
Author: Central Digital and Data Office (CDDO), Cabinet Office

Protecting public sector domains

A domain is a critical digital asset. Email, websites, and other digital services depend on the domain being correctly configured and secure.

The Protecting Public Sector Domains Team monitors public sector domains to keep them secure. This helps to protect critical government services that depend on the security of the .gov.uk domain and other public sector namespaces.

If a domain is not securely managed, the trust in all associated services is at risk.

The domain holder is responsible for its security. Even if your organisation uses a third party to manage the domain, the responsibility for its security rests with the domain holder. 

It is not enough to just set domains up correctly at the beginning. They also need to be properly and continuously managed over time. If not, they are vulnerable to attack or damage.

The potential business risks and impacts of an attack can be serious. Domain vulnerabilities can cause:

  • all digital services, emails and websites to stop working
  • sensitive data to be put at risk
  • users to be deceived with malicious or incorrect information
  • users to be defrauded by websites or emails they think are real

This page contains descriptions of the kind of issues the Protecting Public Sector Domains Team looks for. There are also links to more detailed explanations and issue types.

Managing the lifecycle of a domain

Most namespaces require domains to be renewed on a regular basis. It is the responsibility of the domain holder to make sure the domain is renewed on time.

Managing expiring domains

If you do not renew a domain name before it expires, it will be automatically suspended by the registry operator. This would be Nominet in the case of a .gov.uk domain.

All services related to that domain or any subdomains will stop operating. This means: 

  • users can’t access digital services and websites
  • emails don’t get delivered
  • staff can’t log in to email or other internal services that rely on the domain

If other organisations refer to an expired or outdated domain, those links will no longer work. This means that:

  • users will be unable to complete actions or navigate to the services or websites they need
  • there may be damage to an organisation’s reputation 

Follow this guidance on Renewing .gov.uk domains on time.

If an unused domain is in a managed public sector namespace like .gov.uk it can be allowed to expire, because the registry owner is able to control what domains are created. For .gov.uk this is the Central Digital and Data Office (CDDO).

Domains outside public sector control

If the domain you are using is not in the control of the public sector, like .org.uk or .com, you must consider the potential impact of it being re-registered by a malicious third party.

There is a considerable risk of misuse or reputational damage if any domain registered by a public sector organisation is allowed to expire. If the domain is in a managed public sector namespace the risk is mitigated because a malicious third party cannot re-register the domain. If the domain is in another namespace like .org.uk or .com, then there is no way to protect against third party registration after expiry. You should keep this type of domain indefinitely, unless you are completely sure there is no risk of misuse or reputational damage should a third party register it.

Decommissioning your .gov.uk domain

If you no longer need a domain and there are no remaining dependencies, you must request its removal through your registrar or allow it to expire safely. You should allow time to tell any affected organisations so that they can update links and references. 

Follow this guidance on Ending the use of a domain name.

Managing dangling resources and lame delegations

Dangling resources are DNS records that point to resources which no longer exist, or which no longer serve that domain.

Dangling name server (NS) records are sometimes called ‘lame’ delegations. This means the name server does not exist, or is not configured to answer authoritatively for that domain.

The most common dangling records are CNAMEs (Canonical Names). A CNAME is a type of record that is used to:

  • redirect an entire domain, for example if you want several websites owned by the same organisation to point to one primary website
  • redirect part of a website to an external resource or service

If you do not remove dangling resources or lame delegations when they are no longer needed, a domain or subdomain can be easily hijacked.

If the domain is hijacked, the attacker can:

  • register the abandoned domain or resource name themselves, for free or at very low cost, at the cloud service it still points to
  • create a webpage or service that looks legitimate and claims to be your organisation 
  • deceive users with malicious or incorrect information
  • defraud users by asking them to pay for services
  • redirect email traffic without anyone knowing, depending on the domain
  • set up a fraudulent email service
  • damage your organisation’s reputation 

Read more about keeping your domain secure

Managing name servers

A name server provides the mapping between domain names and IP addresses. Name servers act as the ‘directory’ for the name, like a phone book. Like the domains themselves, name servers need to be set up correctly and managed over time.

There are different ways that you might run name servers. You may:

  • run your own 
  • have a hosting company run them for you
  • use cloud-based name servers from a provider like Amazon or Cloudflare

Name servers can have performance issues, fail completely and stop responding to requests, or be misconfigured. Because they are a vital part of your infrastructure, regular monitoring lets you detect and fix issues before the domain stops working completely.

If you use third party companies to run your name servers, it is particularly important that you still make sure:

  • name servers are configured properly and resilient 
  • the domains used by your name servers are registry locked
  • the registry points to the right name servers

If a name server is not set up or managed properly it can cause: 

  • emails to bounce and be returned to sender
  • intermittent access to digital services and websites
  • a higher risk of being maliciously hijacked
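
The two sections above (dangling resources and lame delegations, and checking that the registry points to the right name servers) can all be verified with the same kind of check. The following is an added example written for this page; it is not the Protecting Public Sector Domains Team’s tooling. It stands in a constructed in-memory lookup table for real DNS answers (and for the authoritative-answer flag a real checker would read from each server’s reply), so it runs offline; every name in it is a placeholder, not a real domain.

```python
"""Checks for dangling CNAMEs, lame delegations and registry/zone NS mismatches.

Added illustration only: not the Protecting Public Sector Domains Team's tooling.
The resolver is a constructed in-memory table standing in for real DNS answers
(and for the AA flag a real checker would read from each server's reply), so the
checks run offline. Every name below is a placeholder, not a real domain.
"""
from typing import Dict, List, Set, Tuple

# Constructed DNS data: name -> list of (type, value). A missing name is NXDOMAIN.
FAKE_DNS: Dict[str, List[Tuple[str, str]]] = {
    "example.gov.uk.": [("NS", "ns1.hosting.example."), ("NS", "ns2.hosting.example.")],
    "ns1.hosting.example.": [("A", "192.0.2.1")],
    "ns2.hosting.example.": [("A", "192.0.2.2")],
    "old-ns.hosting.example.": [("A", "192.0.2.9")],
    "www.example.gov.uk.": [("CNAME", "sites.cloud-provider.example.")],
    "sites.cloud-provider.example.": [("A", "198.51.100.7")],
    # The tenant at the provider was deleted but the CNAME was left in the zone.
    "forms.example.gov.uk.": [("CNAME", "forms-tenant.cloud-provider.example.")],
}

# Constructed: zones each server address answers authoritatively (the AA flag).
FAKE_AUTHORITATIVE: Dict[str, Set[str]] = {
    "192.0.2.1": {"example.gov.uk."},
    "192.0.2.2": set(),            # reachable, but never loaded the zone
    "192.0.2.9": {"example.gov.uk."},
}

# Constructed: NS set the registry (parent zone) currently delegates to.
FAKE_PARENT_DELEGATION: Set[str] = {"ns1.hosting.example.", "old-ns.hosting.example."}


def lookup(name: str, rtype: str) -> List[str]:
    """Values of the given type at name; KeyError models an NXDOMAIN answer."""
    return [v for t, v in FAKE_DNS[name] if t == rtype]


def resolves(name: str, max_hops: int = 8) -> bool:
    """True if name reaches an address record within max_hops CNAME hops."""
    for _ in range(max_hops):
        try:
            if lookup(name, "A"):
                return True
            cnames = lookup(name, "CNAME")
        except KeyError:
            return False           # NXDOMAIN: nothing exists at this name
        if not cnames:
            return False           # name exists but carries no usable record
        name = cnames[0]
    return False                   # loop or over-long chain


def find_dangling_cnames(names: List[str]) -> List[Tuple[str, str]]:
    """(owner, target) pairs whose CNAME target no longer resolves."""
    dangling = []
    for name in names:
        try:
            targets = lookup(name, "CNAME")
        except KeyError:
            continue
        dangling.extend((name, t) for t in targets if not resolves(t))
    return dangling


def find_lame_delegations(zone: str) -> List[str]:
    """NS names in the zone that do not exist or are not authoritative for it."""
    lame = []
    for ns in lookup(zone, "NS"):
        try:
            addrs = lookup(ns, "A")
        except KeyError:
            lame.append(ns)        # the name server's own name is gone
            continue
        if not any(zone in FAKE_AUTHORITATIVE.get(a, set()) for a in addrs):
            lame.append(ns)        # answers, but without the AA flag for zone
    return lame


def delegation_mismatch(zone: str) -> Tuple[Set[str], Set[str]]:
    """(only at registry, only in zone): a non-empty set means the registry
    and the zone disagree about which servers are authoritative."""
    child = set(lookup(zone, "NS"))
    return FAKE_PARENT_DELEGATION - child, child - FAKE_PARENT_DELEGATION


if __name__ == "__main__":
    print("dangling:", find_dangling_cnames(list(FAKE_DNS)))
    print("lame:", find_lame_delegations("example.gov.uk."))
    print("registry/zone mismatch:", delegation_mismatch("example.gov.uk."))
```

In the constructed data the forms subdomain still points at a deleted provider tenant (dangling CNAME), ns2 answers but never loaded the zone (lame delegation), and the registry still delegates to an old server the zone no longer lists (registry/zone mismatch). Against live DNS the same three functions would be fed from dig answers, with the AA flag taken from each server’s reply header.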


Managing domain related email issues

Email authentication and security depend on working name servers and a number of correctly configured DNS records. All public sector organisations should register with the MyNCSC service to ensure their records are correctly configured.

Poorly configured mail server records can lead to:

  • delivery failure for inbound email
  • delivery failure for outbound email
  • email spoofing and phishing
  • malicious third parties intercepting inbound and outbound email
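
The records most often found misconfigured are the SPF and DMARC TXT records that tell receiving mail servers which senders are genuine. The following is an added example, not the MyNCSC service’s or NCSC’s own checking logic: it takes TXT records in the shape a DNS query returns and reports the weak settings that lead to the spoofing and delivery problems listed above. The records are constructed samples on placeholder names.

```python
"""Sanity checks on SPF and DMARC TXT records.

Added example; not the MyNCSC service's or NCSC's checking logic. The records
are constructed samples on placeholder names; a real check would fetch the TXT
records with dig (or a DNS library) and pass them in the same shape.
"""
from typing import Dict, List

SAMPLE_TXT: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    # Two SPF records (a permanent error for receivers) and an open '+all'.
    "weak.example": ["v=spf1 include:_spf.mailprovider.example +all",
                     "v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "none.example": [],
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Findings (empty list = nothing wrong) for the domain's SPF record(s)."""
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which servers may send for this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: evaluation fails with permerror")
    for rec in spf:
        terms = rec.split()[1:]                    # drop the 'v=spf1' version tag
        last = terms[-1].lower() if terms else ""
        if last in ("+all", "all"):
            findings.append(f"'{last}' lets any host send as {domain}: trivially spoofable")
        elif last == "?all":
            findings.append("'?all' is neutral: receivers have no basis to reject")
        elif last not in ("-all", "~all"):
            findings.append("no terminating 'all' mechanism: unlisted senders are treated as neutral")
        # Count only this record's own lookup terms (a full check would recurse into includes).
        names = [t.lstrip("+-~?").split(":")[0].split("=")[0].lower() for t in terms]
        lookups = sum(1 for n in names if n in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"{lookups} lookup terms: exceeds the RFC 7208 limit of 10")
    return findings


def check_dmarc(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Findings for the domain's DMARC policy record at _dmarc.<domain>."""
    recs = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["no DMARC record: spoofed mail from this domain is not rejected"]
    tags = {}
    for part in recs[0].split(";"):                # "k=v; k=v" tag list
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "none.example"):
        print(d, check_spf(d) + check_dmarc(d))
```

The sample good.example produces no findings; weak.example is flagged for its duplicate SPF records, its ‘+all’ and its monitoring-only DMARC policy; none.example has neither record. The same functions can be pointed at live records by passing in a dictionary built from TXT query results.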


Managing web issues

Web vulnerabilities can create significant risks to public sector domains, resulting in:

  • data theft
  • service disruption
  • reputational damage
  • misinformation

Organisations should use monitoring services like NCSC’s Web Check service to find and fix common security vulnerabilities in websites they manage.
How to check for and fix domain and DNS issues

There are a number of tools you can use when investigating domain-related issues. This will help you to confirm an issue is real and check if it has been fixed.

The most commonly used tool is dig, a network administration command-line tool for querying the Domain Name System (DNS).

Dig is part of the BIND toolset and can be installed on most desktop computers. If you can’t install it, there are a number of web-based alternatives including:

A number of other online tools will help you check and test various aspects of DNS configuration:

  • DNS Checker – checks if a change has propagated to all common resolvers, or if DNS records are inconsistent between name servers.
  • Zonemaster – an independent checker for common DNS issues
  • intoDNS – another checker for DNS and email issues
  • DNSSEC Checker – check for issues with DNSSEC configurations
  • DNSViz – a DNS zone visualisation tool, particularly for DNSSEC configuration
  • DNS Twist – check for current similar domains that could be used for phishing
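
One of the checks these tools perform, comparing what each name server returns so that stale or inconsistent records can be found, is easy to reproduce from dig output. The following is an added example, not code from DNS Checker or from dig itself: it parses answer lines in the format `dig +noall +answer` prints and reports any record set that differs between servers. The answer lines are constructed samples on placeholder names.

```python
"""Compare dig answers from several name servers to spot inconsistent records.

Added example (not DNS Checker's or dig's own code). The answer text is
constructed to look like `dig @<server> <name> <type> +noall +answer` output.
"""
import re
from typing import Dict, Set, Tuple

# owner  TTL  IN  TYPE  RDATA   (whitespace-separated, as dig prints it)
DIG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

# Constructed: what each server returned for the zone apex A and MX queries.
ANSWERS: Dict[str, str] = {
    "ns1.hosting.example": """\
example.gov.uk.\t3600\tIN\tA\t192.0.2.10
example.gov.uk.\t3600\tIN\tMX\t10 mail.example.gov.uk.
""",
    "ns2.hosting.example": """\
example.gov.uk.\t3600\tIN\tA\t192.0.2.10
example.gov.uk.\t3600\tIN\tMX\t10 old-mail.example.gov.uk.
""",
}


def parse_dig_answer(text: str) -> Set[Tuple[str, str, str]]:
    """Parse dig answer lines into (owner, type, rdata) triples, ignoring TTL."""
    records = set()
    for line in text.splitlines():
        m = DIG_LINE.match(line.strip())
        if m:                                      # comments and blank lines are skipped
            owner, _ttl, rtype, rdata = m.groups()
            records.add((owner.lower(), rtype.upper(), " ".join(rdata.split())))
    return records


def find_inconsistencies(answers: Dict[str, str]) -> Dict[Tuple[str, str], Dict[str, Set[str]]]:
    """For every (owner, type) whose rdata set differs between servers,
    return server -> rdata set so the stale server can be identified."""
    per_server = {ns: parse_dig_answer(txt) for ns, txt in answers.items()}
    keys = {(o, t) for recs in per_server.values() for o, t, _ in recs}
    diffs = {}
    for key in sorted(keys):
        views = {ns: {rd for o, t, rd in recs if (o, t) == key}
                 for ns, recs in per_server.items()}
        if len({frozenset(v) for v in views.values()}) > 1:
            diffs[key] = views
    return diffs


if __name__ == "__main__":
    for (owner, rtype), views in find_inconsistencies(ANSWERS).items():
        print(f"{owner} {rtype} differs between servers:")
        for ns, rdata in views.items():
            print(f"  {ns}: {sorted(rdata)}")
```

In the constructed data both servers agree on the A record but ns2 still serves an old MX target, the kind of drift that causes the intermittent delivery failures described earlier. To use it against live servers, run dig once per server (`dig @server name type +noall +answer`) and place each output in the dictionary under the server’s name.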

Other useful related tools

Check your cyber security – a set of NCSC tools for ad-hoc checks on IPs, websites, email services, and browsers.

CyberChef – a set of GCHQ tools for analysing and decoding data without having to deal with complex tools or programming languages. It includes tools to look up DNS records and to easily extract domain names or email addresses from larger datasets.

urlscan.io – load websites in a sandbox to check for issues or performance

Safe Browsing site status – a Google tool to check if a site is safe to visit


Some useful guides to fixing DNS problems include:

https://gcore.com/learning/how-to-troubleshoot-dns-issues/

https://www.itjones.com/blogs/dns-troubleshooting-and-security-basics-of-computer-networking

https://tinydns.org/common-dns-server-errors/

https://futuramo.com/blog/common-dns-issues-and-their-solutions/

https://www.forbes.com/advisor/business/what-is-dns-failure/
