SideBySide Domains

Complete Domain Security Guide

Your domain is the foundation of your online presence. Here's everything you need to protect it from hijacking, theft, and attacks.

1. Common Domain Threats

Domain Hijacking

Attackers gain unauthorized access to your registrar account and transfer your domain away. This can happen through phishing, credential theft, or social engineering the registrar's support team.

DNS Hijacking

Attackers modify your DNS records to redirect traffic to malicious servers. Visitors think they're on your site but are actually on a fake version capturing credentials or serving malware.

Expired Domain Theft

A domain expires unnoticed, is registered by someone else, and is then used for phishing or SEO spam, or sold back to you at an inflated price.

Social Engineering

Attackers impersonate you to registrar support, using publicly available information to "verify" identity and gain account access.

2. Account Security

Essential Account Protection

  • ✓ Enable 2FA: Use an authenticator app (not SMS). Hardware keys like YubiKey are even better.
  • ✓ Strong unique password: Use a password manager. Never reuse passwords.
  • ✓ Secure email: Your registrar account email is a critical target. Secure it with 2FA too.
  • ✓ Review account contacts: Remove old email addresses. Update phone numbers.
  • ✓ Check authorized users: Remove former employees or partners who no longer need access.

Registrar Selection for Security

Not all registrars have equal security. Look for:

  • 2FA support (preferably hardware key compatible)
  • Registry lock options
  • Activity logging and alerts
  • Strong support verification procedures
  • DNSSEC support

Top picks for security: Cloudflare, Namecheap, Porkbun

3. Domain Locks Explained

| Lock Type | What It Prevents | How to Enable |
|---|---|---|
| Registrar Lock (clientTransferProhibited) | Unauthorized transfers to other registrars | Default on most registrars. Toggle in domain settings. |
| Registry Lock (serverTransferProhibited) | Transfers, DNS changes, even by registrar | Request from registrar. Often requires manual verification to modify. |
| Update Lock (clientUpdateProhibited) | Changes to WHOIS/contact information | Available at some registrars. |

Registry Lock: Maximum Protection

Registry lock is the highest level of protection. Changes require out-of-band verification (phone call, in-person, etc.). Use for critical domains. Available at: Cloudflare (Enterprise), MarkMonitor, CSC, and some premium registrar plans.

4. DNSSEC Setup

DNSSEC (Domain Name System Security Extensions) cryptographically signs your DNS records, preventing attackers from forging responses.

How DNSSEC Works

  1. Your DNS records are cryptographically signed
  2. Public keys are published in DNS
  3. Resolvers verify signatures before accepting responses
  4. Forged records fail verification and are rejected

Enabling DNSSEC

If using Cloudflare DNS: One-click enable in dashboard. Cloudflare handles key management automatically.

If using registrar DNS: Enable DNSSEC in the domain settings, then add the DS record at the registry level. Most registrars guide you through this.

5. Monitoring & Alerts

Expiration Monitoring

Set calendar reminders 90, 60, and 30 days before expiration. Enable auto-renew on all critical domains. Keep payment methods current.

DNS Change Monitoring

Tools like DNS Spy, Little Warden, or Cloudflare's audit logs can alert you to unauthorized DNS changes. Critical for detecting hijacking attempts.

WHOIS Monitoring

Services like DomainTools or WhoisXML can alert you to WHOIS changes. Useful for detecting unauthorized transfers or contact changes.
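
An added example (not from the original guide) that ties together the lock codes in section 3, DNSSEC in section 4, and the expiration and WHOIS monitoring above: it audits an RDAP domain record, the JSON successor to WHOIS. The sample record and the function names are constructed for illustration; the status strings are the RDAP spellings of the EPP lock codes.

```python
from datetime import datetime, timezone

# Constructed RDAP-style record (RFC 9083 field names); not real registry data.
SAMPLE_RDAP = {
    "status": ["client transfer prohibited"],
    "secureDNS": {"delegationSigned": False},
    "events": [{"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"}],
}
# RDAP spellings of the EPP lock codes from the table in section 3.
LOCKS = {
    "client transfer prohibited": "registrar lock",
    "server transfer prohibited": "registry lock",
    "client update prohibited": "update lock",
}
REMINDER_DAYS = (30, 60, 90)  # the guide's reminder schedule, tightest first


def days_until_expiry(record, now):
    """Whole days from `now` to the expiration event, or None if absent."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            stamp = event["eventDate"].replace("Z", "+00:00")
            return (datetime.fromisoformat(stamp) - now).days
    return None


def audit_domain(record, now=None, baseline_status=()):
    """Return findings for one record; `baseline_status` is the last known-good status list."""
    now = now or datetime.now(timezone.utc)
    findings = []
    status = {s.lower() for s in record.get("status", [])}
    for code, name in LOCKS.items():
        if code not in status:
            findings.append(f"missing {name} ({code})")
    # A status present in the last snapshot but gone now needs investigating.
    for code in sorted({s.lower() for s in baseline_status} - status):
        findings.append(f"status removed since baseline: {code}")
    if not record.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("DNSSEC delegation not signed")
    left = days_until_expiry(record, now)
    if left is None:
        findings.append("no expiration event in record")
    elif left < 0:
        findings.append(f"expired {-left} days ago")
    else:
        window = next((d for d in REMINDER_DAYS if left <= d), None)
        if window:
            findings.append(f"expires in {left} days (inside {window}-day window)")
    return findings
```

In practice the record would come from the registry's RDAP service and `baseline_status` from the previous run's saved output.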

Certificate Transparency Logs

Monitor CT logs for unauthorized SSL certificates issued for your domain. Tools: crt.sh, Facebook CT Monitor, Cloudflare.

6. Recovery Planning

If Your Domain Is Hijacked

  1. Contact registrar immediately — Report unauthorized transfer/changes
  2. File UDRP complaint — For trademark-infringing transfers
  3. Contact ICANN — If registrar is unresponsive
  4. Document everything — Screenshots, emails, timeline
  5. Report to law enforcement — Especially for financial losses

Prevention Documentation

Keep records that prove ownership:

  • Original registration confirmation emails
  • Payment receipts for renewals
  • Historical WHOIS records (use archive services)
  • Business registration showing domain use

7. Domain Security Checklist