Domain Incident Response Playbook
## When to Use This Playbook
This playbook covers active domain security incidents: situations where your domain's registration, DNS, or email infrastructure has been — or may have been — compromised or tampered with. Use it when:
- You receive an unauthorized transfer or DNS change notification.
- Your website is redirecting to an unexpected destination.
- Email to your domain is being intercepted or failing.
- You cannot log in to your registrar account.
- A monitoring alert indicates unexpected changes to your domain (Domain Threat Monitoring).
Speed matters. Domain incidents that are not contained quickly allow attackers to redirect large volumes of traffic, intercept email, or transfer the domain out of your control entirely. The faster you act, the better your recovery options.
## Phase 1: Detect and Triage (Minutes 0–15)
**Confirm the incident is real.** Monitoring alerts and anomalous behavior can have non-malicious explanations (misconfiguration, expired certificate, propagation delay). Before escalating, verify:
1. Run WHOIS Lookup Tool on your domain. Check registrant details, nameservers, and EPP status codes. Compare against your records. Any unexpected change is a confirmed incident.
2. Query your DNS records directly using DNS Record Helper or a command-line tool. Are your A, MX, and NS records returning the expected values?
3. Attempt to log in to your Domain Registrar account from a clean device on a trusted network. Can you access it?
**Classify the incident type:**
- **Account compromise**: You cannot log in, or you can log in but see changes you did not make.
- **DNS hijacking**: DNS records changed but you still control your registrar account.
- **Unauthorized transfer initiated**: Your domain is in the process of being transferred away.
- **Domain deleted or expired**: The domain is no longer registered.
- **Email compromise**: Your MX records were changed, or you are receiving evidence of email interception.
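The triage steps and the classification above, worked as an added example that is not part of the original playbook: a short Python script that parses a WHOIS response in the common `Key: Value` layout, diffs it against the copy you keep on file, checks the EPP lock flags, and maps what it sees (plus the result of your DNS comparison and your login attempt) onto the incident classes listed. The WHOIS text, `example.com`, and the `.invalid` nameservers are constructed placeholders, and the field names (`Registrant Organization`, `Name Server`, `Domain Status`) are an assumption about your registrar's output format.

```python
"""Phase 1 triage: parse a WHOIS response, diff it against the record on file,
and map the observations onto this playbook's incident classes.
Added example with constructed data (example.com and the .invalid hostnames
are documentation placeholders, not real observations)."""
import re

# EPP status codes a locked domain should carry (ICANN EPP status codes).
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                  "clientDeleteProhibited"}


def parse_whois(text):
    """Extract registrant, nameservers and EPP status codes from 'Key: Value'
    WHOIS output. 'Domain Status' lines carry the EPP code followed by its
    ICANN reference URL, so only the first token of the value is kept."""
    rec = {"found": True, "registrant": None, "nameservers": set(), "status": set()}
    if re.search(r"^\s*(no match|not found|no data found)", text, re.I | re.M):
        rec["found"] = False              # domain is no longer registered
        return rec
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "registrant organization":
            rec["registrant"] = value
        elif key == "name server" and value:
            rec["nameservers"].add(value.lower().rstrip("."))
        elif key == "domain status" and value:
            rec["status"].add(value.split()[0])
    return rec


def missing_locks(rec):
    """Lock flags that should be set but are not (reused in Phase 4 step 5)."""
    return sorted(REQUIRED_LOCKS - rec["status"])


def classify(baseline, current, changed_dns_types, registrar_login_ok):
    """Return every playbook class that applies (several can at once).
    changed_dns_types: record types (e.g. {'MX'}) whose answers differ from
    your baseline; registrar_login_ok: result of the clean-device login."""
    if not current["found"]:
        return ["domain deleted or expired"]
    findings = []
    if "pendingTransfer" in current["status"]:
        findings.append("unauthorized transfer initiated")
    whois_changed = (current["registrant"] != baseline["registrant"]
                     or current["nameservers"] != baseline["nameservers"])
    if not registrar_login_ok or whois_changed:
        findings.append("account compromise")
    elif changed_dns_types:
        findings.append("DNS hijacking")   # records changed, account still yours
    if "MX" in changed_dns_types:
        findings.append("email compromise")
    return findings or ["no confirmed incident"]


# Constructed WHOIS text as kept on file before the incident.
BASELINE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrant Organization: Example Corp
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""

# Constructed WHOIS text as it might look after a takeover: locks removed,
# nameservers moved, transfer pending.
HIJACKED_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrant Organization: Example Corp
Name Server: NS1.ATTACKER-DNS.INVALID
Name Server: NS2.ATTACKER-DNS.INVALID
Domain Status: pendingTransfer https://icann.org/epp#pendingTransfer
"""


def triage_demo():
    """Run the comparison on the constructed records; the DNS comparison
    result ({'A', 'MX'} changed) and a successful login are assumed."""
    base, cur = parse_whois(BASELINE_WHOIS), parse_whois(HIJACKED_WHOIS)
    return {"changed_ns": sorted(cur["nameservers"] - base["nameservers"]),
            "missing_locks": missing_locks(cur),
            "classes": classify(base, cur, {"A", "MX"}, registrar_login_ok=True)}


if __name__ == "__main__":
    for item, result in triage_demo().items():
        print(f"{item}: {result}")
```

Keep the baseline WHOIS text (and your intended DNS records) somewhere outside the registrar account, so that the comparison still works when the account itself is what was compromised.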
## Phase 2: Immediate Containment (Minutes 15–60)
Act in order of urgency:
### If Your Registrar Account Is Compromised
1. **Change your password immediately** from a clean device (one that has not been used to access the compromised account, and preferably not on the same network).
2. **Revoke all active sessions** in your registrar account settings if the option is available.
3. **Re-enroll 2FA** — the attacker may have added their own 2FA or removed yours. See Two-Factor Authentication for Domain Accounts.
4. **Call your registrar's fraud or abuse line directly** — not support chat, which may be slower. Explain you have an active account compromise. Ask them to freeze account changes.
5. **Audit all domains** in the account for unauthorized changes.
### If DNS Records Were Changed
1. If you still control your account, **revert the DNS changes immediately**. Correct your A, MX, and NS records.
2. Note the attacker's server IPs from the changed records — these are evidence and may be reported to threat intelligence services.
3. **Check DNS propagation** — changes can take up to 48 hours to propagate fully. Users may still be hitting the attacker's server during this window. Communicate with affected users if the attack involved phishing or credential theft.
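Steps 2 and 3 above, as an added example that is not part of the original playbook: compare what several public resolvers currently answer with the records you intended to publish, list the resolvers still serving the rogue answers, and collect every unexpected value as evidence. The same `propagation_report` call is the "correct across multiple resolvers" check in Phase 4. The resolver answers in the block are constructed (`example.com`, the `.invalid` mail host, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation placeholders); `query_dig` is the live collection path and assumes `dig` is installed.

```python
"""Phase 2 DNS check: per-resolver comparison against the intended records,
plus collection of rogue answers as evidence. Added example with constructed
answers; the resolver addresses are well-known public resolvers."""
import subprocess

# Records you intend to publish, (name, type) -> answer set, in the normalised
# form query_dig() produces (lower case, no trailing dot).
EXPECTED = {
    ("example.com", "A"): {"192.0.2.10"},
    ("example.com", "MX"): {"10 mail.example.com"},
    ("example.com", "NS"): {"ns1.example.com", "ns2.example.com"},
}

# Constructed snapshot a few minutes after reverting the records: two resolvers
# already return the corrected values, one still caches the attacker's.
_GOOD = EXPECTED
_STALE = {
    ("example.com", "A"): {"198.51.100.77"},
    ("example.com", "MX"): {"10 mx.attacker-mail.invalid"},
    ("example.com", "NS"): {"ns1.example.com", "ns2.example.com"},
}
OBSERVED = {"1.1.1.1": _GOOD, "8.8.8.8": _GOOD, "9.9.9.9": _STALE}


def query_dig(resolver, name, rtype):
    """Live collection path: `dig +short @resolver name rtype`, normalised to
    the same shape as EXPECTED. Not called by the offline demo below."""
    proc = subprocess.run(["dig", "+short", f"@{resolver}", name, rtype],
                          capture_output=True, text=True, timeout=10)
    return {ln.strip().lower().rstrip(".") for ln in proc.stdout.splitlines()
            if ln.strip()}


def snapshot(resolvers, expected):
    """Build an OBSERVED-style dict from live queries, one per expected record."""
    return {r: {(n, t): query_dig(r, n, t) for n, t in expected} for r in resolvers}


def propagation_report(expected, observed):
    """Per-resolver verdict: 'clean' when every record matches, otherwise the
    (name, type) keys that still differ. Re-run until every resolver is clean."""
    report = {}
    for resolver, answers in observed.items():
        wrong = [k for k, want in expected.items() if answers.get(k, set()) != want]
        report[resolver] = "clean" if not wrong else wrong
    return report


def stale_resolvers(report):
    """Resolvers whose users may still reach the attacker's server."""
    return sorted(r for r, verdict in report.items() if verdict != "clean")


def rogue_values(expected, observed):
    """Every answer seen on any resolver that you never published: keep these
    (the attacker's IPs and mail host) as evidence for reporting."""
    rogue = {}
    for answers in observed.values():
        for key, got in answers.items():
            extra = got - expected.get(key, set())
            if extra:
                rogue.setdefault(key, set()).update(extra)
    return rogue


if __name__ == "__main__":
    report = propagation_report(EXPECTED, OBSERVED)
    print("still stale:", stale_resolvers(report))
    print("rogue values:", rogue_values(EXPECTED, OBSERVED))
```

For live use, replace `OBSERVED` with `snapshot(["1.1.1.1", "8.8.8.8", "9.9.9.9"], EXPECTED)` and repeat the run until `stale_resolvers` is empty; the rogue values collected on the first run are the ones to preserve.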
### If an Unauthorized Transfer Was Initiated
Domain transfers typically have a 5-day window during which the current registrant can cancel the transfer. Act immediately:
1. **Log in to your registrar account** and cancel the pending transfer if your account is still accessible.
2. **Contact your registrar's abuse team** to flag the unauthorized transfer and request it be halted.
3. **Contact the gaining registrar** (visible in the WHOIS transfer record) and file an unauthorized transfer complaint.
4. If the transfer has completed, proceed to Phase 3.
### If Your Domain Was Transferred or Deleted
This is the hardest scenario to recover from. Your options:
1. **Contact the gaining registrar** immediately. Under ICANN Transfer Dispute Resolution Policy, unauthorized transfers within 60 days can be challenged. Provide documented proof of ownership (registration history, payment records, identity documents).
2. **File a complaint with ICANN** at icann.org/resources/pages/complaints. ICANN can apply pressure to registrars and registries.
3. **Contact your country's ccTLD registry** if applicable — ccTLD registries sometimes have faster dispute resolution mechanisms for domestic registrants.
4. **Consult a domain law attorney** for legal action if the registrar and ICANN processes are insufficient.
## Phase 3: Communicate With Affected Parties
Domain incidents can impact your users, customers, and partners. Timely communication limits reputational damage.
**Internal team**: Notify your security team, IT, communications, and executive leadership immediately. Assign roles: incident commander, technical responder, communications lead.
**Customers**: If your domain was used in a phishing attack or credentials may have been compromised:
- Notify affected users as quickly as possible.
- Advise them to change passwords if they may have entered credentials on a spoofed site.
- Provide clear instructions on how to identify the legitimate site going forward.
**Partners and services**: Notify SaaS providers, payment processors, and other services that authenticate via your domain. Some may need to take action (token revocation, session invalidation) on their end.
**Law enforcement**: For significant financial fraud or large-scale phishing, file reports with your national cybercrime authority (FBI IC3 in the US, Action Fraud in the UK, etc.). Reports may be required for insurance claims.
## Phase 4: Recovery Verification
Before declaring the incident resolved:
1. **Confirm DNS records are correct** across multiple resolvers and geographic locations.
2. **Verify email is routing correctly** — send test messages and confirm delivery.
3. **Check that your SSL certificate is valid** and serving from your intended server.
4. **Review all account users and API keys** — remove any unauthorized access.
5. **Confirm domain lock status** — re-enable all applicable lock flags.
6. **Rotate credentials** — change passwords for your registrar account, DNS provider, and any services that authenticated via the compromised domain.
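Step 3 above, as an added example that is not part of the original playbook: `fetch_cert` opens a TLS connection to the IP you intend to serve from, with SNI set to your domain, so the check does not depend on whatever DNS currently answers, and the default context already rejects an invalid chain or hostname mismatch. `check_cert` then validates SAN coverage and remaining validity on the dict shape that `ssl.SSLSocket.getpeercert()` returns. The certificate dict in the block is constructed so the demo runs offline, and the 14-day `min_days_left` threshold is an assumed policy value.

```python
"""Phase 4 step 3: confirm the intended server presents a valid certificate
for the domain. Added example; SAMPLE_CERT is a constructed dict in
getpeercert() layout, not a real certificate."""
import socket
import ssl
import time

DAY = 86400


def fetch_cert(hostname, ip, port=443, timeout=10):
    """Connect to the IP you intend to serve from (not what DNS says) with SNI
    set to hostname. The default context verifies chain, expiry and hostname,
    so a certificate the server cannot legitimately present raises
    ssl.SSLCertVerificationError instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _san_matches(pattern, hostname):
    """Exact name, or a single-label wildcard ('*.example.com' covers
    'www.example.com' but not 'a.b.example.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return False


def check_cert(cert, hostname, now=None, min_days_left=14):
    """Return a list of problems; an empty list means the certificate covers
    hostname and has at least min_days_left of validity at time now."""
    now = time.time() if now is None else now
    problems = []
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_san_matches(s, hostname) for s in sans):
        problems.append(f"no SAN matches {hostname}: {sans}")
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (expires - now) / DAY
    if days_left < 0:
        problems.append("certificate expired")
    elif days_left < min_days_left:
        problems.append(f"certificate expires in {days_left:.0f} days")
    return problems


# Constructed certificate dict in getpeercert() layout (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Mar  1 00:00:00 2030 GMT",
}
# Fixed 'now' so the offline demo is reproducible: 28 days before expiry.
SAMPLE_NOW = ssl.cert_time_to_seconds("Feb  1 00:00:00 2030 GMT")


if __name__ == "__main__":
    print("example.com:", check_cert(SAMPLE_CERT, "example.com", now=SAMPLE_NOW))
    print("deep.sub.example.com:",
          check_cert(SAMPLE_CERT, "deep.sub.example.com", now=SAMPLE_NOW))
    # Live use: check_cert(fetch_cert("example.com", "192.0.2.10"), "example.com")
```

Run the live form against each server IP you expect to answer for the domain; if `fetch_cert` raises, the host is not presenting a certificate that validates for your name, which is exactly the condition this step exists to catch.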
## Phase 5: Post-Incident Review
Within a week of resolution, conduct a post-incident review:
1. **How did the attacker gain access?** Identify the root cause (phishing, credential stuffing, SIM-swap, registrar vulnerability, expired domain).
2. **What controls failed?** Were 2FA, domain locks, and monitoring all in place? If not, why not?
3. **What was the detection timeline?** How long between the attack and detection? How can you reduce this?
4. **What is the remediation plan?** Implement the missing controls from Domain Security Checklist.
5. **Document everything** — for insurance, legal action, and internal knowledge.
Domain incidents are painful, but they are also forcing functions for improving security. The organizations that recover best are those that learn from the incident and systematically close the gaps it revealed.