New DNS Abuse Institute Tackles Malicious Activity

The Public Interest Registry launched the DNS Abuse Institute to coordinate efforts by domain registrars and internet registries to stomp out abuses of the domain name system.

The Institute "will bring together leaders in the anti-abuse space to fund research, publish recommended practices, share data, and provide tools to identify and report DNS Abuse," PIR said in the announcement. Examples of such tools would be collaborative blocklists or improved reporting mechanisms.

DNS Abuse

The Internet Corporation for Assigned Names and Numbers (ICANN) describes DNS Abuse as malicious activity that “routinely threatens and affects domain name registrants and end-users by leveraging vulnerabilities and features of all aspects of the Internet and DNS ecosystems (protocols, computer systems, domain registration processes, users, etc). When at scale, some of these nefarious activities may threaten the security, stability and resiliency of the DNS infrastructures.”

The Institute’s focus is on malicious activity—such as malware, botnets, phishing, pharming, and spam—and how it intersects with DNS. Phishing would be considered DNS Abuse in those cases where the attackers modified DNS entries to direct users to their sites. Pharming refers to how users can be redirected to fraudulent sites or services, typically through DNS hijacking or poisoning. Spam is typically not considered DNS Abuse on its own, but it is included on the list for cases where it is used as a delivery mechanism for the other attacks.

The pandemic has led to an increase in DNS Abuse. Scammers wrapped their malicious activities around COVID-19 related topics, such as rogue pharmacy scams to push unproven COVID-19 treatments and fake vaccines. Google reported 18 million daily malware and phishing emails related to COVID-19 during one week in April. The World Intellectual Property Organization reported handling nearly 48,000 cases of typosquatting between March and June.

“The abuse of the Domain Name System threatens to undermine trust in the Internet,” wrote PIR vice-president and general counsel Brian Cimbolic and DNS Abuse Institute director Graeme Bunton.

A Call for Collaboration

The ways DNS can be abused are pretty well known, but fixing the problem has been a slow process. Many registries—organizations managing top-level domain names such—and registrars—organizations selling domain names—have attempted to solve it, but this isn’t really a problem that can be dealt with individually. The DNS Abuse Institute is intended to act as a centralized resource for coordinating efforts between registries and registrars. The Institute will also encourage collaboration between technical and academic groups working on DNS abuse issues to develop new methods and innovations that would otherwise be impossible for a single entity to design on its own.

“No single organization has all the answers. From the outset, we intend to work closely with other organizations in the anti-abuse space, including technical organizations, and thought leading organizations, like the Internet and Jurisdiction Policy Network,” Cimbolic and Bunton wrote. Bunton is the former head of policy at telecommunications company Tucows.

The Institute will focus on three foundational areas: innovation, collaboration, and education. The Institute will encourage innovation by working with registries and registrars to define recommended practices, provide funding to conduct innovative research on security and DNS abuse, and develop practical solutions. The Institute’s education efforts include maintaining a resource library of existing information and practices regarding DNS Abuse identification and mitigation, promulgating abuse reporting standards (e.g., what is needed for a "good" notification on abuse), and publishing academic papers and case studies on DNS Abuse. And finally, the Institute will serve as a networking forum and a central sharing point for technical and academic organizations, registries, registrars, and security researchers interested in collaborating on ways to fight DNS abuse.

The Global Cyber Alliance already works on providing businesses and governments tools to slow and stop DNS abuse. The new institute is “highly complementary to our efforts,” said Leslie Daigle, the global technology officer of the Global Cyber Alliance.

Abuse Framework

PIR helped spearhead the Framework to Address Abuse last fall with eleven signatories, outlining recommended practices for registries and registrars dealing with DNS Abuse. A little over a year later, there are now 48 registrars and registries that have joined and pledged to follow the principles. PIR, which manages the .org top-level domain, has implemented the Framework with measures such as making daily comparisons of newly created .org domains against various DNS Abuse Reputation Block Lists and performing regular “sweeps” of the entire .ORG zone for examples of DNS Abuse. The process has resulted in successfully removing more than 1,900 images related to child abuse from .org since March 2018, PIR said last year.

“We know that PIR cannot eradicate DNS Abuse single-handedly, but efforts such as this new Institute can make a significant impact across the DNS,” Cimbolic and Bunton wrote.

The Institute has created a free and confidential support line (supportline@dnsabuseinstitute.org) to help registries and registrars with questions relating to abuse issues and is currently forming an advisory council of interested stakeholders from across the DNS community. As part of its focus on bringing relevant stakeholders together, the Institute will hold its first forum, State of DNS Abuse: Trends from the last three years and current landscape, on March 16.

“DNS Abuse continues to be a significant challenge, so addressing this issue is more important now than ever,” Bunton said.