The DNS Abuse Institute

The Domain Name System (DNS) Abuse Institute is tasked with creating outcomes-based initiatives that will create recommended practices, foster collaboration, and develop industry-shared solutions to combat the five areas of DNS Abuse: malware, botnets, phishing, pharming, and related spam. The Institute was created by Public Interest Registry, the registry operator for the .ORG top-level domain.

What Is DNS Abuse?

Addressing abuse of the DNS is a critically important issue for the security and stability of the DNS. In 2019, a number of domain name registries for generic top level domains (“gTLDs,” such as .ORG), country code top level domains (“ccTLDs,” such as .UK), and domain name registrars published a document called the “Framework to Address Abuse.” That document builds from the work of the Internet and Jurisdiction Policy Network (“I&J”) and defines DNS Abuse, noting:

DNS Abuse is comprised of five broad categories of harmful activity insofar as they intersect with the DNS: malware, botnets, phishing, pharming, and spam (when it serves as a delivery mechanism for the other forms of DNS Abuse).  The Internet and Jurisdiction Policy Network’s Operational Approaches, Norms, Criteria, Mechanisms provides the following definitions for each of these activities:


Malware is malicious software, installed on a device without the user’s consent, which disrupts the device’s operations, gathers sensitive information, and/or gains access to private computer systems. Malware includes viruses, spyware, ransomware, and other unwanted software.1


Botnets are collections of Internet-connected computers that have been infected with malware and commanded to perform activities under the control of a remote administrator.2


Phishing occurs when an attacker tricks a victim into revealing sensitive personal, corporate, or financial information (e.g. account numbers, login IDs, passwords), whether through sending fraudulent or ‘look-alike’ emails, or luring end users to copycat websites. Some phishing campaigns aim to persuade the user to install software, which is in fact malware.3


Pharming is the redirection of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning. DNS hijacking occurs when attackers use malware to redirect victims to [the attacker’s] site instead of the one initially requested. DNS poisoning causes a DNS server [or resolver] to respond with a false IP address bearing malicious code. Phishing differs from pharming in that the latter involves modifying DNS entries, while the former tricks users into entering personal information.4


Spam is unsolicited bulk email, where the recipient has not granted permission for the message to be sent, and where the message was sent as part of a larger collection of messages, all having substantively identical content.5  

While Spam alone is not DNS Abuse, it is included as one of the key forms of DNS Abuse when it is used as a delivery mechanism for the other four forms of DNS Abuse.  In other words, generic unsolicited e-mail alone does not constitute DNS Abuse, but it would constitute DNS Abuse if that e-mail is part of a phishing scheme. 

DNS Abuse Institute Mission

While progress on DNS Abuse has been made across the industry, not all registries and registrars have the same level of resources or time available to combat DNS Abuse. Given this gap and a more general need for innovation, education, and collaboration on DNS Abuse across its many stakeholders, Public Interest Registry (operator of the .ORG gTLD) has founded the DNS Abuse Institute. 

The Institute will serve as a resource to help the community identify and report DNS Abuse, establish best practices, fund research on DNS Abuse, and share data. It will strive to work closely with all DNS Abuse stakeholders in the fight against DNS Abuse, including but not limited to technical and security organizations, academic organizations, registries, and registrars. 

The Institute also seeks to build upon the foundations laid by the DNS Abuse Framework and I&J to help develop meaningful solutions, practices, and shared knowledge to combat DNS Abuse for the betterment of the Internet.

The Institute has three core pillars: Innovation, Education, and Collaboration.


Graeme Bunton is the DNS Abuse Institute’s inaugural Director. Graeme joins the Institute with 11 years of DNS Policy experience. He served as Head of Policy of Tucows, was chair of the Registrar Stakeholder Group for four years, and co-chair of both the RRSG Abuse Working Group and the Contracted Party Abuse Working Group. Graeme was one of the driving forces in the creation of the Framework to Address Abuse, which has more than 50 registry and registrar signatories. 

Graeme currently serves on the Board Directors of The i2Coalition (Internet Infrastructure Coalition). Graeme works remotely from Toronto and is an avid cyclist.

I couldn’t be more excited about the opportunity the DNS Abuse Institute provides for the DNS community. Our years of conversation on this topic have highlighted the need for coordinated action, common understanding,  and centralized tools, but until now the mandate and resources didn’t exist. With PIRs foundational support we’re going to do the hard work of making the Internet a safer place.” – Graeme

Advisory Council

The Institute maintains a diverse Advisory Council with expert representation from interested stakeholders related to DNS Abuse, such as gTLD registries, ccTLD registries, registrars, security researchers, and academics on issues related to DNS Abuse. Current Advisory Council members include:

[1] Internet and Jurisdiction, Domains and Jurisdiction: Operational Approaches, Norms, Criteria, Mechanisms (2019) (“I&J Operational Approaches”), page 20 at; see M3AAWG & London Action Plan, Operation Safety-Net: best practices to Address Online Mobile and Telephony Threats (2015) (“Operation Safety-Net”), at[2] I&J Operational Approaches at 20; see “A Glossary of Common Cybersecurity Terminology,” National Initiative for Cybersecurity Careers and Studies, at:

[3] I&J Operational Approaches at 20.

[4] Id.; see Entries for DNS hijacking and DNS poisoning in the Kaspersky Lab Encyclopedia, at

[5] I&J Operational Approaches at 20; see “The Definition of Spam” by The Spamhaus Project, at