DNS Security Threat Mitigation Program
(Last updated 8 May 2023).
ICANN's Domain Name System (DNS) Security Threat Mitigation Program gives the ICANN organization (org) a collaborative platform to improve the visibility and clarity of the org's various DNS security threats-related initiatives. This platform also allows ICANN to formulate and execute a centralized strategy. This page will act as a hub for the variety of projects, initiatives, and activities ICANN undertakes to help combat DNS security threats.
How to address malicious use of domain names, broadly referred to as DNS abuse, is a topic of great interest and discussion. The ICANN community has not yet reached a consensus definition for "DNS abuse." At this time, consistent with ICANN's remit as defined by the ICANN Bylaws, the ICANN org's efforts are primarily focused on supporting the mitigation of DNS security threats.
DNS security threats include five broad categories of harmful activity:
ICANN org strives to combat DNS security threats in accordance with ICANN Bylaws and policies. An ICANN cross-functional team supports a three-pronged approach to combating DNS security threats. These include:
- Contributing data and expertise to fact-based discussions
- Providing tools to the ICANN community
- Enforcing contractual obligations with registries and registrars
ICANN coordinates the allocation and assignment of names in the root zone of the DNS, and coordinates the development and implementation of policies concerning the registration of second-level domain names in generic top-level domains for which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS. In performing this function, ICANN is focused on DNS-level activities and actions. ICANN's Bylaws expressly prohibit ICANN from imposing rules and restrictions on services that use the Internet's unique identifiers or the content that such services carry or provide, except in narrow circumstances set out in the ICANN Bylaws.
Contributing Data and Expertise to Fact-Based Discussions:
The Domain Abuse Activity Reporting (DAAR) system measures domain abuse and registration activity for generic top-level domains (gTLDs) and country code top-level domains (ccTLDs) that have volunteered in the program. DAAR continuously collects registration and security threat data from numerous reputation data feeds. Using the data, ICANN analysts identify and report the use of domain names for activities such as phishing, malware distribution, botnet activity, and spam (as a delivery mechanism). For more information, as well as DAAR monthly reports, visit the Domain Abuse Activity Reporting webpage.
Using DAAR data, ICANN published a DNS abuse trends report in 2022. The report showed that the number of domains reported to be used for DNS abuse had considerably declined from October 2017 until January 2022. In contrast to many existing industry white papers and general discussions published on DNS abuse, this report relies on four years of data. Typically, similar studies use data with a much shorter time span such as half a year.
ICANN's Identifier Technology Health Indicators (ITHI), or ITHI Metrics, also provide a way to analyze trends in DNS security threats for the community. For more information, visit the ITHI webpage.
Capacity development and training includes the DNS ecosystem security offerings on ICANN Learn, as well as virtual and in-person training delivered by ICANN's Office of the Chief Technology Officer (OCTO) Technical Engagement and Global Stakeholder Engagement teams, and in collaboration with community partners.
Providing Tools to the ICANN Community:
The Domain Name Security Threat Information Collection and Reporting (DNSTICR) project produces reports of abuse for registrars. The reports are based on recent domain registrations that employ specific keywords, translated into multiple languages (related to the COVID-19 pandemic, the war in Ukraine, or certain other current and future crises), that are used in phishing or malware campaigns. These reports provide evidence that leads ICANN org to infer which domains are being used maliciously. They also provide background information to help responsible registrars determine the correct course of action. More information about DNSTICR can be found here.
The Special Interest Forums on Technology (SIFT) is an online discussion platform that provides an ad hoc forum for the ICANN community and org. They use this forum to engage in technical discussions and review contributions by interested technical participants on emerging technologies and trends related to the Internet's identifier system. This includes domain names and the DNS, Internet Protocol (IP) addresses, autonomous system numbers, and various protocol parameter assignments. More information about SIFT can be found here.
Resources for Registries and Registrars
- Framework for Registry Operators to Respond to Security Threats
- Advisory re: Technical Analysis and Statistical Reporting of Security Threats (Specification 11 3b of the Base gTLD Registry Agreement)
- Security Response Waiver (SRW) for Registrars
- Security Response Waiver (SRW) for Registry Operators (formerly Expedited Registry Security Request)
- ICANN Monitoring System API (MoSAPI) user guide – In addition to service level agreement (SLA) performance information, registries can access daily feeds from ICANN's DAAR system via the MoSAPI.
Resources for End Users
- Contracted Party House Publication: Guide to Abuse Reporting Practices
- Contracted Party House Publication: Minimum Required Information for WHOIS Data Requests
After a reporter has submitted an abuse complaint to the registrar of record regarding abuse of a domain name in a gTLD, and after a reasonable time, if the reporter believes the registrar did not fulfill its obligations according to the Registrar Accreditation Agreement (see Section 3.18), then the reporter may file a complaint with ICANN Contractual Compliance: abuse involving a domain name. For more information on abuse complaint handling, visit the ICANN Contractual Compliance Handling Report webpage.
Enforcing Contractual Obligations with Registries and Registrars:
ICANN Contractual Compliance enforces the contractual obligations set forth in ICANN's policies and agreements, including the Registry Agreement (RA) and the Registrar Accreditation Agreement (RAA). Examples of the abuse-related provisions enforced by ICANN Compliance include Specification 6 4.1, Specification 11 3(a) and 3(b) of the RA, as well as Section 3.18 of the RAA. For example, both registrars and registries must publish on their website information about how to submit a report of abuse about a domain name and an email address to collect reports of abuse. Registrars are required to investigate and respond appropriately to reports of abuse.
ICANN is currently engaged in contractual negotiations with the registrars and registries to strengthen the requirements related to DNS abuse. More information can be found here.
Similarly, ICANN Contractual Compliance enforces other contractual obligations that often play a role in investigations related to DNS abuse. Examples include those related to Registration Data (WHOIS) accuracy in Section 3.7.8 and the Whois Accuracy Program Specification of the RAA (ICANN Contractual Compliance often receives reports of inaccurate data associated with allegedly abusive domain names), and those related to zone file third-party access requests (often submitted by security researchers who investigate and help combat DNS abuse) in Specification 4, Section 2 of the RA.
More information about current requirements that ICANN Contractual Compliance enforces in relation to DNS abuse can be found here.
The Audit Program is an integral part of the ICANN Contractual Compliance function. The goal is to ensure that contracted parties, registrars and registries, comply with their agreements and the consensus policies. It is the opportunity and means by which ICANN org enhances community transparency through fact-based and measurable reporting while proactively addressing any potential deficiencies. For more information, visit the Contractual Compliance Audit Program webpage.
- Blog: New ICANN Project Explores the Drivers of Malicious Domain Name Registrations (April 2023)
- Blog: ICANN and Contracted Parties Negotiate About Improved DNS Abuse Requirements (18 January 2023)
- Guest blog (APNIC): DNS abuse trends (14 June 2022)
- Blog: Keep Up to Date With ICANN's DNS Security Threat Mitigation Program (9 June 2022)
- Blog: ICANN Publishes DNS Abuse Trends (22 March 2022)
- Announcement: The Recording is Now Available for the ICANN Informational Session on DNS Abuse (8 November 2021)
- Announcement: Informational Session on DNS Abuse: Panel Discussion with the ICANN Board (18 October 2021)
- Blog: Update on ICANN's DNS Security Threat Mitigation Program (19 July 2021)
- Announcement: Webinar: ICANN DNS Security Threat Mitigation Program Update and Community Discussion (1 July 2021)
- Announcement: Adding Linguistic Diversity to the Domain Name Security Threat Information Collection and Reporting Project (14 June 2021)
- Blog: ICANN Org's Multifaceted Response to DNS Abuse (20 April 2020)
If you have questions about ICANN's program, please direct them to DNSsecuritythreats@icann.org.
DNS Security Threat Mitigation Program (April 2023)