Description: All default Canarytokens use o3n.io (for example 45e51129ec7e.o3n.io). Adding a Custom Canarytoken Domain further obscures the Canarytokens and makes it more plausible that the link/URL belongs on your network.
We also auto-generate and auto-renew the TLS certificates for you, so you will not need to worry about this!
Note: You will need:
- Access to log on and make changes to your Canary Console
- Access to create or get records created in your public DNS Zone/Domain
Follow the steps below to change the default Canarytokens domain:
Step 1:
Log in to your Console.
Step 2:
1. Click on the gear icon.
2. Click on Global Settings.
Step 3:
Select Canarytokens and enable Custom Canarytokens Domains.
Step 4:
You will be asked to create two records in your DNS Zone (let's assume your custom domain is docs.staging-kb.thinkst.com).
1. First, create the Name Server (NS) record:
Note: docs. is used in this example, but you can use any label here.
- docs.staging-kb.thinkst.com NS ns1.docs.staging-kb.thinkst.com
2. Then create the Address (A) record for that name server:
- ns1.docs.staging-kb.thinkst.com A {{Console's IP - which can be found in the Custom Canarytoken Domain tab}}
3. Click Save and you're ready to test your new token domain.
Step 5:
You are now ready to test your Custom Canarytoken Domain.
Updating or Creating new Canarytokens
Newly created Canarytokens on your Console will use the new Custom Domain. Canarytokens that are already deployed in the field will still work correctly; however, their embedded URLs will not contain the new domain. You can simply re-deploy or replace them if you want them to use the new domain.
FAQ
Why can I trigger a Canarytoken on an external network but not on my internal network?
The likely cause is that your internal network is unable to resolve your Custom Domain (docs.example.com). To get around this, add an A record to your internal DNS for docs.example.com.
How can I add HTTPS support for triggering custom Canarytokens domain?
This is added automatically after a short delay while the domain is set up to be issued with TLS certificates. The support team will reach out if there are any issues with the domain. If unsure, get in touch with us.
What is a CAA DNS record and how could it block enabling HTTPS on your custom domain?
A Certification Authority Authorization (CAA) record can be set on a domain to allow only a listed set of Certificate Authorities (CAs) to issue TLS certificates for that domain and any of its subdomains. If the Canarytokens custom domain is a subdomain of a domain with a CAA record, and that record does not allow the Let's Encrypt CA to issue certificates, the Console won't be able to set up HTTPS for the domain automatically. Using a subdomain of a different domain without a CAA record (or with a CAA record that permits Let's Encrypt) will allow this to work. If unsure, get in touch with us.
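The two DNS prerequisites above, the NS delegation with its A glue record from Step 4 and the CAA climb that a CA performs before issuing, can be checked offline against a snapshot of your zone. The following is an added example (not Canary's own code): the zone dictionary, the 192.0.2.x addresses and the CA names in it are constructed, and it models the non-wildcard CAA rule only (issuewild is not considered).

```python
"""Offline check of the DNS prerequisites for a Custom Canarytoken Domain.

Models two checks against a constructed zone snapshot (not live DNS):
 1. Step 4: an NS record for the custom domain plus an A (glue) record for
    that name server pointing at the Console IP.
 2. The CAA lookup a CA performs (RFC 8659): climb from the domain towards
    the root until a CAA RRset is found; if one exists and no "issue" tag
    names the CA, issuance is blocked. Wildcard (issuewild) rules are omitted.
"""

# Constructed zone data: owner name -> {rrtype: [record values]}.
# 192.0.2.0/24 is documentation address space; the CA names are placeholders.
ZONE = {
    "docs.staging-kb.thinkst.com": {"NS": ["ns1.docs.staging-kb.thinkst.com"]},
    "ns1.docs.staging-kb.thinkst.com": {"A": ["192.0.2.10"]},
    "example.com": {"CAA": ['0 issue "some-other-ca.example"']},   # blocks Let's Encrypt
    "docs.example.com": {"NS": ["ns1.docs.example.com"]},
    "ns1.docs.example.com": {"A": ["192.0.2.11"]},
    "tokens.example.org": {"CAA": ['0 issue "letsencrypt.org"']},  # explicitly permits it
}


def lookup(name, rrtype, zone=ZONE):
    return zone.get(name, {}).get(rrtype, [])


def delegation_ok(domain, console_ip, zone=ZONE):
    """Step 4: NS record present and its name server has an A record for the Console IP."""
    return any(console_ip in lookup(ns, "A", zone) for ns in lookup(domain, "NS", zone))


def find_caa(domain, zone=ZONE):
    """Return (owner, rrset) of the closest CAA RRset at or above domain, else None."""
    labels = domain.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup(name, "CAA", zone)
        if rrset:
            return name, rrset
    return None


def issuance_allowed(domain, ca="letsencrypt.org", zone=ZONE):
    """True if no CAA RRset governs the domain, or the governing one names the CA."""
    found = find_caa(domain, zone)
    if found is None:
        return True  # no CAA anywhere up the tree: any CA may issue
    for record in found[1]:
        _flags, tag, value = record.split(" ", 2)
        # Property value may carry ";param=..." suffixes; compare the CA domain only.
        if tag == "issue" and value.strip('"').split(";")[0].strip() == ca:
            return True
    return False
```

Run `issuance_allowed("docs.example.com")` on the constructed zone to see the CAA-blocked case from the FAQ, and `delegation_ok("docs.staging-kb.thinkst.com", "192.0.2.10")` for the Step 4 records.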