S 2.298 Administration of Internet domain names
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Head of IT
Internet domain names (domains) have to be registered with registration authorities (registrars). A registration authority can grant names for one or more top-level domains (for example, the "classic" domains .com, .org, .gov and the various country domains, such as .de for Germany, .at for Austria, and .ch for Switzerland). Domains are registered for a specific period. Once this period has expired, the registration must be extended by paying a fee. Failure to extend a registration can have unfortunate consequences (see T 2.100 Errors on applying for and managing Internet domain names). Steps must therefore be taken to ensure that the registrations for all the domains that an organisation uses are extended regularly and in good time. For this purpose, in every organisation someone should be appointed to coordinate administration of the domain names with the various registration authorities.
In addition to administration of the domain names and ensuring that registrations are extended at the right time, management of Internet domain names must take into account the following further points:
DNS name server
When a domain name is registered, at least two DNS name servers (primary name servers), which are responsible for assigning computer names to IP addresses, must be specified. A name server is often operated by the Internet access provider, but it can also be operated by the organisation itself. When stipulating the name server, care must be taken to ensure, as a minimum, that the primary name servers are located in different class C networks. Otherwise, a denial of service attack on the router with which this network is connected to the Internet could bring the entire domain to a standstill, as no names from this domain can be resolved any more. If the requirements regarding the availability of name resolution are high, the primary name servers should ideally reside in different networks with connections via several providers.
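The network separation requirement above can be checked mechanically. The following is an added example, not part of the original safeguard text; it assumes that a "class C network" corresponds to an IPv4 /24, and the host names and addresses are constructed sample data standing in for the resolved name server addresses of a real domain.

```python
import ipaddress
from collections import defaultdict

PREFIX_LEN = 24  # assumption: a "class C network" is treated as an IPv4 /24

# Constructed sample delegations (documentation address ranges, made-up hosts).
SEPARATE = {"ns1.example.org": ["192.0.2.53"], "ns2.example.net": ["198.51.100.53"]}
SAME_NET = {"ns1.example.org": ["192.0.2.10"], "ns2.example.org": ["192.0.2.200"]}
PARTIAL = {"ns1.example.org": ["192.0.2.10"], "ns2.example.org": ["192.0.2.20"],
           "ns3.example.net": ["203.0.113.5"]}


def networks_by_server(ns_addresses, prefix_len=PREFIX_LEN):
    """Map each network to the set of name servers that have an address in it."""
    groups = defaultdict(set)
    for server, addresses in ns_addresses.items():
        for address in addresses:
            # strict=False masks the host bits, giving the enclosing network.
            net = ipaddress.IPv4Network(f"{address}/{prefix_len}", strict=False)
            groups[str(net)].add(server)
    return groups


def check_delegation(ns_addresses):
    """Return findings for a domain's name server set; an empty list means OK."""
    findings = []
    if len(ns_addresses) < 2:
        findings.append("fewer than two name servers specified")
    groups = networks_by_server(ns_addresses)
    for net, servers in sorted(groups.items()):
        if len(servers) > 1:
            scope = "all" if len(groups) == 1 else "some"
            names = ", ".join(sorted(servers))
            findings.append(f"{scope} name servers share {net}: {names}")
    return findings


if __name__ == "__main__":
    for label, delegation in (("separate", SEPARATE), ("same net", SAME_NET),
                              ("partial", PARTIAL)):
        print(label, check_delegation(delegation) or "OK")
```

Different /24 networks can still sit behind the same router or provider, so a clean result here covers only the minimum requirement, not the multi-provider case described for high availability.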
Domain names
At the beginning of the "Internet era" it was generally sufficient for an organisation to operate a single Internet domain. However, as the popularity of the World Wide Web rose, it became customary not only to operate a domain bearing the company's own name, but also to set up separate domains for well-known products.
Other parties could register domains with the names of one's own products and services and then disseminate pornographic or other offensive content under those addresses, which visitors would assume to be connected with the organisation. To prevent this, the company name and the names of its own well-known products should be registered not only with the correct spelling but also, as far as possible, in variations, for example names assembled out of several words connected by hyphens. These names should be registered under the various "relevant" top-level domains (e.g. .de, .com, .org, .info). The possible need to register incorrectly written variants of product or company names as well (i.e. likely misspellings of the names) should also be considered. The extra effort that this entails is trivial compared with the effort required to enforce the "restitution" of a domain before the courts.
Where domains are registered in this way for precautionary purposes, at least a minimal website should be set up which names the domain on which the real site is to be found and offers a direct link to that site. If necessary, it is quite easy for the organisation's main web server to also act as web server for that domain via appropriate name resolution.
Registration authorities and registration periods
A number of registration authorities exist for several of the top-level domains (e.g. .com and .org). It is possible to switch registration authorities at any time, although usually this incurs a fee.
It is important to have a summary of the relevant period of registration, the cost of extending this and the bank account details of the registration authority in respect of all the registered domains, so that the registrations can be extended on a timely basis.
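A minimal form of such a summary, with a check that flags incomplete entries and registrations that are due, is sketched below. This is an added example, not part of the original safeguard text; the field names, the 60-day lead time and all register entries are assumptions constructed for illustration, and the expiry dates are assumed to be copied from the registration authority's records.

```python
from datetime import date

# Fields the summary should hold for every domain (names are assumptions).
REQUIRED = ("registrar", "expires", "renewal_fee", "payment_details")

# Constructed sample register; registrars, dates and fees are illustrative.
REGISTER = [
    {"domain": "example.com", "registrar": "Registrar A",
     "expires": date(2025, 3, 1), "renewal_fee": "15.00 EUR",
     "payment_details": "on file"},
    {"domain": "example.org", "registrar": "Registrar B",
     "expires": date(2026, 6, 30), "renewal_fee": "12.00 EUR",
     "payment_details": "on file"},
    {"domain": "example.net", "registrar": "Registrar A",
     "expires": date(2025, 1, 5), "renewal_fee": "15.00 EUR",
     "payment_details": ""},
]


def review_register(register, today, lead_days=60):
    """Return {domain: [issues]} for every entry that needs action."""
    report = {}
    for entry in register:
        # An empty or absent field means the summary cannot support a renewal.
        issues = [f"missing {field}" for field in REQUIRED if not entry.get(field)]
        expires = entry.get("expires")
        if expires:
            remaining = (expires - today).days
            if remaining < 0:
                issues.append(f"expired {-remaining} days ago")
            elif remaining <= lead_days:
                issues.append(f"renew within {remaining} days")
        if issues:
            report[entry["domain"]] = issues
    return report


if __name__ == "__main__":
    for domain, issues in review_register(REGISTER, date.today()).items():
        print(f"{domain}: {'; '.join(issues)}")
```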
Contractual arrangements with Internet service providers
If the domains of the organisation are not registered and administered by the organisation itself, but by an Internet service provider instead, then care must be taken over the contractual arrangements so as to ensure that the organisation itself retains control over the domains. This can be important, for example, if there is a change of registrar or where disputes occur over names.
Appropriate procedures should be put in place to cover the eventuality of mistakes and omissions by the service provider with regard to the administration of domain names, as considerable damage can occur in such cases (see T 2.100 Errors on applying for and managing Internet domain names).
If the name server is not operated in the organisation itself, but is hosted by a service provider, the requirements regarding the availability of name servers and processing times for changes in the DNS of the organisation should be specified in the service level agreements.
Review questions:
- Is there a person/body responsible for regular and timely extension of registration of all domains used?
- Is domain grabbing prevented?