“Survey of DMARC mail security on Mastodon servers makes disappointing findings”
Users should take security into account when choosing a Mastodon server
Numerous new Mastodon servers have recently sprung up. And, unfortunately, they're attracting the interest of scammers. A phishing mail campaign targeting users of the masto.ai server prompted network security specialist Sean Whalen to check whether the domain names of the top 1000 Mastodon servers had DMARC e-mail security protection.
He describes the findings of his survey as disappointing. "The great majority of Mastodon servers don't have a DMARC record at all. My survey shows that most domain operators don't have proper security." As well as urging operators to secure their mail domains, Sean is encouraging Mastodon users to consider a domain's DMARC support status when choosing where to set up their Mastodon accounts.
Since Elon Musk's acquisition of Twitter, the alternative microblogging platform Mastodon has experienced a boom. In recent months, the number of active users shot up from less than half a million to more than 2.5 million, before falling back to stabilise at about 1.3 million. The platform's current users are mostly early adopters from the activist, technical and academic communities. By way of comparison: Twitter claims to have 450 million monthly users (although the figures are contested).
One crucial difference between the 2 platforms is that Mastodon isn't centralised but federated. In other words, it consists of a network of independent servers (about 10,000 at present), which communicate with each other using the ActivityPub protocol. A new user can either open an account on one of those servers, or set up their own server. In the Netherlands, for example, SURF started a Mastodon pilot for the higher education sector early this year.
We previously published an article about SIDN Fund's support for the Mastodon.nl server.
We're also present on the Mastodon network ourselves, using the handles @SIDNlabs@mstdn.social and @sidn@mastodon.nl, although the second of those isn't yet actively posting.
Unsurprisingly, the appearance of so many new Mastodon servers, most with their own domain names, has attracted the interest of scammers. A phishing mail campaign targeting users of the masto.ai server prompted network security specialist Sean Whalen to check the domain names of the top 1000 Mastodon servers. He wanted to see how many were using the DMARC e-mail security standard and the supporting standards SPF and DNSSEC. (Use of the latter is recommended in the SPF/DKIM/DMARC standards but not strictly essential.) He didn't investigate DKIM support, because that can't be checked from outside without knowing the name of the DKIM selector (a reference to a DNS record with a public key).
What Whalen found is that only 15 per cent of surveyed Mastodon domains published DMARC policies with active settings – either 'p=quarantine' or 'p=reject'. A further 13 per cent had policies with the (passive) setting 'p=none'. However, a massive 72 per cent of the domains had no DMARC policy at all.
DNSSEC, which involves attaching digital signatures to DNS records, was supported by less than 20 per cent of the domain names. Given the low level of international DNSSEC support, that figure is not as discouraging as it might seem at first sight. The Netherlands is a positive outlier where DNSSEC signing is concerned.
The relatively good support for DNSSEC may reflect the fact that many of the domains are new. "If a domain name is hosted by the registrar, DNSSEC is often enabled by default," Whalen explains.
Support for SPF, a protocol based on publication of a list of mail gateways that are authorised to send mail on behalf of the relevant domain, is currently 54 per cent. "I had expected that number to be much higher," says Whalen, "because many mail services don't accept mail from domains without valid SPF records."
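The classification the survey applies to each domain (an active DMARC policy, a 'p=none' policy, or no DMARC record at all, plus whether a valid SPF record is published) can be expressed in a few dozen lines. The script below is an added example, not Sean Whalen's survey code. The DNS TXT records it processes are constructed sample data for made-up `.test` domains; a real survey would fetch the `_dmarc.<domain>` and apex TXT records over DNS, which is left out so the script runs offline. It follows RFC 7489 and RFC 7208 in two details the paragraph does not mention: more than one DMARC or SPF record counts as no usable record, and a DMARC record that lacks a valid 'p' tag but carries a reporting address is treated as 'p=none'.

```python
"""Classify DMARC and SPF TXT records into the buckets used by the survey above.

Added example (not the survey's own code). All records below are constructed
sample data; no DNS queries are made.
"""
from collections import Counter


def parse_dmarc(txt):
    """Parse one TXT record in DMARC 'tag=value; tag=value' syntax (RFC 7489).

    Returns a dict of tags, or None when the record is not a DMARC record:
    the first tag must be 'v' and its value must be exactly 'DMARC1'.
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            return None  # a tag without '=' makes the record unusable
        tags[key.strip().lower()] = value.strip()
    if not parts or not parts[0].lower().startswith("v=") or tags.get("v") != "DMARC1":
        return None
    return tags


def classify_dmarc(txt_records):
    """Map the TXT records found at _dmarc.<domain> to a survey bucket.

    'active'  : p=quarantine or p=reject
    'none'    : p=none (monitoring only)
    'missing' : no usable DMARC policy
    """
    records = [d for d in (parse_dmarc(r) for r in txt_records) if d is not None]
    # RFC 7489 6.6.3: zero records, or more than one, means no policy applies.
    if len(records) != 1:
        return "missing"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "active"
    if policy == "none":
        return "none"
    # No valid 'p' tag but a mailto: reporting URI: receivers act as if p=none.
    if tags.get("rua", "").lower().startswith("mailto:"):
        return "none"
    return "missing"


def has_valid_spf(txt_records):
    """True when the apex TXT records contain exactly one SPF record.

    RFC 7208 4.5: the version string is matched case-insensitively and must be
    followed by a space or the end of the record; multiple SPF records are a
    permanent error, so they count as no valid SPF here.
    """
    spf = [r for r in txt_records
           if r.strip().lower() == "v=spf1" or r.strip().lower().startswith("v=spf1 ")]
    return len(spf) == 1


def survey(domains):
    """Return the percentage of domains in each DMARC bucket and with valid SPF."""
    dmarc = Counter()
    spf_ok = 0
    for records in domains.values():
        dmarc[classify_dmarc(records["dmarc"])] += 1
        if has_valid_spf(records["apex"]):
            spf_ok += 1
    total = len(domains)
    pct = lambda n: round(100.0 * n / total, 1)
    return {
        "dmarc_active": pct(dmarc["active"]),
        "dmarc_none": pct(dmarc["none"]),
        "dmarc_missing": pct(dmarc["missing"]),
        "spf_valid": pct(spf_ok),
    }


# Constructed sample: what a survey would have fetched for six hypothetical servers.
SAMPLE = {
    "a.test": {"dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.test"],
               "apex": ["v=spf1 mx -all"]},
    "b.test": {"dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@b.test"],
               "apex": ["v=spf1 include:_spf.mail.test ~all"]},
    "c.test": {"dmarc": [], "apex": ["v=spf1 ip4:192.0.2.10 -all"]},
    "d.test": {"dmarc": [], "apex": ["some-site-verification=abc"]},
    "e.test": {"dmarc": ["v=DMARC1; rua=mailto:dmarc@e.test"],   # no 'p' tag
               "apex": ["v=spf1 mx -all", "v=spf1 a -all"]},      # two SPF records
    "f.test": {"dmarc": ["v=DMARC1; p=quarantine; pct=50"],
               "apex": ["v=spf1 -all"]},
}

if __name__ == "__main__":
    for bucket, share in survey(SAMPLE).items():
        print(f"{bucket:14s} {share:5.1f} %")
```

Running it prints the shares for the constructed sample; replacing `SAMPLE` with records fetched from DNS for a real server list turns it into the survey itself. Note that the survey's 72 per cent "no DMARC record" figure corresponds to the 'missing' bucket, which also absorbs malformed or duplicated records that a receiver would ignore.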
Whalen describes the survey findings as disappointing. "A very large proportion of major Mastodon servers don't have active DMARC policies, or even valid SPF records. And the great majority have no DMARC record at all. That's particularly surprising, given that a Mastodon server has only a small number of mail sources: 1 that relays mail from the server itself, and perhaps 1 or 2 for newsletter and mailbox services. It really isn't difficult to configure those sources to use DKIM signatures, or to publish a DMARC record. Yet my survey shows that most operators aren't taking the trouble to secure their mail domains properly."
"I don't think the problem is that they don't care about information security," Whalen clarifies. "I think that they simply lack the knowledge. It would be good if the Mastodon operator community did more to get the message across."
As well as urging operators to secure their mail domains, Sean is encouraging Mastodon users to consider a domain's DMARC support status when choosing where to set up their Mastodon accounts. That would put pressure on operators to take mail security more seriously.