Are DNS Abuse Mitigation Efforts Keeping Up? New Data on ICANN's 2024 RAA Amendments Suggests Gaps Remain

By Mark Robertshaw, Alice Taylor
Executive Summary
Last year, amendments were made to the contract that governs domain name registrations - the Registrar Accreditation Agreement, or RAA - to tackle growing abuse of the domain name system.
Data analysis of how things have changed since then indicates that while there has been improvement in tackling abuse, particularly in how long it takes for action to be taken, that improvement has been slow and gradual. Our initial results cover registry and registrar mitigations from early September 2024 to March 2025 and indicate that both the initial (11%) and current (21%) mitigation rates for a 24-hour period are low. We chose the 24-hour point for measurement to reflect the short lifespan of malicious domains, which leaves the ecosystem little time to mitigate harms while attacks are running. Research by Raffaele Sommese et al. indicates that the lifespan of malicious domains is on average 4-6 hours, echoing Paul Vixie’s observation that such domains lead ‘short, brutal lives’.
At the current rate of progress, it would take until at least 2033 for domains reported as abusive to be tackled within 24 hours.
The picture across the industry is that some registrars are able to consistently react faster to reports of DNS Abuse while others struggle to do so. This suggests there is wide variation in the tools available to registrars. As such, easier access to abuse intelligence along with the tools necessary to act on it is key to improving what are currently weak mitigation rates across the industry as a whole.
Introduction
As part of its mission to advance understanding of the DNS’s impact on cybersecurity, policy and technical standards, the DNSRF (Domain Name System Research Federation) is undertaking research on the effectiveness of these RAA Abuse Amendments. Using DNSRF tools, we have been documenting how quickly DNS Abuse mitigations are being carried out by numerous parties. With the RAA amendments in force, our initial focus will be on mitigations that can be actioned by, and easily associated with, both Registries and Registrars. However, in the future we will add further parties “downstream” from domain name registration, including hosting providers/web hosters, reverse proxy providers, subdomain providers, domain owners and the like.
In 2013, ICANN (the Internet Corporation for Assigned Names and Numbers) introduced a set of obligations designed to prevent “DNS Abuse”, the umbrella term defined by ICANN encompassing phishing, pharming, malware, botnets, and any spam acting as a delivery mechanism for these other harms. The obligations, including policies and obligations for monitoring and reporting abuse, are set out in the main contract between ICANN and domain name sellers: the Registrar Accreditation Agreement or “RAA”.
In 2024, ICANN updated the Registrar Accreditation Agreement and committed to enforcing their original obligations set out to prevent cyberattacks and clarifying how this should be accomplished. This involves stricter compliance monitoring and penalties for registrars who fail to take action against DNS abuse.
When registrars have “actionable evidence” that a domain is being used for DNS Abuse, they are obliged to “promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt” the abuse. If there are “well-founded reports of Illegal Activity” then the situation “must be reviewed within 24 hours” and the registrar must “take necessary and appropriate actions.”
Methodology
The DNSRF has been collecting relevant abuse reports associated with phishing and malware. Phishing reports have been sourced from OpenPhish, APWG, Malware Patrol, and URL Abuse. Malware Reports have been sourced from URLHaus, Malware Patrol, and URL Abuse. Spam reports have been excluded from our study.
To ensure a granular level of reporting, we deduplicate reports daily. This means that if we receive multiple reports for the same domain name on different days we would count them more than once. This is important when measuring the mitigation action taken by contracted parties in the 24-hour timeframe as it would allow us to capture scenarios where actors may not have taken action until multiple reports have been seen on different days.
In addition, as our current focus is on actions taken by only registries and registrars, we have removed reports associated with subdomain providers and URL shorteners. Future versions of this study will add these back in, allowing a more complete picture of who is involved in mitigating abuse and how that mitigation has happened.
For each unique abusive domain name, we measure the abuse time-to-live - the time between the malicious URL being blocklisted and the abuse being mitigated. We consider abuse to have been mitigated only when specific actions are taken by the registry or registrar, causing the domain name to no longer resolve.
Specifically, we use the following criteria to indicate that abuse has been mitigated by either the registrar or registry:
Registrar:
- Addition of “clientHold”, disabling the domain name
- Removing the name server, disabling the domain name
- The domain is past its expiry date and so no longer routes
- The domain is deleted by the registrar and enters a redemption grace period
Registry:
- Addition of “serverHold”, which, as with clientHold, prevents the domain from routing
For each abuse report, we calculate the abuse mitigation status at 0 days (upon first report) and then at 1, 3, 7, 14, 30, 60, 90 and 365 days, respectively. Where no mitigation has been detected after 365 days, we consider the report unmitigated and stop checking. According to ICANN’s RAA Abuse Amendments, we would expect to see more mitigations happening within 1 day, in order to meet compliance criteria. More importantly, given that most DNS abuse occurs in a 24-hour window between activation and when abuse infrastructure is abandoned, we believe the 24-hour abuse rate is a key metric approximating impact on internet users.
Finally, using this methodology, we also measure the general trend in mitigation rates over time.
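The measurement described in this section can be sketched in code. This is an added example, not the DNSRF's own tooling: the record layout (statuses, nameservers, expiry, seen), the helper names and the sample data are assumptions constructed for illustration, with "redemptionPeriod" used as the status that marks a domain in its redemption grace period and serverHold taking precedence when both holds are present.

```python
from datetime import datetime, timedelta

CHECKPOINT_DAYS = (0, 1, 3, 7, 14, 30, 60, 90, 365)  # checkpoints named in the text

def classify(obs):
    """Party that has mitigated the domain in this observation, or None."""
    if "serverHold" in obs["statuses"]:
        return "registry"
    if ("clientHold" in obs["statuses"] or "redemptionPeriod" in obs["statuses"]
            or not obs["nameservers"] or obs["expiry"] < obs["seen"]):
        return "registrar"
    return None

def dedupe_daily(reports):
    """One report per (domain, calendar day); repeats on later days still count."""
    kept = {}
    for r in sorted(reports, key=lambda r: r["blocklisted"]):
        kept.setdefault((r["domain"], r["blocklisted"].date()), r)
    return list(kept.values())

def time_to_mitigation(report):
    """Abuse time-to-live: blocklisting to the first mitigated observation."""
    for obs in sorted(report["observations"], key=lambda o: o["seen"]):
        actor = classify(obs)
        if actor and obs["seen"] >= report["blocklisted"]:
            return obs["seen"] - report["blocklisted"], actor
    return None, None  # unmitigated in every observation

def mitigation_rates(reports):
    """Share of deduplicated reports mitigated by each checkpoint."""
    ttls = [time_to_mitigation(r)[0] for r in dedupe_daily(reports)]
    return {d: sum(t is not None and t <= timedelta(days=d) for t in ttls) / len(ttls)
            for d in CHECKPOINT_DAYS}

# Constructed sample data, not DNSRF measurements.
T0 = datetime(2025, 1, 6, 9, 0)
def seen_at(hours, statuses=(), ns=("ns1.example.net",)):
    return {"seen": T0 + timedelta(hours=hours), "statuses": statuses,
            "nameservers": ns, "expiry": T0 + timedelta(days=200)}

SAMPLE = [{"domain": d, "blocklisted": T0 + timedelta(hours=h), "observations": o}
          for d, h, o in [
    ("a.example", 0, [seen_at(0), seen_at(20, ("clientHold",))]),
    ("a.example", 2, [seen_at(20, ("clientHold",))]),  # same-day repeat report
    ("b.example", 0, [seen_at(0), seen_at(72, ("serverHold",))]),
    ("c.example", 0, [seen_at(0), seen_at(168, ns=())]),  # name servers removed
    ("d.example", 0, [seen_at(0), seen_at(720)]),  # never mitigated
]]

print(mitigation_rates(SAMPLE))
```

With the constructed sample, the same-day repeat for a.example collapses into one report, so the rates are computed over four reports rather than five.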
Mitigation Rate Findings
Our initial results cover registry and registrar mitigations from early September 2024 to March 2025. The findings suggest that the mitigation rate trend within a 24-hour period is increasing. However, both the initial (11%) and current (21%) mitigation rates are low. The average mitigation times for reports are well above 24 hours and are therefore currently not compliant with the ICANN RAA Abuse Amendment provisions.
Percentage of Mitigations Occurring within 24 Hours:
For all reports of DNS abuse that have been mitigated within 24 hours, the mitigation rate trend has increased from an average of 11% in September 2024 to 22% in March 2025. This means that for every report of DNS abuse occurring daily, more than 78% are unmitigated within 24 hours.
Percentage of Mitigations Occurring within 7 days:
The rates improve when we look at the percentage of mitigations occurring within 7 days. 7-day mitigation rates have increased from an average of 18% in September 2024 to 48% in 2025. This means that more than 52% of abuse reports are unmitigated in a 7-day window. Given that this period allows entities additional time for the abuse investigation, it is logical that the rates would be higher than for the shorter 24-hour period.
The increase in mitigation rates for both the 24-hour and 7-day period could suggest that the ICANN RAA Abuse Amendments are impacting mitigation response times. However, as mentioned above, the longer abusive domains remain unmitigated, the more harm they cause internet users.
Overall Average Mitigation Times: Eight Days
The overall average mitigation time of a report is 8 days. The average time for a registrar to mitigate a report is 8.2 days, whereas the average time for registry mitigation is 7.8 days. Both times are well beyond the time frame needed to minimize the impact of abuse on internet users.
Registry and Registrar Mitigation Analysis
The following sections report on the actions of registries and registrars, both as a whole and individually, for the entire reporting period. We will not name individual registries or registrars for this update but simply report on high-level findings. Future iterations of this analysis will include “league tables” that include, for example, an analysis of the entities with the best and worst mitigation rates. We will also track their movement (up and down) in these tables.
Comparison of Mitigation Actions by Actor: 24-hours, 3-Days and 30-Days
When we look deeper into which actor, registry or registrar, has taken action for the entire reporting period, we find that in the first 24 hours, registries are taking more action than registrars.
However, this percentage changes as the period increases from 24 hours to 7 days and finally to 30 days.
Breakdown of Registrars by Mitigation Rate
The following chart shows the percentage of registrars by mitigation rate. For this analysis, we only included registrars with at least 50 unique domain name abuse reports for the entire period.
Ideally, the “More than 40%” slice of the doughnut should be the largest, meaning that most registrars resolve most of the flagged abuse issues within a day. However, currently, a majority of registrars have a 24-hour mitigation rate of less than 10%, followed by those who have a rate between 11 and 20%. The situation improves slightly when we expand the mitigation timeframe to 7 days: the higher mitigation rate slices increase, indicating overall registrar rates are improving. However, there is still lots of room for improvement.
Breakdown of Registry by Mitigation Rate
When we look at the mitigation rates for registries for the entire time period, we see similar movement between the 24-hour and 7-day pie charts.
As above, when we expand the mitigation time to 7 days, the higher mitigation rate slices increase, indicating that overall registry rates are also improving.
Conclusion and Next Steps
There is considerably more work to be done in terms of mitigating DNS Abuse. Even after 7 days, 52% of abuse reports remain unmitigated, and the overall average mitigation time for a report of DNS abuse is 8 days. This is well beyond the time frame needed to minimize the impact of abuse on internet users. In addition, it is well above the gold standard 24-hour period specified in ICANN’s RAA Abuse Amendments.
Our findings suggest that there is a wide variation in the tools available to registrars. As such, easier access to robust intelligence and mitigation resources is needed to reduce discrepancies in response times.
While there have been upward trends across all time periods, at the registry, registrar and overall levels, it is too early to tell if the updates to the RAA are the reason. Future iterations of our work will include additional downstream actors such as hosting providers, reverse proxy providers, and subdomain providers to provide a more comprehensive view of DNS abuse mitigation.
The DNSRF will continue to track abuse mitigations, with a final report scheduled to be published in June 2025.