Frequently asked questions

Whether you are new to domain management, exploring DNS security, considering a TLD application or need clarity on compliance, this knowledge base is designed to answer your questions in depth.

Browse answers by topic

DNS Fundamentals

Core concepts covering how DNS works, how trust is established and where DNS choices materially affect resilience, privacy and email performance.

The Domain Name System (DNS) is often described as the phonebook of the internet. When someone types your website address into a browser, DNS is the system that translates that human-readable name (like sokomi.com) into the numerical IP address that servers use to locate and deliver your content. Without DNS, the internet as we know it would not function.

For organisations, DNS is a critical piece of infrastructure that directly affects website availability, email delivery, security posture and brand reputation. A misconfigured or insecure DNS setup can lead to website outages, email delivery failures, vulnerability to phishing attacks and loss of customer trust. DNS is not just a technical concern; it is a business continuity requirement.

Sokomi helps organisations design, deploy and manage DNS infrastructure that is secure, resilient and compliant with modern standards including DNSSEC, DNS-over-HTTPS and NIS2 requirements.

DNSSEC (Domain Name System Security Extensions) is a suite of specifications that adds a layer of authentication to DNS responses. In simple terms, it allows a DNS resolver to verify that the answer it receives to a query has not been tampered with in transit. Without DNSSEC, DNS responses can be spoofed or manipulated by attackers in what is known as DNS cache poisoning, redirecting your visitors to fraudulent websites without their knowledge.

DNSSEC works by digitally signing DNS records using public-key cryptography. When a resolver receives a signed response, it can verify the signature against the published public key, confirming that the data is authentic and has not been altered.
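To make concrete how the chain of trust described above is anchored, here is an added example (not Sokomi's code or a DNSSEC library) that derives the key tag and SHA-256 DS digest from a DNSKEY and performs the match a validating resolver does at each delegation; the public key bytes and the domain example.test are constructed placeholders, not a real key.

```python
import hashlib
import struct

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    # DNSKEY RDATA = flags | protocol (always 3) | algorithm | public key (RFC 4034 section 2.1).
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B: a 16-bit checksum used to select the DNSKEY a DS or RRSIG refers to.
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_name_wire(name: str) -> bytes:
    # Canonical form: lowercase, length-prefixed labels, terminated by the root label.
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner: str, rdata: bytes) -> str:
    # DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA (RFC 4509).
    return hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest()

def ds_matches_dnskey(owner, rdata, ds_key_tag, ds_algorithm, ds_digest_hex):
    # The check a validating resolver performs at a delegation: the DS published in the
    # parent zone must agree with the child's DNSKEY in key tag, algorithm and digest.
    return (key_tag(rdata) == ds_key_tag
            and rdata[3] == ds_algorithm
            and ds_digest(owner, rdata) == ds_digest_hex.lower())

# Constructed placeholder KSK (not a real public key): flags 257 = ZONE + SEP, algorithm 13.
SAMPLE_RDATA = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
# The DS the parent would publish for it: (key tag, algorithm, digest type 2, digest).
SAMPLE_DS = (key_tag(SAMPLE_RDATA), 13, 2, ds_digest("example.test", SAMPLE_RDATA))
```

Changing a single byte of the key, or the owner name, makes ds_matches_dnskey return False, which is exactly how tampering with a child's DNSKEY is caught.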

For most organisations, the answer is yes: you should implement DNSSEC. It is increasingly considered a baseline security requirement, particularly for organisations operating in regulated sectors such as finance, healthcare and government. The NIS2 Directive also places expectations on essential and important entities to ensure the integrity and authenticity of their DNS infrastructure. Sokomi can assess your current DNSSEC deployment, identify gaps and manage the full implementation lifecycle.

These are two distinct roles within the DNS resolution process. An authoritative name server holds the definitive DNS records for a domain. When a query arrives for a domain it is authoritative for, it responds with the answer directly from its own records. Think of it as the source of truth for a specific domain.

A recursive resolver, on the other hand, is the intermediary that handles the lookup process on behalf of the end user. When you type a URL into your browser, your device sends the query to a recursive resolver (typically operated by your internet service provider or a third-party service). The resolver then queries multiple authoritative servers in sequence, starting from the root zone, until it finds the answer, and returns it to your device.

Sokomi provides both Secure Authoritative Name Server (Secure ANS) and Encrypted DNS Resolver services. The Secure ANS ensures your domain records are served from hardened, geographically distributed infrastructure with DNSSEC signing. The Encrypted Resolver provides DNS-over-HTTPS and DNS-over-TLS resolution, protecting query data from interception.

Traditional DNS queries are sent in plain text over the network, which means anyone with access to the network path (such as an internet service provider, a public Wi-Fi operator, or a malicious actor) can see which domains you are looking up. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are protocols that encrypt DNS queries to prevent this kind of surveillance and tampering.

DoH wraps DNS queries inside standard HTTPS connections (port 443), making them indistinguishable from regular web traffic. DoT uses a dedicated port (853) with TLS encryption. Both achieve the same goal of encrypting DNS queries, but they differ in how they interact with network infrastructure. DoH is harder to block or filter because it blends in with HTTPS traffic. DoT is easier for network administrators to identify and manage.
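To show what wrapping a DNS query in HTTPS or TLS looks like on the wire, here is an added example (not Sokomi's resolver code) that builds a wire-format query for sokomi.com, encodes it in both RFC 8484 request forms, and frames the same message as DoT would; the resolver hostname and the /dns-query path are assumed placeholders.

```python
import base64
import struct

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    # Minimal RFC 1035 query: ID 0 (RFC 8484 recommends it so identical DoH requests
    # are cacheable), RD set, one question (type A = 1, class IN = 1), no EDNS.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_path(name: str, template_path: str = "/dns-query") -> str:
    # RFC 8484 GET form: the wire message goes base64url-encoded, padding stripped,
    # in the 'dns' query parameter. On the network this is ordinary HTTPS to port 443.
    wire = build_dns_query(name)
    dns_param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{template_path}?dns={dns_param}"

def doh_post_request(name: str, host: str, template_path: str = "/dns-query") -> bytes:
    # RFC 8484 POST form: the raw wire message is the body, with the DNS media type.
    wire = build_dns_query(name)
    headers = (f"POST {template_path} HTTP/1.1\r\nHost: {host}\r\n"
               "Accept: application/dns-message\r\n"
               "Content-Type: application/dns-message\r\n"
               f"Content-Length: {len(wire)}\r\n\r\n")
    return headers.encode("ascii") + wire

def dot_frame(name: str) -> bytes:
    # DoT (RFC 7858) keeps DNS-over-TCP framing: a 2-byte length prefix, then the message,
    # inside a TLS session to port 853, which is why network equipment can still tell it is DNS.
    wire = build_dns_query(name)
    return struct.pack("!H", len(wire)) + wire

def decode_dns_param(value: str) -> bytes:
    # Reverse of the GET encoding: restore the stripped padding, then base64url-decode.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
```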

For organisations concerned about data sovereignty, privacy and compliance with European data protection requirements, encrypted DNS resolution is increasingly important. Sokomi operates encrypted DNS resolvers that keep query data within European infrastructure.

DNS plays a central role in email authentication. Three key DNS-based protocols work together to verify that an email genuinely originates from the domain it claims to be from: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance).

SPF publishes a DNS TXT record listing the IP addresses authorised to send email on behalf of your domain. DKIM uses a DNS-published public key to verify a cryptographic signature attached to each outgoing email. DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do with emails that fail authentication checks (reject, quarantine or allow) and provides reporting back to the domain owner.

If these records are misconfigured, missing or incomplete, your legitimate emails may be rejected or flagged as spam by receiving servers. Conversely, if you have not published a DMARC policy, attackers can send emails that appear to come from your domain with no mechanism for the recipient to detect the fraud. The DNS Healthcard scans all three protocols as part of its Email Authentication category.
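As an added example of the kind of checks an Email Authentication assessment performs (this is illustrative code, not the DNS Healthcard's own scanner), the following evaluates SPF, DKIM and DMARC TXT records for the misconfigurations described above; the records for the placeholder domain example.test and selector s1 are constructed, and a real scanner would query DNS instead of a dictionary.

```python
import re
# Constructed sample TXT records for a placeholder domain (not real DNS data):
# SPF and DKIM are in place, but DMARC is still in monitor-only mode.
SAMPLE_TXT = {"example.test": ["v=spf1 include:_spf.mailer.test ip4:192.0.2.10 ~all"],
              "s1._domainkey.example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
              "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"]}
# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^([+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|redirect=)", re.I)

def parse_tags(record):
    # DKIM and DMARC share the 'tag=value; tag=value' syntax.
    pairs = (kv.split("=", 1) for kv in record.split(";") if "=" in kv)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send for this domain"]
    issues, terms = [], spf[0].split()[1:]
    if any(t.lower() in ("all", "+all") for t in terms):
        issues.append("'+all' authorises any host to send as this domain")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms exceed the limit of 10: permerror")
    return issues

def check_dkim(records):
    if not records:
        return ["no DKIM key published at this selector"]
    if not parse_tags(records[0]).get("p"):
        return ["empty p= tag: RFC 6376 treats the key as revoked"]
    return []

def check_dmarc(records):
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: receivers take no action on mail failing SPF/DKIM"]
    tags, issues = parse_tags(dmarc[0]), []
    if tags.get("p", "none").lower() == "none":
        issues.append("p=none (or no p= tag) only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports showing who sends as you")
    return issues

def assess_email_auth(domain, txt, selectors):
    # txt maps a DNS name to the TXT strings published there.
    return {"spf": check_spf(txt.get(domain, [])),
            "dkim": {s: check_dkim(txt.get(f"{s}._domainkey.{domain}", [])) for s in selectors},
            "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", []))}
```

For the sample domain the only finding is the DMARC p=none policy, which is the "no mechanism for the recipient to detect the fraud" case in practice.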

DNS Healthcard

Questions about the assessment model, how scoring works, how quickly scans can be delivered and what Certified Domain Protection actually signals.

The DNS Healthcard is a comprehensive diagnostic assessment that evaluates your domain’s security posture across six categories: DNS Record Integrity, Email Authentication (SPF, DKIM, DMARC), DNSSEC Validation, SSL/TLS Health, Vulnerability Scanning and Compliance Scoring. It runs over 80 automated checks and produces a single percentage score that represents your overall domain health.

Unlike point solutions that focus on one area (such as email authentication alone), the Healthcard provides a holistic view of your domain infrastructure. Each category is weighted according to its impact on your overall security posture, and the results include specific, actionable remediation guidance for every issue identified.

Learn more on the DNS Healthcard product page.

If your domain scores 90% or above on the DNS Healthcard assessment, it qualifies for Certified Domain Protection status. This is a verifiable certificate that confirms your domain infrastructure has been assessed by Sokomi and meets a high standard across all six security categories.

The certificate can be used to demonstrate compliance to auditors, regulators, partners and clients. It is particularly valuable for organisations operating under NIS2 obligations, ISO 27001 alignment requirements or sector-specific regulations that expect evidence of DNS security practices. The certification is valid for a defined period, after which a re-assessment is recommended to maintain the status.

The automated scan itself completes within minutes. The full assessment, including analysis, scoring and the generation of a detailed report with remediation guidance, is typically delivered within one business day. For organisations with large or complex domain portfolios (multiple domains, sub-domains, different registrars or hosting providers), the assessment may be extended to ensure comprehensive coverage.

Following the initial assessment, Sokomi can work with your team to implement the recommended remediations and then re-scan to verify improvements. Many clients see their score improve from below 60% to above 90% within a matter of weeks.

Yes. Sokomi offers a complimentary initial scan for prospective clients. This gives you a clear picture of your current domain security posture and highlights the areas where improvement would have the greatest impact. To request a free scan, visit our Contact Us page or email team@sokomi.com with the domain you would like assessed.

Domain Management

Operational questions about portfolio governance, registrar and registry controls, renewal risk and the security mechanics behind critical business domains.

Domain management covers every aspect of owning and operating domain names. This includes registration and renewal across multiple registrars, DNS record configuration and maintenance, WHOIS/RDAP data management, registry locking to prevent unauthorised transfers, DNSSEC deployment and key management, SSL/TLS certificate provisioning and renewal, compliance reporting (GDPR, NIS2), role-based access control for team members, and portfolio-level strategy including consolidation, rationalisation and defensive registrations.

For organisations with more than a handful of domains, this quickly becomes complex. Different domains may be registered with different registrars, hosted on different infrastructure, and managed by different teams. Sokomi provides a centralised platform and advisory service that brings all of this under a single point of control with full audit trails and compliance reporting.

Without a strategy, domain portfolios grow organically and become difficult to control. Common problems include domains expiring because renewal was missed, inconsistent DNS configurations creating security vulnerabilities, former employees retaining access to registrar accounts, domains registered with multiple registrars with no central view, and defensive registrations that were acquired reactively but never integrated into a coherent portfolio.

A domain management strategy addresses all of these by establishing clear policies for registration, naming conventions, security baselines, renewal workflows and access governance. It also includes a portfolio audit to identify redundant, underused or at-risk domains. The result is reduced operational risk, lower costs and a portfolio that actively supports your brand and business objectives rather than creating liability.

Registry locking is a security feature that prevents unauthorised changes to a domain’s registration data at the registry level. When a domain is registry-locked, any attempt to modify DNS settings, transfer the domain to another registrar or change the registrant details is blocked unless the lock is explicitly removed through a verified process.

There are different levels of locking. A standard registrar lock (clientTransferProhibited) prevents transfers but can be removed by anyone with access to the registrar account. A registry lock adds a layer above this, requiring manual verification (often including out-of-band confirmation) before any changes are permitted. This makes it extremely difficult for an attacker to hijack the domain even if they gain access to the registrar account.

For any domain that is critical to your business (your primary website, email domain, customer-facing services), registry locking is strongly recommended. Sokomi can assess which domains in your portfolio should be registry-locked and manage the locking process on your behalf.

Compliance

Regulatory questions covering NIS2, GDPR and the practical implications for organisations that operate or materially depend on DNS and domain infrastructure.

The NIS2 Directive (EU 2022/2555) places significant cybersecurity obligations on DNS service providers and TLD name registries, which are explicitly listed as essential entities. Key requirements include implementing robust cybersecurity risk-management measures (including encryption, access control, incident detection and response), reporting significant incidents to the national CSIRT within strict timelines, ensuring supply-chain security for contracted providers, and maintaining evidence of compliance through audits and documentation.

Sokomi’s advisory team supports DNS providers and domain-dependent organisations through NIS2 readiness assessments, gap analyses, and the implementation of technical and organisational measures required to meet the directive. Our Advisory service line covers NIS2 in depth.

GDPR compliance for domain data is multi-layered. Registration data (WHOIS/RDAP) contains personal data that must be protected while still meeting ICANN policy requirements for legitimate access by law enforcement, IP holders and researchers. Customer data processed through our management platforms is subject to Article 28 processing agreements, appropriate technical and organisational measures, and retention schedules aligned with legal obligations.

Our approach is documented in our Privacy Policy. Key points: personal data is processed on the lawful bases set out in Article 6, international transfers use adequacy decisions or Standard Contractual Clauses, and data subjects can exercise their Article 15–22 rights through our Data Protection Officer at team@sokomi.com.

Sokomi’s primary infrastructure is hosted in the European Union, and our default position is EU-resident processing. Where we use third-party services that involve US processing (for example, a SaaS analytics vendor), the transfer is covered either by a European Commission adequacy decision (such as the EU-US Data Privacy Framework where the vendor is certified) or by Standard Contractual Clauses supplemented by a transfer impact assessment.

For clients with sovereignty requirements that exclude US processing entirely, our Infrastructure Hosting and DNS Engineering services can be deployed on fully EU-resident stacks without US-exposed components. Please discuss your specific requirements with us so we can confirm an appropriate configuration.

Still have questions?

Our team is available Monday to Friday, 8:00 to 18:00 CET. We are happy to discuss your specific requirements in depth.

Ready to talk to our team?

Book a consultation to discuss your domain, DNS or compliance requirements with one of our specialists.