Don’t Use Personal Email Addresses
Personal email addresses should never be used as points of contact for corporate, governmental, or organizational domain administrators. As part of the review process, make sure personal email addresses are never used for domain contact information or registrar access accounts.
Using an employee’s personal email address (e.g. email@example.com) as a point of contact effectively hands over control of the domain to that employee. In addition to the fact that you don’t know what sort of security practices your employees use on their personal email accounts, you’re opening yourself up to retaliatory action by a disgruntled current or former employee. All your domain contact points should include email addresses controlled by your organization, or a parent organization.
Using an employee’s organizational or corporate email address (e.g. should also be avoided. Providing the names of individuals involved in the administration of corporate domain names exposes them to an increased risk of social engineering and spear-phishing attacks aimed at the company. Instead, use role-based or department-based names (, ideally with several users receiving communications sent to those addresses.
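As an added example of the review check described above (not code from the original article), the following Python script classifies each registrar contact address as a role mailbox, an individual's named address, or an address on a domain the organization does not control. The organization-controlled mail domains (ORG_MAIL_DOMAINS), the accepted role mailbox names (ROLE_LOCAL_PARTS) and the sample contact export are all assumptions constructed for the example.

```python
import re

# Assumed for this example: mail domains the organization controls, and the
# local parts it accepts as role- or department-based mailboxes.
ORG_MAIL_DOMAINS = {"example.org", "corp.example.org"}
ROLE_LOCAL_PARTS = {"hostmaster", "dns-admin", "domains", "noc", "postmaster", "it-security"}

EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def classify_contact(email):
    """Return 'role', 'individual', 'external' or 'invalid' for one contact address."""
    m = EMAIL_RE.match(email.strip().lower())
    if not m:
        return "invalid"
    local, domain = m.groups()
    if domain not in ORG_MAIL_DOMAINS:
        # Personal providers, or any domain the organization does not control.
        return "external"
    if local in ROLE_LOCAL_PARTS:
        return "role"
    # On a controlled domain but not a role mailbox: names an individual.
    return "individual"


def audit_contacts(records):
    """records: iterable of (domain, contact_type, email).

    Returns the contacts that are not role-based, as (domain, type, email, verdict)."""
    findings = []
    for domain, contact_type, email in records:
        verdict = classify_contact(email)
        if verdict != "role":
            findings.append((domain, contact_type, email, verdict))
    return findings


# Constructed sample data in the shape of a contact export from a registrar portal.
SAMPLE_CONTACTS = [
    ("example.org", "registrant", "hostmaster@example.org"),
    ("example.org", "admin", "jane.doe@gmail.com"),
    ("example.org", "tech", "jane.doe@example.org"),
    ("shop.example.org", "admin", "dns-admin@corp.example.org"),
    ("shop.example.org", "tech", "not-an-address"),
]

if __name__ == "__main__":
    for domain, contact_type, email, verdict in audit_contacts(SAMPLE_CONTACTS):
        print(f"{domain}: {contact_type} contact {email} -> {verdict}")
```

Any finding other than `role` should be fixed at the registrar before the audit is closed; the same check can be run against registrar login accounts, which the text above says should likewise never be tied to personal addresses.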
Protect against Phishing Attacks
Phishing is one of the major attacks used to compromise registrar accounts. Phishing attacks against your DNS administrators should be expected, so a comprehensive phishing defense is imperative. The following suite of anti-phishing techniques can provide effective protection against phishing attacks.
Use generic, role-based or department-based email addresses, such as firstname.lastname@example.org. Phishing emails which arrive in a role-based account are often easier for administrators to spot.
Include anti-phishing training in your annual security review, and require all DNS administrators to complete the training.
Deploy endpoint security software and enforce security policies on all the devices used by the DNS administrators (as well as everyone in your organization).
Deploy an email filtering service to help prevent some common phishing and malware attacks on your DNS administrators as well as the rest of your organization.
Filter DNS queries to prevent employees from visiting known phishing sites. Tools like Akamai’s Enterprise Threat Protector (ETP) provide enterprise security at the DNS level.
There is no “silver bullet” to stop phishing attacks, but adopting the right combination of defenses for your organization will help limit the risk.
Credential Updates – Change the Passwords
Regular password changes are good practice for all online accounts, and domain name registrar accounts are no exception. When performing an audit of your DNS infrastructure, ask everyone with registrar access to rotate their credentials. While your organization may have a comprehensive password policy, it’s common to overlook external services like your registrar. External accounts should be subject to your internal password security guidelines and rotation schedule. Passwords for registrar accounts should be long and complex; the use of a password manager can make it easy to generate and store complex passwords in an encrypted, redundant and findable way. Passwords should never be written down or stored in an unencrypted form.
Two-Factor Authentication (2FA) for Registrar Accounts
When supported by your registrar, two-factor authentication (2FA) should be required for all accounts. With 2FA, anyone attempting to log in to the registrar will need not only the account password, but a second factor such as a smartphone application or hardware token. 2FA can thwart what might otherwise have been a successful phishing attempt.
When possible, SMS-based 2FA should be avoided. SMS-based 2FA is still better than accounts secured only with passwords, but other methods such as Time-based One-Time Passwords (TOTP), hardware tokens, or push-based 2FA should be preferred. New Digital Identity Guidelines from NIST recommend that SMS as part of 2FA should be deprecated (see NIST Special Publication 800-63B).
If your registrar doesn’t support 2FA, request this feature. If they’re not receptive to your concerns, consider exploring alternative registrars. In many cases, there are competing domain registrars for the same TLDs, ccTLDs, and gTLDs.