GovWire

Detailed guide: Choose a good registrar or DNS provider

Cabinet Office

October 7 2019, 09:57

Domain names are critical government assets. When running them you must choose a reputable registrar or DNS provider which will let you manage your domains securely.

What are registrars and DNS providers

A registrar will help you to register a government domain with an internet domain name registry. In most cases, the registrar will also be your DNS provider, which hosts the authoritative name servers for your domains.

Some providers may combine other services like internet access, or web and email hosting. If you are choosing a DNS provider to manage your internal domains then you may not need a registrar.

How to choose a registrar or DNS provider

Cost should not be the main factor you consider, as the cheapest providers may not provide the best security or support.

Good registrars and DNS providers will offer:

  • security and resilience

  • reputation and governance

  • service and support

1. Security and resilience

You should look for a registrar or DNS provider that:

  • uses strong password requirements and multi-factor authentication when accessing your management portal

  • verifies your identity if you make changes by email or phone

  • lets you control who in your organisation can make changes

  • sends email notifications when changes are made

  • uses multi-factor authentication in its interaction with the registry

To further enhance the security and resilience of your domains you should also look for:

  • client and server lock processes that require additional validation for changes to be made

  • domain escrow to back up your domain data with a secure third party

  • support for DNSSEC to protect against DNS hijacking and man-in-the-middle attacks

  • support for adding CAA records, to indicate to certificate authorities whether they are authorised to issue digital certificates for your domain name

  • name servers spread across multiple physical locations and third-level domains for resilience

  • restricted privileges for different administrators, for example limiting them to certain domains

  • restricted management portal access by device or location

  • audit and activity logging

  • version control for DNS changes

  • a public API to allow for configuration management or infrastructure-as-code

  • export functionality to allow for backups of your DNS zone to be taken

Consider using multiple suppliers for important domains - that way, if one ever suffers an outage, your services will continue to work.

If an attacker were to gain control over your DNS they could change email routing or spoof your website without you being aware. NCSC provides guidance on how you can make sure a provider offers a secure service including the use of the Cloud Security Principles.
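One way to act on the export, version-control and change-monitoring items above, as an added example that is not part of the original guidance or any provider's tooling: compare today's zone export with the last reviewed copy and flag changes to records that control delegation, mail routing, web addresses or certificate issuance. The zone contents, the names under `.example` and the simplified one-record-per-line export format are constructed assumptions.

```python
from collections import defaultdict

# Record types whose change can move delegation, mail, web traffic or certificate issuance.
HIGH_RISK = {"NS", "MX", "A", "AAAA", "CNAME", "CAA", "DS", "DNSKEY"}

BASELINE = """\
; constructed sample: last reviewed export, kept under version control
dept.example.      3600 IN NS  ns1.provider-a.example.
dept.example.      3600 IN NS  ns1.provider-b.example.
dept.example.      3600 IN MX  10 mail.dept.example.
dept.example.      3600 IN CAA 0 issue "ca.example"
www.dept.example.  300  IN A   192.0.2.10
dept.example.      3600 IN TXT "v=spf1 mx -all"
"""

CURRENT = """\
; constructed sample: today's export (extra MX added, CAA record gone)
dept.example.      3600 IN NS  ns1.provider-a.example.
dept.example.      3600 IN NS  ns1.provider-b.example.
dept.example.      3600 IN MX  5 mx.mail-relay.example.
dept.example.      3600 IN MX  10 mail.dept.example.
www.dept.example.  60   IN A   192.0.2.10
dept.example.      3600 IN TXT "v=spf1 mx -all"
"""

def parse_zone(text):
    """Map (owner, type) -> set of rdata strings; TTL and class are ignored."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # whole-line comments only: TXT data may contain ';'
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rrsets[(owner.lower(), rtype.upper())].add(" ".join(rdata.split()))
    return rrsets

def zone_drift(baseline, current):
    """Return sorted (severity, change, owner, type, rdata) tuples for every difference."""
    old, new = parse_zone(baseline), parse_zone(current)
    findings = []
    for key in set(old) | set(new):
        sev = "HIGH" if key[1] in HIGH_RISK else "review"
        findings += [(sev, "added", *key, r) for r in new.get(key, set()) - old.get(key, set())]
        findings += [(sev, "removed", *key, r) for r in old.get(key, set()) - new.get(key, set())]
    return sorted(findings)

if __name__ == "__main__":
    for finding in zone_drift(BASELINE, CURRENT):
        print(*finding)
```

Run against a provider's real export, each finding should be matched to an approved change and to the provider's own audit log and change notification.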

GDS recommends that you:

2. Reputation and governance

Performing your own due diligence will help you check if a registrar or DNS provider is reputable. You can:

  • check Companies House for its business history

  • find a supplier through the Digital Marketplace

  • look for evidence of good governance such as ISO27001 certification or ICANN accreditation

  • check the provider has a modern management portal that supports DNSSEC, null MX entries, long DKIM records, and CAA

  • check that the provider is not susceptible to common DNS misconfigurations such as public zone transfers or enabling the ANY record

  • check they provide a dispute resolution policy - for example what is the process if one of your domains gets hijacked?

  • check if DNS management is a core competency of the provider

  • check whether the registrar outsources its DNS infrastructure - if it does, you will need to make sure the outsourced provider is also reputable

3. Service and support

It's important to check that a potential provider offers you:

  • knowledgeable technical support

  • the support hours you need

  • an emergency phone and email contact

  • the option to check and monitor your records

  • the ability to make changes quickly and easily

  • a process for transferring your records to another supplier if there is a problem

Not all suppliers give you direct access to your DNS records via a control panel. Check if this is something you need and try it out before buying to make sure it offers a good user experience.

Find a registrar or DNS provider for .gov.uk domain names

There is currently no government procurement framework for finding a registrar or DNS provider, so you must search for a provider based on the criteria above.

The .gov.uk registry provides a list of registrars that currently support .gov.uk domains.

Registering a domain name does not cost a lot of money but is a significant point of control over many of the services you manage.

The baseline cost for a new domain name from the current registry provider is usually £80 + VAT for the first 2 years. The renewal fee every 2 years after that is £40 + VAT. You can expect your provider to charge a markup depending on the level of service they provide.

Why you need a trusted registrar or DNS provider

As a government domain administrator you must choose a registrar or DNS provider so you can:

  • meet the appropriate security standards for your organisation, for example, central government departments must follow the Minimum Cyber Security Standard

  • view the domains your organisation owns or has control over

  • keep the contact details of the domain administrator up to date

  • receive notifications before your domain names expire

  • protect your domains between both you and your registrar, and between your registrar and the registry

  • monitor when changes are made to your domain

Your organisation needs a trusted registrar or DNS provider to operate any government domain name. It's important you trust your provider because they can:

  • make changes to your DNS records, redirect your email, website, or digital services

  • get TLS/SSL certificates issued for your domains

  • validate domain name ownership for services like G Suite or Office 365

  • transfer your domains to another provider or otherwise out of your control

Further reading

For more information on choosing DNS providers you can read:
