Domain Security 101

Cloud Sep 7, 2021

Contents:

DNSSEC
CAA Record
Domain Transfer Lock
2FA
Auto-Renew
Email Security 101

DNSSEC

DNSSEC adds a layer of trust on top of the DNS system by adding cryptographic signatures to existing DNS records. This ensures the record wasn't modified, protecting against DNS injection and man-in-the-middle (MITM) attacks.

Cloudflare have a detailed post on DNSSEC here: https://www.cloudflare.com/dns/dnssec/how-dnssec-works/

CAA Record

CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names. - Let's Encrypt Docs

Example:
dig CAA cyberhost.uk

;; ANSWER SECTION:
cyberhost.uk.		600	IN	CAA	0 issue "letsencrypt.org"
cyberhost.uk.		600	IN	CAA	0 issue "sectigo.com"
cyberhost.uk.		600	IN	CAA	0 iodef "mailto:hidden@email.com" 

The above records allow for only Let's Encrypt and Sectigo* to issue certificates for cyberhost.uk. If a Certificate Authority that is not listed, tries to create a certificate it will fail and an email should be sent to hidden@email.com.

*Let's Encrypt is our main CA however this will failover to ZeroSSL (which uses sectigo), thanks to Caddy :)

Domain Transfer Lock

It's good practice to enable a Domain Transfer Lock this prevents domain hijacking where the domain is transferred to another register under the control of someone else.

This is typically a simple toggle in your domain registrar's control panel.

Use 2FA

To prevent your domain from being hijacked ensure that all accounts that are used to manage that domain has some form of 2FA.

Accounts:

  • Domain Registrar
  • DNS Management

Auto-Renew

It's simple don't let your domain expire and be purchased by someone else!

Email Domain Security 101

Alex Blackie has a simple guide on email domain security:
https://www.alexblackie.com/articles/email-authenticity-dkim-spf-dmarc/

Comments

Tags

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.