Parked domains reported problematic by Security Scorecard
Let's say you reserved a domain at one of the reputable registrars. You don't link it with the hosting account yet, just own it. The registrar automatically creates nice landing page for it. This means that they created a valid DNS zone file for your domain name, which includes an A record pointing at the web server hosting the landing page, bunch of CNAME records pointing at their www., pop., imap., etc. servers. However, this is only a zone file for a landing page, so MX record may or may not be there and SPF record typically is not there. Now, a company like Security Scorecard scans registrar's records and finds that this specific domain name belonging to your company. The domain name doesn't have SPF record - negative points, has associated IMAP service - negative points, the landing page doesn't enforce HTTPS protocol - negative points. All you did was reserved yourself a domain name, but that scored negatively against your company cyber security or, as they call it, digital footprint reputation.
This leads me to the question directed to people familiar with Security Scorecard, or such like, services - what is the best way to avoid owned parked domain having adverse effect on the Security Scorecard report? Is the private registration the way to go? Or, perhaps, setting invalid address for the DNS server authoritative to that domain, e.g 1.2.3.4? That way the scanner will not get any response at all. Or, maybe it is better to set the authoritative DNS server to the address of actually existing DNS server where the DNS zone file for your domain does not exist. That way the scanner will receive a response "non existent domain", or something to that effect. Any suggestion will be greatly appreciated.
Also, if anyone could direct me to any resources regarding Security Scorecard practices or addressing issues reported by them or maybe just share their experience of dealing with Security Scorecard, I would be eternally grateful.
This leads me to the question directed to people familiar with Security Scorecard, or such like, services - what is the best way to avoid owned parked domain having adverse effect on the Security Scorecard report? Is the private registration the way to go? Or, perhaps, setting invalid address for the DNS server authoritative to that domain, e.g 1.2.3.4? That way the scanner will not get any response at all. Or, maybe it is better to set the authoritative DNS server to the address of actually existing DNS server where the DNS zone file for your domain does not exist. That way the scanner will receive a response "non existent domain", or something to that effect. Any suggestion will be greatly appreciated.
Also, if anyone could direct me to any resources regarding Security Scorecard practices or addressing issues reported by them or maybe just share their experience of dealing with Security Scorecard, I would be eternally grateful.
David Johnson, CD
they are simply trying to drum up business by emailing the administrative contact. If you're not using the domain then who cares what a security report says. Whether or not the security report is scathing or praising it means absolutely nothing since it is not being actively used.
ASKER
We seem to agree that parked domains should not be included on the security report. However, they are there for the reasons I tried to explain and we have to deal with this culprit, because our business partners care what the report says.
then don't park them. point them to another site that you own.
Where are your partners getting this information re the parked domains and how are they associating these domains with your company?
Where are your partners getting this information re the parked domains and how are they associating these domains with your company?
A big underlying issue here is that a security scorecard is something that in many cases is hard to get revised, depending on the scoring company -- I don't have any experience with Security Scorecard specifically. Also, many parked landing pages are used by the registrar/host to advertise their own business. Personally I find it uncomfortable paying a provider to host a landing page that advertises their service.
What I recommend in your situation is to remove the MX record, the "non-www A" record and the "www A record" from your dns settings.
What I recommend in your situation is to remove the MX record, the "non-www A" record and the "www A record" from your dns settings.
ASKER
Lucas, we've made number of changes to the configuration of our online presence then requested revision of the score and are awaiting results. We'll find out how difficult it is to get the score revised pretty soon. We are only at the beginning of our journey with Security Scorecard.
As for removing MX and A records - it seems to be a sound advice. We already discovered that GoDaddy does not allow to set IP address of the authoritative DNS server to non-existent machine or to the DNS server that does not contain the zone file for the given domain name. Our next thought was to either remove bunch of records from the zone file at GoDaddy or move the DNS zone file to one of our hosting accounts and have it modified there. This is work in progress.
Also, you are right about your own domain supporting the registrar's business. Our thoughts also went into the direction of killing the www traffic or setting our own landing page.
As for removing MX and A records - it seems to be a sound advice. We already discovered that GoDaddy does not allow to set IP address of the authoritative DNS server to non-existent machine or to the DNS server that does not contain the zone file for the given domain name. Our next thought was to either remove bunch of records from the zone file at GoDaddy or move the DNS zone file to one of our hosting accounts and have it modified there. This is work in progress.
Also, you are right about your own domain supporting the registrar's business. Our thoughts also went into the direction of killing the www traffic or setting our own landing page.
One thing I've done traditionally is use the free account at CloudFlare to manage DNS for my domains:
https://www.cloudflare.com/plans/
I'm a big fan of their DNS management interface and the CDN aspect of their service when you go live is a nice benefit too.
https://www.cloudflare.com/plans/
I'm a big fan of their DNS management interface and the CDN aspect of their service when you go live is a nice benefit too.
Why not create a landing page of your own for all reserved domain names...
like: This page is reserved by The "X" company...
like: This page is reserved by The "X" company...
This question needs an answer!
Become an EE member today
7 DAY FREE TRIALMembers can start a 7-Day Free trial then enjoy unlimited access to the platform.
View membership options
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.