Why you should never let outside agencies control your primary DNS
DNS and Domain Security · 14 Nov 2025 · 13 min read

Rodney
Head of Tech Realism · Black Sheep Support

For UK SMEs looking to stay ahead in the modern workplace, understanding DNS and domain security is fundamentally important. It's not just a technical detail; it's a foundational element of your business's digital identity, operational continuity, and overall cyber resilience. Ceding control of your primary DNS to an outside agency, whether a web designer, marketing firm, or even a previous IT contractor, introduces significant risks that can jeopardise your online presence, data security, and even your compliance with regulations like GDPR. This comprehensive, evergreen guide walks you through the core concepts, common pitfalls, and practical steps you can implement today to ensure your IT infrastructure remains secure, compliant, and firmly under your business's control.

What is DNS and Why is Primary Control Critical?

DNS, or the Domain Name System, is often referred to as the internet's phonebook. Every time you type a website address like "blacksheepsupport.co.uk" into your browser, DNS is the system that translates that human-readable name into a machine-readable IP address (e.g., 192.0.2.1) that computers use to find each other on the internet. Without DNS, the internet as we know it simply wouldn't function.

Your "primary DNS" refers to the authoritative records that dictate where your domain's services – your website, email, online applications, and more – are hosted. This control typically resides with your domain registrar or a dedicated DNS hosting provider. When we talk about primary control, we mean having direct, unfettered access to manage these critical records.

Why is this so critical for your UK SME?

  • Centralised Identity: Your domain is your digital identity. Controlling its DNS means you control where your customers find you, where your emails are delivered, and where your online services reside.
  • Operational Continuity: Any change, update, or migration involving your website, email provider, or other cloud services will require DNS modifications. Direct control ensures these changes can be made swiftly and accurately, minimising downtime and operational disruption.
  • Security Foundation: DNS is a common target for cyber attackers. If an attacker gains control of your DNS, they can redirect your website to a malicious clone, intercept your emails, or launch other sophisticated attacks. Your primary DNS records are the gatekeepers of your online assets.
  • Business Agility: The ability to adapt quickly to new technologies, switch service providers, or launch new digital initiatives hinges on your capacity to manage your DNS records independently.

A proactive IT strategy doesn't just reduce risk—it significantly increases operational efficiency and ensures your business can adapt and thrive in the ever-evolving digital landscape.

The Risks of Ceding Primary DNS Control to Third Parties

Many business owners underestimate the profound financial and operational impact of neglecting this area. Whether you are aiming to prepare for future cyber threats or just looking to optimise your costs, understanding this topic can save thousands of pounds annually and prevent catastrophic business disruption.

Loss of Operational Control and Agility

When an outside agency holds the keys to your primary DNS, you become dependent on their responsiveness and availability for any critical changes.

  • Delays and Downtime: Need to update your website's IP address, migrate your email to a new provider, or implement a new cloud service? You'll have to wait for the third party to action the changes, which can lead to frustrating delays, extended downtime, and lost productivity.
  • Vendor Lock-in: Switching web designers, marketing agencies, or IT providers can become a nightmare. If the previous agency controls your DNS, they might be slow to transfer it, charge exorbitant "release fees," or even hold your domain hostage, effectively preventing you from moving your services elsewhere. This can severely impact your business's flexibility and long-term strategic planning.
  • Impact on Business Agility: In a fast-paced market, your SME needs to be agile. Being unable to make swift changes to your digital infrastructure can stifle innovation and prevent you from capitalising on new opportunities.

Significant Security Vulnerabilities

DNS is a critical layer of your cybersecurity defence. Losing control here opens the door to a host of serious threats.

  • DNS Hijacking: An attacker could gain control of your DNS records and redirect your website to a malicious site designed to steal customer data, spread malware, or impersonate your business.
  • Email Interception and Phishing: If an attacker can modify your Mail Exchange (MX) records, they could redirect your incoming emails, allowing them to read sensitive communications or launch highly convincing phishing attacks against your clients and employees. This also impacts the effectiveness of critical email security records like SPF, DKIM, and DMARC.
  • DDoS Attacks: While less direct, a compromised DNS provider could be used to facilitate DDoS attacks against your domain, rendering your website and online services inaccessible.
  • Third-Party Weaknesses: Your security posture is only as strong as its weakest link. If the third-party agency has lax security practices, their compromise could directly lead to the compromise of your domain.

Data Privacy and Compliance Concerns (UK Context)

For UK SMEs, data protection and regulatory compliance are paramount, particularly under the General Data Protection Regulation (GDPR) and the guidance from the Information Commissioner's Office (ICO).

  • GDPR Implications: If your DNS is compromised and customer data is redirected or exfiltrated, it could constitute a data breach. This would trigger stringent reporting requirements to the ICO within 72 hours, potentially leading to significant fines and reputational damage.
  • Cyber Essentials: Achieving Cyber Essentials or Cyber Essentials Plus certification, often a requirement for government contracts and a strong indicator of good cybersecurity practice for all UK SMEs, mandates secure configuration of all internet-facing services, including DNS. If an outside agency controls your DNS, you lose direct oversight and control over this crucial security element.
  • Reputational Damage: A compromised website or email system erodes customer trust and can cause irreparable harm to your brand's reputation.

Undermining Business Valuation

While perhaps not an immediate concern, a business whose core digital assets are not fully owned and controlled by the business itself presents a significant red flag during due diligence for mergers, acquisitions, or even securing investment. It complicates asset transfer and signals potential underlying operational weaknesses.

Common Mistakes UK SMEs Make with DNS Management

Even with the best intentions, many UK SMEs fall into common traps regarding DNS control. Recognising these mistakes is the first step towards rectifying them.

  1. Relying on Default Settings Without Professional Configuration: Many domain registrars or hosting providers offer basic DNS settings. However, these defaults often lack advanced security features like DNSSEC or proper configurations for email authentication (SPF, DKIM, DMARC), leaving your domain vulnerable. A "set it and forget it" approach is a recipe for disaster.
  2. Failing to Train Staff on Exactly What This Means for Their Day-to-Day Workflow: Employees, particularly those in marketing or IT support, might need to interact with DNS settings. Without proper training on the critical importance of secure access, strong passwords, and multi-factor authentication (MFA), they can inadvertently become a weak link in your security chain. They also need to understand the implications of phishing attempts targeting DNS credentials.
  3. Ignoring Periodic Audits to Verify Compliance: DNS records are not static; they evolve as your business grows and services change. Neglecting regular audits means you might miss outdated records, insecure configurations, or even unauthorised changes. Regular checks are vital for compliance with security standards and maintaining a robust posture.
  4. Assuming a Web Designer or Marketing Agency Owns It: It's common for a web designer or marketing agency to register a domain on behalf of a client to facilitate website setup or marketing campaigns. However, if they register it in their name or under their account, your business doesn't legally own the domain. Always ensure the domain is registered directly in your company's name and that you have full administrative access to the registrar account.
  5. Using Personal Accounts for Domain Registration/DNS Management: An employee might register a domain using their personal email address or credit card. If that employee leaves, accessing or transferring control of the domain can become incredibly difficult, leading to potential business disruption and legal complications. All domain-related assets should be registered to the company, using company contact details.
  6. No Centralised Management or Documentation: In larger SMEs, different departments or individuals might have access to various parts of your IT infrastructure. If DNS management is fragmented, with no central point of oversight or comprehensive documentation, it creates confusion, increases the risk of misconfiguration, and complicates incident response.

Establishing and Maintaining Secure DNS Control: Practical Steps

Taking back and maintaining control of your primary DNS is a crucial step towards robust cybersecurity and operational independence. Here's a structured approach:

1. Identify Your Current Primary DNS Registrar and Provider

The first step is to understand who currently holds the reins.

  • Who is the Registrar? Use a WHOIS lookup tool (e.g., from Nominet for .uk domains) to find out who your domain is registered with and the administrative contact details. Ensure these details are your business's and not those of a third party or former employee.
  • Who is the DNS Host? Your domain registrar often provides DNS hosting, but sometimes you might use a separate service (e.g., Cloudflare, Amazon Route 53, or even your web host). Identify where your authoritative DNS records are actually managed.

2. Consolidate and Secure Control

Once identified, ensure your business has full, direct control.

  • Transfer Ownership: If the domain is registered under a third party's name, initiate a formal transfer of ownership to your business. This may involve legal agreements and administrative processes.
  • Create a Dedicated Business Account: Ensure the domain registrar and DNS hosting accounts are under your business's name, using a generic company email address (e.g., domains@yourcompany.co.uk) rather than an individual's email.
  • Implement Strong Security:
    • Unique, Complex Passwords: Use a robust password manager for all domain and DNS accounts.
    • Multi-Factor Authentication (MFA): This is non-negotiable. Enable MFA on every account with DNS access.
    • Limit Access: Grant administrative access only to essential personnel (e.g., senior IT staff or your Managed Service Provider). Use role-based access control where available.

3. Implement Robust DNS Security Practices

Go beyond basic settings to harden your DNS.

  • DNSSEC (DNS Security Extensions): This adds a layer of authentication to DNS, helping to prevent cache poisoning and other spoofing attacks. Enable DNSSEC on your domain if your registrar and DNS host support it.
  • SPF, DKIM, and DMARC for Email: These records are vital for email authentication, preventing spammers and phishers from spoofing your domain. Ensure they are correctly configured and regularly reviewed to protect your email reputation and prevent fraudulent emails.
  • Regular Monitoring: Set up alerts for any unauthorised changes to your DNS records. Many domain registrars or third-party DNS monitoring services offer this functionality.
  • Choose a Reputable DNS Provider: If your current DNS hosting is basic, consider moving to a more secure and reliable provider, potentially as part of a managed IT service.

4. Regular Audits and Reviews

DNS configurations are not a "set it and forget it" task.

  • Periodic Review: Schedule quarterly or bi-annual reviews of all your DNS records. Check for outdated or unnecessary entries, which can be security risks.
  • Verify Ownership and Access: Confirm that all administrative contacts and access permissions are current and correct. Remove access for former employees or contractors immediately.
  • Align with Cyber Essentials: Regularly check that your DNS configurations meet the requirements for Cyber Essentials certification, demonstrating a commitment to fundamental cybersecurity practices.
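Steps 3 and 4 above call for two routine checks: spotting unauthorised changes to your records and confirming that SPF and DMARC are set to an enforcing policy. The script below is an added example, not Black Sheep Support's own tooling; it works on two constructed snapshots of a placeholder domain (example.co.uk) so it runs offline, and in real use you would populate them from your DNS host's zone export or API.

```python
"""Offline DNS drift check and email-authentication audit (added example).
Snapshots are constructed sample data for the placeholder domain example.co.uk."""
import re

# Constructed baseline captured when the business took back the zone.
BASELINE = {
    "example.co.uk/NS": {"ns1.dnshost.example.", "ns2.dnshost.example."},
    "example.co.uk/MX": {"10 mail.example.co.uk."},
    "example.co.uk/TXT": {'"v=spf1 include:_spf.mailhost.example -all"'},
    "_dmarc.example.co.uk/TXT": {'"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.co.uk"'},
    "www.example.co.uk/A": {"192.0.2.10"},
}

# Constructed later snapshot: an extra MX appeared and both mail policies were loosened.
CURRENT = {
    "example.co.uk/NS": {"ns1.dnshost.example.", "ns2.dnshost.example."},
    "example.co.uk/MX": {"10 mail.example.co.uk.", "5 relay.agency.example."},
    "example.co.uk/TXT": {'"v=spf1 include:_spf.mailhost.example include:agency.example ~all"'},
    "_dmarc.example.co.uk/TXT": {'"v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"'},
    "www.example.co.uk/A": {"192.0.2.10"},
}

def diff_snapshots(baseline, current):
    """Return (rrset, expected, found) for each RRset that changed, appeared or vanished."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key, set()), current.get(key, set())
        if before != after:
            changes.append((key, before, after))
    return changes

def audit_email_auth(snapshot, domain):
    """Flag weak SPF/DMARC settings as plain-text findings (empty list means healthy)."""
    findings = []
    txt = [t.strip('"') for t in snapshot.get(f"{domain}/TXT", ())]
    spf = [t for t in txt if t.startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    elif not spf[0].endswith("-all"):
        findings.append("SPF: does not end in -all, so spoofed senders only soft-fail")
    dmarc = [t.strip('"') for t in snapshot.get(f"_dmarc.{domain}/TXT", ()) if "v=DMARC1" in t]
    if not dmarc:
        findings.append("DMARC: no _dmarc record published")
    else:
        policy = re.search(r"\bp=(\w+)", dmarc[0])  # the p= tag is the enforcement policy
        if policy is None or policy.group(1) == "none":
            findings.append("DMARC: policy is p=none (monitor only), use quarantine or reject")
    return findings
```

Run `diff_snapshots(BASELINE, CURRENT)` on a schedule against a fresh export and raise an alert on any non-empty result, which is exactly the change-monitoring the review step asks for.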

5. Staff Training and Awareness

The human element is often the weakest link.

  • Educate Key Personnel: Train any staff who might interact with DNS accounts (even indirectly) on the importance of security, recognising phishing attempts, and reporting suspicious activity.
  • Internal Policies: Establish clear internal policies for requesting and approving any DNS changes, ensuring a paper trail and proper authorisation.

Working with Third Parties Responsibly

While you should never let outside agencies control your primary DNS, it's perfectly normal and often necessary to collaborate with them. The key is to delegate responsibility without ceding ownership.

Delegation vs. Ownership

Understand the distinction:

  • Ownership: Your business holds the ultimate administrative control over the domain registrar account and the primary DNS hosting account.
  • Delegation: You can grant specific, limited access or delegate specific sub-domains or DNS zones to a third party for a particular service. For example, you might delegate DNS for a specific marketing sub-domain to your marketing agency, allowing them to manage records for landing pages without touching your main domain's records.

Clear Agreements and Limited Access

When engaging with any third party that needs to interact with your DNS:

  • Service Level Agreements (SLAs): Ensure your contracts clearly define roles, responsibilities, and expected response times for any DNS-related tasks.
  • Data Processing Agreements (DPAs): If the third party processes any data related to your domain or its users, ensure a DPA is in place to comply with GDPR.
  • Grant Only Necessary Permissions: Provide the absolute minimum level of access required for them to perform their task. For example, a web designer might only need access to change an A record for your website, not full administrative control over your entire domain.
  • Revoke Access Promptly: Once a project is complete or a contract ends, immediately revoke any access permissions granted to the third party.
  • Documentation: Maintain meticulous records of all DNS changes, who made them, and why. This audit trail is invaluable for troubleshooting and security investigations.

By following these guidelines, you can leverage the expertise of external agencies while maintaining firm control over your business's critical digital assets.

Key Takeaways

  • Your Domain is Your Business's Digital Identity: Full ownership and direct control over your primary DNS are non-negotiable for operational continuity, security, and brand integrity.
  • Avoid Vendor Lock-in: Ceding control to third parties can lead to significant delays, costs, and even the inability to switch providers.
  • Security is Paramount: DNS is a common attack vector. Direct control allows you to implement critical security measures like DNSSEC, SPF, DKIM, and DMARC, protecting your website and email from hijacking and phishing.
  • Compliance Matters: For UK SMEs, managing your DNS securely is vital for GDPR compliance, preventing data breaches, and meeting Cyber Essentials requirements.
  • Proactive Management: Regularly audit your DNS settings, secure your accounts with strong passwords and MFA, and train your staff.
  • Delegate, Don't Abdicate: Work with third parties by granting limited, specific permissions for defined tasks, always retaining ultimate administrative control.
  • UK Context: Be mindful of specific UK regulations and certifications, like ICO guidance and Cyber Essentials, when securing your digital infrastructure.