Home / Blogs

A New Phase of Measuring DNS Abuse

Today the DNS Abuse Institute (“DNSAI” or the ” Institute”) adds a new level of reporting for our measurement project: DNSAI Compass™ (“Compass”).

With this new level of reporting, we intend to show the spectrum of how malicious phishing and malware is distributed across the DNS registration ecosystem.1 To demonstrate this, we are identifying registrars and TLDs with high and low volumes of malicious domain registrations in their Domains Under Management (DUM), or new registrations.

The metrics we have chosen in this section of reporting were selected to provide a straightforward mechanism to understand DNS Abuse using the data points observed by our methodology. In future reports, we may add additional metrics or combine various data points.

While preparing the report, we faced a number of decisions about the presentation of data and the categorization of the industry. Many of these decisions were not straightforward, so we have included detailed explanations providing our rationale. We remain open to ideas and suggestions and look forward to improving these reports with future iterations. Several key points about this report are outlined below. The PDF is available on our website, where our existing interactive charts are displayed.

If you’d like to talk with us at ICANN77 in DC, please contact us.

Policy of engagement

This reporting about specific parties is published a month behind our aggregate reporting. This slight delay has allowed us to attempt to contact all named registrars and registries prior to the data publication. We believe it is important to speak to registrars and registry operators prior to publication whenever possible. This allows a registry or registrar to provide us with context for its data which we may choose to include in commentary, the opportunity to prepare public communications, and for us to offer support on improving their management of DNS Abuse where appropriate. We welcome contact from those identified in the report to ensure we can engage with them in the future. We also hope to automate this process to allow us to align the aggregate reporting and the specific reporting dates in future reports.

Maliciously registered domain names

To the best of our ability, in accordance with our methodology, all metrics are compiled using only observed maliciously registered domains, and exclude observed compromised domain names.2 This decision was made following significant outreach with the DNS Community and because malicious registrations are typically more directly within a higher degree of control of a registrar or registry operator. We also provide registrars and registries with data relating to compromised domain names within their DUM on a one-to-one basis.

Exclusions

With these metrics, we want to provide the industry with evidence and information on how phishing and malware is distributed across the ecosystem. We have therefore made several exclusions from each table to reduce the risk of including false positives and to increase the focus on the domain registrations with generalizable practices and policies. Excluded registrar credentials and registry operators are listed in Appendices, which are available on our website.

Limitations

It is important to recognize the limitations of this work. We are faced with the universal challenge of understanding malicious activity in society; we can only measure the harms that are identified. In our case, we identify phishing and malware through the source lists we use for Compass, as detailed in our methodology. Identified phishing and malware will always be a subset of all existing phishing and malware. There will also be “false positives,” that is, domain names categorized as phishing and malware that actually aren’t, due to both classification errors and differences in standards. There is also the potential that identified DNS Abuse is biased to particular geographic regions or activities that are more likely to be subject to reporting. Another challenge we encounter is accurately enumerating the number of DUM for each registrar and TLD (which can impact “per 100K DUM” density metrics). Generally, our observed DUM is lower than officially reported DUM for all TLDs and registrars. For additional information on the limitations of this work, please refer to our methodology.

Registrar credentials

Our reporting is indifferent to registrar corporate families, we report on the registrar IANA ID (i.e., at the credential level). This means that some corporate entities will have more than one IANA ID, and they may choose to operate these credentials differently.

Comparing ccTLDs and gTLDs

We report on gTLDs and ccTLDs separately to reflect the fact that gTLDs have a consistent contractual framework,3 and are bound by consensus policies produced through the ICANN multistakeholder process, while ccTLDs are largely unique in their policies, processes, and governance models (e.g., nexus requirements, three-party contracts that include the ccTLD registry, only names for accredited businesses, etc.).

We have used the same methodology for reporting and abuse categorization. However, the absolute numbers of Observed Maliciously Registered Domains and rates of Maliciously Registered Domains Per 100,000 DUM are noticeably lower in the ccTLD table. This is shown in the report; if the relevant ccTLD list (Table 12) and the relevant gTLD list (Table 9) were grouped together, none of the ccTLDs listed in Table 12 would be identified in a similarly structured descending list of observed maliciously registered domains per 100,000 DUM.

We want to make meaningful comparisons between peer groups, which is not easy in an industry as diverse as domain names. We will keep this work under review and are open to improving our metrics and methodology.

We look forward to improving this reporting and working with the DNS Community to better understand, reduce, and prevent abuse. If you would like to provide feedback, please contact us.

Further information about the Institute and Compass

The Institute was created in 2021 by Public Interest Registry (“PIR”) in pursuit of its non-profit mission. The Institute aims to reduce DNS Abuse and empower the DNS Community. The Institute created Compass as a reliable, independent, transparent, and sufficiently granular way of measuring DNS Abuse in order to ultimately reduce it at the DNS level.

Compass is a collaboration with KOR Labs, led by Maciej Korczynski from Grenoble University. The technical analysis for this project is performed by KOR Labs. This data is provided to the Institute. The Institute then works with PIR’s Data Analytics team to create interactive charts for the purposes of writing this report.

  1. Compass reporting currently focuses on the DNS registrars and DNS registry operators. The DNS ecosystem also includes additional parties such as hosting providers, which are typically a more appropriate point of contact for compromised domain names, where a benign domain has been compromised at the website or hosting level. 
  2. DNSAI Compass uses the following definition of compromised: “A benign domain name that has been compromised at the website, hosting, or DNS level.” 
  3. Registry Agreement (RA); Registrar Accreditation Agreement (RAA). 

By Rowena Schoo, Director of Programs and Policy at The DNS Abuse Institute

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign