April 12, 2022

DNSAI Newsletter April 2022

DNSAI News in Brief:

  • We recently shared an update on NetBeacon, our newly renamed centralized abuse reporting tool.
  • The DNSAI responded to a letter from the GNSO Small Team on DNS Abuse, proposing a series of hyper-focused PDPs.
  • DNS Abuse was an important topic at ICANN73, and we contributed substantially to the discussions.
  • European Commission Study on DNS Abuse: good work undermined by bad definitions.
  • ICANN produced a Retrospective Report on DNS Abuse, and it’s worth a read.



ICANN73 is over, and in many ways it felt like an old-fashioned in-person meeting. The DNSAI’s Executive Director, Graeme Bunton, was involved in multiple sessions, and DNS Abuse was on so many agendas that he was bouncing between Zoom rooms all day.

On Monday, Graeme gave a presentation during TechDay—about eight minutes in here—that shared some early thinking and research from the DNSAI on potential approaches to prevent DNS Abuse.  A key component of that work is that it identifies a nice opportunity to leverage existing tools and registrar self-interest in reducing fraud.  We’re excited to dive further into that work later this year.

On Wednesday, Graeme moderated a plenary on DNS Abuse, specifically about the difference between malicious domain name registrations and compromised websites.  We’ve received a lot of positive feedback about the session on the form and content, and it’s worth taking a moment to discuss both.

Plenaries at ICANN meetings are weird. The community submits potential topics, and then picks two or three to run in an un-conflicted time slot during the week. Once selected, there is a community process to turn the proposal into an actual session.  Between proposal and event, there is a lot of room for the interests to contribute.  The RySG’s proposal of this plenary did almost all of the planning work up front.  The goals were clear, the panelists from different stakeholder groups selected, and the agenda set.   We were able to have a successful, productive plenary because the goals, scope, and discussion topics were clear, and we were transparent about our intent to remain rigidly on topic.  We believe it’s a useful model for the community; we can actually get more done, by trying to do less.  

We had four stated goals for the session on compromised websites versus malicious domain registrations:

  • Develop community understanding of why the distinction is important.
  • Develop community understanding of how the distinction could be made.
  • Develop community understanding of what could be done, having made the distinction.
  • Discuss what potential activities could be undertaken, and by who.

Building consensus around that first goal that was the most important.  Relatively early on in the plenary, in both the panel discussion and the chat, we had community consensus that the distinction was important to recognize.  There is much subsequent work to be done on developing approaches to exactly what should be done in either case, but getting everyone to the same place on the why is a huge win. 

The DNSAI is currently leading an effort within the CPH DNS Abuse Working Group to develop a paper on the Malicious Registration versus Compromised Website topic, aiming for publication by ICANN74 in June.


 European Commission Study on DNS Abuse

A recent study on DNS Abuse was published by the European Commission (available here,  with a technical appendix here).  The study is long, makes many suggestions, and has garnered a lot of attention in the community.  There is a lot of value in the study, but unfortunately, it’s very difficult to get past its overbroad definition of DNS Abuse that is the study’s foundation.  The DNSAI has spent considerable time and words on the definition of DNS Abuse, and has argued recently that definitional debates about the edges seem to be getting in the way of making progress on issues at the center of the problem.

The EC Study asserts that DNS Abuse is any harmful activity that makes use of a domain name and/or the DNS protocol. Paradoxically, however, it very clearly asserts that whole categories of harms should not be mitigated at the layer of DNS Abuse.  So, if the domain name isn’t the issue, and the harm isn’t appropriately resolved by domain registrars or registries, how could it possibly be DNS Abuse?  The approach of the EC would have received broader support if it were instead addressing online harms in general, rather than attempting to label all online harms using domains or the DNS as DNS Abuse.

Despite the creaky definitional foundation, there are some important acknowledgements and recommendations within the study. The work inside the technical appendix is the most sophisticated analysis of abuse we’ve seen to date. The report also distinguishes between malicious registrations and compromised websites, and recommends different paths to mitigation—an idea still pretty new to the ICANN community. It also acknowledges that a centralized abuse reporting platform is a necessary component to reducing abuse, and underlines that we need a better, more analytical approach to understanding abuse; both projects the DNSAI is working on.


ICANN DNS Abuse Retrospective Report

Shortly after ICANN73, ICANN produced a retrospective on on the last four years of DNS Abuse trends. Drawing on data from DAAR, it paints an interesting picture of DNS Abuse over time, and one that we haven’t seen clearly before.  We want to commend ICANN for this report. It’s this sort of work that will enable the DNSAI and the ICANN community to focus its work on where it’s most needed.

We will offer an initial thought on DAAR produced reporting. ICANN should really separate out spam reporting from phishing, malware, and botnets.  It’s not that spam isn’t important to measure, but that the volume of spam prevents the reader from seeing any trends in the other harms so measuring it, but visualizing it separately would be helpful. 

The good news is that abuse rates have dropped dramatically since ICANN has been monitoring them, with a substantial decrease between April and July 2019. ICANN mentions that this dramatic decline appears to come from a change in how Spamhaus (a source of data for DAAR) measures spam.  This is a really important consideration, and one the community needs to understand better. Upstream changes in abuse data providers are entirely opaque, and may obscure important underlying trends. 

The less good news is that there was a rise in abuse rates around the start of the COVID19 pandemic, which appears to have been slowly decreasing since December 2020. This highlights that there remains lots of important work to do for both the DNSAI, as well the ICANN community.


Thanks for reading, and as usual, please feel free to reach out directly.

Graeme Bunton,
Executive Director, DNS Abuse Institute