Last Modified: November 26, 2025

DNSimple Security

As a critical component of DNS, domain, and SSL certificate infrastructure, we take your security seriously. This page describes how we handle security. For information about reporting security vulnerabilities, please see our Responsible Disclosure policy.

Password Security

Account passwords are never stored in plain text. We use bcrypt, an industry-standard adaptive hashing function designed specifically for password storage. Each password is combined with a unique, cryptographically random salt before hashing, which protects against rainbow table attacks and ensures that even identical passwords result in different stored hashes.

The bcrypt algorithm is designed to be computationally expensive, making brute-force attacks impractical. We also maintain a password history to prevent password reuse, helping ensure your account stays secure over time.
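The properties described above (a unique random salt per password, an adjustable work factor, and a password history) are easiest to see in code. The following is an added example, not DNSimple's own code. Because bcrypt is not in Python's standard library, it uses hashlib.pbkdf2_hmac as a stand-in; the salt handling, storage format, iteration count and the in-memory PasswordStore are assumptions made for the example.

```python
"""Salted, adaptive password hashing with a password-history check.

Added example, not DNSimple's code. Uses hashlib.pbkdf2_hmac as a
standard-library stand-in for bcrypt: both are adaptive (a work factor makes
each guess expensive) and both need a unique random salt per password.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # work factor; raise it over time as hardware speeds up (assumed value)
SALT_BYTES = 16        # 128-bit cryptographically random salt


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' (assumed format).

    A fresh os.urandom() salt means two users with the same password get
    different stored hashes, and precomputed (rainbow) tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the salt and work factor stored alongside it."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), hash_hex)


class PasswordStore:
    """Keeps the current hash plus the last few, so reuse can be refused.

    Because every entry has its own salt, a candidate password cannot be
    checked by hashing it once; it must be verified against each old entry.
    """

    def __init__(self, history_size: int = 5):
        self.history_size = history_size
        self.history: list[str] = []   # newest first

    def set_password(self, password: str) -> bool:
        if any(verify_password(password, old) for old in self.history):
            return False   # reused; the caller should reject the change
        self.history.insert(0, hash_password(password))
        del self.history[self.history_size:]
        return True

    def check(self, password: str) -> bool:
        return bool(self.history) and verify_password(password, self.history[0])


def demo() -> dict:
    """Constructed walk-through of the properties discussed above."""
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    store = PasswordStore(history_size=2)
    first = store.set_password("hunter2")
    second = store.set_password("hunter3")
    reuse = store.set_password("hunter2")   # still in history, so refused
    return {
        "same_password_different_hashes": a != b,
        "both_verify": verify_password("correct horse battery staple", a)
                       and verify_password("correct horse battery staple", b),
        "wrong_rejected": not verify_password("Correct horse battery staple", a),
        "first_set": first,
        "second_set": second,
        "reuse_refused": not reuse,
        "current_ok": store.check("hunter3"),
    }


if __name__ == "__main__":
    print(demo())
```

The history check is the non-obvious part: since each stored entry carries its own salt, refusing a reused password costs one full hash computation per history entry, which is a deliberate trade of CPU time for not keeping any reversible form of old passwords.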

Encryption at Rest

Sensitive data stored in our systems is encrypted using ChaCha20-Poly1305, a modern authenticated encryption algorithm that provides both confidentiality and integrity protection. This includes:

  • SSL certificate private keys: Certificate secrets are stored encrypted and are only decrypted when you request a download. For more details, see our Private Key Security and Use Policy.
  • API access tokens: All access tokens are encrypted before storage using strong encryption.
  • SSO credentials: Integration credentials for identity providers (Okta, Microsoft Entra, Google Workspace) are encrypted at rest.
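Authenticated encryption means a stored blob that has been modified, moved to another record, or decrypted with the wrong key is rejected outright rather than yielding garbage. The following added example (not DNSimple's code) shows that with ChaCha20-Poly1305 from the third-party cryptography package; the blob layout (nonce followed by ciphertext and tag) and the use of a record id as associated data are assumptions made for the example.

```python
"""Authenticated encryption at rest with ChaCha20-Poly1305.

Added example, not DNSimple's code; it uses the third-party `cryptography`
package. The blob layout and the record-id-as-associated-data convention
are assumptions made for this example.
"""
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

NONCE_BYTES = 12   # 96-bit nonce; never reuse a nonce under the same key
TAG_BYTES = 16     # Poly1305 authentication tag appended to the ciphertext


def seal(key: bytes, record_id: str, secret: bytes) -> bytes:
    """Encrypt `secret` for storage. Returns nonce || ciphertext || tag.

    record_id is passed as associated data: it is authenticated but not
    encrypted, so a blob cannot be copied onto another record undetected.
    """
    nonce = os.urandom(NONCE_BYTES)
    ct = ChaCha20Poly1305(key).encrypt(nonce, secret, record_id.encode())
    return nonce + ct


def unseal(key: bytes, record_id: str, blob: bytes) -> Optional[bytes]:
    """Decrypt and verify. Returns None on any authentication failure."""
    nonce, ct = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    try:
        return ChaCha20Poly1305(key).decrypt(nonce, ct, record_id.encode())
    except InvalidTag:
        return None


def demo() -> dict:
    """Constructed walk-through: round trip, then three ways a blob can be wrong."""
    key = ChaCha20Poly1305.generate_key()   # 256-bit key; in production it lives in a KMS or HSM
    # constructed placeholder, not a real private key
    pem = b"-----BEGIN PRIVATE KEY-----\nconstructed sample\n-----END PRIVATE KEY-----\n"
    blob = seal(key, "cert:1234", pem)

    # 1. honest round trip
    ok = unseal(key, "cert:1234", blob)

    # 2. one flipped ciphertext bit: a plain stream cipher would return altered
    #    plaintext, but the Poly1305 tag no longer verifies
    flipped = bytearray(blob)
    flipped[NONCE_BYTES] ^= 0x01
    tampered = unseal(key, "cert:1234", bytes(flipped))

    # 3. same blob presented under another record id: associated data mismatch
    swapped = unseal(key, "cert:9999", blob)

    # 4. wrong key
    wrong_key = unseal(ChaCha20Poly1305.generate_key(), "cert:1234", blob)

    return {
        "round_trip": ok == pem,
        "plaintext_not_visible": b"PRIVATE KEY" not in blob,
        "tamper_detected": tampered is None,
        "swap_detected": swapped is None,
        "wrong_key_detected": wrong_key is None,
        "overhead_bytes": len(blob) - len(pem),   # nonce + tag
    }


if __name__ == "__main__":
    print(demo())
```

Decrypting only at download time, as the page describes for certificate keys, fits this pattern: the stored blob is opaque until the key (held separately) is applied, and any corruption or substitution in the storage layer surfaces as a decrypt failure rather than as silently wrong key material.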

Multi-Factor Authentication

We provide multi-factor authentication for user accounts, adding an essential layer of protection beyond passwords. We support multiple authentication methods:

  • Time-based one-time passwords (TOTP): Compatible with authenticator apps like Google Authenticator, Authy, and 1Password.
  • Hardware security keys: Support for FIDO2/WebAuthn security keys such as YubiKey.
  • Platform authenticators: Support for Windows Hello, Apple Face ID, Touch ID, and Passkeys.

Recovery codes are provided when you enable MFA, ensuring you can regain access to your account if you lose your primary authentication method.

Team Security

For Teams and Enterprise plans, account administrators can enforce multi-factor authentication for all team members. This ensures everyone accessing your account has an additional layer of security enabled. Single sign-on (SSO) integration is also available with Okta, Microsoft Entra, and Google Workspace, allowing you to manage access through your existing identity provider.

Domain Security

We provide several layers of protection for your registered domains:

  • Automated transfer locks: Newly registered and transferred domains are automatically locked to prevent unauthorized transfers. The clientTransferProhibited status protects your domains from being transferred without your explicit authorization.
  • DNSSEC: Domain Name System Security Extensions cryptographically sign your DNS records, preventing attackers from spoofing your domain's DNS responses and redirecting users to malicious sites. We handle automatic key rotation for domains registered through DNSimple.
  • WHOIS privacy: Free WHOIS privacy protection keeps your personal contact information private in public WHOIS records.

API Security

API access tokens are cryptographically generated and stored encrypted. Tokens can be scoped to limit their permissions, and you can create multiple tokens for different purposes. All API communication is secured via HTTPS, and tokens are never logged or displayed in full after creation.

Activity Logging

All significant actions within your account are logged for security and audit purposes. You can review your account activity to monitor for any unauthorized access or changes. Activity logs include information about who performed an action, when it occurred, and from what IP address.

Infrastructure Security

All servers are under strict access control and expose only the services that are required on that server. We regularly update our infrastructure to incorporate security patches and updates.

All data is backed up on a regular basis to off-site backups with encryption in transit and at rest.

DDoS Defense

All domains at DNSimple include DDoS defense at no additional cost. Our infrastructure is designed to absorb and mitigate distributed denial-of-service attacks, ensuring your DNS continues to resolve even under attack.

Payment Security

All credit card transactions are processed using secure encryption. Card information is transmitted, stored, and processed securely on a PCI-compliant network. We use Stripe for processing all payments—we never store your full credit card details on our servers. More information about Stripe's PCI compliance may be found on the Stripe site.
