Moving past the definition deadlock to address DNS Abuse
By Carolina Caeiro
Much debate has ensued over the years about how to define DNS abuse.
Discussions have focused on whether to adopt definitions that limit DNS abuse to questions pertaining to the core, technical layers of the Internet, or to embrace broader perspectives that view malicious and harmful content (ranging from Child Sexual Abuse Material (CSAM) and cybercrime to disinformation) as forms of DNS abuse.
A recent study on the subject by the European Commission, the University of Grenoble and the Fasano Paulovics law firm has rekindled the debate. The study defined DNS abuse in broad terms as “any activity that makes use of domain names or the DNS protocol to carry out harmful or illegal activity.” Industry associations such as CENTR, the European ccTLD organisation, have been quick to question this working definition, describing it as inadequate. Their argument is that broad definitions overestimate the role that the DNS community is able to play in effectively mitigating abuse online, while simultaneously overlooking the role of other stakeholders in the Internet industry.
Reaching consensus on a definition among the diverse stakeholders involved in the DNS ecosystem has proven challenging. The lack of commonly agreed terminology has reportedly hampered the systematic measurement of DNS abuse and generated disparate expectations about how the DNS community may contribute to mitigating online abuse and cybercrime.
DNS abuse is also a moving target. The technologies used to exploit the DNS for malicious activities are constantly evolving. Botnets and algorithmically generated domains, for example, which did not feature in DNS attacks a few years back, are becoming ever more prominent today. This evolving landscape makes the development of definitions especially challenging.
Beyond definitions: addressing intent and harm in DNS abuse
Malicious activity on the DNS can have a serious impact on Internet users. These potential harms, and their perceived connection to cybersecurity strategies, have brought renewed attention to the integrity of the DNS among policy makers.
Beyond efforts to agree on specific definitions, there is industry-wide consensus that providing effective responses to DNS abuse requires, first, paying close attention to intent (that is, specific signs that indicate registrants plan to exploit domain names for malicious activities) and, second, adopting concrete strategies for addressing harms.
The analysis of potential intent has led industry actors to distinguish between domains that have been registered with the objective of carrying out malicious activity and domain names that were originally legitimate, but that have been compromised. The two cases call for different responses. For example, closely vetting new domain name registrations that appear to be created to conduct malicious activity is emerging as a leading strategy in DNS abuse prevention.
Addressing harm is also informed by efforts to identify malicious activity. A comprehensive understanding of how and why abuse occurs allows industry stakeholders and public safety officials to identify at what level of the Internet stack an issue is taking place and which actor is best positioned to respond to a specific form of abuse.
The same goes for preventive measures. The European Commission has reported that differentiating between maliciously registered and compromised domains has helped identify not only who should act in the face of abuse, but also what type of preventive actions to develop, such as stepping up efforts to ensure the accuracy of domain name registration data.
Learning from industry best practices
While definitions matter, the lack of consensus has not held industry back from taking action on DNS abuse.
European registries and registrars have been especially active. CENTR reports that, while the organisation believes that DNS abuse occurs only when the DNS is the distinctive factor in a malicious act, the ccTLD community has collaborated with national authorities in tackling policy challenges that are wider in nature. For example, during the pandemic, AFNIC, the registry in charge of managing .fr, worked closely with the General Directorate for Competition Policy, Consumer Affairs and Fraud Control to support the pandemic response in France through the tracking of Covid-related domains.
EURid, the registry manager of .eu, has implemented several abuse prevention services. For example, the organisation recently launched its Abuse Prevention and Early Warning System (APEWS), which actively screens newly registered domain names, using AI to predict whether a domain name may be used for malicious purposes.
While all gTLDs need to follow ICANN policies as a baseline, many do more than required, such as deploying additional legal and technical measures to prevent abuse or adopting more sophisticated transparency policies for DNS abuse management. The DotAsia organisation, for example, reported that the registry does far more than what is outlined in its ICANN contractual obligations to prevent DNS abuse, and highlighted how conversations about definitions often obscure the fact that the industry is already working hard to do better.
Understanding DNS abuse: the need for more measurement
The European Commission report on DNS abuse found that “new gTLDs suffer from the highest concentration of abused domains relative to their market share.” However, not all new gTLDs were affected to the same extent: according to the report, two new gTLDs (.work and .xyz) accounted for 41% of all abused new gTLD names in the second quarter of 2021.
These types of insights enable a greater understanding of how malicious activity unfolds in the DNS and what to do about it. Measurement and study of the DNS are essential to enable the development of effective strategies to fight DNS abuse.
While the DNS community is progressing in this direction, more work remains to facilitate access to DNS data, enable DNS research and strengthen the development of evidence-based regulatory and policy strategies. Emerging initiatives, such as the DNS Research Federation, are in a unique position to explore ways to contribute to the expansion of evidence-based academic literature and shed light on the effectiveness of current industry practices (see Understanding the DNS for informed decision-making: why we need more data and research).