Home / Blogs

Unpacking the Framework to Address DNS Abuse

As the Internet has grown, so too have the abuses that go along with one of the world’s most transformative technologies. For all of the positives the Internet brings, negatives like phishing, malware and child exploitation are a reality online.

As of December 9, 2019, 48 registrars and registries have signed onto the “Framework to Address Abuse.” This initiative was launched last month by a number of domain name registries and registrars, just prior to the ICANN meeting in Montreal. It addresses many of the most egregious abuses of the Domain Name System (DNS).

Addressing myriad abuses online has been a topic in the ICANN community for years, but as these abuses have become more prevalent and visible around the world, pressure on registrars and registries to take meaningful action has increased. In order to address DNS abuse, it is critical to have a common definition within the community, and the Framework spells out the following types of abuse:

  • Malware (malicious software installed on a user’s device without their consent for the purpose of gaining sensitive information)
  • Botnets (malware infected devices that are commanded remotely to perform certain activities)
  • Phishing (using fraudulent or “look-alike” emails to trick a victim into providing sensitive personal, corporate or financial information)
  • Pharming (redirecting unknowing users to fraudulent sites or services generally through DNS hijacking or poisoning)
  • Spam (unsolicited bulk email where recipients have not provided permission to be contacted)

As it relates specifically to Spam, the Framework includes it only when it is used as a delivery mechanism for the other forms of abuse listed above. Unsolicited email alone does not constitute DNS Abuse. That said, when it is used as a vehicle to perpetuate a phishing attack, for example, it would be considered abuse.

The Framework indicates that registrars and registries must act on these types of abuses. However, it’s also important to note that registrars and registries have limited options when it comes to taking action on abuses in general.

The only real option available for registrars and registries is the “nuclear option,” which essentially entails disabling an entire domain name. Only hosting providers can take action on specific sites or content within domain names, which affords them with much greater flexibility. Registrars and registries need to ensure that when they take action against a specific domain name, there are no unintended consequences.

Often times, a legitimate domain name will have a vulnerability that allows a bad actor to host abusive content on the site. In this case, disabling the entire domain name would also remove legitimate content, as the “nuclear option” removes everything from the Internet connected to that domain.

The Framework also addresses website content issues, which are generally not as clear-cut as the abuses defined above. While it’s important for registrars and registries to have discretion allowing them to potentially act when presented with a claim of content abuse, there are certain categories of content abuse that the Framework indicates should be acted upon. These include:

  • Child sexual abuse materials
  • Illegal distribution of opioids online
  • Human trafficking
  • Specific and credible threats to incite violence

These are all categories that should be acted upon. But again, it’s important to note that the only option available for registrars and registries is the “nuclear option,” which is why it’s critical for hosting providers to be the first point of contact to address content issues.

The Framework is a great first step and a good starting point for conversations within the community. While we have heard from many that it does not go far enough, there is also a strong contingent that believes it goes too far. Given this, it would seem that the Framework strikes a good balance as a starting point.

The Internet has arguably been one of the most significant technologies the world has ever seen. It has enabled the world to be more connected than many ever would have imagined. It also created opportunity for bad actors to find ways to use the Internet to perpetrate bad acts which this Framework attempts to address.

By Matt Serlin, Domain Name Industry Veteran and Advisor

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix


Sponsored byVerisign


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign