. Nevertheless, in the example, automated monitoring tools might have highlighted the change in domain reputation earlier, prompting Nexora Dynamics to investigate further.

If there is one lesson to learn from Nexora Dynamics’ experience, it’s this: DNS security is not optional. It is essential to maintaining a good reputation and ensuring the trust of your customers. Making DNS security a priority not only protects your domain but your entire business.