Poor domain name management leads to another data leak in the youth care sector

Five lessons every organisation should learn

A data leak caused by failure to take proper precautions when withdrawing a redundant domain name. Three years ago, the Dutch national police had one. Eighteen months ago, RTL News reported that the Utrecht Youth Services Agency had made the same mistake. And, last week, the Youth Support Centre made the headlines when it came to light that similar domain name mismanagement had left the details of thousands of clients – many of them children – open to unauthorised access. So, why does this keep happening and how can it be prevented?

A domain name: small, but important

What leads to these mistakes? It's partly to do with the nature of domain names. They're quick and easy to register... and to cancel. Within many organisations, there are no hard and fast rules about who can register them, and domain names are treated as consumables, when in point of fact they're not. A domain may be easily acquired, but it quickly becomes the basis for countless e-mail addresses, websites and applications. Casting aside a domain name as soon as it's no longer wanted gives scammers the opportunity to get hold of it and put it to malicious use.

Example: password reset scam

One way of abusing a discarded domain name is in a password reset scam. Consider the following simplified example. An organisation changes its name. A new domain name is registered to match, and the old one is cancelled. Knowing that the organisation's staff have access to a password-protected system, a criminal gang registers the discarded domain name. It's then easy for the crooks to create an e-mail address matching a known employee's address in the old mail domain, and use it to ask the protected system to reset that employee's password. If the old e-mail address is still linked to the employee's user account, the system will accept the reset request and send a new password to that address. So the new password goes to the crooks, and with it access to that sensitive system. That's what happened in the recent Youth Support Centre leak: journalists at RTL News were able to use e-mail addresses linked to the Centre's old domain name (e.g. a.n.other@jeugdriagg.nl) to get hold of passwords and other login details.

Five lessons

Good domain name management isn't rocket science. And cybersecurity often isn't either. The Youth Support Centre case teaches five easy lessons:

1. Don't cancel a domain name as soon as you switch to a new one

Parking a redundant domain name is cheap. And, as long as it's still yours, no one else can abuse it in the ways described above. Over time – albeit sometimes several years – old e-mail addresses and links will be updated or removed from most systems as a matter of course. In the meantime, you can monitor traffic to the old domain, so that you can see when it has dried up and disposal is safe.
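One way to put the "monitor traffic to the old domain" advice into practice is a small script that counts, per month, how much mail still arrives for the retired domain and reports whether it has been quiet for long enough. The example below is added to this article and is not SIDN's code or a tool it describes. The log lines are constructed in a simplified, Postfix-like `to=<recipient>` form with an ISO date prepended (real Postfix logs use syslog timestamps without a year), and `old-example.nl` is a placeholder for the retired domain.

```python
"""Check whether mail traffic to a retired domain has dried up (lesson 1).

Added example, not SIDN's code. Log format and domain names are constructed.
"""
import re
from collections import Counter

OLD_DOMAIN = "old-example.nl"  # constructed placeholder for the retired domain

# Constructed sample log: ISO date, then a Postfix-style to=<recipient> field.
SAMPLE_MAIL_LOG = """\
2023-01-04 postfix/smtp: to=<j.jansen@old-example.nl>, status=sent
2023-01-19 postfix/smtp: to=<billing@old-example.nl>, status=sent
2023-02-02 postfix/smtp: to=<a.n.other@new-example.nl>, status=sent
2023-02-11 postfix/smtp: to=<billing@old-example.nl>, status=sent
2023-03-07 postfix/smtp: to=<a.n.other@new-example.nl>, status=sent
2023-04-15 postfix/smtp: to=<j.jansen@old-example.nl>, status=sent
2023-05-09 postfix/smtp: to=<a.n.other@new-example.nl>, status=sent
2023-06-21 postfix/smtp: to=<a.n.other@new-example.nl>, status=sent
"""

# Year, month and the recipient address inside to=<...>.
LINE_RE = re.compile(r"^(\d{4})-(\d{2})-\d{2} .*?to=<([^>]+)>")


def monthly_counts(log_text, domain):
    """Return {'YYYY-MM': n} messages addressed to `domain`.

    Every month that appears in the log is included, so months with no
    traffic to the old domain show up as 0 rather than being skipped.
    """
    counts = Counter()
    months_seen = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        year, month, addr = m.groups()
        key = f"{year}-{month}"
        months_seen.add(key)
        if addr.rsplit("@", 1)[-1].lower() == domain.lower():
            counts[key] += 1
    return {k: counts.get(k, 0) for k in sorted(months_seen)}


def dried_up(counts, quiet_months):
    """True when the most recent `quiet_months` months all show zero traffic."""
    months = sorted(counts)
    if len(months) < quiet_months:
        return False  # not enough history to decide
    return all(counts[m] == 0 for m in months[-quiet_months:])


if __name__ == "__main__":
    per_month = monthly_counts(SAMPLE_MAIL_LOG, OLD_DOMAIN)
    for month, n in per_month.items():
        print(f"{month}: {n} message(s) to {OLD_DOMAIN}")
    print("quiet for 2 months:", dried_up(per_month, 2))
    print("quiet for 3 months:", dried_up(per_month, 3))
```

On the constructed log the domain is quiet in May and June but still received a message in April, so a two-month quiet window passes while a three-month window does not; the window length is the policy decision, and a longer one is the safer choice given that the article notes old addresses can linger for years.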

2. Keep a record of the domain names your organisation has and what they're used for

Domain names are used for all sorts of purposes: individual mailboxes, automated mail distribution, system logins, and so on. Knowing how a domain name is used enables you to see what needs updating in the event of a switch, and what kind of traffic to look out for once the switch has been made. Make sure you've got a complete overview: some organisations have thousands of domain names, maybe registered by hundreds of individuals. If you've lost track, the Domain Name Portfolio Checker will help you sort out your .nl portfolio at least.

3. Tell your staff about the switch

Make it clear to everyone that, from a given date, e-mail addresses at the old domain are being withdrawn. So incoming mail that uses an old address shouldn't be trusted. That will promote awareness and protect against social engineering.

4. Look out for malicious registrations and login attempts

In order to use your organisation's name for malicious purposes, a criminal gang will typically register a matching or lookalike domain name. They can then use that name to, for example, seek access to protected systems. Tools such as SIDN BrandGuard help you tackle malicious registrations by alerting you to any suspicious new domains, anywhere in the world. Meanwhile, monitoring login attempts enables you to see whenever a malicious or outdated e-mail address is used to seek access.
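The password reset scenario described earlier and this lesson's monitoring advice come down to the same check: does an address on file, or one used in a login or reset request, belong to a domain you no longer control or to a lookalike of one you do? The example below is added to this article and is not SIDN's, BrandGuard's or the Youth Support Centre's code. The user directory, the domain lists and the tab-separated authentication log (timestamp, event, account, e-mail) are all constructed, and the lookalike check is a plain edit-distance comparison, which is a simplification of what a brand-monitoring service does.

```python
"""Audit recovery addresses and authentication events against retired and
lookalike domains (password reset example and lesson 4).

Added example, not SIDN's code. All data and the log format are constructed.
"""
from dataclasses import dataclass

OWN_DOMAINS = {"new-example.nl"}      # constructed: domains you currently hold
RETIRED_DOMAINS = {"old-example.nl"}  # constructed: domains you gave up

# Constructed directory: account name -> recovery e-mail address on file.
USER_DIRECTORY = {
    "j.jansen": "j.jansen@old-example.nl",
    "p.devries": "p.devries@new-example.nl",
    "m.bakker": "M.Bakker@Old-Example.nl",
}

# Constructed log lines: timestamp<TAB>event<TAB>account<TAB>e-mail address.
SAMPLE_AUTH_LOG = (
    "2023-06-01T09:12:03Z\tpassword_reset_request\tj.jansen\tj.jansen@old-example.nl\n"
    "2023-06-01T09:15:44Z\tlogin_success\tp.devries\tp.devries@new-example.nl\n"
    "2023-06-02T22:40:10Z\tpassword_reset_request\tm.bakker\tm.bakker@old-example.nl\n"
    "2023-06-03T07:01:59Z\tpassword_reset_request\tp.devries\tp.devries@new-example.nl\n"
    "2023-06-04T11:20:05Z\tpassword_reset_request\tp.devries\tp.devries@newexample.nl\n"
)


def email_domain(addr):
    """Domain part of an address, normalised to lower case."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def accounts_on_retired_domains(directory, retired):
    """Accounts whose recovery address the organisation no longer controls.

    These are the accounts the reset scam in the article works against.
    """
    return sorted(a for a, e in directory.items() if email_domain(e) in retired)


def reset_allowed(addr, retired):
    """Refuse to send a reset to any address at a domain you gave up."""
    return email_domain(addr) not in retired


def edit_distance(a, b):
    """Levenshtein distance, used as a crude lookalike measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, own_domains, max_distance=1):
    """Return the owned domain that `domain` imitates, or None."""
    d = domain.lower()
    for own in own_domains:
        if d != own and edit_distance(d, own) <= max_distance:
            return own
    return None


@dataclass
class Alert:
    timestamp: str
    event: str
    account: str
    email: str
    reason: str


def scan_auth_log(log_text, retired, own_domains):
    """Flag events whose address is on a retired or lookalike domain."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # malformed line
        ts, event, account, email = parts
        dom = email_domain(email)
        if dom in retired:
            alerts.append(Alert(ts, event, account, email, "retired-domain"))
        elif (target := lookalike_of(dom, own_domains)) is not None:
            alerts.append(Alert(ts, event, account, email, f"lookalike-of:{target}"))
    return alerts


if __name__ == "__main__":
    print("accounts to fix:", accounts_on_retired_domains(USER_DIRECTORY, RETIRED_DOMAINS))
    for a in scan_auth_log(SAMPLE_AUTH_LOG, RETIRED_DOMAINS, OWN_DOMAINS):
        print(f"{a.timestamp} {a.event} {a.account} <{a.email}>: {a.reason}")
```

The directory audit finds the accounts that still need their recovery address updated, `reset_allowed` is the server-side guard that would have stopped the reset described in the article, and the log scan surfaces both the retired-domain requests and the one sent from a domain that differs from the real one by a single character.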

5. Use multi-factor authentication

In the cases mentioned above, it probably wouldn't have been possible to use a discarded domain name to compromise security if the relevant systems had required a second login factor as well as a password. Those journalists, for example, might have needed the relevant employee's phone in order to log in.

Our five lessons have been brought to the fore by another highly regrettable incident, where sensitive personal information was exposed to unauthorised access. An incident that was entirely and easily avoidable. Let's hope it was the last of its kind.