Securing and managing domain names: how Gandi allows businesses to follow ANSSI’s recommendations

As highly valuable intangible assets, careful management of your portfolio of domain names has overtime become the cornerstone in all online global business strategies.

In order to help guide businesses in choosing their provider and identifying checkpoints, the Agence National de la Sécurité des Systèmes d’Informations (the French National Cybersecurity Agency) or ANSSI, has published a guide that brings together “Best current practices for acquiring and using domain names.”

Over the course of four articles, Gandi Corporate Services will present a series of proposed mechanisms that will help you meet each of these recommendations.

ANSSI

ANSSI is a French government agency created in 2009 to respond to potential threats of cyberattacks. As the national authority on all things cybersecurity related, ANSSI sets cybersecurity standards and publishes them both to inform as well as raise the awareness level of companies and more generally of all citizens.

One of these publications, which the agency has shared since 2017, is a collection of recommendations regarding the acquisition and use of domain names—a complete guide also highlighting critera for choosing a domain registrar.

Best practices for acquiring and securing domain names offered by Gandi Corporate Services in order to allow businesses to comply with ANSSI’s recommendations

ANSSI’s recommendations are organizational, legal, and technical in nature. Numbering 20 in total, we chose to treat 5 of these points in each of 4 articles dedicated to ANSSI’s recommendations in order to provide precise answers.

The first five recommendations are related to the reliability criteria of DNS actors to take into account when choosing a provider, namely:

1. Use registry lock
2. Select a registrar with a hardened authentication mechanism
3. Use registrar lock when available
4. Select a registrar that accepts DNSSEC information
5. Assess the security risks of contracting with a reseller

1. Use registry lock, when available

“Choose a registry offering a registry lock service and get contractual commitmentsor assurances as to the level of service guaranteed for this functionality.”

Gandi Corporate Services’ solution:

Registry Lock is a domain name security mechanism based on the intervention of 2–3 human beings. The goal is to offer an additional layer of security to sensitive domain names by making it difficult to make certain critical modifications.

This lock blocks all sensitive operations on a domain name, namely:

• Transferring a domain name to another owner or registrar
• Changing domain name contacts
• Changing DNS servers
• Deleting a domain name

Each of these actions requires at least two people: the domain owner and the registrar or registry. Each request should go through the registrar, who verifies the identity of the person making the request before sending it to the registry.

For example, Registry Lock is particularly useful to guard against data theft. If a third party access your account and tries to change the DNS servers to point to third-party servers that they control, even though they have full access to the domain, this operation would be rejected by the registry thanks to Registry Lock.

Gandi Corporate Services offers Registry Lock for .com, .fr, .net, but also on the following domain endings: .at, .bank, .be, .cc, .cl, .co.cr, .co.uk, .com.au, .hk, .mx, .sg, .cz, .fi, .gr, .ie, .insurance, .it, .lt, .name, .nl, .pt, .re, .rs, .se, .si, .tv, コム (.com in Japonese) / .닷컴 (.com in Korean) / .닷넷 (.net in Korean).

For more information about Registry Lock, please feel free to contact us at corporate@gandi.net.

2. Select a registrar with a hardened authentication mechanism

“Choose a registrar offering a logged and strong authentication mechanism, for example thanks to two-factor authentication and access filtering to the administration interface.”

Gandi Corporate Services’ solution:

The Gandi admin portal is an environment secured by a traditional authentication system (i.e. username and password), to which you can add a couple of security options:

• multi-factor authentication (TOTP, U2F)
• IP address based access restriction

Multi-factor authentication adds a layer of protection to your account. When you activate it, in order to log in to your account with your usual password, you also need to supply a unique, dynamically generated code:

• either by an application installed on your smartphone, tablet, or computer (TOTP)
• or a physical digital key (U2F)

So that means, for example, that if a colleague re-uses a password from another online service for their Gandi account, an attacker wouldn’t be able to access the domain name interface even if they obtain that re-used password (that would have been leaked by cybercriminals who compromised that other site). That’s because the login page will require multi-factor authentication in addition to the password in order to access the domain dashboard.

IP address based access restriction lets you go further in terms of security by limiting access to Gandi’s admin page to a list of pre-defined allowed IP addresses.

Besides these two options, Gandi’s platform also lets you customize user access permissions for each user to whom you provide access, letting you set different permissions within a single team. In that way, transparency and a trace of actions taken can be guaranteed flexibly and securely.

3. Use registrar lock when available

“Choose a registrar offering a registrar lock mechanism in order to prevent the fraudulent transfer of domain management.”

Gandi Corporate Services’ solution:

The registrar lock system provides additional protection for domain names. This protection comes in the form of placing a lock on the domain in order to prevent it from being transferred away from you without your consent. Only users with the necessary permissions may deactivate this lock.

This service is available for most domain endings offered by Gandi Corporate Services and complements the Registry Lock.

Activate transfer lock on a domain

4. Select a registrar that accepts DNSSEC information

“Select a registrar which enables the information required to use DNSSEC to be published.”

Gandi Corporate Services’ solution:

DNSSEC is a protocol that lets you sign information exchanged between name servers using public key encryption. It establishes a ‘chain of trust’ from the root DNS, securing data sent by DNS servers.

Data are there by authenticated from end to end, which guarantees the authenticity of the responses. It’s also, then, impossible for a third party to break that chain of trust without being detected.

Activating DNSSEC protects any redirection of your DNS data, also known as DNS hijacking, and allows you to guarantee, for example, that your site’s traffic isn’t redirected to a fraudulent site looking to steal data and information.

Gandi Corporate Services offers a free DNSSEC service on all domain endings that support it and has also simplified the activation process: in one click, the entire DNSSEC chain can be activated without you having to manage the necesssary cryptographic keys on your side.

Activate DNSSEC on your domain names

5. Assess the security risks of contracting with a reseller

“When a domain name holder uses a service provider, like a reseller, [they] must undertake a risk assessment and control approach.“

Gandi Corporate Services’ solution:

As a domain registrar, Gandi deals directly with the registries and establishes a tight relationship with its customers.

For those who entrust the management of their portfolio to a third-party provider, like an intellectual property law firm for example, the risks are under control at Gandi: the Gandi management interface is designed to offer fine-tuned permissions management for domain names so that the owner of a domain name reserves their rights and is able to set the limits of possible actions by a third party.

Addressing these first five criteria have allowed us to highlight different security measures put in place by Gandi Corporate Services to help with domain name management. For more information, please feel free to contact your account representative or write us at corporate@gandi.net.

And don’t forget to regularly check the “Corporate” category on our news site for more information on market news, how to protect your brand online, and of course, on the next 15 of ANSSI’s recommendations.

Tagged in corporate