Domain Security 101
Contents:
DNSSEC
CAA Record
Domain Transfer Lock
2FA
Auto-Renew
Email Security 101
DNSSEC
DNSSEC adds a layer of trust on top of the DNS system by adding cryptographic signatures to existing DNS records. This ensures the record wasn't modified, protecting against DNS injection and man-in-the-middle (MITM) attacks.
Cloudflare have a detailed post on DNSSEC here: https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
CAA Record
CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names. - Let's Encrypt Docs
Example:
dig CAA cyberhost.uk
;; ANSWER SECTION:
cyberhost.uk. 600 IN CAA 0 issue "letsencrypt.org"
cyberhost.uk. 600 IN CAA 0 issue "sectigo.com"
cyberhost.uk. 600 IN CAA 0 iodef "mailto:[email protected]"
The above records allow only Let's Encrypt and Sectigo* to issue certificates for cyberhost.uk. If a Certificate Authority that is not listed tries to issue a certificate, issuance will fail and an email should be sent to [email protected].
*Let's Encrypt is our main CA; however, thanks to Caddy, this will fail over to ZeroSSL (which uses Sectigo) :)
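As an added example (not part of the original post, which only shows the dig output), the following Python applies the CAA decision rules of RFC 8659 to records like the ones above: parse the answer section, decide whether a given CA may issue, and find where a refused CA should send its report. The sample records and the report address are constructed, and the code also covers the wildcard (issuewild) and issuer-critical-flag cases the page does not mention.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three CAA records shown on this page, with a placeholder iodef address.
SAMPLE_ANSWER = """\
cyberhost.uk. 600 IN CAA 0 issue "letsencrypt.org"
cyberhost.uk. 600 IN CAA 0 issue "sectigo.com"
cyberhost.uk. 600 IN CAA 0 iodef "mailto:caa-reports@example.com"
"""

# Matches one CAA line of dig's ANSWER SECTION: owner TTL IN CAA flags tag "value"
CAA_LINE = re.compile(r'^\S+\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 128  # RFC 8659 "issuer critical" bit

@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(answer: str) -> list[CAARecord]:
    """Parse dig-style CAA answer lines; lines that are not CAA records are ignored."""
    records = []
    for line in answer.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            records.append(CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records

def may_issue(records: list[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue, per RFC 8659."""
    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS for r in records):
        return False
    # issuewild applies only to wildcard names and, when present, overrides issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:  # no CAA records, or none of the relevant tag: CAA does not restrict issuance
        return True
    # The issuer domain is the part before any ';' parameters; an empty issuer (issue ";") allows no CA.
    allowed = {r.value.split(";")[0].strip().lower() for r in relevant}
    return ca_domain.lower() in allowed

def report_addresses(records: list[CAARecord]) -> list[str]:
    """Where a refused CA should send its report (the iodef records)."""
    return [r.value for r in records if r.tag == "iodef"]
```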
Domain Transfer Lock
It's good practice to enable a Domain Transfer Lock. This prevents domain hijacking, where the domain is transferred to another registrar under the control of someone else.
This is typically a simple toggle in your domain registrar's control panel.
Use 2FA
To prevent your domain from being hijacked, ensure that all accounts used to manage that domain have some form of 2FA.
Accounts:
- Domain Registrar
- DNS Management
Auto-Renew
It's simple: don't let your domain expire and be purchased by someone else! Enable auto-renew at your registrar.
Email Domain Security 101
Alex Blackie has a simple guide on email domain security:
https://www.alexblackie.com/articles/email-authenticity-dkim-spf-dmarc/