How does domain name registration work?
You can create a new website or other Internet service without registering a domain name. For example, you could create a new blog and publish it through someone else's domain, such as example.wordpress.org. However, you might instead want your very own domain name, perhaps at example.org. To make this happen, you will have to register example.org in the DNS.
When you register a domain name, your registrar adds it to the set of domain names on the Internet DNS. In reality, of course, it's a bit more complex. So let's see how it really works.
Registrants, registries, registrars, and ICANN
There are four main players in the process of registering a new domain name:
- The registrant
- The registrar
- The registry
- ICANN
This may be you! The domain registrant is the person or company who would like to register a new domain name. This may be the owner of a small business, the IT department of a large corporation, or an individual person who wants to register a name for their personal blog.
A domain registrar is a company that sells services to allow end users to purchase and manage their own domain names in the DNS. A registrar leases domain names and provides the services necessary to insert that domain name into the global DNS.
Domain names are leased on a yearly basis, not bought outright. If the lease is not renewed, the domain name will be removed from the DNS and will become available for someone else to lease.
As mentioned earlier, registrars are companies that sell domain name registration services. Domain registries, on the other hand, are databases of DNS names under each of the TLDs. Each registry is operated by a different organization. For example, VeriSign operates the registry for the
The registrant is the customer who wishes to register a new domain name. The registrant engages a registrar to create and manage registration of a domain name. And finally, the registrar works with the registry to actually create the NS records in the TLD for the new domain name.
As the registrant for a new domain name, you will need to work only with a registrar. The registrar will work with the registry on your behalf.
All this, at a very high level, is overseen by ICANN (Internet Corporation for Assigned Names and Numbers). ICANN is a non-profit organization with headquarters in California. Formed in 1998 by the US government, ICANN transitioned in 2017 to a global multi-stakeholder model. ICANN manages domain name registries and IP addresses to ensure the stability of the Internet and to foster competition and customer choice. ICANN also oversees operation of the Internet root zone. ICANN also grants accreditation to registrars.
Accreditation by ICANN is a long and complex process. Each registrar pays a fee to apply, plus a yearly accreditation fee, and also a quarterly fee. These fees go towards the operation of ICANN itself. Some of the requirements include:
- A solid business plan
- Financial solvency
- A secure and robust network architecture
- A plan for good customer service
- Processes to prevent domain name abuse
The DNS begins at the root zone "." and flows downwards into the top-level domains (TLDs). As we discussed in our article on zone delegation, the DNS resolves names starting at the root and moving downwards through delegations. The root zone and the TLDs are involved in resolving every single DNS name on the Internet!
Originally, the TLDs included the single label domains we are all familiar with today such as mil, and others. Today, these TLDs are called Generic Top-level Domains (gTLDs) because they are associated with a theme rather than a nation.
There are also over 300 Country Code Top-level Domains (ccTLDs). Each ccTLD is for a specific nation such as au. Some ccTLDs have become popular names for business because they are catchy. For example, the ccTLD fm is for the Federated States of Micronesia but is often used by FM radio stations and podcasts, and the ccTLD io is for the British Indian Ocean Territory but has become popular with technology companies and startups (because IO is the acronym for Input/Output).
What happens when you register a domain name?
As a new domain's registrant, here are the steps you will need to follow and the events that will occur in the background:
- Select a registrar
- Select a new domain name and create a zone
- Claim the new domain name with the registrar
- Registrar sends NS records to the registry
Select a registrar
A registrant may use any registrar they wish, but not all registrars support all registries. Some newer TLDs and some ccTLDs may operate with only a few registrars, or perhaps even only one registrar.
Enable strong MFA on your registrar account to protect your domains from hijacking.
Select a new domain name and create a zone
You may have a domain name in mind already, or you may use search tools provided by your registrar to see what names are available.
Once you have selected your new domain name, you must create a DNS zone for it. Your registrar may offer this as a service. Or you might prefer to create and manage the DNS zone yourself using a DNS hosting provider, or even on your own DNS servers.
If you are going to register example.org then you or someone acting on your behalf must create that zone somewhere. There must be an SOA record at the root of the zone, which must contain an administrative email address for the zone in the Responsible Person field and the host name of a DNS server authoritative for the zone in the Primary Name Server field. The zone must also have at least two NS records at the root of the zone. Each NS record must list a DNS server authoritative for the zone.
It is important to set up the zone correctly so that the new domain will function properly. Some registrars will validate the zone before they will publish NS records in the appropriate registry to protect their customers from accidental misconfigurations. Also note that a zone that is not set up correctly may cause the domain to be flagged as a potential source of spam or suspicious activity.
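The apex requirements above (one SOA with a Responsible Person mailbox and a Primary Name Server, plus at least two NS records) can be checked before the domain is claimed. The following is an added example, not code from the original article or from any registrar; the zone text is constructed sample data, the name server host names are hypothetical, and the input format is assumed to be one fully qualified record per line.

```python
# Added example. ZONE is constructed sample data; the name server host
# names are hypothetical. Assumes one fully qualified record per line
# ("name ttl class type rdata..."), not full master-file syntax.
ZONE = """\
example.org. 3600 IN SOA ns1.dnshost.example. hostmaster.example.org. 2024010101 7200 3600 1209600 3600
example.org. 3600 IN NS ns1.dnshost.example.
example.org. 3600 IN NS ns2.dnshost.example.
www.example.org. 300 IN A 192.0.2.10
"""

def rname_to_email(rname):
    """The SOA Responsible Person field encodes a mailbox: the first unescaped dot stands for '@'."""
    i = 0
    while i < len(rname) and rname[i] != ".":
        i += 2 if rname[i] == "\\" else 1      # skip an escaped character
    local, domain = rname[:i].replace("\\.", "."), rname[i + 1:].rstrip(".")
    return f"{local}@{domain}" if local and domain else None

def apex_records(zone_text, origin):
    """Yield (type, rdata_fields) for records owned by the zone apex."""
    origin = origin.lower().rstrip(".")
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments
        if len(fields) >= 5 and fields[0].lower().rstrip(".") == origin:
            yield fields[3].upper(), fields[4:]

def check_apex(zone_text, origin):
    """Return (problems, contact_email); an empty problem list means OK."""
    records = list(apex_records(zone_text, origin))
    soas = [rdata for rtype, rdata in records if rtype == "SOA"]
    # A set, so two NS records naming the same server count once.
    ns = {rdata[0].lower().rstrip(".") for rtype, rdata in records if rtype == "NS"}
    problems, email = [], None
    if len(soas) != 1:
        problems.append(f"expected one SOA at the apex, found {len(soas)}")
    elif len(soas[0]) != 7:
        problems.append("SOA needs 7 fields: mname rname serial refresh retry expire minimum")
    else:
        mname, rname = soas[0][0], soas[0][1]
        email = rname_to_email(rname)
        if email is None:
            problems.append(f"SOA responsible person {rname!r} is not a mailbox")
        if not mname.rstrip("."):
            problems.append("SOA primary name server is empty")
    if len(ns) < 2:
        problems.append(f"need at least two distinct NS records, found {len(ns)}")
    return problems, email
```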
Some registrars may allow you to claim a domain before creating the zone. Check with your registrar for the details of their exact process.
Claim the new domain name with the registrar
Log in to the web portal of your registrar using your account and purchase the new domain name for at least one year. The cost may run anywhere from a few dollars up to several hundred dollars per year, depending on the registrar and the new domain's TLD. The registrar may perform validation that your DNS zone has been properly created before allowing you to complete this step.
Part of this process will be to set contact information for the domain. This is called Whois information after the name of the Internet directory where it is stored. ICANN requires that all domains have owner information including the name of a person or company, a physical mailing address, and other information. Your registrar will insert this into the registry on your behalf, but it will be hidden for privacy.
Registrar sends NS records to the registry
Once you have submitted the domain registration request to the registrar and paid for one or more years of lease, your work is complete. The registrar will communicate your request along with the NS records for the new domain to the registry for the TLD. The changes will propagate through the network infrastructure of the registry and become visible to the DNS on the Internet. This process may take as little as 20 minutes up to several hours, or longer depending on the registrar and the registry.
If at some point in the future you change the NS records for the domain, you must change them with your registrar as well. This change will also take minutes to hours to propagate to the DNS servers authoritative for the TLD. NS record changes for a domain should be done carefully and incrementally, with consideration for the TTLs of the records and the propagation time for the registrar and TLD.
This is a good kind of hacking. "Domain hacking" is coming up with a clever domain name that incorporates the TLD as part of a word or phrase. For example, ta.co redirects to Taco Bell's main website and n.pr redirects to National Public Radio's (NPR) main website. These domain hacks use the ccTLDs of Colombia and Puerto Rico, even though neither is tied to those locales.
Different ccTLDs have different restrictions on who may register domains with them. Some welcome registrants from across the globe, but other ccTLDs require registrants to have ties to the country or territory of the ccTLD.
Changing an existing domain
After registering the domain, there are two major types of changes that might be made to DNS records for the domain:
- Changes to DNS records within the zone
- Changes to the zone's NS records
Once example.org has been registered, the DNS administrator may add or change DNS records inside the zone at any time, for example to add or update records at www.example.org. This includes all records other than type NS at example.org itself. This type of change can be made in the zone at any time. No changes by the registrar are necessary, and it is not necessary to inform the registrar that changes in the zone are being made.
If the NS records at the root of the zone are changed, however, this must be communicated to the registrar. This type of change can be very tricky and, if not done correctly, can result in a lame delegation and an outage for the domain.
There are a number of strategies that can be employed to safely change NS records. These may involve making a single NS record change at a time, with a pause between stages to ensure that nothing has gone wrong. Good monitoring and a plan to roll the changes back if something goes wrong are strongly recommended.
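The staged approach described above can be planned and gated in code. This is an added example, not part of the original article: it assumes an add-before-remove ordering, stops before any stage that would delegate to a server that does not yet answer authoritatively (a lame delegation), and leaves the last good NS set in place. All host names are hypothetical, and the set of authoritative servers is constructed input that a real check would gather by querying each server.

```python
# Added example. Host names are hypothetical; AUTHORITATIVE is constructed
# input standing in for "servers that currently answer for the zone".
CURRENT = ["ns1.oldhost.example.", "ns2.oldhost.example."]
TARGET = ["ns1.newhost.example.", "ns2.newhost.example."]
AUTHORITATIVE = ["ns1.oldhost.example.", "ns2.oldhost.example.",
                 "ns1.newhost.example."]          # ns2.newhost not loaded yet

def norm(names):
    """Compare host names case-insensitively and without the trailing dot."""
    return {n.lower().rstrip(".") for n in names}

def stages(current, target):
    """Yield (action, server, resulting NS set), changing one record per stage.
    New servers are added before old ones are removed (an assumed ordering)."""
    live = norm(current)
    for name in sorted(norm(target) - norm(current)):
        live = live | {name}
        yield "add", name, live
    for name in sorted(norm(current) - norm(target)):
        live = live - {name}
        yield "remove", name, live

def rollout(current, target, authoritative):
    """Apply stages in order; return (applied, live NS set, blocker or None).
    On a blocker the live set is the last good state, i.e. the rollback point."""
    auth, live, applied = norm(authoritative), norm(current), []
    for action, name, ns_set in stages(current, target):
        if action == "add" and name not in auth:
            return applied, sorted(live), f"{name} does not answer authoritatively yet"
        if len(ns_set) < 2:
            return applied, sorted(live), f"removing {name} leaves fewer than two NS"
        applied.append(f"{action} {name}")
        live = ns_set
    return applied, sorted(live), None
```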
ICANN supports transferring domains from one registrar to another, and transferring ownership from one party to another as part of its mandates to promote competition and customer choice.
Transferring ownership of an existing domain replaces the current owner of the domain in the registry with a new owner. Each registrar has their own process to ensure that the request is legitimate. Generally, both parties must agree to the transfer via a secure mechanism.
The owner of a domain may also transfer the domain to a new registrar. You might transfer to a new registrar if you are unhappy with the service provided by your current registrar.
There are some restrictions on this. For example, a domain transfer request may be denied if the domain is less than 60 days old to prevent abuse by malicious parties.
Many registrars offer the ability to "lock" the domain to the registrar due to incidents of malicious domain hijacking in the past. The registrar will automatically refuse any request to transfer the domain to another registrar while a domain is locked.
Domain locking is a good safeguard against domain hijacking, where a malicious party attempts to fraudulently transfer the domain to another registrar, so they can take it over. The domain can be unlocked at any time. This requires an additional factor of authentication.
Keeping domains safe
It's important to keep your domains safe. An attacker may attempt to hijack your domains through social engineering or other means, to steal data from your customers or to use your domain for some other nefarious purpose.
There are a few things that DNS administrators can and should do to keep domains safe:
- Strong passwords: Use unique and strong passwords for registrar accounts.
- Use multi-factor authentication (MFA): Enable strong MFA on registrar accounts. Note that MFA based on text (SMS) is not particularly strong.
- Use domain locking: Domain transfer is rare, so keep domains locked to the registrar whenever possible.
- Don't allow domains to expire: Once the lease expires, another party may be able to register the domain. Use auto-renewal for payment and update payment methods when necessary, for example when a new credit card number is issued. You may want to pre-pay for a number of years if the registrar permits.
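Two of the safeguards above, domain locking and lease renewal, can be monitored from published registration data. The following is an added example, not part of the original article: it assumes the data is available as an RDAP domain object (RFC 9083), where a transfer lock appears as the status "client transfer prohibited" or "server transfer prohibited". The sample object is constructed and the 30-day warning window is an arbitrary choice.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP-style domain object; all values are sample data.
SAMPLE = json.loads("""{
  "ldhName": "example.org",
  "status": ["client transfer prohibited", "active"],
  "events": [
    {"eventAction": "registration", "eventDate": "2020-03-01T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"}
  ]
}""")

LOCK_STATUSES = {"client transfer prohibited", "server transfer prohibited"}

def audit_domain(rdap, now, warn_days=30):
    """Return findings about transfer lock and lease expiry (empty list = OK).
    `now` must be a timezone-aware datetime; warn_days is an assumed threshold."""
    findings = []
    status = {s.lower() for s in rdap.get("status", [])}
    if not status & LOCK_STATUSES:
        findings.append("transfer lock is not set")
    expiry = next((e.get("eventDate") for e in rdap.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    if expiry is None:
        findings.append("no expiration date published")
        return findings
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 onwards.
    expires = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
    days_left = (expires - now).days
    if days_left < 0:
        findings.append(f"lease expired {-days_left} days ago")
    elif days_left < warn_days:
        findings.append(f"lease expires in {days_left} days")
    return findings
```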