Guidance

What to do if your domain name is compromised

Check who to contact if you think your domain is compromised.

Domain names are regularly attacked and sometimes compromised within the DNS. You should protect your domain name and take action if attackers have compromised it.

If you think your domain name is compromised, you must do the following immediately.

  1. Check what services are affected, for example websites, emails and digital services.

  2. Contact your registrar or DNS provider immediately to get help.

  3. If your registrar or DNS provider has changed without your permission, this may be part of the compromise and you should contact the new one.

  4. Report the incident to the National Cyber Security Centre.

  5. Contact the GDS Domains Management team.

What can happen to a compromised domain name

If attackers compromise your domain name you must follow the steps above to recover it. If you do not, attackers could:

  • change name servers

  • intercept and access standard and encrypted traffic

  • re-route, intercept and spoof email

  • redirect websites

  • create and host web email or digital services that look legitimate

  • add DNS records to authenticate the domain’s other services, for example a bulk email service

  • create real SSL certificates

  • spoof servers to capture internal data

  • set long time to live (TTL) values on records so the changes they make take longer to undo
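To help check what is affected, the following added example (not part of the original guidance) compares observed DNS records with a known-good baseline and reports changed name servers, changed or added records and unusually long TTLs. It assumes records are available as `name TTL class type rdata` lines and that you hold a baseline from before the incident; the `MAX_TTL` threshold and all sample records are constructed for illustration.

```python
# Added example: diff observed DNS records against a known-good baseline.
# All records below are constructed sample data using reserved names and addresses.
from collections import defaultdict

MAX_TTL = 86400  # assumed policy threshold (1 day); set this from your own baseline

BASELINE = """\
example.org. 3600 IN NS ns1.dns-provider.example.
example.org. 3600 IN NS ns2.dns-provider.example.
example.org. 3600 IN MX 10 mail.example.org.
example.org. 300 IN A 192.0.2.10
example.org. 3600 IN TXT "v=spf1 mx -all"
"""

OBSERVED = """\
example.org. 604800 IN NS ns1.unknown-host.example.
example.org. 604800 IN NS ns2.unknown-host.example.
example.org. 3600 IN MX 10 mail.example.org.
example.org. 300 IN A 198.51.100.7
example.org. 3600 IN TXT "v=spf1 mx -all"
example.org. 3600 IN TXT "bulkmail-verification=constructed-token"
"""

def parse(text):
    """Parse 'name TTL class type rdata' lines into {(name, type): {rdata: ttl}}."""
    records = defaultdict(dict)
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            records[(name.lower(), rtype.upper())][rdata.strip()] = int(ttl)
    return records

def diff(baseline_text, observed_text, max_ttl=MAX_TTL):
    """Return (kind, name, type, rdata) findings, ordered by name and record type."""
    base, seen = parse(baseline_text), parse(observed_text)
    findings = []
    for key in sorted(set(base) | set(seen)):
        old, new = base.get(key, {}), seen.get(key, {})
        findings += [("ADDED", *key, r) for r in sorted(set(new) - set(old))]
        findings += [("REMOVED", *key, r) for r in sorted(set(old) - set(new))]
        # Flag TTLs above policy that are also longer than the baseline value.
        findings += [("LONG_TTL", *key, r) for r, ttl in sorted(new.items())
                     if ttl > max_ttl and ttl > old.get(r, 0)]
    return findings

if __name__ == "__main__":
    for finding in diff(BASELINE, OBSERVED):
        print(*finding)
```

Share the findings with your registrar or DNS provider when you contact them, as they show which records need restoring.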

Published 19 December 2019