An in-depth look at Gandi’s security solutions

Mar 13, 2019 - Domain names

On February 15, 2019, ICANN issued an alert about possible attacks targeting the domain name system (DNS), causing a mini-panic about the security of DNS.

Security has always been an important issue for us at Gandi. Since our company began, we have strived to keep up to date on the latest best practices in the field so that we could in turn provide you with the best tools to secure your domain names.

This has mostly meant putting strong security precautions in place, both for our internal tools and for those we offer to our customers, and deploying products and features that let our customers implement their own robust security strategies. Here’s a look at what that’s entailed.

=1=
Protect access to your accounts thanks to our implementation of two-factor authentication for account logins.

Two-factor authentication (2FA) provides extra protection to your Gandi accounts by letting you guarantee that you are the only person with access to your account, even if someone else gets ahold of your password.

There are two types of two-factor authentication we’ve implemented for Gandi accounts:

  • TOTP (Time-based One Time Password)

By installing an app (FreeOTP, for example) that generates a “token” on your desktop computer or smartphone, you can generate a unique, time-limited password that can only be used once. This single-use code confirms that you are the legitimate owner of the account and lets you log in securely.

For more information about how to use TOTP, feel free to consult our article on TOTP authentication in our online documentation.

  • U2F (Universal Second Factor) keys

U2F credentials are stored on physical security keys (smart-card style devices) that plug into your computer’s USB port or communicate via near-field communication (NFC, the same technology used for contactless payment). They were created to provide enhanced security for account logins, and let you fully protect your online accounts, whether social networks, cloud storage, or your Gandi domain portfolio. U2F takes two-factor authentication and wraps it in another layer of security: it verifies that the website you’re visiting is not an impostor, and it even encrypts the communication between your computer and the key itself.

Whatever physical key you choose (Yubico, Ledger wallets, or others), it will have a unique encrypted chip that lets you easily authenticate your login. For more information about U2F, check out our documentation on the subject.

=2=
Secure your account login with IP restriction

If you log in to your account from the same computer with a fixed IP address, whether at home, at the office, or on a trusted network, you can restrict access to your account to connections from your IP address only.

=3=
Secure your DNS with Anycast, DNSSEC, or AXFR

  • Anycast:

Anycast technology lets us replicate your DNS settings around the world and respond to users from the datacenter closest to them. This guarantees not only low latency for DNS traffic, but also redundancy in the case of catastrophic datacenter loss.

We also offer premium services that let you host an extra DNS server, distributed via Anycast in an isolated network, thereby adding further redundancy in the case of a DDoS (distributed denial of service) attack.

To find out more about how we implemented DNS on Anycast, check out this article by Arthur, one of our system engineers.

  • DNSSEC:

DNSSEC is a “security extension” to DNS that lets you build a “chain of trust” all the way up to the DNS root, thereby providing authentication of DNS responses and protecting your services from forged and manipulated DNS responses, such as the DNS hijacking attempts ICANN warned about in its alert on February 15. We’ve automated most of the process of setting up DNSSEC so that you can benefit from this added protection without going through an overly complex setup.

You can:

  1. Sign your LiveDNS zones
  2. Automatically publish keys to the registry, if you use our services
  3. Automate key rollover (when you change your key) if you use a third-party DNS service by way of the “Third Party DNS operator to Registrars/Registries Protocol.”

For more information, we suggest this article from our documentation.

  • AXFR:

Our DNS service also supports AXFR (DNS zone transfer), which allows you to automatically replicate changes on a zone from a master server to its slave servers. That way, you can add a third-party DNS server of your choice and reinforce your protection from DDOS attacks.

=4=
Secure your account thanks to Gandi v5 rights delegation

With the introduction of our new platform, we introduced a new rights-management system for users. It offers greater granularity in the rights you can delegate to other users, so you can create teams with different privileges (access to domain name management or hosting, access to billing but not domain names, etc.) and make sure that your team members only have access to what they need.