Comprehensive and Useful DNS Info and Resources
The Institute strives to serve as a resource for all interested stakeholders fighting DNS Abuse, whether they are registries, registrars, security researchers, or any other interested party. To this end, the Institute will:
- Maintain a resource library (below) of existing information and practices regarding DNS Abuse identification and mitigation.
- Coordinate educational resources for registries and registrars.
- Publish abuse reporting standards (e.g., what is needed for a “good” notification on abuse).
- Publish resources for “notifiers” (e.g., parties making referrals on DNS Abuse) that make their notifications more actionable.
- Identify criteria that suggest action on abuse referrals, including consideration of proportionality and collateral damage.
- Publish academic papers and case studies on DNS Abuse.
- Conduct webinars on specific issues relating to DNS Abuse.
The Institute is pleased to provide and maintain a Resource Library of publications related to DNS Abuse. These documents advance the conversation regarding DNS Abuse and help educate registries and registrars on how to address it. They may also prove useful to anyone who wants to learn more about DNS Abuse and how to tackle it.
The Framework to Address Abuse
The Framework to Address Abuse is a document developed by registry operators (both “generic” and “country-code”) and registrars that defines DNS Abuse and sets forth when a registry or registrar must take action (instances of identified DNS Abuse), as well as those limited and egregious categories of website content abuse when a registry or registrar should take action.
Internet and Jurisdiction Policy Network Publications
The Internet and Jurisdiction Policy Network’s Domain and Jurisdiction Contact Group has published a number of very helpful and informative documents addressing both DNS Abuse and the handling of website content abuse at the DNS infrastructure level. These resources help people and organizations that want to report abuse make those reports more actionable, and give registries and registrars guidance on identifying and addressing abuse.
- In 2019, I&J published this foundational document, a comprehensive work on issues relating to DNS Abuse and website content abuse. It examines the role of “Operators” (registries and registrars) in the DNS infrastructure, and the impact of acting via the DNS to address both DNS Abuse and website content abuse.
In 2020, I&J also put out a series of shorter one- or two-page documents covering specific topics.
- Effect of Action at the DNS Level
- This document notes the impact of using the DNS to take action to mitigate a threat, including issues such as collateral damage. It includes graphics for what happens when a domain is locked or suspended.
- DNS Operator’s Guide to Action on Technical Abuse
- This document focuses on questions like identification, evaluation, choice of action and remediation for DNS Abuse.
- Due Diligence Guide for Notifiers
- This document helps inform what sorts of due diligence someone making a complaint or notification should take before referring the issue to a registry or registrar.
- Choice of Action
- This document notes the limited tools available to a registry or registrar to address abuse and describes the effect of each action.
- Procedural Workflow for Addressing Phishing and Malware
- This is a very interesting document that works as a flowchart/decision tree for both registries or registrars when they receive a referral for phishing or malware.
- Minimum Notice Components for Abuse
- This sets forth what must go into an effective notification for DNS Abuse.
- Typology of Technical Abuse
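The “Effect of Action” and “Choice of Action” documents above describe what a lock or a suspension does to a domain. A practitioner receiving or sending a referral often wants to verify, from the domain’s own RDAP record, which action has actually been applied and by whom. The example below is added here and is not from I&J or the Institute; it reads the RDAP status values defined in RFC 8056 (the RDAP mappings of the EPP statuses clientHold, serverHold, clientUpdateProhibited, and so on) from constructed, non-real RDAP responses. A hold withdraws the delegation from the TLD zone, so everything under the name stops resolving, which is the collateral-damage case; a lock only blocks updates, transfers or deletion and leaves the name resolving and any abusive content reachable.

```python
import json
from typing import Dict, List

# RDAP status values (RFC 8056) corresponding to the EPP statuses a registrar
# ("client ...") or registry ("server ...") sets when it acts on a domain.
HOLD_STATUSES = {"client hold", "server hold"}
LOCK_STATUSES = {
    "client update prohibited", "server update prohibited",
    "client delete prohibited", "server delete prohibited",
    "client transfer prohibited", "server transfer prohibited",
}

# Constructed RDAP domain lookup responses (RFC 9083 shape). The names are
# reserved examples, not real registrations.
SUSPENDED_BY_REGISTRAR = json.dumps({
    "objectClassName": "domain",
    "ldhName": "login-bank.example",
    "status": ["client hold", "client update prohibited", "client transfer prohibited"],
})
LOCKED_BY_REGISTRY = json.dumps({
    "objectClassName": "domain",
    "ldhName": "files.test",
    "status": ["server update prohibited", "server delete prohibited",
               "server transfer prohibited"],
})
UNTOUCHED = json.dumps({
    "objectClassName": "domain",
    "ldhName": "news.example",
    "status": ["active"],
})


def classify_action(rdap_json: str) -> Dict[str, object]:
    """Report which action (if any) is applied to a domain and what it does.

    A hold status removes the delegation from the zone: the website, mail and
    every subdomain stop resolving. A lock status only prevents changes,
    deletion or transfer; the domain keeps resolving.
    """
    obj = json.loads(rdap_json)
    status = set(obj.get("status", []))
    holds = status & HOLD_STATUSES
    locks = status & LOCK_STATUSES
    # "server ..." statuses are set by the registry, "client ..." by the registrar.
    actors: List[str] = sorted(
        {"registry" if s.startswith("server ") else "registrar" for s in holds | locks}
    )
    if holds:
        effect = "delegation withdrawn: all services under the name stop resolving"
    elif locks:
        effect = "updates/transfer/deletion blocked: name still resolves, content still reachable"
    else:
        effect = "no registry or registrar action recorded"
    return {
        "domain": obj.get("ldhName"),
        "suspended": bool(holds),
        "locked": sorted(locks),
        "acted_by": actors,
        "resolves": not holds,  # only a hold affects resolution
        "effect": effect,
    }


if __name__ == "__main__":
    for sample in (SUSPENDED_BY_REGISTRAR, LOCKED_BY_REGISTRY, UNTOUCHED):
        print(classify_action(sample))
```

Against a live registry, the same function can be pointed at the JSON returned by the TLD’s RDAP base URL (listed in IANA’s RDAP bootstrap registry) for `/domain/<name>`; the status vocabulary is the same.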
Security Framework for Registry Operators
This document, Framework for Registry Operators to Address Security Threats (the “Security Framework”), was jointly published by the Public Safety Working Group (a consortium of law enforcement agencies from around the world) and gTLD registries in 2017. It describes the different actions a registry operator can take once it has identified a security threat. It also delineates an implicit hierarchy of notifiers where, for instance, a particular law enforcement agency might have particularized expertise (e.g., identifying domain generation algorithms). It also sets forth the expected communications between law enforcement and registries when a security threat has been identified.
ICANN Competition, Consumer Trust, And Consumer Choice Review, Final Report
The ICANN Competition, Consumer Trust, And Consumer Choice Review (CCT RT) was created when “ICANN’s Affirmation of Commitments (AoC) called for a regular review of the degree to which the New Generic Top-Level Domain (gTLD) Program promoted consumer trust, choice and increased competition in the Domain Name System (DNS) market.” The CCT RT published its Final Report in 2018 and made several policy recommendations. It should be noted that the CCT RT used an early definition of “DNS Abuse” that included website content abuse; its definition of “DNS Security Abuse” tracks more closely to the currently understood definition of “DNS Abuse.” The CCT RT Final Report is available here.
In 2017, a study commissioned by the CCT RT was published, titled Statistical Analysis of DNS Abuse in gTLDs – Final Report. This report compared abuse trends in legacy gTLDs and new gTLDs and across the entire DNS at that time.
Specification 11(3)(b) Advisory
This “Advisory, New gTLD Registry Agreement Specification 11 (3)(b)” was developed jointly between ICANN and gTLD registries in 2017. Specification 11(3)(b) is a part of the base Registry Agreement that requires gTLD registries to conduct periodic analysis for security threats and maintain data for purposes of reporting on those identified threats. The Advisory defines “Security Threats” very similarly to DNS Abuse and describes what technical analysis for registries should look like. It also describes the use of Reputation Service Providers and details the reports ICANN expects from registries under Specification 11(3)(b).
CENTR Publications
The Council of European National Top-Level Domain Registries (CENTR) is a consortium of predominantly European ccTLDs. CENTR seeks to promote and participate in the development of high standards for ccTLDs to the benefit of its members and the Internet.
CENTR has published a document titled “Domain Name Registries and Online Content” that provides a thorough explanation of a registry operator’s role in the infrastructure of the DNS. CENTR has also published a video that provides a similar explanation, as it relates to the DNS infrastructure and dealing with website content online.
ICANN’s Domain Abuse Activity Reporting Tool
ICANN maintains “DAAR,” its Domain Abuse Activity Reporting tool. As ICANN describes it, “The overarching purpose of DAAR is to develop a robust, reliable, reproducible, and replicable methodology for analyzing security threat activity that can then be later used by the ICANN community to facilitate informed policy decisions.” DAAR “identifies and tracks domain names identified as threats to the security of the domain name ecosystem, known as DNS Abuse.”
Since 2018, ICANN has published monthly DAAR reports that summarize the scope of DNS Abuse identified across gTLDs. Those reports are available here.
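Both the Specification 11(3)(b) Advisory above (periodic technical analysis of a gTLD zone using Reputation Service Providers) and DAAR rest on the same mechanical step: take the domains currently in a TLD zone, match them against reputation feeds, and count listed domains per TLD and per threat type. The example below is added here to make that step concrete; it is not ICANN’s DAAR code or any registry’s Advisory implementation, and the zone contents, feed entries and threat labels are all constructed (reserved names from RFC 2606, not real abuse data). It handles the practical wrinkles that bias such counts if ignored: feed indicators arriving as URLs, mixed case or trailing-dot hostnames; subdomain and URL hits collapsing onto one registered domain; and listings for domains that are no longer in the zone or belong to a TLD outside the analysis.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed zone contents keyed by TLD (reserved names, RFC 2606).
ZONES: Dict[str, Set[str]] = {
    "example": {"shop.example", "login-bank.example", "news.example", "cdn.example"},
    "test": {"update.test", "files.test", "blog.test"},
}

# Constructed reputation-feed entries: (indicator, threat type). Indicators arrive
# as URLs, bare hostnames or hostnames with trailing dots, as real feeds deliver them.
FEED: List[Tuple[str, str]] = [
    ("http://login-bank.example/verify/", "phishing"),
    ("LOGIN-BANK.example", "phishing"),            # same domain, listed twice
    ("https://cdn.example/payload.exe", "malware"),
    ("c2.update.test.", "botnet_c2"),             # subdomain hit, trailing dot
    ("update.test", "malware"),                   # same domain, second threat type
    ("stale.example", "phishing"),                # no longer in the zone: excluded
    ("other.invalid", "spam"),                    # TLD not under analysis: excluded
]


def registrable_domain(indicator: str) -> Optional[str]:
    """Reduce a URL or hostname to its registrable domain (label + TLD).

    Assumes registrations sit directly under a single-label TLD. Zones with
    second-level structure (e.g. registrations under co.<tld>) would need the
    Public Suffix List here instead.
    """
    host = urlsplit(indicator).hostname or "" if "://" in indicator else indicator
    labels = [lab for lab in host.lower().rstrip(".").split(".") if lab]
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def analyse(zones: Dict[str, Set[str]], feed: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Count, per TLD, the zone domains listed in the feed, broken down by threat type.

    A domain is counted once per TLD however many indicators name it, and once
    per threat type it is listed under. Listings for names not present in the
    zone are dropped, since they cannot be acted on by the registry.
    """
    buckets = {
        tld: {"listed": set(), "by_type": defaultdict(set)} for tld in zones
    }
    for indicator, threat in feed:
        dom = registrable_domain(indicator)
        if dom is None:
            continue
        tld = dom.rsplit(".", 1)[1]
        if tld not in zones or dom not in zones[tld]:
            continue  # not an analysed TLD, or the name is no longer delegated
        buckets[tld]["listed"].add(dom)
        buckets[tld]["by_type"][threat].add(dom)

    report = {}
    for tld, b in buckets.items():
        zone_size = len(zones[tld])
        listed = len(b["listed"])
        report[tld] = {
            "zone_size": zone_size,
            "listed_domains": listed,
            # Normalised rate so TLDs of different sizes can be compared.
            "listed_per_10k": round(listed * 10_000 / zone_size, 1),
            "by_type": {t: len(d) for t, d in sorted(b["by_type"].items())},
        }
    return report


if __name__ == "__main__":
    for tld, row in analyse(ZONES, FEED).items():
        print(tld, row)
```

The per-10k normalisation matters when comparing TLDs: a raw count of listed domains says little about a zone of ten million names versus one of ten thousand. The same function could be run against a real zone file and a real feed, but the registrable-domain reduction must then be replaced with Public Suffix List logic for any TLD that has registrations below the second level.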
Anti-Phishing Working Group (APWG) Phishing Activity Trends Report
The APWG publishes a quarterly update on observed phishing activity reported by its member organizations, partners, and third parties. The current quarterly phishing report and prior reports are available here.
FIRST Best Practice Library
FIRST is the Forum of Incident Response and Security Teams. FIRST maintains its Best Practice Library “to assist FIRST Team Members and public in general in configuring their systems securely by providing configuration templates and security guidelines.” The FIRST Best Practice Library is available here.
M3AAWG Best Practices
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) strives “to work against botnets, malware, spam, viruses, DoS attacks and other online exploitation.” M3AAWG maintains a series of best practices documents, available here.
Spamhaus Botnet Threat Reports
The Spamhaus Project “is an international nonprofit organization that tracks spam and related cyber threats such as phishing, malware and botnets.” Spamhaus publishes an annual Botnet Threat Report describing trends and data in observed botnet activity.
Spamhaus also publishes quarterly updates on its observed botnets.