DNS abuse: Where are we and where do we want to be?

1 Dec 2022 15:00h - 15:30h

Session page

Event report

The critical infrastructure that facilitates the Domain Name System (DNS) is still resilient, but under bigger and bigger attacks.

Knowing that the main function of DNS is in the core mission of the Internet Corporation for Assigned Names and Numbers (ICANN), ICANN does have a lot of influence, and currently lacks a way to act against domain registrars and registries that intentionally harbour those who abuse the DNS.

There are different metrics when looking at the abuse of the DNS space, but according to many of them, the level of DNS abuse has been continuously rising since 2018. It is the same this year, during which ICANN’s Anti-Phishing Working Group (APWG) observed 1.1 million large phishing attacks (a record number). 

According to industry research, there are around 1,200 registrars that are currently hosting malware domain names, and overall cybercrime is increasing. A framework around stronger accountability of contractual parties that are landing such domain names needs to be implemented. 

Practices from the Global South show that resellers of such services (landing of the DNS) do not want to give up too much information to their competitors, and use their personal names for registering domains. That alone creates a lot of identity problems in persecuting bad actors, but an additional barrier is the WHOIS privacy policy, directly caused by the EU’s General Data Protection Regulation (GDPR). ICANN responded to the GDPR provisions with reductions of personal data that WHOIS carries, and therefore reduced the safeguarding mechanisms for fast responses. 

The difficulty of investigating WHOIS, due to reductions, is significantly bigger today. In some ways, this has also led to the market for ‘Dark WHOIS’ records. A part of the industry is arguing that this might be the case in which excessive privacy enabled shady actors to create an advantage.

Prices have been driven down and top-level domains (TLDs) can be rented for less than a dollar, and the obfuscation of WHOIS data led to instances where there is almost no accountability for malicious actors. The registries are ‘just selling’ domains, and hosting companies (on another continent) direct users to get a court order so they can tell who is behind the domain. Small users are on an uneven field as extensive resources are needed.

Various evidence shows that DNS abuse is found more with low-cost TLDs, and this needs to be addressed. The industry is also conducting consultations regarding the change of contracts that are signed between central parties and end users.

By Arvin Kamberi


The session in keywords

WS505 WORDCLOUD DNS abuse Where are we and where do we want to be IGF2022