Home / Blogs

Data, DNS Abuse and What to Do Next

To the annoyance of some, surely, the issue of abuse in the domain name system (DNS) has been high on the list of critical issues in internet governance circles. Personally, in my more than 20 years of internet governance experience, tackling DNS abuse is one of the more important issues I’ve participated in and seen debated. Despite this intense scrutiny, common-sense solutions (such as contract improvements) have been so far elusive, even as they fall squarely within its ICANN’s remit.

At this stage, though, it’s curious as to how DNS abuse became a debatable subject, both in terms of its prevalence and its potential mitigation. It’s not as though anyone thinks it doesn’t exist at all. Phishing, pharming, botnets, malware, infringement, you name it—since the commercialization of the DNS, various types of abuses have sprouted, evolved, become entrenched, evolved further, and grown, all harming users and degrading trust in the internet ecosystem.

Disturbingly, in recent years, there’s been a bit of an information war in terms of the true extent of DNS abuse. In one camp are the few that tell us DNS abuse is abating. In the other camp is seemingly everyone else—technical authorities, security experts, authors of detailed studies, business associations and others, all producing data sets that counter the narrative that we don’t need to act with urgency against abuse.

Even if one were to cast aside the data, however, it would be tough to believe abuse isn’t a pressing matter. Within the ICANN sphere alone, we see numerous initiatives focused on DNS abuse:

  • The DNS Abuse Framework;
  • The DNS Abuse Institute, founded by Public Interest Registry;
  • The ICANN Board’s new committee on DNS abuse;
  • The ICANN Generic Names Support Organization’s (GNSO) small group on DNS abuse; and
  • Myriad other informal ad hoc groups formed to talk about ways to handle the abuse problem.

So if DNS abuse isn’t really a problem, or if it’s receding, why are we all organizing to do something about it?

The fact is that DNS abuse is a problem, an evolving one, and while industry efforts are laudable, it’s beyond time for the next set of solutions.

The data wars

At a cadence of every few months or so, we see publication of a new set of data or a study relating to DNS abuse. It’s been a maddening spectacle. One side says, “DNS abuse really is a problem, and it’s getting serious. Here’s some data to show how.” The other side says, “No it isn’t. Look at our data instead.”

In the interest of helping put the dispute to bed, here’s a quick overview from data by the Cybercrime Information Center—experts who know what they’re talking about—of the current status of abuse as it relates only to the insidiousness of phishing.

Between February and April 2022:

  • There were 303,348 phishing attacks;
  • 223,324 domains were reported for phishing;
  • 147,036 domain registrations were found to be malicious; and
  • Phishing was observed in 519 top-level domains (TLDs).

For the same period, the Center identified 116 domain registrars with a minimum of 30,000 domains under management and at least 25 reported phishing domains. In that sample:

  • 65 registrars had more than 100 reported phishing domains;
  • 32 registrars had more than 500 reported phishing domains;
  • 24 registrars had more than 1,000 reported phishing domains; and
  • Five registrars had more than 5,000 reported phishing domains.

On the registry side, the Center documents that most phishing continues to be concentrated in just a few TLDs. For the February-April period, 132 TLDs with a minimum of 30,000 delegated domains were found to have at least 25 reported phishing domains:

  • 36 TLDs had more than 500 domain names reported for phishing;
  • 25 TLDs had more than 1,000 domain names reported for phishing; and
  • 79 TLDs had more than 5,000 domain names reported for phishing.

If that data isn’t persuasive, have a look at the Anti-Phishing Working Group’s (APWG) most recent quarterly trend report on phishing activity, which reported further growth in phishing activity. The update states that:

  • APWG saw 316,747 attacks in December 2021, which was the highest monthly total in APWG’s reporting history; and
  • The number of recent phishing attacks has more than tripled since early 2020, when APWG was observing between 68,000 and 94,000 attacks per month.

Many in the ICANN community fervently hope such data isn’t dismissed out of hand, as was the European Union’s recent comprehensive study on DNS abuse. Even if one were to try to counter the above with “alternative facts,” this is an opportunity for the community to collaborate instead of merely continuing to parry one another.

What should come next

As pointed out in March, ICANN Org is in a position to help move the community forward on abuse mitigation. It’s been said ad nauseum, but the (applaudable) voluntary measures industry has advanced can go only so far in terms of dealing with bad actors and the parties that harbor their activity.

To do so, as we’ve heard repeatedly for years from ICANN’s Compliance staff and others, ICANN Org must update the Registrar Accreditation Agreement (RAA) and the Registry Agreement (RA) to shore up provisions that enable enforcement against the bad guys.

We’re overdue for an update to these contracts (which haven’t been revised for a decade) in order to give ICANN Org the ability to rid the DNS of a significant amount of abusive activity. After all, ICANN Org is the body that accredits registries and registrars and is charged with setting standards in furtherance of DNS health. To whom else could we possibly look for meaningful, fully reaching and impactful action against DNS abuse?

The argument for contract modernization in this area isn’t taken lightly. ICANN participants are well aware that contract updates can be disruptive to contracted parties, and thus don’t repeatedly insist on opening contracts for addressing pet issues. However, in this instance:

  • The data is clear;
  • ICANN Compliance’s lack of meaningful enforcement tools under existing contracts is similarly clear;
  • ICANN Org is the only actor uniquely positioned to excise the largest possible swath of abuse in the DNS; and
  • The community is clamoring for action (including the Governmental Advisory Committee, dating back to ICANN57 in Hyderabad—five and a half years ago).

When is there a better time to act?

Some have suggested that DNS abuse mitigation must “be left to the community” to address. News flash: This IS the community coming forward. In an environment where no policy has been implemented for more than six years, and the “expedited” policy development process on WHOIS data has dragged on for more than four, a tar pit of endless study, process, and debate will not suffice. The community—and the health of the DNS—deserve far more than that.

DNS abuse is all over the agenda at the ICANN74 meeting next week in The Hague. Hopefully, this time around, good faith efforts to collaborate against this frustratingly persistent problem will prevail and lead to concrete action.

By Mason Cole, Internet Governance Advisor at Perkins Coie

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

Brand Protection

Sponsored byCSC