Gandi Corporate Services: for the security of your domain names

While cyberthreats are increasingly omnipresent, Gandi Corporate Services guides businesses in deploying and securing their domain name portfolio and protecting their brands and other distinguishing marks.

Capitalizing on 20 years of know-how, we invite you to explore:

Domain name security is a core commitment

Why is domain name security important?

Domain name security is important because domain names are central to any business activity online.

On the one hand, it guarantees the availability of digital services linked to the business (website, email addresses, etc.). A single problem related to a domain name can, then, have major repercussions on a company’s business.

But on the other hand, a domain name also safeguards a business’s brand. In the face of cyberthreats, registering the most relevant domain names and monitoring for illegitimate uses should also be central to any company’s online brand protection strategy.

A company’s business activity and its brand image, then, both depend on this important piece of intellectual property, which may only cost around $10 per year to register or renew. Which is why it’s all the more necessary to make sure it’s secure.

Gandi Corporate Services’ infrastructure and architecture is the cornerstone of your domain security

From a general point of view, the security and resilience of our customers’ DNS (and so, for example, the availability of a website associated with a domain name) are made possible by the architecture of the infrastructure itself, implemented by Gandi Corporate Services’ network and security experts.

Since its DNS servers are responsible for a domain name’s availability on the web, the impact of any potential downtime of any of them needs to be limited by linking at least two distinct DNS services to each domain name (don’t put all your eggs in one basket). That’s why with Gandi Corporate Services, every domain name is, by default, configured with three independent, geographically dispersed name services, so that a DNS server is always available to respond to DNS requests for your domain name, thereby guaranteeing your digital business’s continuity.

Additionally, Gandi’s DNS architecture is built using Anycast infrastructure. This makes it possible to have more servers available across the globe and to respond to requests from the datacenter closest to the requestor, in order to accomplish two main goals:

  • Provide quicker responses by being geographically closer to the requestor
  • Create redundancy of the service to better address any incidents in datacenters or networks

Gandi Corporate Services now has Points of Presence (POP) in the following locations*:

  • Amsterdam
  • Ashburn
  • Chicago
  • Dallas
  • Frankfurt
  • Fremont
  • Hong-Kong
  • Johannesburg
  • London
  • Los Angeles
  • Luxembourg
  • Miami
  • Mumbai
  • New York
  • Paris
  • Sao Paulo
  • Seattle
  • Silicon Valley
  • Singapore
  • Stockholm
  • Sydney
  • Tokyo
  • Toronto

*non-contractual; subject to change

It’s this resilient infrastructure, then, built on more than 20 years of experience, that comprises the essential base for guaranteeing domain name security. However, a good domain security strategy should also rely on various related services, including:

  • a flexible and secure interface
  • options for securing your account login (two-factor authentication, etc.)
  • domain name and DNS server security options
  • monitoring services for online brand protection

Gandi Corporate Services protection services for securing your domain name

The Gandi Corporate Services offer includes daily help from an account manager with managing and protecting your intellectual property rights online. It’s the combination of this team of experts and the robustness of the infrastructure that gives you access to a large number of online brand protection and security services.

Secure domain name administration portal

Gandi’s administration portal is secured by traditional login methods (via username and password), to which you can also add, for additional security:

  • two-factor authentication (TOTP, U2F)
  • IP address restriction
  • fine-grained rights management via a team system
  • fine-grained access rights via SSO

Two-factor authentication

Two-factor authentication adds a layer of account protection. When it’s active, logging in to your account requires, in addition to your usual password, a unique, dynamically generated code:

  • either by an app installed on a smartphone, tablet, or computer (TOTP)
  • or by a physical key (U2F)

This option can be directly activated from Gandi’s administration portal.

IP address restriction

The IP address restriction lets you go further in terms of security by limiting access to the Gandi administration interface to a pre-defined, restricted list of IP addresses.

Fine-grained rights management via a team system

Beyond these two options, Gandi’s administrative portal enables you to manage rights individually for each user, so that you can assign different levels of permission within the same team. That way, the transparency and traceability of any actions performed on your account are guaranteed, for fine-grained, flexible, and secure management.

Fine-grained access rights via single sign on using the SAML protocol

Finally, SSO login, or Single Sign-On, enables you to sign in to your Gandi administration portal with your business’s username and password. In addition to making the user experience more comfortable, it’s also much more secure and practical for the administrator, who only has to manage the business’s account directory and can authorize access for users according to the scope of their work.

The SSO via SAML login method, then, guarantees the broadest security, since it allows you to:

  • ensure and control the security level of your business’s logins
  • manage access of employees from a single place (as well as avoid any possible oversights in removing access)

Domain name security options

Domain name security depends on being able to strictly control the actions that can be performed on domain names and on optimum availability of DNS servers. That’s why Gandi Corporate Services provides security options to offset this fragility.

The Transfer Lock service

The Transfer Lock enables you to lock your sensitive domain names at your domain registrar in order to avoid unwanted transfers. Deactivating this lock is available only to contacts with the necessary permissions.

The service is available for the majority of domain extensions Gandi Corporate Services provides and supplements Registry Lock, which is a service provided by certain registries.

The Registry Lock service

Registry Lock is a domain lock system based on actual human intervention by 2–3 people. The goal is to offer an additional level of security to critical domain names by making certain critical modifications impossible without verification by the registry.

This procedure blocks sensitive domain name updates, specifically:

  • domain name transfer to another owner/registrar
  • domain name contact updates
  • DNS server changes
  • deletion of domain names

Activating Registry Lock lets you, for example, prevent malicious actions on your domain names, even in the case of account compromise.

The Registry Lock service is currently available for .com, .net, and .fr as well as .at, .be, .cl, .co.cr, .co.uk, .com.au, .hk, .mx, .sg, .cz, .fi, .gr, .ie, .it, .lt, .nl, .pt, .re, .rs, .se, .si.

Advanced DNS service

For vital domain names, we strongly recommend the Advanced DNS option, which guarantees 99.999% uptime.

The Advanced DNS option provides an additional, logical DNS entry associated with three other LiveDNS entries from Gandi’s infrastructure, all of it manageable from Gandi’s administrative portal.

Limit the impact of cyberattacks with infrastructure redundancy

This additional logical server uses Cloudflare’s extended Anycast infrastructure, spread out across more than 200 cities*, in order to ensure optimum redundancy:

  • Seattle
  • San Jose
  • Los Angeles
  • Chicago
  • Toronto
  • Newark
  • Ashburn
  • Atlanta
  • Dallas
  • Miami
  • Medellin
  • Valparaiso
  • Sao Paulo
  • London
  • Amsterdam
  • Paris
  • Frankfurt
  • Madrid
  • Stockholm

*non-contractual; subject to change

DNSSEC service

DNSSEC is a protocol that enables you to sign the information exchanged at the level of nameservers, using public key encryption. It establishes a “chain of trust” from the DNS root, thereby securing data sent by DNS servers.

Data are then authenticated end-to-end, which makes it possible to guarantee the authenticity of responses. It is, then, impossible for a third party to break this chain of trust without being detected.

The activation of DNSSEC protects against attacks such as DNS hijacking, and enables you to guarantee for example that the traffic towards your site would not be redirected towards a fraudulent site, seeking to steal data and information.

Illustration of DNSSEC service

Gandi Corporate Services provides the DNSSEC service for free with all domain extensions that support it and has even simplified its use for your convenience: in one click, you can activate the DNSSEC chain of trust without having to generate the required cryptographic keys yourself.

Monitoring services to protect your brand online

Securing domain names is at the heart of what Gandi Corporate Services is all about. But the threats against domain names go beyond technical threats, requiring constant surveillance of uses of your brand name online via domain name monitoring services in order to ensure a well managed digital presence.

Domain name monitoring service

The domain name monitoring service works through a system of internet monitoring that detects illegitimate uses of your brand name among domain names and subdomains on a daily basis. These alerts enable you to react rapidly when faced with fraud linked to your domain name, with the goal of intervening sometimes even before content can be published on the domain name or before it can be used for sending phishing attacks, etc.

The service extends to subdomains, typographic variants, international characters, as well as IDN homoglyphs, across a catalog of more than 1,200 TLDs.

Online content monitoring service

The online content monitoring service in particular makes it possible to stop counterfeiting and to protect your customers from fraud and other online scams, especially when a domain name used for sending illicit content uses the brand name without permission.

In comparison with the domain name monitoring service, the online content monitoring service offers additional coverage since it operates on:

  • online marketplaces
  • social media
  • mobile applications

This multidimensional dynamic ensures a business can become aware of the use of their brand name on the market and regain control.

These are the fundamental keys to an effective domain security strategy. The robustness of the infrastructure and the expertise of Gandi Corporate Services are of course the primary advantages of this service, but the complementarity of these security services will guarantee the protection of domain names. Associating them together enables you to have control over your entire domain name portfolio and to establish a defensive brand protection strategy.

To learn more about each of these services, please feel free to contact your Account Manager or to contact the Gandi Corporate Services team at corporatecontact@gandi.net.