In September 2023, ICANN hosted the DNS Symposium in Da Nang, Vietnam. This included a ‘Day of DNS Abuse Discussions’ with a comprehensive agenda.
This article provides a high level overview for what tackling DNS Abuse looks like from the perspective of a registrar or registry operator. The purpose is to provide guidance for what an operator needs to consider when shaping its approach to preventing and responding to DNS Abuse which is defined as being composed of five broad categories of harmful activity insofar as they intersect with the DNS: malware, botnets, phishing, pharming, and spam (when it serves as a delivery mechanism for the other forms of DNS Abuse).
In writing this document we have drawn on the discussion in Da Nang which focused on the new RAA and RA Amendments. This guidance was created with the anticipation that the contract amendments would be passed by both registries and registrars. The NetBeacon Institute supports these amendments—which have now been passed by a vote of contracted parties—as an historic and crucial step forward for the multi-stakeholder model, the industry, and the fight against DNS Abuse. We congratulate the ICANN organization, the Contracted Parties, and the ICANN Community for this significant accomplishment.
In addition to the Institute speakers, we are grateful for the contributions of our panelists which have been incorporated into this document: James Bladel, Vice President, Government & Industry Affairs GoDaddy; Reg Levy, Head of Compliance Tucows; and Su Wu, COO, iQ.
Developing Responsible Anti DNS Abuse Approaches
Creating an approach to tackling DNS Abuse is not straightforward or easy. This guidance is designed to assist registries and registrars to review their existing approach. This guidance is organized into six sections, moving from the most foundational and general to the most tactical and operational:
- Regulatory landscape, Policy, Terms of Service
- Process and Procedure
- Tools
- Training
- Reporting
- Review
Depending on the maturity of the operator and the resources available, there are a wide range of options within each of the categories.
1. Regulatory landscape, Policy, Terms of Service
It’s essential to understand the legal and regulatory environment in which your organization operates. This will vary depending on the applicable jurisdiction and where you offer services. For example, certain jurisdictions have prescriptive legislation setting out how a registry or registrar should manage abuse while others are completely silent. Consider national, regional, and local laws, but also understand the ICANN policy environment and your obligations. For example, under the contractual amendments to gTLD policies recently passed, registrars and registries will have new obligations around mitigation of DNS Abuse.
Secondly, have a formal publicly available abuse policy or terms of service prohibiting DNS Abuse. Sometimes DNS Abuse related provisions are incorporated into an Acceptable Use Policy (AUP) which typically sets out a range of acceptable and unacceptable behavior, such as provisions against unlawful activity or limits on system usage. Sometimes DNS Abuse provisions are written into a terms of service, which typically includes a wider range of information (such as liability and licensing conditions) and are signed at the beginning of service. Often a terms of service will incorporate a requirement to comply with various policies and subsequent versions as updated from time to time, which can provide more flexibility for the future. Any of these approaches are acceptable, the important thing is to ensure you have clearly visible information and understand the process for making updates.
Adopting a specific abuse policy provides advantages, primarily around clarity and protection. A clear abuse policy, and a reputation for enforcing it, is a disincentive to bad actors to use a service. A clear policy will also explain to the outside world what your stance on DNS Abuse is, and what type of actions you will take in which circumstances. The Institute has created a free template generic policy available in English and Chinese. This policy was developed with the Internet and Jurisdiction Policy Network (I&JPN).
Typically, you’ll want to create your policy and legal base with some element of discretion for unforeseen events. You can do this by having language related to exceptional circumstances. By definition, this should be used infrequently. If you find you’re using these exceptions regularly, you should review your policy to make sure it’s fit for purpose, and review the circumstances in which you utilize this exception.
2. Process & Procedure
Once you have assessed your operating environment and put the relevant legal and policy documents in place, you’ll need a process to implement these. While your process sets out steps to be taken, a procedure is usually a more detailed set of instructions for completing each step.
At a minimum, a functioning Anti-Abuse Approach will need processes in place to accept and manage reports of suspected DNS Abuse from external parties. Some questions to keep in mind when writing your policies and procedures:
- Who is responsible for which task?
- To which timeline will you adhere for each task?
- How will you staff the abuse desk? Will it be 24 hours, 7 days a week? 5×24? 7×12? Other?
- What language(s) will be supported?
- How will you prioritize reports (type of harm, date received, other)?
- Who will difficult reports be escalated to?
- What do reporters need to provide?
- How will messaging with abuse reporters be handled?
Management of reports should also include a way to look back through historic reports to communicate the number of incidents, the outcomes and any internal issues encountered, or answer questions on what was decided and why.
If you’d like to take your approach to the next level, you can also consider how you will publicly report on abuse or proactively search for abuse. Proactively finding abuse can help prevent harm. Reporting publicly promotes your reputation and helps third parties understand how much mitigation occurs.
Your processes and procedures should work alongside a compliance strategy. A compliance strategy should include an assessment of your strengths and capabilities and identify vulnerabilities or inefficiencies. Once you’ve set up your initial approach, you should attempt to grow and expand your detection and mitigation and understand what is normal/abnormal behavior for your customers.
3. Tools
There are plenty of tools available to help you implement your processes and procedures. These range from utilizing existing internal systems, using free or open source options, to paid external commercial tools, or a combination of all three. Which path is right for you will depend on your volume of reports, the internal resources and funds available to you, your specific business model, and whether you’d like to meet the minimum expectations or be an exemplar who goes above and beyond.
For example, you could utilize internal systems by accepting reports via email, investigating them with internal information (DNS records, registrant information), managing them in an organized inbox or even something as simple as a tracking spreadsheet. You may also use a ticketing or CRM system. It’s important to note that this approach is typically only suitable to providers receiving a handful of abuse complaints per week as it does not scale to higher volumes, and can be prone to human error. Operators with more reports are likely to benefit from incorporating automation and standardization as appropriate.
Some free tools to consider exploring:
- NetBeacon Reporter: The Institute created NetBeacon Reporter in 2022 as a free centralized abuse reporting tool for abuse reporters, as well as registries and registrars. You can embed the NetBeacon Reporter form into your website to accept abuse reports. NetBeacon Reporter will provide reports to you or redirect reports that are not for your domains under management.
- Free services like Virus Total, Google Safebrowsing,or URLScan could add value to your investigation.
- Reputation Block Lists may also give you an indication of where abuse might be located (e.g., APWG, Phistank, URLHaus). Keep in mind that these feeds can require significant manual manipulation as they’re more typically designed for the purposes of network blocking, not DNS Abuse mitigation at the registrar or registry level. For a deep dive into threat feed analysis, see the Realtime/Eco webinar.
There are also paid commercial services that offer various levels of DNS Abuse management and support, including finding, managing, documenting, and reporting on DNS Abuse efforts. These include CleanDNS, iQ, and Mambo.plus.
4. Training
Regardless of how you choose to implement your policy, you’ll need to conduct training with a good amount of practice to ensure your staff understand how to carry out your processes and procedures consistently.
One of the most crucial elements will be doing hands-on practice and real life examples. While your staff are learning, you can train them to look for some standard recurring patterns of DNS Abuse. Work through your procedures in a training scenario to help staff navigate decision making. From there, it’s important to “practice, practice, practice” and set clear escalation pathways for unusual cases.
Industry connections can come in handy to learn from each other. In the gTLD space, the registries and registrars each have a DNS Abuse Working Group that shares tips and develops published practices. In the ccTLD world, the ccNSO maintains the DNS Abuse Standing Committee that also shares resources. If you feel stuck with an issue, you can always reach out to the Institute and we’ll be happy to either help you directly, or put you in touch with someone who can. Industry organizations like the APWG and M3AAWG provide forums for all stakeholders in the anti-abuse ecosystem to come together, build relationships, and learn from each other.
One important aspect to remember is staff wellbeing. Staff can be looking at challenging content on a daily basis and it’s essential to support this. Some operators even conduct an “Abuse Agent for a Day” activity with senior managers, so they can understand what teams are experiencing.
Do keep in mind that for content-specific abuse, it’s often better to partner with an external expert organization where possible. For example, the Internet Watch Foundation (IWF) specializes in assessing Child Sexual Abuse Material (CSAM) and has specific staff welfare practices in place to manage the mental and emotional challenges associated with this role, such as mandatory counseling services. While you may be building a team for DNS Abuse, you need to be aware of the other types of harm online, and have parallel/complementary processes for how they will be managed.
Finally, it is ok to occasionally need to reverse a mitigation action. With strong processes, escalation pathways, and processes for reversing decisions, staff should feel empowered to make decisions within the scope of their roles and understand where to go for help.
5. Reporting
Understanding what is happening over time will enable you to make improvements to your approach and identify if your service is being newly targeted. You’ll need to be able to look back on what was decided and why to answer any questions you receive. Beyond individual cases, it’s useful to be able to track trends over time for internal decision making.
Beyond internal use, reporting externally can be hugely beneficial to help the public and other stakeholders understand DNS Abuse and mitigation of harm. This can help build transparency and move conversations forwards with real data.
If you don’t have the capacity to report on your own internally collected data, you can explore an external benchmarking option with NetBeacon MAP: Individual Dashboards. Our NetBeacon MAP: Dashboards allow registries and registrars to understand the prevalence and persistence of phishing and malware in their zones over time, and compare this to a peer group. We offer NetBeacon MAP: Monthly Analysis reports and access to Dashboards as free services for the industry. Please reach out to us if you’d like to access your NetBeacon MAP: Dashboards.
If you’re interested in public reporting, you may like to look at some examples of the types of public reporting currently produced: .esu, .org, .uk, .nl, and Identity Digital.
6. Review
Your policy, processes, and procedures should not be static; they should be reviewed on a regular basis to ensure they’re still fit for purpose. It’s helpful to utilize version numbers and dates on all documents, and implement a tracker and regular review schedule (e.g., 6 months, annual).
Sometimes a “trigger event” will cause you to review your anti-abuse approach. For example, changes to your operating environment, a particularly challenging case, a new regulatory landscape, or new information on how your peers are approaching anti-abuse are all reasons to look at your existing cycles for possible changes and improvements.
More information
For a deeper dive into this topic, you can watch the zoom recording of how to build an anti- abuse center inside your registry or registrars at the DNS Symposium.
Su Wu, iQ has written a blog post on her presentation.
Check out our Generic Abuse Policy for Registrars and Registries and sign up to our newsletter at the bottom of the page to receive future articles.