University of Twente Student Theses


Governmental domain name management : policy versus practice

Kobes, W.J. (2023) Governmental domain name management : policy versus practice.

[img] PDF
Abstract:Domain names and the domain name system (DNS) are two core technologies that provide a backbone to the internet. Domain names are often used to present websites, or for sending and receiving e-mail. The domain name system allows for the translation from human-readable domain names to computer-readable IP addresses. Since the introduction of this technology in the early 1980s, additional technologies have been developed that extend or secure the DNS. Extra security settings have to be configured to ensure domain names are up to date with current cyber security requirements. To be able to use a domain name, it has to be registered at a licensed domain name registrar. Domain name registrations usually come with a yearly upkeep fee. In case a registration is terminated, the domain will be freed for new registrations. Organizations, companies and governments tend to own multiple, in some cases many, domain names. Overseeing these domain names can be challenging. Especially for governments, often with a highly-decentralized structure, centralized domain name management requires adequate policy-making. This thesis studied how domain name management is performed by the Dutch government. The first contribution of this work is to identify three categories of cyber security risks that involve domain names from the perspective of domain name owners. In (sub)domain takeovers, adversaries gain control over a domain name that is supposed to be in control of the victim. The risk of impersonation and typosquatting involves adversaries that attempt to abuse domain names similar to those of their victim, with small differences like common typing mistakes or optically similar characters. The third category is non-compliance with current security standards. Several security standards need to be implemented at the domain name level and are required to allow the secure use of websites and e-mail. The Dutch government published a wide range of policy documents that involve domain name management. As a second contribution, this work reconstructs the policy theory of domain name management policies in the Dutch government. In general, the topic is seen in three policy fields: archiving, communication and security & compliance. Policies about archiving deal with how domain names and their websites should be collected and stored to comply with legislation. Communication policies, like a central domain name policy, aim to make domain names clear and recognizable for citizens. Lastly, security & compliance policies are in place to ensure governmental domain names are resilient and compliant with current standards. After analyzing governmental domain names in practice, several shortcomings are identified that may impose cyber security risks. These risks can be partly attributed to not adhering to policies, and partly to existing policies being insufficient to cover all identified risks. A third contribution of this thesis is the use of novel techniques to discover domain names that belong to the government. Based on the previous findings, this thesis provides concrete recommendations for the Dutch government which can be used to improve its domain name management.
Item Type:Essay (Master)
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:54 computer science, 88 social and public administration
Programme:Computer Science MSc (60300)
Link to this item:
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page