In the complex ecosystem of modern business IT, your domain name is your digital front door. It is the foundation upon which your email, your website, and your brand reputation are built. Yet, time and again, we see UK SMEs inadvertently handing over the keys to this kingdom to third-party agencies—web developers, marketing firms, or SEO consultants—by allowing them to control the primary Domain Name System (DNS). While it might seem convenient to let your agency "handle the tech stuff," losing control of your DNS is a significant business risk that can lead to catastrophic operational downtime, security breaches, and a complete loss of brand autonomy. At Black Sheep Support, we believe that your DNS should be treated as a core business asset, owned and managed by you, the business owner.
Understanding the DNS: The Internet’s Phonebook
To understand why you must retain control, you first need to understand what the DNS actually does. In simple terms, the DNS is the internet’s phonebook. Every time a client sends you an email or a customer visits your website, their computer performs a DNS lookup to translate your human-readable domain name (e.g., yourcompany.co.uk) into an IP address (a string of numbers that computers use to find each other).
When you let an outside agency control your DNS, you are essentially letting them hold the keys to your digital identity. If they decide to change providers, go out of business, or make a configuration error, your entire digital presence can vanish in minutes. For a UK SME, this isn't just an inconvenience; it is a direct hit to your revenue and your compliance obligations under the UK GDPR.
The Risks of "Agency-Managed" DNS
When an agency holds the login credentials for your domain registrar or DNS management portal, you are entering into a "black box" arrangement. Here are the primary risks you face:
- Vendor Lock-in: If your relationship with an agency sours, they may use your DNS control as leverage. We have seen cases where agencies have refused to hand over access until "final invoices" are settled, effectively holding the business hostage.
- Configuration Blind Spots: Agencies are often experts in marketing or design, not cybersecurity. They may make DNS changes—such as updating SPF, DKIM, or DMARC records for email security—without understanding the broader security implications.
- Lack of Transparency: If your DNS is managed through an agency’s personal account rather than your own company account, you have no audit trail. You cannot see what changes were made, when they were made, or who made them.
- Operational Dependency: If the agency’s point of contact is on holiday or leaves the company, and you don’t have access to your own DNS settings, you are powerless to fix urgent issues like email delivery failures or website outages.
The Security and Compliance Implications
In the UK, the Information Commissioner’s Office (ICO) expects businesses to maintain control over their data and infrastructure. If a third party’s mismanagement of your DNS leads to a phishing attack or a website defacement, the buck stops with you.
DNS Hijacking and Phishing
If an attacker gains access to your DNS through a compromised agency account, they can redirect your traffic. They could point your emails to a server they control, intercepting sensitive client communications. This is a nightmare for data protection compliance. Furthermore, they can set up fake pages that look like your legitimate site to harvest customer credentials.
Cyber Essentials Alignment
For UK SMEs aiming for Cyber Essentials or Cyber Essentials Plus certification, you are required to demonstrate control over your IT environment. Relying on an outside agency to manage your DNS records without your direct oversight creates a "shadow IT" scenario that makes achieving these certifications—and maintaining a secure posture—significantly more difficult.
Best Practices for Managing Your Digital Identity
You do not need to be a network engineer to maintain control. You simply need to adopt a "Business-First" approach to your digital infrastructure.
1. Own the Registrar Account
Always register your domain name using a company-owned email address (e.g., admin@yourcompany.co.uk or a dedicated IT-admin alias). Never allow an agency to register the domain in their own name. You are the legal owner of the domain; your records at Nominet (for .uk domains) should reflect your business details, not the agency’s.
2. Implement Role-Based Access Control (RBAC)
If you must give an agency access to make technical changes, use a registrar or DNS provider that supports granular user permissions. Most reputable providers allow you to invite a user with specific, limited permissions. This allows the agency to do their job without having full "God-mode" access to your account.
3. Use Two-Factor Authentication (2FA)
This should be non-negotiable. Ensure that your DNS management portal is protected by 2FA. If an agency insists on having access, ensure that they are also bound by your security policies, including the use of 2FA on their own access accounts.
4. Maintain an Audit Log
Regularly review the DNS records for your domain. Your IT support provider or an internal lead should have a clear record of what every TXT, MX, and CNAME record does. If you see a record you don’t recognise, investigate it immediately.
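One way to carry out this review, as an added example that is not part of the original article: a short Python script that compares an export of your live DNS records with a documented inventory and reports undocumented, missing and changed records. The domain, record values and one-record-per-line export format are constructed for illustration; real providers' export formats vary.

```python
from collections import defaultdict

# Constructed sample data: example.co.uk and every value below are illustrative.
INVENTORY = [  # "source of truth": (name, type, value, purpose)
    ("example.co.uk", "MX", "10 mail.example.co.uk", "Inbound email"),
    ("example.co.uk", "TXT", "v=spf1 include:spf.mailhost.example -all", "SPF policy"),
    ("_dmarc.example.co.uk", "TXT", "v=DMARC1; p=reject", "DMARC policy"),
    ("www.example.co.uk", "CNAME", "web.hosting.example", "Company website"),
]
ZONE_EXPORT = """\
; constructed export, one record per line: name TTL class type rdata
example.co.uk.       3600 IN MX    10 mail.example.co.uk.
example.co.uk.       3600 IN TXT   "v=spf1 include:spf.mailhost.example include:bulk.sender.example -all"
www.example.co.uk.   3600 IN CNAME web.hosting.example.
promo.example.co.uk. 300  IN CNAME landing.campaign.example.
"""

def norm_name(name):
    return name.lower().rstrip(".")

def norm_value(rtype, rdata):
    rdata = rdata.strip()
    if rtype == "TXT":  # join split strings and drop quotes; TXT content keeps its case
        return rdata.replace('" "', "").strip('"')
    return rdata.lower().rstrip(".")  # hostnames: case-insensitive, trailing dot optional

def audit(zone_text, inventory):
    """Compare live records with the inventory; return a list of findings."""
    live, documented = defaultdict(set), defaultdict(set)
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank or comment line (inline comments are not handled)
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        live[(norm_name(name), rtype.upper())].add(norm_value(rtype.upper(), rdata))
    for name, rtype, value, _purpose in inventory:
        documented[(norm_name(name), rtype)].add(norm_value(rtype, value))
    findings = []
    for key in sorted(live.keys() | documented.keys()):
        seen, expected = live.get(key, set()), documented.get(key, set())
        if seen == expected:
            continue
        kind = "UNDOCUMENTED" if not expected else "MISSING" if not seen else "CHANGED"
        findings.append((kind, key[0], key[1], sorted(seen), sorted(expected)))
    return findings

if __name__ == "__main__":
    for kind, name, rtype, seen, expected in audit(ZONE_EXPORT, INVENTORY):
        print(f"{kind:12} {name} {rtype}  live={seen}  documented={expected}")
```

In the sample data the script flags a missing DMARC record, an SPF record that has gained an extra sender, and a campaign CNAME nobody documented.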
When to Involve Your IT Partner
Managing your own DNS does not mean you have to do it alone. It means you are the "gatekeeper" who authorises changes. A professional managed IT partner, like Black Sheep Support, acts as an extension of your team.
We recommend that your DNS be managed by your primary IT support provider, not your marketing or web agency. Why? Because your IT provider understands the holistic impact of DNS changes on your security, email deliverability, and network stability. If a marketing agency needs a new DNS record for a campaign, they should submit a request to your IT support team, who will verify the change, implement it securely, and document it for your records. This creates a "checks and balances" system that protects your business from accidental misconfigurations and malicious changes alike.
Key Takeaways
To ensure your business remains secure and autonomous, keep these core principles in mind:
- Ownership is Non-Negotiable: Your domain and DNS management console should be under your company’s legal control at all times.
- Segregate Roles: Separate your marketing/web development vendors from your infrastructure/IT support vendors. Never give marketing agencies administrative control over your core network settings.
- Use Professional Tools: Avoid free or "included" DNS services provided by small agencies. Use enterprise-grade DNS management tools that offer audit logs, 2FA, and granular user permissions.
- Document Everything: Maintain a "Source of Truth" document that lists every DNS entry and its purpose. This is essential for business continuity and disaster recovery.
- Compliance Matters: Remember that under UK GDPR, you are responsible for the security of your digital infrastructure. Outsourcing the "doing" does not outsource the "responsibility."
By taking these steps, you move from a position of vulnerability to one of resilience. You ensure that no matter which marketing agency you hire or fire, your digital foundation remains stable, secure, and under your command. Don't let your digital presence be a hostage to someone else's workflow; reclaim your DNS today.