Home / Industry

Preventing Your DNS Account from Being Hacked

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.

Recent years have brought a plague of attacks targeting your ability to do business online. Whether in the form of distributed denial of service attack (DDoS), spam, phishing, or Facebook and Twitter scams. Likely the most disturbing issue for e-commerce organizations has been the growing prevalence of DDoS attacks waged to interrupt their business, or worse, to extort money. 2010 has inaugurated a new type of attack, wearing an old disguise — hijacking your managed DNS by compromising your e-mail account.

We have known that e-mail addresses have been vulnerable for years. Those of us in the technical industry especially cringe every time your company rolls out a new Web application using an "I forgot my password" feature. But you accept it anyway because you know your users won't remember their password.

It hurts when that exploit happens to you.

With cloud based e-mail services, access to your e-mail address can be more easily intercepted than behind a corporate firewall. The ability to then also send a "forgot password" request to that same compromised email address adds pain to misery when you have been attacked.

This is exactly what happened to Twitter and Baidu when their DNS was compromised and switched to point to a group claiming themselves as the "Iranian Cyber Army."

DNS services are frequently outsourced because most organizations don't have the expertise to manage their own DNS, nor the capital to invest in the infrastructure required to provide global resiliency and fast resolution at the same time as withstand 40 GB+ size DDoS attacks daily. The key is for you to know who you can trust to protect yourself from being hijacked and guarantee that your DNS stays up 100% of the time.

For our own customers' piece of mind, Afilias has built a number of protections into our managed DNS service. We think these are the minimum criteria that managed DNS organizations should follow when a Web portal is used to manage your DNS settings.

Restrict access

You should restrict access to your DNS Web portal by IP address. While this might limit usability if a staff member is traveling, it ensures that if your e-mail account is compromised that the attacker cannot log-in from an IP address that is not already specified on your account.

Vary user permissions

You should vary the types of permissions allowed to users in the system. That means that not every account should have read and write access. This lowers the probability that, if attackers are able to compromise your e-mail and get your password for your DNS account, that they will have the ability to actually change something.

Afilias allows you to set user groups, to easily set user restrictions to multiple users at a time.

Also ensuring you have more than one account with access to make changes ensures that someone can correct a problem or suspend a compromised account quickly.

Out of band security alerts

E-mail alerts are great, but not if the e-mail account they are sent to is compromised. We offer a unique feature where you can also require an SMS token for password resets. This sends a unique code to your mobile phone that must be used in conjunction with the password reset link you get in your e-mail.

In this case you have the convenience of resetting your password if you forget it, but a attacker would also have to compromise your mobile phone to be able to get into your managed DNS account.

Lock-outs to stop script attacks

Some attackers just want to brute force script an attack to guess your password. A best practice standard is to deploy lock-outs for failed login and password reset attempts. Afilias sets its threshold fairly low at just 6 attempts.

If you lock yourself out, you always have phone support to reset your password — better safe than sorry!

Written by John L. Kane, Vice President, Corporate Services at Afilias.


About Afilias – Afilias is the world's second largest domain registry, with more than 20 million names under management. Afilias powers a greater variety of top-level domains than any other provider, and will soon support hundreds of new TLDs now preparing for launch. Afilias' specialized technology makes Internet addresses more accessible and useful through a wide range of applications, including Internet domain registry services, Managed DNS and mobile Web services like goMobi® and DeviceAtlas®. Learn More

Related topics: Cyberattack, Cybercrime, DDoS, DNS, Email, Security


Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Port25 Announces Release of PowerMTA V4.5r5

Dyn Partners with the Internet Systems Consortium to Host Global F-Root Nameservers