Keeping your domain name secure
A domain name is an important asset and is not protected by default. Follow these recommendations to keep your domain secure.
Use this guidance if you’re the nominated Technical Point of Contact who is responsible for the secure management of a .gov.uk domain name. The Technical Point of Contact must be someone from the Registrant’s or Registrar’s organisation.
If you’ve been issued a .gov.uk domain but are not technical, follow the guidance on how to get started with your .gov.uk domain.
Contact [email protected] if you have any questions about the security of .gov.uk domains.
If attackers take partial or full control of a .gov.uk domain name they can:
- intercept emails
- send email impersonating public sector organisations
- send your website visitors to inappropriate or illegal sites
- trick users into giving over their personal details like credit card information
- use your domain to access other digital services to cause critical national disruption
If the Domains Team contacts you about issues with a .gov.uk domain, you must fix them to help keep the public sector secure. The time frame for fixing an issue depends on its severity.
1. Make sure your domains are registry locked
The Domains Team is currently not taking any new Registry Lock applications as the process is undergoing a review due to the .gov.uk Registry migration. Existing .gov.uk domains that are already registry locked will continue using the current process.
Most organisations have a change control process to prevent unauthorised changes being made to domains. Despite this, changes can still be made by:
- current or former staff in an organisation with the right credentials
- anything that compromises your registrar’s service
The Registry Lock service:
- prevents unauthorised changes being made to .gov.uk domain records and contact details in the .gov.uk registry
- notifies any relevant teams when changes to these records are made
The service will check any changes to the .gov.uk zone file for your domain as well as your contact details held at the registry. The zone file usually contains your name server records but can occasionally include other records as well. It will not prevent changes to individual DNS records like A, MX and TXT held with your DNS provider.
Registry Lock will not affect your day-to-day Domain Name Service (DNS) management and only works for .gov.uk domains. For other domains you should check with your registrar.
2. Set up any services on the domain securely
If you set up any email or websites on .gov.uk domains you must follow the guidance on how to:
When setting up digital services, additional laws and standards you must follow include the:
- Cyber Security Standard (if you’re a central government department)
3. Sign up the domain to Active Cyber Defence tools
The National Cyber Security Centre (NCSC) offers a number of free Active Cyber Defence (ACD) tools to public sector organisations.
Sign up your domain to the:
- Mail Check service to help you to adopt secure email standards
- Web Check service to help you find and fix common vulnerabilities
Register your domain for the free Active Cyber Defence tools.
4. Renew domains on time
All .gov.uk Approved Registrars are required to contact Registrants approximately 30 days and 7 days before expiry.
A Registrar must not renew a domain without the explicit consent of a Registrant.
More information on renewals is available in the gov.uk Registry-Registrar Lifecycle Policy.
5. Check name servers are configured properly and working
Make sure all of your .gov.uk domain’s name servers are:
- using a valid domain name
- active and responding
Always check name servers to make sure there are no spelling mistakes or typos in the record. Remove any inactive name servers as soon as possible.
Inactive or unresponsive name servers might cause traffic to services on your domain, including email and web, to work intermittently or stop working. If the inactive server is on an unregistered domain, your domain is also at a higher risk of hijacking.
6. Check name servers critical to your domain are locked
If any of the name servers on your domain depend on a second level domain, make sure they are locked at the registry level if this service is available to you. Critical name servers are at higher risk of being compromised if they are not locked.
Example: The registrant is responsible for the domain name ‘example.gov.uk’.
This domain name uses the name server ‘ns1.example.net’ provided by their supplier.
The supplier must make sure ‘example.net’ is server locked at the registry level.
You should consider changing your registrar or supplier if you experience any ongoing issues with them. Follow our guidance on how to choose a good registrar.
7. Check name server records are resilient
Make sure every .gov.uk domain is set up with:
- at least 2 name servers
- all name servers resolving to a different IP address
Name servers should be spread across multiple physical locations for resilience, and administrators should have restricted privileges, for example limited to certain domains. Where possible, make sure the name servers for your domain are also in different class C (/24) subnets.
This will help you to make sure traffic to services on your domain, including email and web services, continue to work if a single name server, IP address or subnet goes down.
You should have multiple name servers registered against your domain by following IANA recommendations.
8. Check delegation and authoritative name server records match
If your domain name server records at your registrar do not match the name server records at the registry level there is a high risk of domain compromise or hijack.
To check your delegation and authoritative records match you should:
- Use a tool like the dig command to carry out a manual check to make sure all delegation and authoritative records match.
- Make sure there are no spelling mistakes in your name server records.
- Update name server records to match the registry level records if there is an incorrect record.
9. Check your name servers’ responses are consistent
Your name servers may be behaving inconsistently, for example by returning different name servers or TXT records.
If your domain name server records are inconsistent, there is an increased risk of your domain being hijacked. Traffic to services on your domain, including email and web, could also:
- send traffic to the wrong place
- work intermittently
- stop working altogether
To make sure all your name server records are consistent you should check that all name servers:
- respond with the same records and there are no spelling or numerical mistakes
- serve the same name server (NS) record for the designated domain
- serve the same Start of Authority (SOA) record for the designated domain
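Sections 5, 7, 8 and 9 all come down to comparing what the registry delegates with what each name server actually answers. The script below is an added example (it is not part of this guidance and not a Domains Team tool) that runs those comparisons over a constructed snapshot of the answers; the domain example.gov.uk, the name server names and the IP addresses are made-up sample values. In practice you would fill the snapshot from dig queries such as `dig +norecurse @ns1.example.net example.gov.uk NS` and the same query for SOA, asking each delegated server in turn.

```python
import re
from ipaddress import ip_network

# Constructed snapshot for the hypothetical domain example.gov.uk.
# What the registry delegates the domain to (the NS records in the parent zone):
REGISTRY_DELEGATION = {"ns1.example.net.", "ns2.example.net.", "ns3.example.org."}

# What each delegated server answered when asked directly for the domain's
# NS and SOA records; None records a server that did not answer at all.
SERVER_RESPONSES = {
    "ns1.example.net.": {
        "ip": "192.0.2.10",
        "ns": {"ns1.example.net.", "ns2.example.net.", "ns3.example.org."},
        "soa_serial": 2024061401,
    },
    "ns2.example.net.": {
        "ip": "192.0.2.11",  # same /24 as ns1: one outage takes both down
        "ns": {"ns1.example.net.", "ns2.example.net."},  # ns3 missing: stale zone
        "soa_serial": 2024061400,  # behind ns1: zone not replicated
    },
    "ns3.example.org.": None,  # delegated but unresponsive
}

LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def valid_hostname(name):
    """Syntactic check for a fully qualified host name (catches typos such as 'ns1..net.')."""
    if not name.endswith(".") or len(name) > 254:
        return False
    return all(LABEL_RE.match(label) for label in name[:-1].split("."))


def check_delegation(registry_ns, responses):
    """Return a list of (code, detail) findings; an empty list means every check passed."""
    findings = []
    live = {host: r for host, r in responses.items() if r is not None}

    # Section 5: each delegated name server must be a valid name and must answer.
    for host in sorted(registry_ns):
        if not valid_hostname(host):
            findings.append(("invalid-name", host))
        if responses.get(host) is None:
            findings.append(("unresponsive", host))

    # Section 7: at least two servers, on distinct addresses in distinct /24 subnets.
    if len(registry_ns) < 2:
        findings.append(("too-few-servers", str(len(registry_ns))))
    ips = [r["ip"] for r in live.values()]
    if len(set(ips)) != len(ips):
        findings.append(("shared-ip", ",".join(sorted(set(ips)))))
    subnets = {str(ip_network(f"{ip}/24", strict=False)) for ip in ips}
    if len(subnets) < 2:
        findings.append(("single-subnet", ",".join(sorted(subnets))))

    # Section 8: the NS set each server publishes must equal the registry delegation.
    for host, r in sorted(live.items()):
        if set(r["ns"]) != set(registry_ns):
            missing = sorted(set(registry_ns) - set(r["ns"]))
            extra = sorted(set(r["ns"]) - set(registry_ns))
            findings.append(("delegation-mismatch", f"{host} missing={missing} extra={extra}"))

    # Section 9: all responding servers must agree with each other on NS set and SOA serial.
    if len({frozenset(r["ns"]) for r in live.values()}) > 1:
        findings.append(("inconsistent-ns", ",".join(sorted(live))))
    if len({r["soa_serial"] for r in live.values()}) > 1:
        findings.append(("inconsistent-soa", ",".join(sorted(live))))
    return findings


if __name__ == "__main__":
    for code, detail in check_delegation(REGISTRY_DELEGATION, SERVER_RESPONSES):
        print(f"{code}: {detail}")
```

Run against the sample snapshot it reports the unresponsive ns3, the shared /24, the stale NS set on ns2, and the NS and SOA disagreement between the two live servers; a healthy delegation returns an empty list. The SOA serial comparison is the quickest way to spot a secondary that has stopped replicating, which is the usual cause of the intermittent failures described above.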
10. Backup domain data
Suppliers should ideally provide export functionality so that backups of .gov.uk DNS zones can be made. You should take regular backups or copies of your zone so that you can restore lost records or recreate the zone elsewhere if required.
11. Secure expired or unused .gov.uk domains
Make sure you secure expired or unused .gov.uk domain names properly by following the stop using your domain guidance.
12. Check the zone transfer (AXFR) status is closed
An open zone transfer (AXFR) status allows anyone on the internet to download all domain name server records.
Make sure the zone transfer (AXFR) status is closed on all of your name servers. This will protect your domain records from being downloaded and used to identify and exploit vulnerabilities.
To check your AXFR status you should:
- Use an online tool to check your AXFR status on all of your name servers.
- Turn off the AXFR status if it is open.
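As an added illustration that is not part of this guidance, this is what the open and the closed setting look like in a BIND named.conf, assuming BIND is the name server software in use (the zone name, file path, key name and secondary address are placeholders; `type primary` is spelled `type master` on older BIND releases):

```conf
// BEFORE (weak): any host on the internet may pull the whole zone with AXFR.
zone "example.gov.uk" {
    type primary;
    file "/etc/bind/zones/db.example.gov.uk";   // placeholder path
    allow-transfer { any; };
};

// AFTER (hardened): refuse transfers by default, then allow only requests
// signed with a TSIG key shared with your own secondary servers.
options {
    allow-transfer { none; };
};

key "xfer-key" {                                // placeholder key name
    algorithm hmac-sha256;
    secret "<base64 secret generated with tsig-keygen>";
};

zone "example.gov.uk" {
    type primary;
    file "/etc/bind/zones/db.example.gov.uk";   // placeholder path
    allow-transfer { key "xfer-key"; };
    also-notify { 198.51.100.5; };              // placeholder secondary address
};
```

The two `zone` blocks are alternatives, not a single configuration. After reloading, confirm the change from a host outside your secondaries with `dig @ns1.example.net example.gov.uk AXFR`; the expected answer is `Transfer failed.`, and a full listing of the zone means the status is still open.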
13. Check glue records are correct
A glue record contains the IP address of a name server. You would use glue records if you’re using in-zone name servers for your domain. For example, if your domain is test.gov.uk and your name servers are ns1.test.gov.uk and ns2.test.gov.uk.
If you change the IP address of your name server you need to update the glue records at the registry with the new IPs.
If your records do not match, traffic to services on your domain, including email and web, might work intermittently or stop working entirely.
You should contact your registrar or DNS supplier and ask them to make sure your glue records are consistent.
14. Remove glue records when you delete domains
Make sure you do not leave any glue records at the registry when you delete a domain as this deleted domain could be hijacked. Records which are not removed when a domain is deleted are known as ‘orphan glue records’.
You should contact your registrar or DNS supplier and ask them to remove glue records when domains are deleted from the zone.
15. Check CNAMEs
You can use a Canonical Name (CNAME) record to point a domain to another domain. For example, you might want to point ‘domain.gov.uk’ to ‘www.domain.gov.uk’ or to a domain hosted by your cloud service provider.
Make sure CNAME records are updated or deleted when you no longer need them to avoid your domain being hijacked.
16. Consider using Certification Authority Authorisation records
Check whether DNS Certification Authority Authorisation (CAA) records are appropriate for you to use with your domain names.
A CAA record limits which certificate authorities (CAs) can issue certificates for a domain to a predefined list.
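To show what that limit means in practice, the following Python function is an added worked example (not from this guidance) of how a CA evaluates CAA records under RFC 8659 against a constructed set of zones. The domain names, CA names and records are made-up sample values, and parameters after the `;` in a value (such as account binding) are ignored for simplicity.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the property as issuer-critical
    tag: str     # property tag: "issue", "issuewild" or "iodef" (others may appear)
    value: str   # e.g. "letsencrypt.org", "digicert.com; accounturi=...", or ";"


KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample CAA data, keyed by owner name (all hypothetical domains).
ZONES = {
    # Only one CA may issue, no CA may issue wildcards, and violations are reported.
    "example.gov.uk.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:dns-team@example.gov.uk"),
    ],
    # iodef alone asks for reports but does not request restriction processing.
    "reportonly.gov.uk.": [CAA(0, "iodef", "mailto:dns-team@reportonly.gov.uk")],
    # A critical property the CA does not understand: it must refuse to issue.
    "strict.gov.uk.": [
        CAA(0, "issue", "digicert.com"),
        CAA(128, "futureproperty", "x"),
    ],
}


def parent(name):
    """'example.gov.uk.' -> 'gov.uk.'; 'uk.' -> '' (the root, where the climb stops)."""
    return name.partition(".")[2]


def relevant_rrset(name, zones):
    """The CAA RRset of the name itself, else of its closest ancestor that has one."""
    while name:
        rrset = zones.get(name)
        if rrset:
            return name, rrset
        name = parent(name)
    return "", []


def issuer_domain(value):
    """The issuer-domain-name part of an issue/issuewild value; '' means 'nobody'."""
    return value.partition(";")[0].strip().lower()


def ca_may_issue(fqdn, ca_domain, zones):
    """Decide whether the CA identified by ca_domain may issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    _, rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zones)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is not restricted
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # critical property we cannot interpret: must not issue
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild, when present, overrides issue for wildcard names
    relevant = [r for r in rrset if r.tag.lower() == tag]
    if not relevant:
        return True  # no issue/issuewild property: restriction processing was not requested
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)


if __name__ == "__main__":
    for name, ca in [("www.example.gov.uk.", "letsencrypt.org"),
                     ("www.example.gov.uk.", "digicert.com"),
                     ("*.example.gov.uk.", "letsencrypt.org"),
                     ("strict.gov.uk.", "digicert.com")]:
        print(f"{ca:16} -> {name:22} {'allowed' if ca_may_issue(name, ca, ZONES) else 'denied'}")
```

Two points the function makes visible: a CAA record on the zone apex covers every subdomain that has no CAA record of its own, so one record at example.gov.uk. is enough; and `issuewild ";"` is how you forbid wildcard certificates entirely while still allowing ordinary ones.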
17. Monitor how SSL certificates are issued
Monitor how SSL certificates are issued to check no one has managed to gain access to issue certificates on your domains or subdomains.
Updates to this page
Published 29 April 2020. Last updated 14 June 2024.
- Updated point 4: the renewals procedure is changing with the new Registry Operator.
- We have clarified that new applications to the Registry Lock service are currently paused. Domains that are currently Registry Locked will continue to use the locking and unlocking process as usual.
- Updated the introduction and added a link to the get started with your .gov.uk domain name guidance.
- This page has been restructured to focus on technical obligations of IT teams and suppliers. Some sections have been combined or moved to other pages as they are non-technical and the responsibility of the domain name administrator. New sections in this document are: 2 (Set up any services on the domain securely), 3 (Sign up the domain to Active Cyber Defence tools), 10 (Backup domain data) and 17 (Monitor how SSL certificates are issued).
- The Domain Management team has now moved to the Central Digital and Data Office. This update removes any references to the Government Digital Service (GDS).
- Clarifying that CNAMEs can point to a domain hosted by a cloud service provider.
- Updates to sections 1, 2, 3, 5, 6 and 13 to clarify information based on user feedback.
- Updated to make it clear Domain Name Administrators must sign up for Registry Lock.
- Update to Section 1 to clarify what the GDS Registry Lock Service does and that it does not impact day to day DNS management.
- Added new section about consistent name server records.
- Added a point about renewing domain names.
- First published.