DNS-003 critical Domain Management

Registrar account security

Registrar accounts have 2FA enabled, more than one person has access, and credentials are stored in a shared secret manager (not one person's email). Registrar compromise = total domain takeover.

Question to ask

"Who has access to your registrar — and is it just one person?"

What to check

  • Ask which registrar(s) are used
  • Verify 2FA is enabled on registrar accounts
  • Verify more than one person has access
  • Check if registrar lock is enabled on critical domains

Verification guide

Severity: Critical

Registrar compromise is game over — attacker can redirect your domain anywhere. This is one of the highest-impact account takeovers possible.

Ask user:

  • "Which registrar(s) do you use?" (Cloudflare, Namecheap, GoDaddy, Google Domains, etc.)
  • "Is 2FA/MFA enabled on the registrar account?"
  • "How many people have access to the registrar?"
  • "Where are registrar credentials stored?"
  • "Is registrar lock (clientTransferProhibited) enabled on critical domains?"

Check automatically:

# Check if registrar lock is enabled via WHOIS
whois example.com | grep -i "status"
# Look for: clientTransferProhibited, serverTransferProhibited
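
As an added example that is not part of this checklist: a POSIX shell helper that classifies WHOIS output by the transfer-lock status the grep above looks for, plus an audit loop over several domains. It assumes the `whois` client is installed; the sample records below are constructed, not real lookups.

```shell
#!/bin/sh
# Added example (not from the original checklist).
# check_registrar_lock reads WHOIS output on stdin and prints one word:
#   LOCKED   - a clientTransferProhibited status is present (pass)
#   UNLOCKED - status lines exist but carry no transfer lock (fail)
#   UNKNOWN  - no status lines at all (rate-limited, redacted, bad domain)
check_registrar_lock() {
  statuses=$(grep -i 'status' | tr -d '\r' || true)
  if [ -z "$statuses" ]; then
    echo UNKNOWN; return 2
  fi
  if printf '%s\n' "$statuses" | grep -qi 'clientTransferProhibited'; then
    echo LOCKED; return 0
  fi
  echo UNLOCKED; return 1
}

# audit_domains DOMAIN... runs a live whois per domain (needs network and
# the whois client) and exits non-zero if any domain is not LOCKED.
audit_domains() {
  rc=0
  for d in "$@"; do
    result=$(whois "$d" 2>/dev/null | check_registrar_lock || true)
    printf '%-30s %s\n' "$d" "$result"
    [ "$result" = LOCKED ] || rc=1
  done
  return $rc
}

# Constructed sample WHOIS fragments for offline use (not real records).
SAMPLE_LOCKED='Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited'
SAMPLE_UNLOCKED='Domain Name: EXAMPLE.NET
Domain Status: ok https://icann.org/epp#ok'
SAMPLE_EMPTY='Domain Name: EXAMPLE.ORG'

# Usage against live registrars:  audit_domains example.com example.net
```

Treat UNKNOWN as a finding to follow up manually rather than a pass, since thin or rate-limited WHOIS responses are common.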

Pass criteria:

  • 2FA enabled on all registrar accounts
  • At least 2 people have access (bus factor > 1)
  • Credentials in a shared secret manager (not one person's email)
  • Registrar lock enabled on production domains

Fail criteria:

  • No 2FA on registrar
  • Single person has access
  • Credentials in personal email only
  • No registrar lock on critical domains

Evidence to capture:

  • Registrar(s) used
  • 2FA status
  • Number of people with access
  • Registrar lock status for critical domains

Section: 20. Domain & Email Infrastructure