Overview
UltraDNS user accounts provide access to the UltraDNS Managed Services Portal, where users may view or manage domains, DNS records, DNSSEC settings, zone transfer settings, reports, users, groups, permissions, certificates, web forwarding, and other account-level features.
The impact of unauthorized access depends on the permissions assigned to the user.
A user with read-only access may be able to view account or DNS information, while a user with higher permissions may be able to change DNS records, update domain settings, manage users, or change security-related configuration.
This article provides best practices for protecting UltraDNS user accounts and reducing the risk of unauthorized access, account takeover, and recovery issues.
Why Account Security Matters
UltraDNS account security is not limited to the password used to log in.
A secure UltraDNS user account also depends on the security of the email address, recovery information, trusted devices, browsers, networks, and people who have access to the account.
If an unauthorized party can access your mailbox, saved passwords, recovery answers, or trusted device, they may be able to complete password reset or account recovery workflows.
Protecting these related systems is part of protecting the UltraDNS user account.
Understand Your UltraDNS Login Method
UltraDNS users may authenticate using different login methods depending on how the account is configured.
Directusers log in to the UltraDNS Managed Services Portal with a username and password.Direct-2FAusers log in with a username, password, and two-factor authentication.SAMLorSSOusers authenticate through their organization's Identity Provider.API Onlyusers are intended for REST API access instead of direct portal access.
Protect the login method assigned to your user account.
If your account uses direct login, protect your UltraDNS password and enable multi-factor authentication when available.
If your account uses SAML or SSO, protect the Identity Provider account used to access UltraDNS.
Enable Multi-Factor Authentication
Multi-factor authentication, also called MFA or 2FA, adds a second verification step during login.
UltraDNS supports SMS Multi-Factor Authentication and QR Code Multi-Factor Authentication for direct portal logins.
Once enabled, each login attempt requires a six-digit verification code before portal access is granted.
Account administrators can also require MFA for all users on an UltraDNS account.
If MFA is required and your user account is not configured for MFA, you may be prompted to complete MFA setup during login.
UltraDNS SAML and UltraDNS MFA cannot be enabled together.
If your account uses SAML, authentication occurs through your Identity Provider, and your organization should enforce appropriate authentication controls through that Identity Provider.
Protect the Email Address on Your UltraDNS User Account
The email address associated with an UltraDNS user account may be used for account notifications, support communication, password-related workflows, and security-related communication.
Protect that mailbox with a strong, unique password and MFA.
If your mailbox is compromised, an unauthorized party may be able to access information or workflows related to the UltraDNS user account.
Keep your UltraDNS contact information current.
If a user leaves the organization, changes roles, or loses access to the mailbox associated with the user account, the account should be reviewed and updated before access is needed in an urgent situation.
Use Strong, Unique Passwords
Use a unique password for each UltraDNS direct user account.
Do not reuse the same password across UltraDNS, email, identity provider, registrar, cloud, or personal accounts.
Reused passwords create risk because one compromised service can expose unrelated accounts.
If a reused password appears in a breach, attackers may try that same password against UltraDNS or against the identity provider used for SAML access.
Use a trusted password manager to generate and store long, unique passwords. Protect the password manager with a strong master password and MFA.
Avoid Saving UltraDNS Passwords in Shared Browsers
Do not save UltraDNS passwords in browsers or devices used by other people.
This includes shared workstations, contractor devices, family computers, public computers, and unmanaged laptops.
Browser-saved passwords can create risk if the device is stolen, compromised by malware, left unlocked, or used by someone else.
For UltraDNS access, use a dedicated password manager with strong protection and avoid leaving UltraDNS portal sessions signed in on shared or unmanaged devices.
Use Trusted Devices and Networks
Access the UltraDNS Managed Services Portal only from trusted devices that are protected with a screen lock, current security updates, and endpoint protection.
Avoid logging in to UltraDNS from public Wi-Fi, public computers, hotel business centers, internet cafes, or unmanaged devices.
If your organization requires a VPN, managed device, approved network, or identity provider access policy for UltraDNS administration, use that approved access method.
Keep Recovery Information Private
Treat recovery answers, MFA backup codes, support verification details, API credentials, and account verification details as sensitive information.
Do not store recovery information in plain text, send it by email, share it in chat, or reuse answers that are publicly known or easy to guess.
Do not send passwords, MFA codes, private keys, API secrets, TSIG secrets, or full credential exports in a support ticket.
Review Users, Groups, and Permissions
UltraDNS permissions determine what a user can view, change, create, delete, or grant within the portal.
Review users, groups, and permissions regularly.
Remove or deactivate users who no longer need access, including former employees, contractors, vendors, or users who have changed roles.
Pay special attention to users assigned to groups with elevated permissions, such as Owner, Administrative, DNS Administration, Security Administration, or any custom group with write, create, delete, or grant permissions.
Where possible, give users only the access required for their role.
Avoid using shared user accounts because shared accounts make it harder to audit who performed a change.
Protect API Only Users and Automation Credentials
UltraDNS accounts may include users or credentials used for REST API access or automation.
Protect API credentials with the same level of care as portal credentials.
API access may allow changes to DNS records, zones, pools, or other configuration depending on the permissions assigned to the user.
Rotate API credentials if they may have been exposed.
Remove API-only users or automation credentials that are no longer required.
Monitor UltraDNS Account Activity
Review account activity after major DNS changes, employee departures, device theft, suspicious emails, password resets, access changes, or unexpected DNS behavior.
Pay attention to changes involving:
- Users, groups, and permissions
- Passwords or authentication settings
MFAenablement or disablementSAMLorSSOconfiguration- DNS records
- Name server records
MXrecords and email routing- Zone transfer settings
- DNSSEC settings
- API-only users or automation credentials
- Certificate Management or HTTPS Web Forwarding records
Prepare for Lost or Stolen Devices
If a device with UltraDNS access is lost or stolen, act quickly to reduce the risk of unauthorized access.
- Change the password for the affected UltraDNS user account, if direct login is used.
- Change the password for the mailbox associated with the UltraDNS user account.
- Revoke active sessions where the applicable service supports session revocation.
- Review UltraDNS users and remove or deactivate unknown or unauthorized users.
- Review recent UltraDNS account activity for unexpected changes.
- Rotate API keys, tokens, TSIG keys, or automation credentials if they may have been exposed.
- Enable or reconfigure MFA if the lost device was used for UltraDNS authentication.
- Notify your internal security or IT team.
Secure DNS and Email Routing Changes
DNS records can affect website availability, application access, domain validation, and email routing.
For that reason, UltraDNS access should be treated as security-sensitive even for users who are not account administrators.
Unauthorized changes to name servers, MX records, TXT verification records, forwarding records, DNSSEC settings, or zone transfer settings may affect where services resolve, where email is delivered, or who can complete domain validation and account recovery workflows.
Review DNS changes carefully and limit write permissions to users who need to make those changes.
What to Do If You Suspect Unauthorized Access
If you believe an UltraDNS user account was accessed without authorization, secure access before making unrelated DNS or account changes.
First, secure the affected UltraDNS user account, the mailbox tied to the account, and any SAML or Identity Provider account used to access UltraDNS.
Then review account activity and identify the specific changes that need to be investigated or reversed.
When contacting UltraDNS Support, provide clear and specific information:
- The UltraDNS account name or account ID, if known
- The affected UltraDNS username
- The domain or service affected
- The email address currently associated with the user account
- The email address you currently control
- The exact change or activity you are disputing
- The approximate date and time of the activity
- Whether the mailbox, device, MFA method, or SAML account may have been compromised
Do not include passwords, MFA codes, private keys, API secrets, TSIG secrets, or full credential exports in the support request.
Recommended Security Baseline
At minimum, every UltraDNS user account should follow this baseline:
- Use a strong, unique password for direct UltraDNS login.
- Enable MFA when available for direct login accounts.
- Protect the mailbox tied to the UltraDNS user account with MFA.
- Protect SAML or SSO accounts through the Identity Provider.
- Use a trusted password manager.
- Do not store UltraDNS passwords in shared browsers.
- Do not share UltraDNS user accounts.
- Review UltraDNS users, groups, and permissions regularly.
- Remove or deactivate former users immediately.
- Use trusted devices and networks for UltraDNS access.
- Monitor account activity after suspicious events.
- Keep recovery information and verification details private and current.
Summary
UltraDNS user account security depends on more than a password.
Protecting an UltraDNS user account also requires securing the mailbox, trusted devices, recovery methods, browsers, networks, SAML or SSO access, API credentials, and permissions connected to that account.
Strong unique passwords, MFA, secure email access, trusted devices, limited permissions, and regular user access reviews reduce the risk of unauthorized access and help prevent recovery delays during urgent security events.