With the growing concern around DNS content abuse, many registries and registrars have started to implement new processes in order to address it. Some have begun publishing transparency reports, creating processes to receive feedback from users and some are even launching content moderation tools.
A domain trust is a way for organizations that have multiple domains to grant security principals access to resources across those domains. A domain can be trusted by other domains (as in a domain forest); trusts can be one-way or two-way, and they can be transitive or non-transitive. Microsoft has a good post on the topic, “Security Considerations for Trusts”.
Assess Domain Trust Levels with Safety Scoring Tools
When a client uses the NTLM authentication protocol, it sends its credentials to a domain controller in the target domain for authentication. This domain controller compares the user account against its security accounts database to determine whether the user can sign in. It looks for any relationships that cross the mapped trust boundaries, including items such as DACL ACE entries and membership in local administrator groups.
If there is a trust relationship, the PDC emulator in the target domain checks the security account data to see whether there are any elevated SIDs in the user’s domain that would enable them to act as a security principal in another domain. If there are, it creates a DACL entry with the user’s elevated SID in the target domain and then updates the corresponding account object in the trusting domain. The update is then replicated to the other domain controllers in the trusting domain.
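The paragraph above describing trusts (one-way or two-way, transitive or non-transitive) and the heading about assessing trust levels suggest a simple audit: enumerate every trust of the current domain and score it by the attributes that widen its reach. The script below is an added example written for this page, not code from the original text or from Microsoft. It assumes the RSAT ActiveDirectory module (`Get-ADTrust`) is available when run live; the `$sampleTrusts` objects are constructed so the scoring logic can be exercised offline, and the weights in `Get-TrustRiskScore` are arbitrary choices for illustration.

```powershell
# Added example (not from the original page): rank Active Directory trusts by how
# much access they extend, using the attributes Get-ADTrust exposes. Weights are
# illustrative, not a Microsoft scoring scheme.

function Get-TrustRiskScore {
    param([Parameter(Mandatory, ValueFromPipeline)] $Trust)
    process {
        $score = 0
        $reasons = @()

        # Two-way trusts extend access in both directions; one-way trusts only one.
        if ($Trust.Direction -eq 'BiDirectional') { $score += 2; $reasons += 'two-way' }
        else                                       { $score += 1; $reasons += "one-way ($($Trust.Direction))" }

        # Transitive trusts let access flow on to domains the trust partner trusts.
        # (DisallowTransivity is the property's actual spelling in the AD module.)
        if (-not $Trust.DisallowTransivity) { $score += 2; $reasons += 'transitive' }

        # SID filtering protects against SID history injected from the trusted side.
        # It does not apply inside a forest, so only score external/forest trusts.
        if (-not $Trust.IntraForest -and
            -not $Trust.SIDFilteringQuarantined -and
            -not $Trust.SIDFilteringForestAware) {
            $score += 3; $reasons += 'SID filtering disabled'
        }

        # Selective authentication limits which resources trusted principals can reach.
        if (-not $Trust.SelectiveAuthentication) { $score += 1; $reasons += 'no selective authentication' }

        [pscustomobject]@{
            Target  = $Trust.Target
            Score   = $score
            Reasons = ($reasons -join '; ')
        }
    }
}

# Constructed sample trusts (hypothetical names) so the function runs without a domain.
$sampleTrusts = @(
    [pscustomobject]@{ Target='partner.example';  Direction='BiDirectional'; DisallowTransivity=$false;
                       IntraForest=$false; SIDFilteringQuarantined=$false; SIDFilteringForestAware=$false;
                       SelectiveAuthentication=$false }
    [pscustomobject]@{ Target='vendor.example';   Direction='Outbound';      DisallowTransivity=$true;
                       IntraForest=$false; SIDFilteringQuarantined=$true;  SIDFilteringForestAware=$false;
                       SelectiveAuthentication=$true }
    [pscustomobject]@{ Target='child.corp.example'; Direction='BiDirectional'; DisallowTransivity=$false;
                       IntraForest=$true;  SIDFilteringQuarantined=$false; SIDFilteringForestAware=$false;
                       SelectiveAuthentication=$false }
)

$sampleTrusts | Get-TrustRiskScore | Sort-Object Score -Descending | Format-Table -AutoSize

# Live use on a domain-joined host with RSAT installed:
#   Import-Module ActiveDirectory
#   Get-ADTrust -Filter * | Get-TrustRiskScore | Sort-Object Score -Descending
```

In the sample, `partner.example` (two-way, transitive, external, no SID filtering, no selective authentication) lands at the top; the intra-forest child domain scores lower because SID filtering is not a control that applies within a forest. Review the top of the list against the Microsoft guidance the text cites before changing any trust attribute.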