Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

Badly configured localhost records create security issues

Delete all localhost labels from your zones

Red open digital padlock amid closed blue digital padlocks
  • Tuesday 9 November 2021

Of the 6.2 million domain names in the .nl zone, no fewer than 1.3 million still have an A record for the localhost label. It used to be mandatory for every zone to have a localhost record, but that requirement was scrapped long ago. Nevertheless, localhost records do need attention, because they make web servers with active users vulnerable to XSS attacks. We advise all registrants and operators (often registrars) to check their domain names' zones for localhost labels and to delete any they find.

Security problem

The recommendation that every zone should include a localhost record goes right back to RFC 1537, written nearly thirty years ago by Piet Beertema (founder of the .nl domain). Section 10 of that RFC (which also covers reverse DNS) says that every domain must have a localhost A record. However, after all these years, even Beertema can no longer remember exactly why. Operators who followed the RFC to the letter – as they were supposed to – added localhost labels to their zones, creating a reference to 127.0.0.1 (the loopback interface) from within their own domains: localhost.example.nl. However, as explained in this article, such records are vulnerable to cross-site scripting (XSS) attacks. An XSS attack involves someone on the same system as the one where a website is running to read site users' HTTP cookies (recording session and authentication data, for example). That's done by opening a 'high' TCP port and directing other system users to an address such as 'http://localhost.example.nl:49152/'. Because www.example.nl and localhost.example.nl have the same main domain, a malicious user who opens a connection with localhost.example.nl (127.0.0.1) also receives cookies intended for www.example.nl.

Localhost exclusively local

RFC 1537 was declared obsolete in 1996 and superseded by RFC 1912. The newer RFC clearly states that localhost should be configured (exclusively) as a special host name (reflecting its local scope). What's more, the host name has to be followed by a dot, so that it is unmistakably a Fully Qualified Domain Name (FQDN):

  localhost.    IN    A    127.0.0.1

Delete all localhost records from your zones

Many years back, in line with RFC 1537, we made inclusion of a localhost label mandatory in .nl domains. Compliance was an absolute technical requirement for the approval of a .nl domain. Although that requirement was withdrawn long ago, we did not explicitly communicate the message that the records should then have been deleted from all .nl zones. Consequently, misunderstanding of the situation has persisted, as the figures given at the start of this article attest. A large number of .nl domains still include bad localhost records, with some companies still even requiring the use of localhost labels. It is therefore high time that we stated unequivocally: you should delete all localhost labels from your zones.