Network security

Secure your website's domain name

Your domain name can be as important to your business as your physical address. If it isn't protected there's a risk online attackers could take over your domain name and impersonate your business.

The risks

If your does not have protections in place, online attackers could take over your domain name.  See our guide on the risks of an unsecured domain name.

Unsecured domain names

This is for businesses that have a website and associated email system. It requires a moderate to high level of technical expertise. We recommend reading it but also checking with your IT provider where necessary.

How to protect your business

If you want to set up a website or a custom email address, you will need to purchase (register) a domain name from a

The .nz domain names and any registrars who offer it, are regulated by the Domain Name Commission (DNC) and InternetNZ.

This guide has the steps you can take to protect your domain name and your domain name system  . They are listed in order of technical difficulty.

The advice is designed to protect your domain name from being taken over or impersonated by cybercriminals.

Keep in mind
  • A domain name is a human-readable web address – such as ownyouronline.govt.nz.
  • An Internet Protocol (IP) address is a machine-readable web address – such as 198.51.100.52 .
  • The DNS turns domain names into IP addresses and back again.
  • DNS records store information that tells computers what to do when someone wants to go to your domain name.
  • When you register a domain name, it is reserved for you for a set amount of time, often a year or two.
  • Registering a domain name is not the same as making a website.

Basic steps

  • Use strong login authentication

    Create long, strong and unique passwords for all accounts associated with your DNS, including your website, email, registrar, and provider.

    Create good passwords

    Create a password policy for your business 

    Turn on two-factor authentication (2FA) for your account, so even if someone has your password, they cannot access your account. 

    Protect your business with 2FA

  • Remember to extend your domain name registration

    Domain names are registered for a limited time and need to be renewed. If your domain name registration expires, someone else could register it and start using it. You can set yourself timely reminders or set up automatic renewals. To avoid failed payments, make sure your payment method is up to date.

Next steps

  • Keep your contact details up to date with your registrar

    Ensure you fill in all your details when you register your domain name and update them if they change. This helps others – such as the National Cyber Security Centre – contact you quickly if there's an issue with your website or one of your services.

  • Keep your DNS records updated

    If your DNS records are not updated, they may still be pointing your domain name to an IP address or service provider that you no longer use. When this happens, someone else might be able to use your domain name for a malicious purpose.

    When pointing DNS records to a service provider, make sure you have an account with them and your domain name gets assigned to your account. 

    When no longer using an IP address or service provider, make sure to remove your old DNS records so someone else can’t use them.

    It can be worthwhile occasionally checking if you still have active accounts with your service providers, and any leftover DNS records are deleted.

More technical steps

  • Protect your email from spoofing

    email is a tactic often used by cybercriminals. To prevent this, set up , , and on your domain name. You should put these protections in place even if you don’t use email with your domain name. You can find information about these measures and how to implement them, in the guide below. 

    Prevent your email from being spoofed

  • Disable or restrict zone transfers

    Zone transfers are used to move from one DNS provider to another, this is useful if one provider becomes unavailable. However, it can allow anyone to easily access all information about your records and .  If your provider lets you, disable or restrict zone transfers to prevent them from being misused.

  • Consider using DNSSEC

    DNS security extensions ( ) help your customers ensure they get the correct DNS response. However, DNSSEC can be difficult to set up and mistakes might break things. Ask an IT professional to help you set up and maintain your DNS.