Cousin domains

When I checked in on Facebook this morning there was a discussion from a couple people frustrated by cousin domains. I share their frustration.

Kitten running through field with text “every time a marketing department registers a cousin domain, god kills a kitten”

Cousin domains are a major problem for ISPs trying to protect their users from phishing and other fraud. Because so many companies use cousin domains in their legitimate mail, ISPs can not be strict with them. Instead, they have to expend time and energy to determine if this particular cousin domain is legitimate or not.

It’s time, energy and other resources that could be used better.


6 comments

  1. Martijn says

    They can *not be strict with them, I take it?

    1. laura says

      Thanks. Fixed.

  2. Mathieu Bourdin says

    Hi Laura,
    from my experience, marketing dpt are usually more inclined to use their main domain, and are usually easily convinced to use a subdomain (our preferred way to do things).
    The issue is usually more with the IT dpt who gets cold feet when asked to delegate a subdomain or is unable to push the DNS configuration (I just had to wait 3 months, 3 full months, for a client’s IT to publish a DMARC record on a single domain). Sometimes it’s simple pushback (“I’m the tech god here! no one tells me what I should do!”), sometimes it’s security zeal (OK, this we can reason with, and usually find an agreement), or ignorance of established processes (beware the “new guy” who deletes DNS configurations he doesn’t know about “to see what happens”)… This is frustrating for us, but it’s even more so for the client who works on a schedule. Frustration has this knack to breed “creative workarounds” like cousin domains.

    1. laura says

      I know that’s exactly why it’s done.

      I had a bank client once where it took 6 weeks just to figure out which continent the DNS servers handling their domain were on. That was before we had any hope of figuring out who we needed to talk to to get any changes made.

      The reasons for it are understandable and even expedient. They still cause massive problems for ISPs and leave your customers vulnerable to being phished by the guy who registers a cousin domain simply because you haven’t, yet.

  3. Tamara Bond says

    1 million percent what Mathieu said.
    Delegating DNS for a subdomain to us means that we can make sure everything needed is present and correct, but we increasingly see pushback. Our system automates record creation, but often with clients who want to manage their own DNS it’s done manually and the potential for human error (even when it should be a simple copy and paste job) is so high. There are still DNS management platforms out there that don’t support NS delegation for subdomains.
    The majority of DNS issues I’ve seen over the years have been due to human errors – from typos to deleting a record that someone believed to be “unnecessary”. And a fair few instances of the person managing DNS not actually understanding what they’re doing to start with…
    Subdomains are definitely best practice and I’ll always advocate their usage, but I completely understand the use of cousin domains to reduce friction.

    1. laura says

      Oh, I understand the cousin domains, and why it happens. It’s still a big problem.
