
PROTECTION OF PARKED DOMAINS





This document describes a set of best practices for "parked" domains (and subdomains), that is, registered domains that are not used for sending email.
Classification: TLP:WHITE
Date: 01/12/2020
Document version: 1.0
Title: Technical Recommendation of the National Cybersecurity Centre: Protection of "Parked" Domains

Version History
Version  Date        Reviewer  Comments/Notes
1.0      01/12/2020  CNCS      Initial version of the document

LIST OF ABBREVIATIONS


DKIM: DomainKeys Identified Mail

DMARC: Domain-based Message Authentication, Reporting and Conformance

DNS: Domain Name System

SPF: Sender Policy Framework

INTRODUCTION


A "parked" domain is a domain that is not associated with sending or receiving email. The term is also used for a domain that serves only to redirect visitors to a main domain or website.

Many organisations and individuals register Internet domains without any immediate intention of using them, or only for a limited purpose that does not involve sending or receiving email. For instance, a domain may be registered purely to stop a malicious actor from acquiring and abusing it (a defensive registration). A defensive registration on its own, however, does not protect the domain: it may even have the undesired effect of persuading the organisation's correspondents that an email sent from that domain is genuine.
Without the proper security measures, a "parked" domain can therefore be used with relative ease to forge sender addresses (email spoofing) and to send phishing messages, undermining trust in the organisation it is associated with.

Email service providers now use increasingly effective techniques to authenticate the messages addressed to them, including adoption and validation of the standards referred to in Technical Recommendation 01/19. For those techniques to have the desired effect on a "parked" domain, however, the domain must publish a specific set of DNS records.

This document describes which records should be published to signal that a domain or subdomain is not intended to send or receive email, thus helping to prevent its abuse.

GENERAL RECOMMENDATIONS


"Parked" domains should be protected alongside the domains that do send email (see Technical Recommendation 01/19). It is nevertheless advisable to start with the "parked" domains: they are easier to protect, and once correctly configured they require no further maintenance.
All four of the actions below are recommended. Limitations of some management interfaces or DNS hosting systems may prevent every one of them from being applied in full; in that case, apply as many as the platform allows.

ACTIONS TO BE TAKEN WITH "PARKED" DOMAINS


The following four actions, each based on publishing a specific DNS record* (SPF, DMARC, MX and DKIM), tell receiving mail servers that no email should originate from the "parked" domain and that any message claiming to do so should be rejected. The measures should be implemented in the order shown.

*For a better understanding of these registers please consult Technical Recommendation 01/19
SPF record
If a domain is not used for sending email, it must have an SPF TXT record consisting of nothing but the version tag and a hard fail, sometimes called a "naked" -all. An example of such a record:

exemplo.pt TXT "v=spf1 -all"

This record states that no address or server is authorised to send email on behalf of the domain "exemplo.pt".

Subdomains take a little more work: an SPF record is not inherited by subdomains, so a separate record has to be created for every existing subdomain that does not need to send email.
DMARC record
If a domain is not used for sending email, it must have a DMARC TXT record at the _dmarc label specifying "p=reject", configured as follows:

_dmarc.exemplo.pt TXT "v=DMARC1; p=reject; rua=mailto:rua@dominioativo.pt; ruf=mailto:ruf@dominioativo.pt"


The rua tag is important: it lets the domain owner receive aggregate reports of attempted abuse. The ruf tag is optional but recommended. Because "exemplo.pt" is not configured to receive email, the rua and ruf addresses must belong to an active email domain. When that domain differs from the one publishing the DMARC record, as in the example, it must also publish a report-authorisation TXT record named exemplo.pt._report._dmarc.dominioativo.pt with the content "v=DMARC1"; without it, receivers will not send the reports (RFC 7489, section 7.1). No sp tag is needed: when it is absent, the p=reject policy also applies to subdomains of exemplo.pt.
Null MX record
If an A and/or AAAA record is associated with your "parked" domain, you must also create a "Null" MX record. Without it, a sending mail server that finds no MX record will fall back to the address in the A or AAAA record and attempt to deliver mail there.

Therefore, an MX record with a preference of 0 (the highest priority) and a single dot (the root) as its exchange host must be created, as defined in RFC 7505:

exemplo.pt MX 0 .
DKIM wildcard record
Publishing a DKIM record with an empty key is not strictly necessary: a signature that refers to a selector with no published record fails verification just as one for a revoked key does.

Such a record is still useful. RFC 6376 defines an empty p= tag as meaning that the key has been revoked, and some receivers treat an explicit revocation with extra care, for example by discarding any key they had cached for that selector.

The following wildcard record signals that no selector under the "parked" domain has a valid signing key, so no email can be legitimately signed for it:

*._domainkey.exemplo.pt TXT "v=DKIM1; p="
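As an added worked example (not part of the CNCS recommendation), the following Python script audits a domain's DNS records against the four actions above. It runs offline on a constructed record set shaped like the answers a resolver would return for two domains: exemplo.pt, carrying the records recommended in this document, and a hypothetical outro.pt with a soft-fail SPF, a monitor-only DMARC policy and no Null MX. The zone data, the function names and the simplified wildcard handling are assumptions of the example. It also applies two checks that the text implies but does not spell out: a DMARC record without an sp tag inherits p=reject for subdomains, and an rua address in another domain requires that domain to publish an authorisation record (RFC 7489, section 7.1).

```python
import re

# Constructed sample zone data (an assumption of this example), shaped like
# resolver answers: {(owner, rrtype): [rdata, ...]}.
ZONE = {
    ("exemplo.pt", "TXT"): ['"v=spf1 -all"'],
    ("_dmarc.exemplo.pt", "TXT"): [
        '"v=DMARC1; p=reject; rua=mailto:rua@dominioativo.pt; ruf=mailto:ruf@dominioativo.pt"'],
    ("exemplo.pt", "MX"): ["0 ."],
    ("*._domainkey.exemplo.pt", "TXT"): ['"v=DKIM1; p="'],
    ("exemplo.pt", "A"): ["192.0.2.10"],
    # authorisation the active domain publishes so it may receive exemplo.pt's reports
    ("exemplo.pt._report._dmarc.dominioativo.pt", "TXT"): ['"v=DMARC1"'],
    # hypothetical badly parked domain
    ("outro.pt", "TXT"): ['"v=spf1 ~all"'],
    ("_dmarc.outro.pt", "TXT"): ['"v=DMARC1; p=none; rua=mailto:rua@dominioativo.pt"'],
    ("outro.pt", "A"): ["192.0.2.20"],
}

def lookup(name, rtype, zone=ZONE):
    """Rdata for (name, rtype); falls back to a '*' wildcard on the leftmost label.
    Simplified wildcard semantics, enough to resolve a DKIM selector lookup."""
    if (name, rtype) in zone:
        return list(zone[(name, rtype)])
    labels = name.split(".")
    return list(zone.get((".".join(["*"] + labels[1:]), rtype), [])) if len(labels) > 1 else []

def txt_value(rdata):
    """Concatenate the quoted character-strings of a TXT record."""
    return "".join(re.findall(r'"([^"]*)"', rdata)) or rdata

def parse_tags(value):
    """Parse DMARC/DKIM 'tag=value; tag=value' syntax; empty values are kept."""
    tags = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, _, val = part.partition("=")
        tags[key.strip().lower()] = val.strip()
    return tags

def check_spf(domain):
    spf = [txt_value(r) for r in lookup(domain, "TXT") if txt_value(r).lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, f"expected exactly one SPF record, found {len(spf)}"
    if " ".join(spf[0].split()).lower() != "v=spf1 -all":
        return False, f"SPF is not the bare fail-all record: {spf[0]!r}"
    return True, spf[0]

def check_dmarc(domain):
    recs = [txt_value(r) for r in lookup(f"_dmarc.{domain}", "TXT")]
    if len(recs) != 1:
        return False, f"expected exactly one DMARC record, found {len(recs)}"
    tags = parse_tags(recs[0])
    if tags.get("v") != "DMARC1" or tags.get("p") != "reject":
        return False, f"policy must be p=reject, got p={tags.get('p')!r}"
    if tags.get("sp", "reject") != "reject":  # sp defaults to p, so absence is fine
        return False, f"subdomain policy weakens reject: sp={tags['sp']!r}"
    rua = tags.get("rua", "")
    if not rua.startswith("mailto:"):
        return False, "rua tag missing: aggregate reports would never be delivered"
    report_domain = rua.split(",")[0].partition("@")[2].strip().lower()
    if report_domain != domain.lower():  # external destination needs RFC 7489 s7.1 authorisation
        auth = lookup(f"{domain}._report._dmarc.{report_domain}", "TXT")
        if not any("v=DMARC1" in txt_value(a) for a in auth):
            return False, f"{report_domain} does not authorise reports for {domain}"
    return True, recs[0]

def check_null_mx(domain):
    mx = [" ".join(r.split()) for r in lookup(domain, "MX")]
    has_addr = bool(lookup(domain, "A") or lookup(domain, "AAAA"))
    if mx == ["0 ."]:
        return True, "Null MX present"
    if not mx and not has_addr:
        return True, "no MX and no A/AAAA, so the implicit-MX fallback cannot apply"
    if not mx:
        return False, "A/AAAA present without a Null MX: senders fall back to the address record"
    return False, f"MX records point at real hosts: {mx}"

def check_dkim(domain):
    recs = [txt_value(r) for r in lookup(f"any._domainkey.{domain}", "TXT")]
    if not recs:
        return True, "no DKIM record (optional; a missing key also fails verification)"
    tags = parse_tags(recs[0])
    if tags.get("v") == "DKIM1" and tags.get("p", "x") == "":
        return True, "wildcard revoked-key record present"
    return False, f"DKIM key material published for a parked domain: {recs[0]!r}"

def audit(domain):
    """Run the four checks; each result is (passed, detail)."""
    return {"spf": check_spf(domain), "dmarc": check_dmarc(domain),
            "null_mx": check_null_mx(domain), "dkim": check_dkim(domain)}

def is_parked_safe(domain):
    return all(ok for ok, _ in audit(domain).values())
```

To run it against a live domain, replace lookup with a real resolver query (for example with the dnspython library) and keep the check functions unchanged; the wildcard fallback in lookup is only needed because the constructed data has no resolver to expand "*._domainkey" for it.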
Last updated on 15-07-2022