All default Canarytokens use o3n.io (for example, 45e51129ec7e.o3n.io). Adding in a Custom Canarytoken Domain further obscures Canarytokens and increases the belief that this link/URL belongs on your network.
We also auto-generate and auto-renew the certificates for you, so you don't need to worry about this.
Requirements
You will need:
- Access to log on and make changes to your Canary Console
- Access to create or get records created in your public DNS Zone/Domain
How to change the default Canarytokens domain
Step 1: Log in to your Console
Log in to your Console.
Step 2: Open Global Settings
Click on the Gear icon and select Global Settings from the dropdown.
Step 3: Enable Custom Canarytokens Domains
Select Canarytokens and enable Custom Canarytokens Domains.
Step 4: Create domain records
You will be asked to create two records in your Zone (let's assume your custom domain is docs.staging-kb.thinkst.com).
1. First, create the Name Server Record (docs. is used in this example, but you can use any label here):
docs.staging-kb.thinkst.com NS ns1.docs.staging-kb.thinkst.com
2. Then create the Address Record:
ns1.docs.staging-kb.thinkst.com A {{Consoles IP - Which can be found in the Custom Canarytoken Domain Tab}}
3. Click Save, and you're ready to test your new Canarytokens domain.
Step 5: Test the domain
You are now ready to test your Custom Canarytoken Domain.
Updating or creating new Canarytokens
Newly created Canarytokens on your Console will use the newly created Custom Domain. If you already have Canarytokens in the field, they will still work correctly; however, they won't have the newly created domain in the embedded URL. You can simply re-deploy or replace them should you wish to use the newly created domain.
FAQ
Why can I trigger a Canarytoken from an external network, but not from my internal network?
The likely cause is that your internal network can't resolve your Custom Domain (docs.example.com). To get around this, add an A record for docs.example.com to your internal DNS.
How can I add HTTPS support for triggering the custom Canarytokens domain?
This will be added automatically after a short delay while the domain is set up to be issued with TLS certificates. The support team will reach out if there are any issues with the domain. If unsure, reach out to our support team.
What is a CAA DNS record, and how could it block enabling HTTPS on your custom domain?
A Certification Authority Authorisation (CAA) record can be set on a domain, which allows only a set list of Certificate Authorities (CAs) to issue TLS certificates for that domain and any subdomain. If the Canarytokens custom domain is a subdomain of a domain with a CAA record, and that record does not allow the Let's Encrypt CA to issue certificates, the Console won't be able to automatically set up HTTPS for the domain. Using a subdomain of a different domain without a CAA record (or with a CAA record that permits Let's Encrypt) will allow this to work. If unsure, get in touch with us.
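The following is an added example (not Thinkst's code) that shows how the CAA check above decides whether Let's Encrypt may issue for a candidate custom domain: it walks from the subdomain up to its parents and lets the closest ancestor that has CAA records decide, as defined in RFC 8659. The CAA_RECORDS table is constructed sample data standing in for the answers `dig CAA <name>` would return; letsencrypt.org is Let's Encrypt's published CAA identifier.

```python
"""Evaluate the CAA policy that governs a Canarytokens custom domain.

Constructed sample data: CAA_RECORDS stands in for the answers you would get
from `dig CAA <name>` for each name in the tree. Lookup follows RFC 8659: walk
from the candidate domain up towards the root and let the closest ancestor
that has any CAA records decide; no CAA anywhere means no restriction.
"""

# Constructed sample zone data: name -> list of (flags, tag, value).
CAA_RECORDS = {
    "thinkst.com": [(0, "issue", "digicert.com")],        # parent locks issuance to one CA
    "example.net": [(0, "issue", "letsencrypt.org"),
                    (0, "issuewild", "letsencrypt.org")],  # explicitly permits Let's Encrypt
    "locked.example": [(0, "issue", ";")],                 # empty value: no CA may issue at all
    # tokens.example.org deliberately has no CAA record anywhere in its tree
}

LETSENCRYPT = "letsencrypt.org"


def relevant_caa(name, records):
    """Return (owner, rrset) for the closest CAA set covering `name`, or None."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = records.get(candidate)
        if rrset:
            return candidate, rrset
    return None


def caa_permits(name, ca, records=CAA_RECORDS, wildcard=False):
    """True if `ca` may issue a certificate for `name` under the applicable CAA policy.

    Set wildcard=True when the certificate requested is a wildcard (*.name);
    issuewild then takes precedence and falls back to issue when absent.
    """
    found = relevant_caa(name, records)
    if found is None:
        return True                        # no CAA in the whole tree: unrestricted
    _, rrset = found
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if wildcard and not values:
        values = [v for _, t, v in rrset if t == "issue"]
    if not values:
        return True                        # CAA present but silent on this tag
    # Values may carry parameters after ";"; an empty issuer name forbids every CA.
    return any(v.split(";")[0].strip().lower() == ca for v in values)
```

Running the check against the constructed data shows that docs.staging-kb.thinkst.com inherits the thinkst.com policy and would block Let's Encrypt, while a subdomain of a CAA-free domain is unrestricted.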