Guidance
Good security practice for domain registrars
Principles to reduce the prevalence of malicious and abusive domain registrations.
Page 1 of 5

This guidance is for domain registrars and operators of Domain Name System (DNS) services. It sets out a set of principles, each with outcomes and recommendations that promote good practice, and aims to reduce the prevalence of malicious and abusive domain registrations.
It builds on existing industry good practice from international bodies such as ICANN and the NetBeacon Institute. It is consistent with other UK government guidance issued to registrars and other infrastructure service providers to tackle other issues such as fraud, extremist and illegal content.
Phishing is a common vector in many cyber attacks, and countering it remains a key challenge in cyber security. To enable phishing in the first place, malicious actors rely on obtaining misleading and fraudulent domains, or taking over legitimate domain names at scale.
Along with other internet infrastructure providers, DNS registrars have an important role to help counter domain abuses throughout their lifecycle by:
This guidance covers domain abuse as defined by the DNS Abuse Framework, which sets out five broad categories of harmful activity: malware, botnets, phishing, pharming, and spam (when spam acts as a delivery mechanism for the other forms of DNS abuse).
This guidance applies generally to the whole domain registration market, but how the principles are applied will vary across different market segments.
It is recognised that different organisations in the field of domain registration have different ways of working. Registrars are therefore split into two main categories and you should apply the principles that best apply to your business model. Note that these categories are generic, and some organisations may find that both fit. If this is the case for you, consider which principles and security measures are most appropriate for your business:


