DNSAI Compass

The DNS Abuse Institute launched DNSAI Compass to measure the use of the DNS for phishing and malware. To ensure accuracy and objectivity, KOR Labs, an experienced, independent, third-party, has developed the methodology and conducts the data gathering and technical analysis. Read the background on this initiative. Register to ensure you receive a complementary copy of the Compass reports.

DNSAI Compass Dashboards
Visibility with Context

NEW DNSAI Compass Dashboards are available to registrars and registries to better understand the measure of their DNS abuse and their ability to mitigate compared to peers in the industry.

Compass Dashboards provide registries and registrars access to individualized data on phishing and malware that can be used to track and measure the prevalence of abuse as well as how their processes and policies make an impact over time. The data is sharable and can be used to make internal improvements, report on progress and encourage greater awareness and collaboration on future solutions in the industry.  Read our blog post for more detail.

Registries and registrars interested in accessing the data will need to agree to the DNS Abuse Institute’s Terms and Conditions as well as apply for access via an online form. Requests for access can be made to support@dnsabuseinstitute.org.


Read detailed information about the academically robust methodology used to generate the DNSAI Compass reports, performed by KOR Labs. Access the full document.


Monthly reporting of DNS Abuse data, measurement & analysis



“We appreciate the DNS Abuse Institute’s commitment to capturing the true scope of DNS Abuse.  The transparency of their methodology ensures that their results can be duplicated and trusted.  Their Compass data provides reliable insight and helps registries and registrars understand and collaborate on areas for possible improvement.”

– Alvaro Alvarez, EVP, General Counsel & Secretary, Identity Digital, Inc.

CHART 1: Aggregate Trends

This chart provides a high level view on how much DNS Abuse has been identified by our methodology, and how it’s changing over time. 

It shows the absolute volume of unique domains our methodology has identified are engaged in phishing and malware, broken out by category.

CHART 2: Mitigation

This chart is intended to demonstrate how much DNS Abuse we observe as being mitigated on a monthly basis.

The methodology includes a process to determine whether any mitigation has been observed. This involves taking an initial measurement of various factors related to the URL and repeating these measurements for one month. Further details are set out in the methodology.

This results in four labels:

Mitigated: We believe a mitigating action has occurred. This action could be taken by a registrar, registry, a hosting provider, or another relevant actor.

Not Mitigated: We did not detect any indication of mitigation.

Uncategorized: We were unable to determine whether or not mitigation occurred.

Unprocessed: The domains were not processed due to network connectivity or server problems.

CHART 3: Registrar Median Mitigation Time

This chart is intended to show the observed time taken to mitigate phishing and malware, and how it is changing over time. 

For the domains that our methodology determined were mitigated, this chart shows how many registrars had a median time to mitigation in each category. 

After an initial measurement, KOR Labs repeats measurements for one month to determine if mitigation has occurred. The intervals used are (starting at the time of acquiring the URL from the blocklist): 5m, 15m, 30m, 1hr, 2hr, 3hr, 4hr, 5hr, 6hr, 12hr, 24hr, 36hr, 48hr, and then once every 12 hours for one month. 

While we are describing this information as a “median registrar mitigation time”, it should be noted that we do not know definitively that it was the registrar that took action. This data could include mitigation taken by the registry, the host, or any other relevant party. The reference to a registrar is indicative that the domain is under their management.

CHART 4: Malicious vs. Compromised

This chart is intended to show the observed registration type (malicious vs. compromised) and how this is changing over time.  

Our methodology includes three labels:

Malicious: a domain registered for malicious purposes (i.e., to carry out DNS Abuse).

Compromised: A benign domain name that has been compromised at the website, hosting, or DNS level. 

Uncategorized: A domain that our methodology was unable to categorize for a number of reasons, including problems in collecting the metadata necessary to categorize domain names accurately.