Home / Industry

Preventing Your DNS Account from Being Hacked

Recent years have brought a plague of attacks targeting your ability to do business online. Whether in the form of distributed denial of service attack (DDoS), spam, phishing, or Facebook and Twitter scams. Likely the most disturbing issue for e-commerce organizations has been the growing prevalence of DDoS attacks waged to interrupt their business, or worse, to extort money. 2010 has inaugurated a new type of attack, wearing an old disguise — hijacking your managed DNS by compromising your e-mail account.

We have known that e-mail addresses have been vulnerable for years. Those of us in the technical industry especially cringe every time your company rolls out a new Web application using an "I forgot my password" feature. But you accept it anyway because you know your users won't remember their password.

It hurts when that exploit happens to you.

With cloud based e-mail services, access to your e-mail address can be more easily intercepted than behind a corporate firewall. The ability to then also send a "forgot password" request to that same compromised email address adds pain to misery when you have been attacked.

This is exactly what happened to Twitter and Baidu when their DNS was compromised and switched to point to a group claiming themselves as the "Iranian Cyber Army."

DNS services are frequently outsourced because most organizations don't have the expertise to manage their own DNS, nor the capital to invest in the infrastructure required to provide global resiliency and fast resolution at the same time as withstand 40 GB+ size DDoS attacks daily. The key is for you to know who you can trust to protect yourself from being hijacked and guarantee that your DNS stays up 100% of the time.

For our own customers' piece of mind, Afilias has built a number of protections into our managed DNS service. We think these are the minimum criteria that managed DNS organizations should follow when a Web portal is used to manage your DNS settings.

Restrict access

You should restrict access to your DNS Web portal by IP address. While this might limit usability if a staff member is traveling, it ensures that if your e-mail account is compromised that the attacker cannot log-in from an IP address that is not already specified on your account.

Vary user permissions

You should vary the types of permissions allowed to users in the system. That means that not every account should have read and write access. This lowers the probability that, if attackers are able to compromise your e-mail and get your password for your DNS account, that they will have the ability to actually change something.

Afilias allows you to set user groups, to easily set user restrictions to multiple users at a time.

Also ensuring you have more than one account with access to make changes ensures that someone can correct a problem or suspend a compromised account quickly.

Out of band security alerts

E-mail alerts are great, but not if the e-mail account they are sent to is compromised. We offer a unique feature where you can also require an SMS token for password resets. This sends a unique code to your mobile phone that must be used in conjunction with the password reset link you get in your e-mail.

In this case you have the convenience of resetting your password if you forget it, but a attacker would also have to compromise your mobile phone to be able to get into your managed DNS account.

Lock-outs to stop script attacks

Some attackers just want to brute force script an attack to guess your password. A best practice standard is to deploy lock-outs for failed login and password reset attempts. Afilias sets its threshold fairly low at just 6 attempts.

If you lock yourself out, you always have phone support to reset your password — better safe than sorry!

Written by John L. Kane, Vice President, Corporate Services at Afilias.

About Afilias


Afilias is the world's second largest domain registry, with more than 20 million names under management. Afilias powers a greater variety of top-level domains than any other provider, and will soon support hundreds of new TLDs now preparing for launch. Afilias' specialized technology makes Internet addresses more accessible and useful through a wide range of applications, including Internet domain registry services, Managed DNS and mobile Web services like goMobi® and DeviceAtlas®. Learn More

Related topics: Cyberattack, Cybercrime, DDoS, DNS, Email, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Related Blogs

Related News


Industry Updates – Sponsored Posts

To Where are Bounce Messages Sent?

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

An Open Source Perspective on Commercial MTAs

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Five Essential PowerMTA Configuration Tips

Protect Your Privacy - Opt Out of Public DNS Data Collection

What's New With Port25's PowerMTA v4.5

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Measuring DNS Performance for the User Experience

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Internet Grows to 296 Million Domain Names in Q2 2015

New Feature in PowerMTA v4.5: IP Based Rate Limiting

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Announcing Verisign IntelGraph: Unprecedented Context for Cybersecurity Intelligence

The Deep Web and the Darknet - The Nether Regions of the Internet

Case Study: Emergency Response Systems Rely on Timely Messaging Through PowerMTA

Port25 Announces Next Major Release of Its Email Delivery Solution, PowerMTA

Introducing the Verisign DNS Firewall

Sponsored Topics