By Graeme Bunton, Director of the DNS Abuse Institute

I recently had a registrar approach me with a genuine interest in doing more to address DNS Abuse, but was unsure of where they should start. DNS Abuse is a complex problem, and there’s no clear entry point to begin addressing it. This registrar is not alone; there are numerous registries and registrars that are increasingly concerned about abuse and need help getting started.

This post is the first in a three-part series that will attempt to provide reasonable, bite size introductions to the key components of developing anti-abuse practices. This first post is dedicated to providing a reasonable legal basis, or basic DNS Abuse Policy, for addressing abuse. The next two will address the useful tools for managing DNS abuse and the procedures for actual mitigation.

This policy was developed in concert with the Internet and Jurisdiction Policy Network (I&J), and we’re grateful for their contributions and support. I&J has some tremendous content in this space including their Toolkit: DNS Level Action to Address Abuses, which I’d encourage anyone interested in abuse mitigation to take a look at.  The DNS Abuse Institute is also an active participant in the I&J Domains Contact Group. 

DNS Abuse-Specific Policies

Most registrars have some form of ‘Terms of Service’ or ‘Acceptable Use Policy’  published on their websites. These typically give registrars the discretion to terminate service for a broad set of reasons.

Posting and adopting a specific abuse policy provides a couple of advantages, primarily around clarity and protection. A clear abuse policy, and a reputation for enforcing it, is a disincentive  to bad actors to use a service.  A registrar or registry also has a much stronger degree of legal protection when it acts on abuse if such abuse is covered in its respective policy. 

Before we walk through how the generic policy is intended to function, I’ll offer a few notes on how it was created. First, we’re creating this generic policy specifically so any registrar or registry can feel free to use/modify/implement it as they see fit. That’s why the policy is creative commons licensed, specifically the CC By 4.0 license which allows anyone to share and adapt the material so long as it’s done with attribution to the DNSAI. Second, we’re in the process of converting it to Markdown and placing it in Github.  This should hopefully enable those interested to modify, fork, and interact with the policy.  The goal is to enable a modular approach so that different harms may be included or excluded to meet each user’s needs.

Our intention is to use these mechanisms for sharing and adapting content with similar DNSAI work in the future.

Intro

The first paragraph is a straightforward introduction. While this policy is focused on DNS Abuse, many registrars and registries will address other harms, and there is a placeholder for where a registry or registrar may wish to detail other categories of harms if they so choose.

This Anti-Abuse Policy (“Policy”)  is established for all domain name registrations for which [NAME] serves as the [Registrar/Registry Operator].  This Policy focuses on technical abuses of the Domain Name System (DNS) (“DNS Abuse”). [Registrar/Registry may choose to detail categories of Website Content questions it addresses, such as Child Sexual Abuse Materials]

Definitions

The second section is a list of harms and their definitions that a registry or registrar will act upon.

DNS Abuse causes security and stability issues for domain name Registrars, Registry Operators, Registrants and users of the Internet as a whole. This Policy prohibits the following technical abuses[1] in [Registrar/Registry Operator’s] domain name registrations:

• Malware is malicious software, installed on a device without the user’s consent, which disrupts the device’s operations, gathers sensitive information, and/or gains access to private computer systems. Malware includes viruses, spyware, ransomware, and other unwanted software. 

• Botnets are collections of Internet-connected computers that have been infected with malware and commanded to perform activities under the control of a remote administrator. 

• Phishing occurs when an attacker tricks a victim into revealing sensitive personal, corporate, or financial information (e.g., account numbers, login IDs, passwords), whether through fraudulent or ‘look-alike’ emails, or luring end users to copycat websites. Some phishing campaigns aim to persuade the user to install software, which is in fact malware. 

• Other technical abuses of the DNS that may reasonably be perceived to impact the stability or security of the DNS or the [Registrar/Registry Operator’s] domain name registrations (e.g., pharming, fast flux hosting, and illegal access to other computers or networks). 

• Spam is unsolicited bulk email, where the recipient has not granted permission for the message to be sent, and where the message was sent as part of a larger collection of messages, all having substantively identical content. Spam is not unto itself DNS Abuse, but is included as a category under this Policy for the instances when Spam serves as a delivery mechanism for the other forms of DNS Abuse. 

Actions and Reasons

The last section outlines the actions a registry or register may take, as well as the reasons behind them.

Actions under this Policy

[Registrar/Registry Operator] reserves the right to take appropriate action for any domain it determines violates this Policy, including the right to deny, cancel, or transfer any registration or transaction, or place any domain name on [Registrar/Registry Operator] lock, hold, or similar status, that it deems necessary in its discretion:

1. That violates the terms of this Anti-Abuse Policy;

2. To protect the integrity and stability of [Registrar/Registry Operator’s] domain name registrations; 

3. To comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; or

4. To avoid any liability, civil or criminal, on the part of [Registrar/Registry Operator], its affiliates, subsidiaries, officers, directors, and employees.

And that’s it. Simple, and easy to adapt. You can download it as a PDF here, or make a copy of the google doc here.

[1] The definitions for Malware, Botnets, Phishing, and Spam are from the Framework to Address Abuse, which relies on the definitions provided by the Internet and Jurisdiction Policy Network’s Operational Approaches, Norms, Criteria, Mechanisms.