
Examining Real Examples of DNS Abuse: A Summary Overview of the 2nd DNS Abuse Forum

DNS Abuse Forum 2: Exploring the Edges to Reach Consensus – Discussions around the prevalence and mitigation of DNS Abuse frequently return to differences in its definition. Rather than avoid the issue, the DNS Abuse Institute tackled these definitional questions head-on in our second online forum held on May 25, 2021.

It was not without a little trepidation that I planned the 2nd DNS Abuse Institute Forum to focus on the long-standing and often contentious definitional issues surrounding DNS Abuse. While the risk of getting stuck in the usual entrenched positions was real, it seemed to me that we had an opportunity to provide some clarity and if not change minds, at least provide perspective.

To accomplish this, it seemed important to move the conversation away from the abstract and to focus on real examples of abuse. The goal of these examples was to make clear what abuse looks like in practice, what evidence is typically available, and on what basis a Registry or Registrar would need, or be able, to make a choice. Our panelists, Maciej Korczynski, Farzaneh Badiei, and Mason Cole did an exceptional, and entertaining, job of walking us through their perspectives.

Maciej Korczynski, an Assistant Professor at the University of Grenoble in France, and recent appointee to the DNS Abuse Institute’s Advisory Council, started the panel with a deep dive on DNS Abuse. Maciej raised a number of key points often missing from discussions of DNS Abuse. First, that mitigation needs to involve more than just the Registrar or Registry; it must also involve the hosting provider and any other internet infrastructure providers in play. Another key insight from Maciej’s presentation was the distinction between maliciously registered domain names and sites that have been compromised. From his research, it appears that a substantial number of domains involved in DNS Abuse, more than half of the domains involved in malware distribution, were attached to compromised websites. The implication of this distinction is that intermediaries like Registries and Registrars should employ different mitigation approaches appropriate to the type of harm and to whether the registration appears malicious or the domain is tied to a compromised site.

Mason Cole, Internet Governance Advisor at Perkins Coie and current chair of the ICANN Business Constituency, walked us through some of the approaches to defining DNS Abuse, highlighting the deficiencies of a categorical approach and noting that an increasing number of stakeholders have concerns about it. Mason proposed an alternative approach to the definition: rather than attempting to define abuse by the method used, we should focus on the harms themselves.

Farzaneh Badiei, Director of the Social Media Governance Initiative at Yale Law School, provided an interesting, and unexpectedly hilarious, framework for assessing harms.

Farzaneh put online harms into four categories: a) abuse of the DNS protocol infrastructure itself, b) using the DNS protocol to abuse a network, c) abuse through the registration of domain names, and d) registration of domain names to carry out socially undesirable activities. Farzaneh also argued that a categorical definition of DNS abuse doesn’t help us identify the relevant actors for mitigation. I strongly recommend watching Farzaneh’s intervention, if only for her choice of examples.

Overall, the panelists and our discussion were excellent, and they raised some interesting issues for the DNS Abuse Institute to ponder. All of the panelists highlighted that addressing abuse can’t happen only at the Registry or Registrar level. While the DNS industry needs to work together, we also need to build stronger, coordinated connections with hosting and cloud providers, as well as with the numbering and ISP communities. The Institute has begun some work in this area, and will continue to find opportunities for collaboration.

Relatedly, it seems that the complexity of harm requires a diversity of responses, even from Registrars and Registries with their limited tools. This could mean, for example, identifying ways to ensure rapid action on domains involved in bank phishing or botnets. It could also mean delaying action where the site appears to be compromised, attempting first to contact Registrants, webmasters or hosts, and only preventing the domain from resolving where those efforts have failed.

Moving Forward

The DNS Abuse Institute needs to ensure its definition of abuse is in line with those of Registrars and Registries, and it has no immediate plans to push for a new standard. However, these definitional discussions have highlighted different ways of thinking about these problems, such as working backwards from the harm itself, or examining what infrastructure is in play. These approaches suggest that less categorical, more sophisticated definitions are likely to be more flexible and potentially quite useful in addressing complicated and diverse types of abuse.

If you haven’t, please sign up for the DNS Abuse Institute’s Newsletter at dnsabuseinstitute.org for regular news and insights on this topic.

By Graeme Bunton, Director, DNS Abuse Institute
