Home / Blogs

To our readers: Does your company offer DNS or DNS Security services? CircleID has an opening for an exclusive sponsor for our DNS topic. Gain unparalleled results with our deep market integration. Get in touch: [email protected]

The Ever-Evolving Problem of DNS Abuse

For several years, many within ICANN circles have raised concerns about the escalating nature of domain name system (DNS) abuse. While some strides were made toward a safer DNS, new data—this time from a comprehensive study of DNS abuse by the European Union—demonstrates that abuse remains a frustratingly obstinate problem that requires urgent attention.

We’ve seen some registries and registrars testing innovative industry-led initiatives in an effort to address the issues. Unfortunately, as recognized by the European Union and others, these have taken us only so far. Much more is required of ICANN—the global coordinator of DNS policy—to take on this problem and make a measurable dent by adopting the common-sense recommendations in the EU report.

The longstanding abuse problem persists

As the EU report highlights, DNS abuse cuts a wide swath. The report analyzed 1.68 million abused names1—a staggering number that even without further context represents pervasive abuse rates. Actions of bad actors show no signs of abating.

Interestingly—and industry insiders have known this for some time—abuse tends to concentrate in certain top-level domains (TLDs) and/or with certain registrars. According to the EU study:

  • The two most abused new gTLDs together account for 41% of all abused new gTLD names in the second quarter of 2021.
  • The top five most abused registrars account for 48% of all maliciously registered domain names.

As mentioned, voluntary industry measures are laudable, but their reach is constrained. In fact, two of the three “most abused” registrars are signatories to the DNS Abuse Framework, the industry initiative launched in 2019 to try to mitigate abuse.

Building on the EU findings, our experience at Appdetex managing enforcement efforts for major brands and companies shows further that while worthy of applause, industry self-regulation goes only so far. As part of our service, we often notify registrars and registries of DNS abuse, following the procedures spelled out in the DNS Abuse Framework. The results, unfortunately, suggest that known abuse often goes unaddressed, and even signatories to the framework lag in their responses to abuse notifications—or in some cases, abuse complaints are outright ignored. In 2021, for example, we found that some registrar abuse complaint mitigation rates ranged as low as 25% of submitted notifications; even for framework signatories and for non-signatories sometimes the rate hovers at 0%. Registry framework signatories were more active in their mitigation work, with a much higher resolution rate of 93%, though again, non-signatory rates were worse, at only 34%.

Debates over definitions stall action

As a precursor to considering mitigation strategies, a working definition of DNS abuse has long been debated. Domain name registries and registrars—known in the ICANN sphere as contracted parties—have sought to exactingly limit the definition to malware, botnets, phishing, pharming and spam (as a method of distributing the first four types of abuse). Contracted parties argue this is appropriately scoped.

Naturally, this doesn’t address all forms of abuse. But then, what is abuse, if not only the above? One could recall as an analogy the U.S. Supreme Court Justice Potter Stewart, who famously said about trying to define obscenity:

I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description ... But I know it when I see it.

Similarly, it would be difficult to believe this industry doesn’t know domain name abuse when it sees it, and accordingly, abuse cannot reasonably be limited to an over-restrictive definition. To do so would be to ignore the changing nature of abuse and the new abuse vectors that emerge. As ICANN’s Security and Stability Advisory Committee (SSAC) noted in SAC115 (emphasis added):

These categories have been adopted within the ICANN realm in specific contracts, but do not represent all forms of DNS abuse that exist, are reported, and are acted upon by service providers. New types of abuse are commonly created, and their frequency waxes and wanes over time. Thus, no particular list of abuse types will ever be comprehensive.

If the community insists on defining abuse, that definition must be suitably broad enough to remain flexible and responsive to the evolution of abuse. So far, however, ICANN Org and contracted parties have not taken up the advice of the SSAC experts appointed to provide, well, expert advice. Thus, while some are hung up on a restrictive definition, the bad guys are getting smarter and more prevalent.

Conversely, the EU report finally proposes a definition of DNS abuse that is appropriately inclusive:

Domain Name System abuse is any activity that makes use of domain names or the DNS protocol to carry out harmful or illegal activity.

No doubt, some will balk at definitional inclusivity and tell us that too wide a definition is unworkable. But as we’ve seen, a too-narrow definition hasn’t helped solve what is a very wide problem, either. It would be wise to define more broadly and, if necessary, narrow over time.

Warnings have been brushed aside for over six years

Security experts not only have long warned about abuse but have prescribed various ways to at least begin to address it. For instance, more than six years ago, in SAC077, the SSAC wrote (emphasis added), about ICANN’s proposed marketplace health index:

The SSAC notes that to develop and maintain effective metrics of security and stability of the gTLD ecosystem, ICANN will have to undertake auditing activity, including mandating future disclosure of aspects of registry and registrar operations and behavior, in a form that emphasizes consumer protection over industry norms.

This is something ICANN Org has not done. In fact, it’s been made clear to the community from various directions that ICANN is woefully behind on its deliverables to the community—including those like the above, intended to inform all of us about the health of the DNS and where fixes are advisable.

Even as recently as 2020, during the opening of the COVID-19 pandemic when abuse rates spiked upward, industry observers pointed to the community’s response to security threats and abuse, labeling it as “weak tea.”

This industry has some catching up to do, or it will see solutions imposed on it.

What CAN be done about DNS abuse

The EU report calls for some reasonable practices registries and registrars can and should take to mitigate DNS abuse. These include:

  • Verifying the accuracy of domain name registrant data;
  • Developing tools for identification of names that infringe on intellectual property rights;
  • Using predictive algorithms to prevent abusive registrations;
  • Monitoring abuse rates with the cooperation of regulatory bodies and independent researchers; and
  • In conjunction with ICANN Org, be financially rewarded for lowering abuse rates.

There’s little reason contracted parties and ICANN Org can’t take these steps today in the name of DNS health.

The EU study’s authors recommend further steps toward abuse mitigation:

  • Public identification of registries and registrars with higher-than-normal rates of DNS abuse;
  • Revocation of accreditations for those whose abuse rates continually exceed predetermined thresholds;
  • Employment of DNSSEC; and
  • Harmonization by gTLDs of the regulations and practices of ccTLDs with lower rates of abuse.

These last four steps are not out of reach, either. We know the Danish .DK registry has been inordinately successful in keeping abuse at bay, mainly by verifying the identity of its registrants. The .EU registry employs an anti-abuse mechanism known as APEWS, which allows domain name registrations to proceed but pre-emptively identifies potential problem registrants.

Even a few forward-thinking entities are more proactive about anti-abuse measures. Radix Registry, for example, reviews registrations for potential abuse. Among other steps, Radix reserves rights to cancel a domain registration:

  • where the Registered Name Holder fails to keep Whois information accurate or up-to-date;
  • if the Registered Name use is abusive or violates the acceptable use policy, or a third party’s rights or acceptable use policies, including but not limited to the infringement of any copyright or trademark; or
  • where the Registered Name is found to have been registered as part of a set of any pattern-based registration which has shown abusive trends in the past, or is part of a present or ongoing abusive campaign, including but not limited to domains registered using any domain generation algorithms, scripts, dictionaries, etc., whether detected by Radix or a registrar.

Most registrars and gTLD registries have yet to employ these types of implementable solutions, even as their effectiveness has been widely demonstrated.

Conclusion

It’s obvious that ICANN is overburdened as an organization, to say the least. However, ICANN Org must prioritize its workload in an effort to stave off further governmental incursion, volunteer burnout, and frustration with lack of outcomes. In this instance, the EU report is chock full of facts and practical suggestions ICANN can immediately deploy, and ICANN is well overdue to take a hard stand against DNS abuse.

The concern is that ICANN Org and industry will continue with their messaging to date—that only so much can be done with (by ICANN Org’s admission) weak contractual enforcement provisions, that contracted parties aren’t in a position to take wider action against DNS abuse, and that various roadblocks prevent meaningful measures.

The time for excuses has passed. The DNS community, suffering from a deluge of abuse and without much recourse in the face of intransigence, needs action from contracted parties and ICANN Org. The EU report is a great place to start, and we look forward to good faith engagement in exploring its anti-abuse recommendations.

  1. European Commission, Directorate-General for Communications Networks, Content and Technology, Paulovics, I., Duda, A., Korczynski, M., Study on Domain Name System (DNS) abuse, 2022, https://data.europa.eu/doi/10.2759/616244 (p.53)  

By Mason Cole, Internet Governance Advisor at Perkins Coie

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

"DNS Abuse" might be an overloaded term Mark Delany  –  Mar 5, 2022 12:42 PM

I thought the article was going to discuss operational abuse of DNS servers with amplification attacks, interception, DDOS and the like. But no, you’re talking about policy abuse of name registration services.

Can I suggest that the term “DNS Abuse” might be too ambiguous or too overloaded to really attract the most appropriate audience? Perhaps “Domain Name Governance Abuse” or maybe “Lax Registry Rules Abuse”?

I know it’s a nit, but this forum is about precision and targeted content.

Is Facebook considered one of the 'bad actors'? George Kirikos  –  Mar 5, 2022 12:43 PM

When you write about these so-called “bad actors”, are you talking about companies like Facebook? As you might be aware, Facebook was fined $5 billion by the FTC:

https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions

and has been fined by other governments too, for various activities. I’m pretty sure their “harmful activities” were enabled by domain names, using the broadest definition above…

Or, is it that some entities are entitled to full due process under the law, but others aren’t entitled to full due process under the law? How do you select those who aren’t entitled to full due process under the law?

Confused Frederick Felman  –  Mar 16, 2022 10:37 AM

Are you asserting that FB/Meta is engaged in DNS abuse?

The CP working definition of DNS Abuse Volker Greimann  –  Mar 5, 2022 4:35 PM

is correctly scoped. You are just appempting to shoehorn all abuse that occurs on the internet into that definition when it really amounts to content abuse - which is:
a) outside the remit of ICANN
b) better addressed where the offending content is hosted or distributed (hosting services and mail services)

You know _abuse_ when you see it would be the correct wording but apparently you do not know to differentiate it from abuse that specifically abuses the DNS, e.g. malware, phishing/pharming and botnets, as well as certain forms of spam. If new forms of DNS abuse arise, they will certainly be looked at and added to the definition if appropriate.

On the other hand, the definition included in the EU report _is_ so broad that it is unworkable, and this sadly taints the entire report, which otherwise provides many good points. Almost any use of the internet these days “makes use of domain names or the DNS protocol”:
a) Fraulent phone calls? Yep! Most telephony is on the internet.
b) Spearphishing mails? Hard to send those without using the DNS.
c) Fake stores? Have to be reached by a domain name, be it compromised or purposefully registered for this.
d) Hacking your NAS? Clearly!
e) DDoS? Hello DNS!

As to the solutions:
1) verification is a red herring. It will provide no additional benefit as the real criminals are too smart to be caught out by this. All this does is lead to more incidences of identity theft and impersonation. On the internet, all cats are gray and can make themselves appear whoever they want to be, no matter what levels of verifications you introduce. All this does is increase the cost of the end users who register the domains they need for their hobbies, businesses, communications, or fun.
2) “identification of names that infringe on intellectual property rights”? It usually is not the registration of the domain itself that constitutes the violation, but its use. Anyone can and should be able to register any domain name incorporating a famous brand and set up a legitimate site that does not infringe upon the IP rights of that brand.
slutsofinstagram.com was genius while it existed. No infringement in sight. [brand]killedmyparents.com could be fair game if the parents of the registrant were really killed by a product [brand] produces. How do you want contracted parties or ICANN to regulate what even courts struggle with? No, this needs to remain relegated to the courts or the UDRP (and URS).
3) Predictive algorithms? If someone invents one that prevents all unjust preventions, please shot it to us.
4) Financial incentives? As registrars or registries we usually have no control over whether or when a criminal may choose us for their services. Sometimes it is a reseller of a reseller that is used (unwillingly) for that kind of activity. Sometimes it is just a promotion you run. This also could be abused by some. In any case it may violate the equal treatment requirements.
5)  Monitoring? Believe it or not, but many are already doing just that, but in the end it remains a game of whack a mole. Usually, abuse is not stamped out, it is just moved somewhere else for a time, until it comes back once they figured out how to circumvent your new practices.
6) Public identification? Sounds like providing advice to criminals where to best execute their plans…
7) Revocation of accreditations? As stated before, in many cases, CPs have no control who usues their services for what. We chop off the head of the hydra again and again, but still it lives. We should be helping those parties that struggle with fighting this, not punishing them. This proposal will just serve to concentrate the market around the big players who can affort to throw more resources against this problem than smaller ones can.

8) the ccTLD ID verification practices usually only apply to registrants in very specific jurisdictions. Once you try to expand them to an internation or worldwide registration base, they tend to no longer work so well as the data is not readily available everywhere.


Next thing you are going to propose that any registrant shall only get two domains total?  (I am not kidding, this is actually a policy in the wild right now).

Contracted parties are usually just as much victims of DNS abuse and other internet abuse as everyone else. Forcing them to jump through additional hoops for little to no effective benefit will just victimise them more.

As to the cases where “Radix reserves rights to cancel a domain registration”, this is probably already the practice of all registrars and laid down in their registration terms.  I see nothing substantially different from common practice here…

You used to know all of this. Maybe you forgot…

That said Volker Greimann  –  Mar 5, 2022 4:43 PM

Contracted parties are open to working with the community to find better ways to address DNS abuse (and other abuse within our remit) in a meaningful and productive way. We are participating actively in various intitiatives such as TOPDNS, the DNS Abuse Institute, many of us are working with various organizations to address DNS Abuse and other abuse of our services.

Definition of DNS Abuse Volker Greimann  –  Mar 5, 2022 4:44 PM

Here is a good summary of the history of the definition of DNS abuse at ICANN: https://icannwiki.org/DNS_Abuse

Why working with the hoster is often more efficient Volker Greimann  –  Mar 5, 2022 4:46 PM

Here is a nice little article that makes the case that the worst offender for hosting malware on the internet is actually... ...Microsoft! https://www.theregister.com/2021/10/18/microsoft_malware_brand/

Theo Geurts  –  Mar 6, 2022 2:01 AM

Let’s not conflate a few million URLs with domain names.

Looking at the Threatfox data from that period shows 986 URLs from Google.com, so how we count and what we count is very important within this discussion, but so far the ICANN community ignores the fact that the majority of DNS abuse is happening on the URL level.

Inability to Replicate Study George Kirikos  –  Mar 6, 2022 5:01 AM

Academia has a so-called “replication crisis” for research. This “study”, for lack of a better term, suffers major methodological problems.

First, it’s being called the “EU study” above, but page 4 clearly disclaims that, noting that it “reflects the views only of the authors”—an IP lawyer and 2 professors. It’s not the position of the EU itself.

Much of their so-called “primary research” relies on questionnaires (often to IP interests), yet they do not tell us even the basics, like how many people responded, what the questions were, the statistical significance,  sample size, confidence intervals, error margins, how it was randomly sampled, etc. This is what one would expect from an actual *scientific* study, but this does not appear in the report, or in the separate Appendix 1 (click on the “Related Publications” tab to get to the Appendix).

It appears to me that they just interviewed a bunch of their pals, and summarized a wish-list—how else can one characterize this “research”? It’s yet another collection of unrepresentative anecdotes—this is not science, given it can’t be replicated.

If you really want to laugh, take a look at pages 42-43 of the Appendix 1. In order to compute the estimate size of each registrar, they “collected registration information for approximately 241 million domain names (96% of all active domains we enumerated). We were able to parse the registration information and match the domain names of about 85% of the RDAP/WHOIS records to their respective registrars.”

Is that some kind of a joke? ICANN has long published monthly registry reports at:

https://www.icann.org/resources/pages/registry-reports

and one can get the EXACT number of registrations for each registrar, without parsing the WHOIS. For example, the dot-com transactions report for November 2021 is at:

https://www.icann.org/sites/default/files/mrr/com/com-transactions-202111-en.csv

and one can see (third column of a spreadsheet) precisely the number of domains held by each registrar for that gTLD (e.g. 007Names, IANA ID #91, had 6002 dot-coms, to pick a random registrar). This can be done across all gTLDs, and one need not rely on WHOIS lookups at all (of course, for ccTLDs, this approach would not work).

These so-called “experts” didn’t appear to be aware of this basic fact. They flooded the WHOIS system with hundreds of millions of unnecessary requests to get an estimate of registrar market share, rather than parse the available CSV files of the ICANN Registry Monthly Reports which has the precise numbers for gTLDs.

[This error was repeated on page 25 of the same Appendix, where they rely on the zone files, rather than use the precise ICANN Registry monthly reports.]

I could go on and on, but I think I’ve made my point—this is classic “garbage in, garbage out.”

George Kirikos  –  Mar 6, 2022 5:19 AM

Actually, on page 54 of the main report, I did find the total number of responses to the surveys: - 67 registrars/registries/hosting providers/DNS operators - 126 IP rightholders, practitionars, associations, business intelligence and brand protection companies. Hardly statistically significant, and again they didn't reveal the questions that were actually asked, confidence intervals, error margins, etc. Statisticians would laugh at these results.

Hit a nerve …! Frederick Felman  –  Mar 16, 2022 10:26 AM

Mason - you know that you are on the right track, when you get this level of discourse and negative comments on an article in circle ID! Nice work!

Interesting theory... Volker Greimann  –  Mar 16, 2022 10:32 AM

Having one’s arguments and incorrect claims countered means one is right? That’s alternative facts…

Incorrect… Frederick Felman  –  Mar 16, 2022 10:41 AM

… by your judgement not popularly accepted. You are clearly economically biased and have been drinking icann cool aid for too long. Step away and put on the hat of the average internet user.

Volker Greimann  –  Mar 16, 2022 10:49 AM

The average internet user must be properly educated not to fall for criminals online, just like the average man on the street must be educated not to fall for street criminals.

Agreed! Help Users! Frederick Felman  –  Mar 16, 2022 11:02 AM

Spectacular idea Volker! Ordinary people have learned not to trust people who conceal their identity. Let's help end-users educate themselves and make good decisions through transparency! You should advocate for requiring complete, accurate, and transparent registration records for all sites engaging in commercial activity. That simple move would help educate end-users and keep bad actors from hiding in anonymity.

Change the law then Volker Greimann  –  Mar 16, 2022 11:36 AM

That data should be where it belongs: On the website, as is mandated all across the EU. Publication of personal information of registrants (or their employees) without legal basis is sadly impossible under the GDPR. But most end-users don't know what whois is anyway.

comercial entity name address and phone illegal? Frederick Felman  –  Mar 16, 2022 11:47 AM

last reading, no privacy protection for commercial entities under GDPR or any other privacy laws, so your comment is false. As long as we are here... should isp's be required to take down any commercial site without easily found information about the underlying entity ... ?

Complexities of differentiation Volker Greimann  –  Mar 16, 2022 3:15 PM

While legal entities have no protection under GDPR, their employees whose data has been used in the whois records since time immemorial do. Furthermore, there is no easy way to determine which registration belongs to a legal entity and which one belongs to a natural person. Hence all data needs to be protected equally to prevent unwanted disclosures.

Shameful waste of time and energy... Frederick Felman  –  Mar 17, 2022 8:36 AM

There are a million reasons anyone can imagine for not creating a safer and more transparent DNS. However, you keep coming back to narrow edge cases with simple workarounds at scale. We live in a web world where this problem is solved billions of times a day. Every e-commerce platform does it daily. Sadly, ICANN policy (-not-) makers can’t imagine much less implementing a solution for the domain naming system in over three years—what a waste of time, money, and ultimately a shameful charade. I have no ax to grind in this matter other than safety and security for folks like my mom. No registrar name company, brand protection company, “non-profit,” nor industry association is paying me to say this, no one—nor am I profiting from what I say. Can you and the others opposing a safer, more transparent internet say that? Doubtful.

Shameful waste of time and energy... Frederick Felman  –  Mar 16, 2022 6:15 PM

There are a million reasons anyone can imagine for not creating a safer and more transparent DNS. However, you keep coming back to narrow edge cases with simple workarounds at scale. We live in a web world where this problem is solved billions of times a day. Every e-commerce platform does it daily. Sadly, ICANN policy (-not-) makers can’t imagine much less implementing a solution for the domain naming system in over three years—what a waste of time, money, and ultimately a shameful charade. I have no ax to grind in this matter other than safety and security for folks like my mom. No registrar name company, brand protection company, “non-profit,” nor industry association is paying me to say this, no one—nor am I profiting from what I say. Can you and the others opposing a safer, more transparent internet say that? Doubtful.

intended as a reply to volker Frederick Felman  –  Mar 17, 2022 8:35 AM

I'll repost as such.

The DNS is safe and transparent Volker Greimann  –  Mar 17, 2022 10:25 AM

...it is the use thereof and the content thereon that is not.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign