Protect Your Domain Name

Publication:

Orange County Lawyer Magazine

Date:

September 2006

Author:

Jeff Lenning

An often overlooked computer security issue is protecting your firm’s (and your clients’) domain name. Your firm’s domain name is your address on the internet, and has likely become extremely important to your firm’s day to day operations. For example, it helps direct email intended for you to your email server, and web traffic to your web server. The loss of your domain name would no doubt severely impact your business and its communication. Thus, it is important to understand the risks associated with domain registrations, and techniques that can be used to mitigate those risks.

OWN VS RENT?
Prior to diving into the risks, it is first important to understand how the domain name system works, at least at a high level. One common misconception is that you (or your firm) “owns” the domain name. This is not true as nobody truly “owns” domain names. Rather, an entity obtains the right to use the domain name for a period of time, generally 1 year. At the end of the year, many domain names are renewed, and some are not.To obtain the right to use a particular domain name, an entity (such as your firm) contacts one of many “Registrars” who officially registers the domain name on behalf of the “Registrant” and sets it up on the internet for use.Since there are many Registrars providing varying levels of services at various prices, a Registrant may want to keep their domain name but change the Registrar. In those cases, the domain is “transferred” from one Registrar to another.
Risks
Now that we have a basic understanding of the domain name system, it is time to identify the risks. Specifically, we will explore the following risks as well as various techniques for mitigating them:
  • Domain Name Expiration
  • Outdated Whois Information
  • Unauthorized or Unintentional Transfers
  • DNS Hacking
  • Trademark Infringement

Domain Name Expiration
As we discussed above, an organization does not actually own a domain name rather they obtain the right to use it for a period of time. If an organization is not diligent in their renewal process, they may unintentionally let their domain expire. Once a domain has expired, it goes back into the pool for registration by the general public. The natural consequence of letting your domain name expire is that another organization may register it. Once another organization registers the domain, it is extremely difficult to get back. In order to get it back, you would probably be willing to pay some amount of cash. In fact, that is how some people earn a living, by quickly registering expired domain names and holding them “ransom.”To mitigate the risk of domain name expiration, here are some techniques.
  • Set your domain to “auto-renew.” Many Registrars offer an auto-renewal service that will automatically bill your credit card. It is important however to keep your credit card and contact information current with your Registrar.
  • Register (or renew) your domain name for a longer period of time than 1 year, for example 9 years.
  • Outsource the renewal-management responsibility to a third-party domain name management service provider
A related issue regarding expiring domains is “best efforts” domain registration. I will use a real world example of something that happened to me a few months ago. Our firm is working on a new product and we wanted a new domain name. I registered osapps.net and osapps.org however osapps.com was taken. As I was waiting patiently for osapps.com to expire, I received an email from a company I had never done business with offering to register osapps.com. That is funny I thought to myself, how would they know I want osapps.com? Out of curiosity, I went to their website, and it clearly indicated they would register osapps.com for me, for the price of $200. (Most registrars charge approximately $35 per year). Even though $200 was high, I really wanted the domain. Prior to submitting my credit card information however, I researched this company’s name on Google. As I quickly learned, it was a scam. I went back to the website and more carefully read their terms of service. For $200 they promise to try to get the domain name, but if they fail, they keep the fee. As it turns out, I waited until the domain eventually expired, and I was able to register the domain and now I have it.

Outdated Whois Information
Many Registrars send email notifications about the domain name from time to time, especially when a domain is about to expire. However, in order to actually receive those notices, your “whois” record must be kept current and up to date. (The whois record is simply documentation about the current Registrant.) In addition, if you have lost the login information to your Registrar’s website, the Registrar will often require you to prove that you are in fact the Registrant (as documented in the whois). If a third party has registered your domain name for you, it is important to make sure your firm is the Registrant. One of our clients had their former IT Consultant register their domain name for them. When my client fired the former IT Consultant, he would not release the domain name claiming that it was his domain name. An inspection of the Registrant of record (whois) indicated it was in fact registered to the former IT Consultant. Thus, my client was unable to get the domain name back and was forced to register a new domain name and update all website and email information.If you want to see the whois information for any domain, simply go to one of many websites that perform whois lookups and enter the domain name. There are many sites that provide whois lookups, some examples are netsol.com, ajaxwhois.com and easywhois.com. Techniques to ensure your whois record is current:
  • Periodically review your whois record
  • Outsource domain name management services to provider

Unauthorized or Unintentional Transfers
Another risk is unauthorized or unintentional transfers. Risks associated with transfers include losing control over the domain entirely. In essence, anyone can initiate a transfer request. For example, I could initiate a transfer request of your domain name right now. If the transfer succeeded, I would have complete control over your domain. Whether or not the transfer would succeed depends on several factors. If you are the type of person that ignores emails from your Registrar, dismissing them as unimportant, the chances of my transfer request being approved is increased. In addition, if you are not really sure about how domain name registration works, and you receive an email from your Registrar and assume that you should approve the email since it is coming from your trusted Registrar, then the chances of my transfer request greatly increases.Techniques:
  • Domain lock. Many Registrars allow you to “lock” the domain. A domain that is in a locked state will automatically and immediately deny any transfer requests. We recommend locking all of your domains to prevent unintentional or unauthorized transfers.
  • Know your Registrar. Some Registrars will send you a “renewal” notice in the mail leading you to believe that you are simply renewing your domain when in reality it is authorization to transfer your domain to that registrar.
Another related issue is the tactics used by some questionable Registrars. They will send paper letters to domain Registrants prior to the domain’s expiration date. They will then indicate in their letter that if you wish to renew with them, simply sign and return the letter with payment. This actually authorizes them to transfer the domain from your current Registrar to them. Many “fall” for this because they don’t even know who their current Registrar is. Be careful of these tactics.

DNS Hacking
The term “DNS Hacking” refers to unauthorized modifications to your domain settings. This type of hacking can result in bad things happening, including loss of internet services (website and email).As an example of DNS Hacking, I will use something that happened to my domain a few years ago. The short story is this: an unauthorized person hacked into the domain name registrar that registered clickconsulting.com for me. What their hack did was essentially route all internet traffic destined for my webserver to the user’s local computer. This essentially pulled my website offline for a short time until I could restore the settings. I immediately transferred my domain to a more reputable Registrar than the “low cost” registrar I had used.Here are techniques for reducing the risk of DNS Hacks:
  • Use a reputable and secure Registrar
  • Implement domain name locking
  • Use a reputable DNS hosting company
  • Use complex passwords for all Registrar and DNS hosting portals
  • Do not give out the password for your domain name to outside consultants

Trademark Infringement
In addition to the risks discussed above regarding your firm’s current domain name, there are issues regarding domain names you do not currently use. There are several “generic top level domains,” examples of which are .com, .net and .org. There are also country coded top level domains, like .uk and .au. Let’s say you are Disney, and you have a US trademark on the word “Disney”, and you register the domain names disney.com, disney.net, and disney.org. As many companies do, Disney neglects to consider the country coded domains, and therefore does not register them. Now, someone in Australia registers disney.com.au. In this instance, Disney wants to protect their brand and trademark and so they would try to acquire disney.com.au from the current Registrant.To avoid this type of issue, consider registering your trademark names as domain names with the various top level domains.

Conclusion

Domain name stability is something most companies take for granted. They do not understand the risks and the techniques to mitigate those risks. Hopefully, the above information will help you to secure and protect your firm’s internet domain name.

This article was written by Jeff Lenning