DNSAI Compass is an initiative of the DNS Abuse Institute to measure the use of the DNS for phishing and malware.

  • Phishing is an attempt to trick people into sharing important personal information— banking information, logins, passwords, credit card numbers.
  • Malware is malicious software designed to compromise a device on which it is installed.

The technical analysis for this project is performed by KOR Labs.

Read our blog for a short introduction.

Contact us if you have questions, ideas, or suggestions to help us improve this initiative.




CHART 1: Aggregate Trends

This chart provides a high level view on how much DNS Abuse has been identified by our methodology, and how it’s changing over time. 

It shows the absolute volume of unique domains our methodology has identified are engaged in phishing and malware, broken out by category.

CHART 2: Mitigation

This chart is intended to demonstrate how much DNS Abuse we observe as being mitigated on a monthly basis.

The methodology includes a process to determine whether any mitigation has been observed. This involves taking an initial measurement of various factors related to the URL and repeating these measurements for one month. Further details are set out in the methodology.

This results in four labels:

Mitigated: We believe a mitigating action has occurred. This action could be taken by a registrar, registry, a hosting provider, or another relevant actor.

Not Mitigated: We did not detect any indication of mitigation.

Uncategorized: We were unable to determine whether or not mitigation occurred.

Unprocessed: The domains were not processed due to network connectivity or server problems.

CHART 3: Registrar Median Mitigation Time

This chart is intended to show the observed time taken to mitigate phishing and malware, and how it is changing over time. 

For the domains that our methodology determined were mitigated, this chart shows how many registrars had a median time to mitigation in each category. 

After an initial measurement, KOR Labs repeats measurements for one month to determine if mitigation has occurred. The intervals used are (starting at the time of acquiring the URL from the blocklist): 5m, 15m, 30m, 1hr, 2hr, 3hr, 4hr, 5hr, 6hr, 12hr, 24hr, 36hr, 48hr, and then once every 12 hours for one month. 

While we are describing this information as a “median registrar mitigation time”, it should be noted that we do not know definitively that it was the registrar that took action. This data could include mitigation taken by the registry, the host, or any other relevant party. The reference to a registrar is indicative that the domain is under their management.

CHART 4: Malicious vs. Compromised

This chart is intended to show the observed registration type (malicious vs. compromised) and how this is changing over time.  

Our methodology includes three labels:

Malicious: a domain registered for malicious purposes (i.e., to carry out DNS Abuse).

Compromised: A benign domain name that has been compromised at the website, hosting, or DNS level. 

Uncategorized: A domain that our methodology was unable to categorize for a number of reasons, including problems in collecting the metadata necessary to categorize domain names accurately.