
The State of DNS Abuse: Moving Backward, Not Forward

ICANN’s founding promise and mandate are optimistic—ensure a stable and secure internet that benefits the internet community as a whole. Recent months, however, have highlighted the uncomfortable truth that ICANN’s and the industry’s approach to DNS abuse is actually moving backward, ignoring growing problems, abdicating on important policy issues, and making excuses for not acting. Further, the impending failure of ICANN’s new WHOIS policy to address cybersecurity concerns will add fuel to the fire, resulting in accelerating DNS abuse that harms internet users across the globe.

ICANN, though, has an opportunity here to not disappoint its community by taking courageous steps toward doing the right thing about DNS abuse. First, it needs to fully enforce its contracts with those registries and registrars that routinely harbor bad actors and have excessive rates of abuse. It should also demand that any new WHOIS policy helps, not hinders, cybersecurity professionals mitigating DNS abuse in a timely manner.

DNS abuse still grows without check in the face of COVID-19

DNS abuse growth continues unabated and the community sectors concerned with abuse have urgently expressed their worries for some time now. The Business Constituency (BC) sounded this alarm last fall and others—including the GAC—are on record with impatient statements to ICANN that abuse really can’t be ignored.

COVID-19 scams have magnified the problem. Criminal opportunists, to no one’s surprise, are exploiting public fear and leveraging the DNS to lure victims. WIPO documents a surge in cybersquatting case filings and, according to the National Association of Boards of Pharmacy, “rogue pharmacy” scams—which now are pushing unproven COVID-19 treatments—are rampant at domain names sponsored by notoriously lax registrars. Google reported a dramatic surge in COVID-19 related abuse, citing 18 million daily malware and phishing emails related to COVID-19 during one week in April.

Even more recently, registry provider Neustar reports “an increase in the overall number of attacks as well as in attack severity . . .” In addition to noting that it has “mitigated more than double the number of attacks in Q1 2020 than in Q1 2019,” Neustar also reported “an increase in DNS hijacking, a technique in which DNS settings redirect the user to a website that might look the same on the surface but often contains malware disguised as something useful.”

Law enforcement has taken notice, of course. According to the FBI, reports received at its Internet Crimes Complaint Center more than doubled in April—reports of crimes that resulted in hundreds of millions of dollars of damage.

[Figure] COVID-19 Response: Law Enforcement Perspective (Source: FBI)

While a few responsible registrars and registries have recently addressed abusive COVID-19 domain names in coordination with law enforcement, this response was not universal. Voluntary frameworks do not replace ICANN’s responsibility to ensure that all registrars and registries participate in DNS abuse mitigation efforts, as requested by a growing consensus of stakeholders.

Warnings from ICANN’s Stakeholders Ignored

The BC wasn’t the first to raise the red flag on DNS abuse. Look back in time—in this instance, almost five years—and one can see abuse has been the subject of countless forms of advice from experts from the security sector, governments, community members and others exercising their mandate under the Bylaws to advise the ICANN Board.

January 2016 – SSAC (SAC077): ICANN should collect and disseminate information about known categories of how domain registrations are used for abusive and fraudulent purposes.
November 2016 – GAC (Hyderabad Communique): GAC questions Board on ICANN’s plans for abuse mitigation.
June 2018 – SSAC (SAC101): Security practitioners’ and law enforcement’s ability to mitigate cybercrime and DNS abuse has been negatively affected.
September 2018 – CCTRT Final Report: ICANN Org should work with registries and registrars to add provisions to contracts aimed at preventing DNS abuse.
October 2018 – GAC (Barcelona Communique): Not having reasonable access to WHOIS data is prolonging the exposure of victims to crime and abuse.
October 2018 – SSAC (SAC103): SSAC recommends requirements for new gTLDs include robust abuse mitigation measures.
December 2018 – SSAC (SAC104): The current lack of definition of reasonable access impacts the ability of security actors to fight abuse and cybercrime.
September 2019 – GAC (Statement on DNS Abuse): Protecting the public from security threats and DNS abuse is an important public policy issue.
November 2019 – GAC (Montreal Communique): The Board shouldn’t proceed with a new round of gTLDs until after implementation of recommendations on DNS abuse mitigation.
December 2019 – ALAC: DNS abuse is a key factor eroding confidence in a single, trusted, interoperable Internet.
March 2020 – SSAC (SAC110): It’s clear the domain name system is under continual pressure from various forms of abusive and fraudulent behaviours, and the position is not improving.
March 2020 – GAC (ICANN67 Communique): GAC reiterated previous advice calling for implementation of community recommendations on abuse mitigation.
June 2020 – GAC (ICANN68 Communique): Governments, ICANN, and the Community must take a multi-pronged approach to combating DNS abuse.

Yet, the ICANN Board has largely ignored calls for action.

ICANN Org has facilitated a lot of talking—it scheduled a cross-community discussion on abuse during its Montreal meeting last November and another one during its virtual meeting in June. Between those meetings, though, the ICANN Board responded with a wary letter to the BC defending its ticketing record and only this May, through a memorandum of understanding (MOU) with FIRST, seemingly acknowledged the rampant abuse problem and the need to do more than simply rely on best practices offered up by its contracted parties.

However, we’re left with no tangible result from these discussions, except the insistence by ICANN Org leadership that anything related to fighting abuse must come from the community—a community where parties with outsized influence block meaningful anti-abuse measures.

The Ball is in ICANN’s Court

If nothing changes, the pattern will continue, DNS abuse will persist as it has, and policy groups will continue to punt on new DNS abuse requirements, despite objections. ICANN Org must break out of its rut and secure real tools for mitigating abuse, which includes a robust WHOIS system to identify and proactively respond to DNS abuse. The current proposals by an expedited policy group (known as the EPDP) that refuse to treat phishing-related WHOIS requests with urgency are woefully inadequate (for example, responses to queries can be expected within ten business days). Phishing attacks are mitigated in hours, not days, to protect people from identity theft and financial ruin. This is just one of many problems with the new EPDP WHOIS policy to be shortly teed up for approval.

The ball is now squarely in the Board’s court to demand that ICANN Org show leadership and do what it is supposed to do as an accrediting body meant to oversee the DNS. While confidence in ICANN’s capabilities continues to erode, there’s still an opportunity to remedy things for the better—it requires leadership, a firm direction, and community collaboration, but it’s not too late to act.

By Mason Cole, Internet Governance Advisor at Perkins Coie

Comment: Yet ICANN’s monitoring shows a stable trend
Theo Geurts – Jul 24, 2020 11:22 AM

Yet ICANN’s monitoring shows a stable trend and in certain cases a downtrend.

While I am sure of the FBI numbers reporting an increase in complaints and victim count and victim loss, I am not so sure of a direct relationship of DNS abuse.

Comment: ICANN’s WHOIS Debacle is Obstruction of Justice
Greg Thomas – Jul 24, 2020 9:33 PM

ICANN’s inability to provide access to non-public registrant data for law enforcement is nothing less than obstruction of justice. 

ICANN’s failure here is near-certain to spur Congressional action in search of solutions.  Read more about this and the alarming implications of ICANN’s corruption and capture by special interests.

Comment: The Internet’s Insider Threat
Greg Thomas – Jul 25, 2020 7:55 PM

Since the link apparently isn’t working in my last comment, I’m posting my full thoughts here.

The Internet’s Domain Name System (DNS) is a key enabler of technologies, such as cloud computing, that facilitate so much of what we do today and also will underpin the systems and solutions that power us into the future. At the same time, growing awareness of the significance of the DNS as the root zone of the global Internet — which is a critical lens through which to see the diplomatic maneuvering by China and Russia within international organizations and the rapid rise of DNS-focused attacks perpetrated by cybercriminals — means the DNS is seen increasingly as a strategic geopolitical chess piece. This trend is unlikely to change anytime soon and the DNS can no longer be managed as if it were solely the technical province of engineers.

Despite its starring role at the core of the Internet, the DNS has never enjoyed much in the way of marquee billing and neither does it attract the level of attention or headlines as do many of the comparatively bit players that deliver content and services at the Internet’s edge. In part, this is because users aren’t interested in the “how” of content and services delivery. But it’s also because the managers of the DNS — ICANN and its contracted parties — prefer the benefits of anonymity. Would-be regulators and other curious outsiders are kept at bay with an element of mystique manufactured from policies and procedures that are complex-by-design and made further inaccessible to all but an insular club of special interests that, like an itinerant court of Versailles, gathers three times per year at ICANN meetings held in exotic and ever-changing locales. Membership in this self-important society is populated heavily by corporate representatives and government officials as well as the NGOs, academics, and other assorted at-large and non-commercial “stakeholders” that are sponsored to be there by corporate and government interests. 

These in-person meetings are a core element of ICANN’s exclusionary management style for the DNS, which belies the lofty, yet ultimately empty, doublespeak about inclusive stakeholder representation and bottom up multistakeholder policy-making. The importance that ICANN places on exclusive face-to-face summits is on full display in the Goals for Fiscal Year 2021 of ICANN CEO Goran Marby. In a recent post about his priorities, Marby begins by conceding that “(t)he world around ICANN is changing, and ICANN needs to evolve with it.” He goes on to indicate that the Goals were created in partnership with ICANN’s Board—making clear that this isn’t some rogue operation.

Mr. Marby’s very first goal is to, “(w)ork with Supporting Organizations and Advisory Committee leaders, community members, and the Board to define and implement a phased plan to return to face-to-face meetings.” He explains that, “(f)ace-to-face meetings have always been an important part of ICANN’s DNA.” So, while the world is evolving and innovating with Internet-enabled remote participation technologies for events and meetings, the steward of the Internet’s root zone is prioritizing a return to expensive, exclusive, and ecologically unsound face-to-face meetings.

Why? Well, ICANN must restore junkets because they: 1) pacify the community with spectacle and revelry; 2) exclude most non-sponsored potential attendees (one recently published estimate pegged the travel costs to attend ICANN’s three meetings each year at $30,000); and, 3) represent a critical control mechanism that ICANN and its contracted parties rely on for hands-on managing and influencing of DNS policy-making.

Similarly to the actual court at Versailles, ICANN’s roving version is about controlling a particular group of people—French monarchs kept an eye and ear on pesky nobility; ICANN’s focus is on special-interest stakeholders. Restoring in-person meetings is given top billing before many things that should be higher priorities. For instance, although fixing ICANN’s multi-million dollar budget hole is finally mentioned in Goal #9, there is no mention of resolving the negligent failure to provide access to registrant data to law enforcement and others with legitimate need-to-know — a shortcoming that is likely to spur Congressional action. Nor do these goals even pretend to address the governance dumpster fire of ignoring thousands upon thousands of community comments in order to relax or remove pricing safeguards for .com and .org, respectively. Inarguably, these are more significant and deserving of higher priority than restoring ICANN’s traveling circus.

As mentioned above, at least one of ICANN’s governance failures is likely to spur Congressional action in search of solutions. This isn’t ideal and should be seen as a substantial black mark on the community’s performance record for managing the DNS.  ICANN’s former CEO Fadi Chehadé recently published an op-ed in the Jordan Times titled “Geeks Not Government.“ His call for keeping the Internet independent of government interference is a lovely sentiment but quickly becoming at risk of seeming quaint and outmoded.

Fadi’s article is also rather disingenuous considering that he has done more than any other person to create the conditions by which government intervention is becoming seen as necessary. Lest anyone forget, it was Fadi who traveled to Brazil for a meeting with now-disgraced former president Dilma Rousseff and where, referring to her U.N. speech excoriating the U.S., he declared that “she spoke for all of us; she spoke for the world.” (author’s note: she didn’t speak for this correspondent.)

While in São Paulo he also instigated NetMundial, which became a Leftist forum for Communists and dictators to voice their views on how to make the Internet a better place. More recently, his attempted looting of the DNS by acquiring the .org domain name registry was so riddled with red flags that California’s Attorney General was forced to intercede on behalf of the public interest.

Some longtime community leaders have expressed their view that the state Attorney General shouldn’t have gotten involved — that even a wrong decision from ICANN about whether or not to approve the .org change of control was preferable to one made with direct government influence.

This creates a Hobbesian dilemma where, essentially, Fadi and like-minded stakeholders are holding a gun to the head of the free and open Internet and demanding, “let us take what we want or the Internet gets it.” The problem is that ICANN has allowed itself to become mortally compromised and the resulting governance failures are leading many to conclude that only government intervention can mitigate the worst abuses. Unfortunately, this is a very slippery slope because at some point the question becomes about why the geeks are running things if they do such a bad job that government intervention is required. The status quo, which Fadi and others defend, has been corrupted into laissez-faire governance that permits ICANN insiders and special interests to profit privately from public interest infrastructure.

This state of affairs makes a mockery of private sector leadership of the DNS, and multistakeholder governance — on which the United States has placed strategic geopolitical bets for the future of the Free World — only works when the public interest hasn’t been supplanted by the self-interest of its custodians.

Preserving our free and open Internet is predicated unavoidably on the stakeholder community being ready, willing, and able to: 1) refuse to accept the bad-faith substitution of self-interest for the public interest by ICANN, its subcontractors, and other special interests; 2) reject conflicted policy and contractual outcomes that result from illegitimate or flawed processes; and, 3) speak truth to power by questioning the questionable decisions and self-serving actions of ICANN, contracted parties, community leaders, and others that ill-serve the free and open Internet by eroding the legitimacy of private sector-led multistakeholder Internet governance.

The recent Twitter hack brought into stark relief the threat to technology platforms posed by insiders. Similarly, without a significant reboot coming from within, our current trajectory terminates with existential crisis and government intervention at the Internet’s root — an inside job for which we’d only have ourselves to blame.

Comment: Invalid link
Patrick Mevzek – Jul 28, 2020 10:48 PM

“Since the link apparently isn’t working in my last comment”

You are missing the “:” after the scheme.
