Preventing DNS Takeovers
Dallas Read
on
As part of DNSimple's ongoing commitment to enhancing our security, we've introduced a new, conditional verification step when you add a zone to your DNSimple account (this will only affect a small percentage of zone creations). It's designed to protect all DNSimple customers against DNS takeover attacks, and we're implementing it across all plans.
Everyone relies on secure domain routing and will benefit from these protections. Preventing DNS takeover not only safeguards your domains, it helps ensure a more secure internet for all.
Let's go over what a DNS takeover attack is and how our updated verification process works to further secure your domains.
What is a DNS takeover attack?
A DNS takeover attack occurs when an attacker gains control of a domain's DNS records. This allows them to redirect traffic, impersonate services, or intercept sensitive data. It's a serious security concern, and while rare, it can happen under specific conditions.
When a domain is removed from an account but still points to DNSimple's name servers, a malicious actor could potentially add that same zone to their own DNSimple account. Without a verification step in place, this unauthorized user could inadvertently be allowed to manage the domain's DNS records without actually owning the domain.
Our new verification process works to mitigate this possibility.
The new verification process
When you add a zone to DNSimple, we will determine where the domain delegates and whether it was previously in a different account. We may require you to verify their ownership of the domain if the domain was recently removed from another DNSimple account and still points to our name servers.
Verification is required when:
- The domain/zone was previously in a different account. AND
- The domain is pointed at DNSimple's name servers (including vanity name servers).
How it works:
- When prompted to verify a domain, you'll be given two randomly-generated verification name servers (e.g.
ns-random123.dnsimple-verify.com). - You'll be asked to add these verification name servers at your domain registrar (where you purchased your domain name).
- After the verification passes, we'll send you an email letting you know that you can add the zone to your account. It could take anywhere from a few minutes to a few hours for this email to arrive.
- Once you've added the zone to your DNSimple account, remember to remove the verification name server from the delegation at your domain registrar.
- Verifications expire after 48 hours, but you can retry by re-initiating the add zone operation.
TLDs that require pre-delegation checks (like .DE, .CA, etc) are unable to use zone verification at this time. For these domains, you'll be prompted to reach out to support.
You can read more about the zone verification process in this support article.
A constant process
Security isn't a one-off feature — it's a constant process of strengthening defenses and anticipating risks. This new verification requirement for adding zones is just one of the ways DNSimple continues evolving to meet that challenge. We're excited to roll out this change and to continue bringing you seamless domain management and security.
If you have questions or want to talk more about your DNS management, get in touch — we'd love to hear from you. Not using DNSimple yet? Give us a try free for 30 days, and see how simple and secure domain management can be.
Dallas Read
Dream. Risk. Win. Repeat.
We think domain management should be easy.
That's why we continue building DNSimple.
