GovWire

Guidance: Keeping your domain name secure

Cabinet Office

14 June 2024, 15:47

Use this guidance if you're the nominated Technical Point of Contact responsible for the secure management of a .gov.uk domain name. The Technical Point of Contact must be someone from the Registrant's or Registrar's organisation.

If you've been issued a .gov.uk domain but are not technical, follow the guidance on how to get started with your .gov.uk domain.

Contact domainmanagement@digital.cabinet-office.gov.uk if you have any questions about the security of .gov.uk domains.

If attackers take partial or full control of a .gov.uk domain name they can:

  • intercept emails
  • send email impersonating public sector organisations
  • send your website visitors to inappropriate or illegal sites
  • trick users into handing over personal details such as credit card information
  • use your domain to access other digital services to cause critical national disruption

If the Domains Team contacts you to fix issues with a .gov.uk domain, you must fix them to help keep the public sector secure. The time frame for fixing an issue depends on its severity.

1. Make sure your domains are registry locked

The Domains Team is currently not taking any new Registry Lock applications as the process is undergoing a review due to the .gov.uk Registry migration. Existing .gov.uk domains that are already registry locked will continue using the current process.

Most organisations have a change control process to prevent unauthorised changes being made to domains. Despite this, changes can still be made by:

  • current or former staff in an organisation with the right credentials

  • anything that compromises your registrar's service

The Registry Lock service:

  • prevents unauthorised changes being made to .gov.uk domain records and contact details in the .gov.uk registry

  • notifies any relevant teams when changes to these records are made

The service will check any changes to the .gov.uk zone file for your domain as well as your contact details held at the registry. The zone file usually contains your name server records but can occasionally include other records as well. It will not prevent changes to individual DNS records like A, MX and TXT held with your DNS provider.

Registry Lock will not affect your day-to-day Domain Name System (DNS) management and only works for .gov.uk domains. For other domains you should check with your registrar.

2. Set up any services on the domain securely

If you set up email or websites on .gov.uk domains you must follow the guidance on how to:

When setting up digital services, additional laws and standards you must follow include:

3. Sign the domain up to Active Cyber Defence tools

The National Cyber Security Centre (NCSC) offers a number of free Active Cyber Defence (ACD) tools to public sector organisations.

Sign up your domain to the:

  • Mail Check service to help you adopt secure email standards

  • Web Check service to help you find and fix common vulnerabilities

Register your domain for the free Active Cyber Defence tools.

4. Renew domains on time

All .gov.uk Approved Registrars are required to contact Registrants approximately 30 days and 7 days before expiry.

A Registrar must not renew a domain without the explicit consent of a Registrant.

More information on renewals is available in the gov.uk Registry-Registrar Lifecycle Policy.

5. Check name servers are configured properly and working

Make sure all of your .gov.uk domains' name servers are:

  • using a valid domain name

  • active and responding

Always check name servers to make sure there are no spelling mistakes or typos in the record. Remove any inactive name servers as soon as possible.

Inactive or unresponsive name servers might cause traffic to services on your domain, including email and web, to work intermittently or stop working. If the inactive server is on an unregistered domain, your domain is also at a higher risk of hijacking: anyone can register that domain, stand up a name server under the same host name and answer queries for your domain.

6. Check name servers critical to your domain are locked

If any of the name servers for your domain depend on a second-level domain, make sure that domain is locked at the registry level if this service is available to you. Critical name servers are at higher risk of being compromised if they are not locked.

Example: The registrant is responsible for the domain name example.gov.uk.

This domain name uses the name server ns1.example.net provided by their supplier.

The supplier must make sure example.net is locked at the registry level.
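For a supplier's domain outside .gov.uk, such as example.net in the example above, the quickest way to confirm a registry-level lock is to read the domain's status values from RDAP: a registry lock shows up as the "server ... prohibited" statuses (RFC 8056 maps the EPP codes serverUpdateProhibited, serverDeleteProhibited and serverTransferProhibited to these), while "client ... prohibited" statuses are only registrar-side locks that anyone holding the registrar account can remove. The script below is an added example written for this page, not the Domains Team's or any registry's code; the rdap.org redirector used for live lookups and the sample RDAP objects are assumptions, and the sample data is constructed, not real registry output.

```python
import json
import urllib.request

# Registry-level locks as RDAP reports them. RFC 8056 maps the EPP status codes
# serverUpdateProhibited / serverDeleteProhibited / serverTransferProhibited to
# these lower-case, space-separated values. The "client ..." equivalents are set
# by the registrar, so anyone holding the registrar account can clear them.
REGISTRY_LOCKS = frozenset({
    "server update prohibited",
    "server delete prohibited",
    "server transfer prohibited",
})
REGISTRAR_LOCKS = frozenset({
    "client update prohibited",
    "client delete prohibited",
    "client transfer prohibited",
})


def lock_status(rdap_domain: dict) -> dict:
    """Classify the lock state of an RDAP domain object (its 'status' array, RFC 9083)."""
    present = {s.strip().lower() for s in rdap_domain.get("status", [])}
    return {
        "domain": rdap_domain.get("ldhName", "").lower(),
        "registry_locked": REGISTRY_LOCKS <= present,
        "missing_registry_locks": sorted(REGISTRY_LOCKS - present),
        "registrar_locks": sorted(REGISTRAR_LOCKS & present),
    }


def fetch_rdap(domain: str, timeout: float = 10.0) -> dict:
    """Live lookup (network required). Assumption: the rdap.org redirector, which
    forwards to the responsible registry's RDAP server using IANA bootstrap data."""
    req = urllib.request.Request(
        f"https://rdap.org/domain/{domain}",
        headers={"Accept": "application/rdap+json", "User-Agent": "ns-lock-check/1.0"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample RDAP objects (not real registry data), trimmed to the
# members this check reads. Status values are deliberately mixed case/order.
LOCKED_SUPPLIER = {
    "objectClassName": "domain",
    "ldhName": "EXAMPLE.NET",
    "status": ["client transfer prohibited", "client update prohibited",
               "client delete prohibited", "server transfer prohibited",
               "server update prohibited", "server delete prohibited"],
}
REGISTRAR_LOCK_ONLY = {
    "objectClassName": "domain",
    "ldhName": "example.org",
    "status": ["active", "client transfer prohibited"],
}

if __name__ == "__main__":
    for obj in (LOCKED_SUPPLIER, REGISTRAR_LOCK_ONLY):
        print(json.dumps(lock_status(obj)))
```

To check a real supplier domain, call `lock_status(fetch_rdap("example.net"))`; a result with `registry_locked` false and a non-empty `registrar_locks` list means the domain is only protected by credentials at the registrar, which is exactly the gap this section warns about.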

You should consider changing your registrar or supplier if you experience any ongoing issues with them. Follow our guidance on how to choose a good registrar.

7. Check name server records are resilient

Make sure every .gov.uk domain is set up with:

  • at least 2 name servers

  • all name servers resolving to a different IP address

Name servers should be spread across multiple physical locations for resilience, and administrators should have restricted privileges, for example limited to certain domains. Where possible, you should also make sure the name servers sit in different /24 subnets (historically called class C networks).

This will help you to make sure traffic to services on your domain, including email and web services, continue to work if a single name server, IP address or subnet goes down.

You should have multiple name servers registered against your domain, following IANA recommendations.
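The resilience checks in this section (at least two name servers, every server resolving, no shared addresses, and, where possible, no shared /24) can be verified mechanically. The script below is an added example for this page, not the Domains Team's tooling; it works on a mapping of name server host names to their addresses, the sample mapping is constructed rather than taken from any real domain, and the /48 used as the IPv6 equivalent of a /24 is an assumption.

```python
import ipaddress
import socket
from collections import defaultdict


def check_resilience(ns_addresses: dict) -> dict:
    """Check a delegation's name servers for the diversity the guidance asks for.

    ns_addresses maps each name server host to the IP literals it resolves to.
    errors   - things the guidance requires: at least 2 servers, every server
               resolving, no two servers on the same address.
    warnings - the "where possible" point: two servers inside the same /24
               (the old class C), or the same /48 for IPv6 (an assumption).
    """
    errors, warnings = [], []
    if len(ns_addresses) < 2:
        errors.append(f"only {len(ns_addresses)} name server(s); at least 2 are needed")
    hosts_by_ip = defaultdict(set)
    hosts_by_net, ips_by_net = defaultdict(set), defaultdict(set)
    for host, ips in ns_addresses.items():
        if not ips:
            errors.append(f"{host}: does not resolve to any address")
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            hosts_by_ip[addr].add(host)
            prefix = 24 if addr.version == 4 else 48
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            hosts_by_net[net].add(host)
            ips_by_net[net].add(addr)
    for addr, hosts in hosts_by_ip.items():
        if len(hosts) > 1:
            errors.append(f"{addr} is shared by {', '.join(sorted(hosts))}")
    for net, hosts in hosts_by_net.items():
        # distinct addresses in one subnet: separate machines, but one routing
        # or hosting failure domain (a shared address is already an error above)
        if len(hosts) > 1 and len(ips_by_net[net]) > 1:
            warnings.append(f"{net} contains {', '.join(sorted(hosts))}")
    return {"ok": not errors, "errors": errors, "warnings": warnings}


def resolve_all(nameservers) -> dict:
    """Live resolution (network required): feed it the host names printed by
    `dig +short NS example.gov.uk`, then pass the result to check_resilience."""
    result = {}
    for host in nameservers:
        try:
            infos = socket.getaddrinfo(host, 53, proto=socket.IPPROTO_UDP)
            result[host] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            result[host] = []
    return result


# Constructed samples (not real name servers): two servers in one /24, and a
# pair spread across different IPv4 and IPv6 networks.
SAME_SUBNET = {"ns1.example.net": ["192.0.2.10"], "ns2.example.net": ["192.0.2.20"]}
DIVERSE = {
    "ns1.example.net": ["192.0.2.10", "2001:db8:1::10"],
    "ns2.example.net": ["198.51.100.20", "2001:db8:2::20"],
}

if __name__ == "__main__":
    print(check_resilience(SAME_SUBNET))
    print(check_resilience(DIVERSE))
```

A single resolvable host name listed twice under different labels still fails the shared-address check, which is the case the "all name servers resolving to a different IP address" bullet is aimed at.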

8. Check delegation and authoritative name server records match

If the authoritative name server records in your domain's own zone (the NS records served by your DNS provider) do not match the delegation records held at the registry, there is a high risk of domain compromise or hijack.

To check your delegation and authoritative records match you should:

  1. Use a tool like the dig command to carry out a manual check to make sure all delegation and authoritative records match.

  2. Make sure there are no spelling mistakes in your name server records.

  3. Update name server records to match the registry level records if there is an incorrect record.

9. Check your name servers responses are consistent

Your name servers may be behaving inconsistently, for example by returning different NS or TXT records for the same query.

If your domain's name server records are inconsistent, there is an increased risk of your domain being hijacked. Traffic to services on your domain, including email and web, could also:

  • send traffic to the wrong place

  • work intermittently

  • stop working altogether

To make sure all your name server records are consistent you should check that all name servers:

  • respond with the same records and there are no spelling or numerical mistakes

  • serve the same name server (N
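The manual dig checks in sections 8 and 9 (delegation records matching the authoritative records, and every name server answering with the same records) share the same parsing, so one script covers both. It is an added example written for this page, not the Domains Team's tooling or the dig command's own output handling. It compares the NS set the registry hands out against the NS set each name server serves, then checks that all servers answer and agree on their NS set and SOA serial, so a stale or mistyped copy of the zone is reported. The sample answers are constructed, not captured from example.gov.uk, and the dig command lines in the live helper are the ones assumed for collecting real answers.

```python
import subprocess
from typing import Optional


def parse_rrset(text: Optional[str], rrtype: str = "NS") -> Optional[frozenset]:
    """Normalise dig output into a set of lowercase rdata strings without trailing dots.

    Accepts `dig +short` lines (rdata only) and full-format lines
    (`owner TTL IN TYPE rdata`, as printed by +noall +answer / +authority).
    None means no usable answer (timeout, SERVFAIL, dig not installed).
    """
    if text is None:
        return None
    rdata = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        if len(fields) >= 5 and fields[3].upper() == rrtype.upper():
            fields = fields[4:]          # drop owner, TTL, class and type
        rdata.add(" ".join(fields).lower().rstrip("."))
    return frozenset(rdata)


def soa_serial(text: Optional[str]) -> Optional[int]:
    """Serial number (third rdata field) from a SOA answer, or None."""
    rrs = parse_rrset(text, "SOA")
    if not rrs:
        return None
    fields = next(iter(rrs)).split()
    return int(fields[2]) if len(fields) > 2 and fields[2].isdigit() else None


def check_delegation(registry_answer: Optional[str], zone_answer: Optional[str]) -> dict:
    """Section 8: NS set at the registry (parent) versus NS set in the zone (child)."""
    registry = parse_rrset(registry_answer) or frozenset()
    zone = parse_rrset(zone_answer) or frozenset()
    return {"match": bool(registry) and registry == zone,
            "only_at_registry": sorted(registry - zone),
            "only_in_zone": sorted(zone - registry)}


def check_consistency(per_server: dict) -> dict:
    """Section 9: every server must answer, with the same NS set and SOA serial."""
    ns_sets, serials, findings = {}, {}, []
    for server, answers in sorted(per_server.items()):
        ns = parse_rrset(answers.get("NS"))
        serial = soa_serial(answers.get("SOA"))
        if not ns or serial is None:
            findings.append(f"{server}: no answer")   # section 5: inactive server
            continue
        ns_sets[server], serials[server] = ns, serial
    if len(set(ns_sets.values())) > 1:
        findings += [f"{s}: NS = {', '.join(sorted(ns))}" for s, ns in ns_sets.items()]
    if len(set(serials.values())) > 1:
        findings += [f"{s}: SOA serial {serial}" for s, serial in serials.items()]
    return {"consistent": not findings, "findings": findings}


def audit(registry_answer: Optional[str], per_server: dict) -> dict:
    """Run both checks over answers already collected (so it works offline)."""
    return {"delegation": {s: check_delegation(registry_answer, a.get("NS"))
                           for s, a in per_server.items()},
            "consistency": check_consistency(per_server)}


def dig(*args: str) -> Optional[str]:
    """Run dig with the given arguments (network required); None on failure."""
    try:
        proc = subprocess.run(["dig", "+time=3", "+tries=1", *args],
                              capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


def live_audit(domain: str, parent_server: str) -> dict:
    """Collect answers with dig and audit them. parent_server is one of the parent
    zone's authoritative servers (for example.gov.uk: any name printed by
    `dig +short NS gov.uk`); a non-recursive query to it returns the registry's
    delegation in the authority section, so that section is requested."""
    registry = dig("+norecurse", "+noall", "+authority", "+answer",
                   "NS", domain, f"@{parent_server}")
    per_server = {}
    for ns in sorted(parse_rrset(registry) or ()):
        per_server[ns] = {"NS": dig("+short", "NS", domain, f"@{ns}"),
                          "SOA": dig("+short", "SOA", domain, f"@{ns}")}
    return audit(registry, per_server)


# Constructed sample answers (not real query results): the registry's authority
# section in full format, and each name server's `+short` output.
SAMPLE_REGISTRY = ("example.gov.uk.\t172800\tIN\tNS\tns1.example.net.\n"
                   "example.gov.uk.\t172800\tIN\tNS\tns2.example.net.\n")
SAMPLE_SERVERS = {
    "ns1.example.net": {
        "NS": "ns1.example.net.\nns2.example.net.\n",
        "SOA": "ns1.example.net. hostmaster.example.gov.uk. 2024061401 3600 900 1209600 300\n"},
    "ns2.example.net": {  # stale copy of the zone, with a typo in its NS set
        "NS": "ns1.example.net.\nns2.exmaple.net.\n",
        "SOA": "ns1.example.net. hostmaster.example.gov.uk. 2024061399 3600 900 1209600 300\n"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_REGISTRY, SAMPLE_SERVERS), indent=2))
```

On the sample, ns1 matches the delegation while ns2 reports a misspelt name server and an older serial, which is what a secondary that has stopped transferring the zone looks like; fix the typo at the source, confirm the transfer, and re-run until every server agrees.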
