The Current State of DNS Abuse Reporting
By Graeme Bunton, Director of the DNS Abuse Institute
INTRODUCTION
The DNS Abuse Institute (DNSAI) is currently developing a Centralized Abuse Reporting Tool (CART). This tool is intended to provide a single platform to report DNS Abuse by outlining the evidence requirements for each abuse type, properly formatting and enriching the request details provided, and then forwarding it to the appropriate registry or registrar. The goal is to standardize reliable processes to improve both the act of reporting abuse and the abuse reports that registrars and registries receive.
As part of it’s requirements gathering, the DNSAI researched the reporting processes of the largest registries and registrars in order to better understand how they accept reports of abuse. Publicly available information from registry and registrar websites was collected to obtain data on their abuse reporting implementations and processes. In an attempt to mimic the experience of an abuse reporter without prior knowledge of the registry or registrar, the search for information always started on each registrar or registry homepage, followed by more extensive site navigation when required, or a separate google search if insufficient information was found on the website.
Note that the data only reflects the information found at the time of searching and not necessarily what may currently exist. Factors such as language and large or complex websites may have effectively hidden some of the information sought, but in this case it could also be reasonably assumed that abuse reporters would be similarly impacted.
It should also be noted that this work was not intended as an audit, and was not conducted with an eye towards any applicable ICANN contractual obligations. Further, a substantial amount of the information we were looking for goes above and beyond what ICANN accredited registrars and registries are required to do. The data includes results from ccTLDs that are entirely outside of the ICANN contractual regime.
FINDINGS
Research was conducted on the top 50 registrars by the number of registered domains, comprising over a quarter of all registered domains, and a significant majority of gTLD domains.
Research was also conducted on the 32 registries that operate the 15 largest TLDs by names under management as well as the 30 largest gTLDs by names under management. This represents a majority of all domains.
Remember, these results were gathered by beginning to search through the relevant registrar or registry sites and expanding from there, so it is possible that additional resources exist but were not found after reasonable diligence. That said, if we were unable to locate the resource after reasonable diligence, it is likely an abuse reporter would have the same experience.
The data collected from registrar and registry websites indicated the following:
| Information available on abuse reporting | % of Registrars | % of Registries |
| Dedicated abuse reporting page | 78% | 47% |
| Link to abuse reporting page from their homepage | 46% | 34% |
| Required search beyond the homepage or a separate google search to find the abuse reporting page | 32% | 12% |
| No abuse reporting page located | 22% | 53% |
| Abuse contact email | 74% | 56% |
| Abuse email contact was not listed on the abuse reporting page, but found via the contacts page, site search, or google search | 20% | 19% |
| Webform for abuse reports | 54% | 25% |
| Only webform is available (no email, etc) | 14% | 6% |
| Webform has a single set of response fields for all abuse types | 22% | 19% |
| Abuse contact mailing address | 4% | 22% |
| Abuse contact telephone number | 16% | 12% |
| No abuse contact | 10% | 34% |
| Specification of abuse types | 64% | 25% |
| Evidence requirements for each abuse type stipulated | 40% | 9% |
| Separate processes for law enforcement and the use of court orders/subpoenas | 22% | 3% |
OBSERVATIONS
A significant majority of the registrars, but only around half of the registries, provide an abuse reporting page and abuse email contact, which is likely due to the fact that registrars are normally the first point of contact when reporting DNS Abuse. The data suggests that new gTLD registries have the most, and most accessible information on DNS abuse reporting, in comparison to legacy and ccTLDs.
Where there was a homepage link to the abuse reporting page, it was almost always found in the footer. The abuse contact details (email or other) were often absent from the registry or registrar ‘Contacts’ page. Likewise, the abuse reporting process, including expected timelines, was mostly not specified.
Notably more registrars than registries identified the abuse types that could be reported, but they almost all included abuse types go beyond the ICANN Contracted Party House’s agreed definition of DNS Abuse, such as inappropriate content and IP infringement. Some registrars also provided an ‘other’ option. Evidence requirements were less likely to be given by the smaller top 50 registrars and seldom provided by registries in general.
Separate processes for law enforcement and court orders/subpoenas were largely not published by registrars or registries, though it is impossible to know how many have direct relationships with law enforcement agencies in their jurisdiction with which such information is shared.
Overall, there appears to be an inconsistent handling of abuse reporting, by both registrars and registries. A majority of registrars are providing more than just the basics of a contact, but useful information on how reports should be properly submitted and transparency around what to expect next is often missing. It is also a concern that a notable minority of registries, and a lesser, but still significant, minority of registrars, appeared to have no abuse contact at all.
Conclusions
Given the variety in business models, size, jurisdictional requirements, and approaches to abuse mitigation, it’s not at all surprising that we see a diversity in approaches to abuse reporting. Nor is it surprising that this ecosystem makes it difficult to report abuse in a meaningful way.
What’s not obvious is that building systems to accept useful reports is difficult. There are trade-offs between making a reporting mechanism easy to use, like simply providing an email address, and ensuring that a report is actionable by implementing mandatory evidentiary requirements. Perfecting this balance is not a core competency for most organizations, including registrars and registries.
A mechanism to report abuse that is both usable to a layperson, and useful to a registrar is the fundamental premise of the CART. We’re deeply focused on ensuring the user experience for abuse reporters is simple and captures useful, relevant information. We’re also ensuring that all reports that pass through the CART are sent to the relevant party, with helpful information that enables meaningful decisions on abuse.
The problems with reporting abuse are evident in the numbers above, and our work to resolve them is well underway.
[1] https://domainnamestat.com/statistics/registrar/others
[2] https://www.statista.com/statistics/265677/number-of-internet-top-level-domains-worldwide/
[4] https://rrsg.org/wp-content/uploads/2020/10/CPH-Definition-of-DNS-Abuse.pdf
You may also like
Best Practice: Making Phishing Reports Useful
