Squarespace DNS Records Enhance Your Website Security

Securing your site with DNS records goes beyond SSL and gives you more control over domain safety, which matters when you handle sensitive data.

Squarespace DNS Records for Better Security

TL;DR:

  • Squarespace includes free SSL certificates for basic security on all sites
  • You can add extra DNS records through third-party providers for stronger protection
  • Manage DNS settings in your Squarespace dashboard unless you're using DNS Connect
  • Key security records include CAA, DS, DNSKEY, and TLSA records
  • Squarespace provides limited troubleshooting support for DNS issues

Getting your Squarespace site properly secured goes beyond the built-in SSL certificate. While Squarespace handles the basics well, adding specific DNS records can give you better control over your site's security.

Understanding DNS Records on Squarespace

Access your domain dashboard in Squarespace and select the domain you want to work with. Each domain gets managed separately, so you'll need to repeat this process if you have multiple domains.

The DNS settings live under your domain management area. This is where you'll add any custom records that go beyond Squarespace's standard setup.

Adding CAA Records

CAA (Certificate Authority Authorization) records tell the world which certificate authorities can issue SSL certificates for your domain. Squarespace handles SSL automatically, but CAA records add an extra security layer.

Here's how to add one:

  1. Go to DNS Settings in your domain panel
  2. Under Custom Records, click 'Add record'
  3. Enter your password or use two-factor authentication
  4. Select 'CAA' from the record type dropdown
  5. Put '@' in the Host field
  6. Add your provider's data in the Data field (format: 0 issue "example.org")
  7. Save your changes

This stops certificate authorities you haven't authorised from issuing certificates for your domain, even if someone somehow passes their domain verification.
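To see how a certificate authority reads the Data values from step 6, here is an added example (not Squarespace's code) that parses CAA strings and decides whether a given CA may issue, following the RFC 8659 rules for a single record set. The sample records and CA names are constructed, and the lookup of parent domains that a real CA also performs is left out.

```python
import re

# Presentation format typed into the Data field: <flags> <tag> "<value>"
CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this checker understands

# Constructed sample record set for illustration.
SAMPLE = ['0 issue "example.org"', '0 issuewild ";"',
          '0 iodef "mailto:security@example.com"']

def parse_caa(data):
    """Parse one CAA Data string into (flags, tag, value)."""
    m = CAA_RE.match(data)
    if not m:
        raise ValueError(f"not a valid CAA record: {data!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError(f"flags must fit in one byte: {data!r}")
    return flags, m.group(2).lower(), m.group(3)

def issuer_domain(value):
    """Issuer domain is the part before any ';' parameters; empty means no CA."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(records, ca_domain, wildcard=False):
    """Return True if ca_domain may issue under this CAA record set."""
    parsed = [parse_caa(r) for r in records]
    # An unrecognised property with the critical bit (128) set blocks issuance.
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in parsed):
        return False
    issue = [issuer_domain(v) for _, tag, v in parsed if tag == "issue"]
    issuewild = [issuer_domain(v) for _, tag, v in parsed if tag == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no restricting property: CAA does not limit issuance
    return ca_domain.lower() in relevant

if __name__ == "__main__":
    for ca, wild in [("example.org", False), ("other-ca.example", False),
                     ("example.org", True)]:
        print(ca, "wildcard" if wild else "regular", may_issue(SAMPLE, ca, wild))
```

Note that a record set containing only an iodef entry, or no CAA records at all, leaves issuance open to every CA.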

Setting Up DNSSEC Protection

DNSSEC protects your domain from certain types of cyber attacks by adding cryptographic signatures to your DNS records. Squarespace enables DNSSEC automatically for most domains, but you can customise it if needed.

To add custom DNSSEC records:

  1. Set up custom nameservers through your DNS provider first
  2. In your Squarespace DNSSEC panel, add up to eight DS or DNSKEY records
  3. Authenticate and enter the technical details your DNSSEC service provides

Keep in mind that using custom nameservers disables Squarespace's automatic DNSSEC protection. Make sure your provider's DNSSEC service is solid before making this switch.
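A DS record that does not match the DNSKEY your DNS provider publishes makes validating resolvers reject the domain, so it is worth checking the values before entering them. This added example (not Squarespace's or any provider's code) recomputes the key tag and SHA-256 digest from a DNSKEY and compares them with a DS string; the key material is constructed placeholder bytes, not a real key.

```python
import base64
import hashlib
import struct

# Constructed 64-byte placeholder standing in for an algorithm 13 public key.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Encode a domain name in canonical (lowercase) DNS wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Build DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest_hex) for SHA-256 (type 2)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """Compare a 'tag alg digest_type digest' string with the DNSKEY fields."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    given = (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper())
    return given == make_ds(owner, flags, protocol, algorithm, pubkey_b64)

if __name__ == "__main__":
    # 257 = key signing key flags, 3 = protocol, 13 = ECDSA P-256 with SHA-256
    print("example.com. IN DS %d %d %d %s" % make_ds("example.com", 257, 3, 13, SAMPLE_PUBKEY))
```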

Other Security Records Worth Knowing

TLSA Records: These work alongside your SSL certificate to provide extra validation for secure connections. They're particularly useful if you're running sensitive operations through your site.

PTR Records: Mainly used for email servers, these records confirm that your domain's IP addresses are legitimate. If you're planning to send emails from your domain, PTR records help with deliverability.

SSHFP Records: These verify SSH connections to your domain. Unless you're running custom server setups, you probably won't need these.

SVCB Records: These provide additional security certificate information. They're quite specialised and most sites won't need them.

Managing Third-Party Domains

If your domain uses DNS Connect (meaning it's registered elsewhere but pointed to Squarespace), you'll need to manage DNS settings through your domain registrar, not Squarespace. The Squarespace DNS panel won't show custom record options for these domains.

Check your domain setup in Squarespace to see whether you're using DNS Connect or if Squarespace is handling your DNS directly.

FAQs

Do I need extra DNS records if Squarespace already provides SSL?
Squarespace's SSL covers the basics for most sites. Additional records like CAA and DNSSEC are worth considering if you handle sensitive data or run a high-traffic site that needs extra protection.

Can I manage DNS settings for domains registered elsewhere?
It depends on your setup. If you're using DNS Connect, manage DNS through your domain registrar. If Squarespace handles your DNS, you can add custom records through your Squarespace dashboard.

What happens if I mess up my DNS records?
DNS changes can break your site temporarily, but they're usually reversible. Start with non-critical records and test changes on a staging site if possible. Squarespace support can guide you on where to add records but won't troubleshoot complex DNS issues.

How long do DNS changes take to work?
DNS changes typically take 24-48 hours to fully propagate worldwide, though you might see changes sooner in some locations.

Jargon Buster

DNS Records: Instructions that tell the internet how to find your website and handle different types of requests to your domain.

SSL Certificate: A security certificate that encrypts data between your visitors and your website, shown by the padlock icon in browsers.

DNSSEC: Security extensions that add cryptographic signatures to DNS records to prevent hijacking and other attacks.

CAA Record: A DNS record that specifies which certificate authorities are allowed to issue SSL certificates for your domain.

Nameservers: The servers that host your DNS records and respond to queries about your domain.

Wrap-up

Adding security DNS records to your Squarespace site isn't essential for every site, but it's a smart move if you want tighter control over your domain's security. Start with CAA records if you're using a specific SSL provider, then consider DNSSEC if you need stronger protection against DNS attacks.

Remember that Squarespace's built-in security features handle the basics well. These additional records are about going beyond standard protection rather than fixing problems with Squarespace's defaults.
