DNS is one of the most important services on your network. Making a mistake with DNS can be costly, can cause your website to go down, and can expose you to hackers. Not good! In this article, I'll describe 5 of the most common DNS mistakes to help you avoid them.
Mistake 1: Using Expired Domain Names
Domain names are important for your business, so don't let them expire. A domain name is what defines your site, so it deserves attention from start to finish. Using expired domain names is bad because, among other reasons, they may lower your ranking on search engines due to outdated content and links. Expired domain names are one of the worst SEO mistakes you can make and can lead to lasting damage to your company's reputation.
I recommend logging into your DNS management system or registrar once a month to check on the status of your domains, renew any that are close to expiration, and prune any dead DNS records, as I'll describe below. While you're reviewing your domain, check up on your TLS certificates and consider rotating your registrar passwords, too.
Mistake 2: Keeping Stale DNS Records
DNS records change. After all, one of the purposes for DNS is to allow a server or service to move and change IP addresses, while only requiring you to change a single record. If you are growing and adapting to market demands, your computing environment is in a continuous state of change and iterative improvement. When you keep stale DNS records published for your domain, it's just more surface area for an attack to grab onto.
To keep the decisions simple, I adopt this approach with old DNS records:
Many DNS records, especially TXT records, are created simply for setup purposes and can be deleted following successful setup. SPF records can also become stale. If you decomission a service that sent email from your domain, be sure to update your SPF record and remove the service. Otherwise, others using the same service may be able to spoof message from your employees. For a quick check of the DNS and SPF records on your domain, use the free tools below:
Take it as a challenge to find 2 records today that are published on your domain, but no longer required!
Mistake 3: Not Changing DNS Settings When You Change ISPs
When you switch from one Internet Service Provider (ISP) to another, be sure that all domain settings are correct, especially if the switch means you will have new public IP addresses. All DNS records referencing the old ISP should be updated to point to the new ISP at the time of the switch. As a domain management best practice, this means changing all DNS records, changing login information on network equipment, and ensuring your new environment is secure. When you switch ISPs, also be sure to take care of moving any forwarding rules, file storage, email, or other services you used with your previous ISP.
Mistake 4: Choosing the Wrong Registrar
While there are many domain registrars out there, you only need one and it's not always clear which is the best to choose. A safe choice for a registrar is to choose one of the most popular and well known ones. The top 5 registrars are all ICANN-accredited and will provide a reasonable sense of safety for you. Of course, securing access to registrar systems is in part your responsibility and you should take it seriously. More on that below.
When it comes to choosing a registrar, you need to consider the tradeoff between having control of your domain and letting a registrar manage it for you. My recommendation is always to manage as much of your domain as you can, provided you know what you're doing. It's too easy to make a mistake with DNS, so be sure to read up on the DNS topic for which you are making a change
[See a visualization of the top registrars and a deeper discussion on registering domain names with the most popular registrars]](/articles/domain-management-best-practices).
Mistake 5: Missing Security
DNS is one of those foundational services that runs a lot of the web, but can allow attackers to run away with valuable parts of your business if you aren't securing it. A few ways attackers can leverage DNS to your detriment are distributed denial of service (DDoS) attacks, registrar hijacking, and cache poisoning. To protect against these vectors, include DNS in your capacity planning considerations, tightly control access to your registrars, and use DNSSEC signatures on your DNS records so your registrar can validate requests. Case studies for the worst DNS security incidents also provide lessons for improving your DNS security.
Not only for DNS, it's a good idea to use multi-factor authentication on your domain management accounts to protect against unauthorized access. This will help ensure that only authorized users can access your systems and make changes. In your approach to authentication overall, consider the three big mechanisms - something you have (like a hardware token), something you know (like a password), something you are (biometrics).
A security-first mentality will serve you well, not just in how you access DNS and other services, but in the overall design of systems. It goes a long way toward protecting your organization from the harmful damage that can come from neglecting it. Keep your systems up to date, stay alert to developing threats, and review your security program regularly.
Tools to Help You Track DNS Records
Fortunately, there are tools to help you track your DNS records and look out for common issues. With NetworkCalc Pro, you can create customized alerts too look out for a variety of DNS issues in your domains and subdomains:
- Identify expiring registrations and certificates.
- Get alerted to an invalid SPF record.
- Find DNS configuration drift with declarative alerts that specify what your DNS records should be.