Confused about domain locks? Understand the intricacies and security effectiveness.

By Ken Linscott
Share this post

At the beginning of 2019, CSC joined the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the UK National Cyber Security Centre, and other leading security organizations—including Cisco® Talos, FireEye®, and Akamai—in alerting corporations and the public to the widespread, growing threat of state-sponsored domain name system (DNS) hijacking. The targets of these attacks have included government, corporate, telecommunication, and infrastructure entities—and result in website and email redirection to collect sensitive information.

In a DNS hijacking, a bad actor can divert company customers to a fake website to steal login credentials and confidential data. This poses a threat as not only a serious data breach, but a privacy nightmare, especially in light of more stringent government privacy policies, like the EU’s General Data Protection Regulation. Information can also be harvested from inbound company emails, then used to launch sophisticated phishing attacks on customers and employees using a company’s own domains to make the phish appear legitimate.

Amongst all of the aforementioned directives, domain locking is the predominant advice and recommended best practice given to brand owners.

What are domain locks?

Domain locks were first introduced in the .COM domain extension in response to bad actors gaining illegitimate access to registry and registrar platforms to make unauthorized changes to domain name records.

There are two different types of locks available:

  • Registrar locks that are prefaced with [client]
  • Registry locks that are prefaced with [server]

You’ve probably seen the following if you’ve looked at a domain name’s WHOIS record:

  • [client or server] Delete Prohibited – Ensures a domain name cannot be deleted or lapsed
  • [client or server] Transfer Prohibited – Rejects unauthorized transfers away from domain name provider
  • [client or server] Update Prohibited -No WHOIS modifications allowed, including name server re-delegations

Both client (registrar) and server (registry) locks apply additional layers of security on key operations. But it is more complicated than this, depending on:

1. How the locks have been implemented. Registry locks have a common implementation regulated by the registry, but registrar locks are defined by the registrar themselves.

2. Who is maintaining the definitive WHOIS data. The registry (THICK registry) or the registrar (THIN registry, e.g., .COM and .NET where the registrar maintains the WHOIS data).

But herein lies the problem—for someone not in the domain industry, it’s very confusing as to what locks are applied to their business-critical domains and what locks should be applied.

So here, we explain the various lock options, and rate their effectiveness:

1. Registrar transfer lock:

  • ClientTransferProhibited
    Lock effectiveness: very low

All locks are optional except for this registrar transfer lock that the Internet Corporation for Assigned Names and Numbers (ICANN) made mandatory for all generic top-level domains (gTLDs). These locks will stop your registrar from being duped into transferring your domain to another registrar by a fraudulent request in a domain hijacking.

But, this lock won’t stop DNS hijacking (the modification of your DNS), nor your domain from being maliciously lapsed. And if a cyber-criminal gains unauthorized access to your domain management portal, they could still process a request to the registry to transfer the domain away from your management, as the transfer request is sent directly to the registry without extra validation.

2. Full registrar lock:

  • ClientDeleteProhibited
  • ClientTransferProhibited
  • ClientUpdateProhibited
    Lock effectiveness: low

You can mitigate more risks by employing all three registrar locks as above. The important piece is to understand specifically what a registrar lock means to your registrar, and how they have implemented them. If properly implemented, these locks mean there’s manual and more vigilant checks between your registrar and you, to ensure that lapse, deletion, modification, and transfer requests are all legitimate and authorized. If not implemented properly, the risk is that once a request is made in the domain management portal, authorized or not, it automatically removes the registrar locks with no additional verification steps.

The additional risk with these locks is that the registry will not validate any of the requests that come from your registrar—meaning that if a cyber-criminal gains unauthorized access to your domain management portal, they could still process a request to the registry to lapse, delete, modify (DNS hijacking), or transfer the domain away from your management (domain hijacking).

In particular, this is a risk for any THICK registries who hold the definitive WHOIS data.

3. Full registry lock:

  • ServerDeleteProhibited
  • ServerTransferProhibited
  • ServerUpdateProhibited
    Lock effectiveness: medium

These registry locks validate requests from the registrar, so if the registrars’ systems have been compromised, an unauthorized request will be identified and dismissed, thus providing you with far better protection, particularly in the case of THICK registries who hold the definitive data.

However, registry locks alone will still leave you vulnerable to unauthorized update requests for THIN registry extensions like .COM, where the definitive WHOIS data is held by the registrar.

4. CSC’s MultiLock:

  • ClientTransferProhibited
  • ServerDeleteProhibited
  • ServerTransferProhibited
  • ServerUpdateProhibited
    Lock effectiveness: high—best in class

The most effective mechanism is to employ all registry locks together with the registrar transfer locks—at CSC, we combine them into our MultiLock service, which includes an additional mechanism not shown in the WHOIS to protect any THIN WHOIS details held with us as the registrar. Specifically, we do not allow any changes through Domain Manager if MultiLock is enabled, and this is achieved by cutting off automated access to the WHOIS database we manage. This ensures that every step of the chain requires manual validation, meaning the request will be validated in two separate handshakes—between the client and registrar, and then between the registrar and registry. This approach means that regardless of a THICK or THIN registry, your business-critical domains are protected from the risks of domain hijacking, DNS hijacking, and malicious deletions.

Our June 2019 CSC Cyber Security Report identified that only 43% of the 120 media brands researched had registry locks in place, despite the recommendations from industry experts and governments.

Given the increase in DNS hijacking attacks, it’s key for brand owners and those responsible for their business’ operating infrastructure to understand not only the scale of the threat, but the intricacies of the solutions. Too many brand owners have a false sense of security offered by registrar locks alone, and a more comprehensive solution should be considered for fuller protection.

>> Request a consultation to understand if your vital domains have the appropriate locks applied.