Skip to main content

DNS Security Threat Mitigation Program

(Last updated 8 May 2023).

ICANN's Domain Name System (DNS) Security Threat Mitigation Program gives the ICANN organization (org) a collaborative platform to improve the visibility and clarity of the org's various DNS security threats-related initiatives. This platform also allows ICANN to formulate and execute a centralized strategy. This page will act as a hub for the variety of projects, initiatives, and activities ICANN undertakes to help combat DNS security threats.

How to address malicious use of domain names, broadly referred to as DNS abuse, is a topic of great interest and discussion. The ICANN community has not yet reached a consensus definition for "DNS abuse." At this time, consistent with ICANN's remit as defined by the ICANN Bylaws, the ICANN org's efforts are primarily focused on supporting the mitigation of DNS security threats.

DNS security threats include five broad categories of harmful activity:

  1. Botnets
  2. Malware
  3. Pharming
  4. Phishing
  5. Spam (when it is used to propagate other DNS security threats).

ICANN org strives to combat DNS security threats in accordance with ICANN Bylaws, and policies. An ICANN cross-functional team supports a three-pronged approach to combating DNS security threats. This include:

  1. Contributing data and expertise to fact-based discussions
  2. Providing tools to the ICANN community
  3. Enforcing contractual obligations with registries and registrars

ICANN coordinates the allocation and assignment of names in the root zone of the DNS, and coordinates the development and implementation of policies concerning the registration of second-level domain names in generic top-level domains for which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS. In performing this function,, ICANN is focused on DNS-level activities and actions. ICANN's Bylaws expressly prohibit ICANN from imposing rules and restrictions on services that use the Internet's unique identifiers or the content that such services carry or provide, except in narrow circumstances set out in the ICANN Bylaws.

  1. Contributing Data and Expertise to Fact-Based Discussions:

    The Domain Abuse Activity Reporting (DAAR) system measures domain abuse and registration activity for generic top-level domains (gTLDs) and country code top-level domains (ccTLDs) that have volunteered in the program. DAAR continuously collects registration and security threat data from numerous reputation data feeds. Using the data, ICANN analysts identify and report the use of domain names for activities such as phishing, malware distribution, botnet activity, and spam (as a delivery mechanism). For more information, as well as DAAR monthly reports, visit the Domain Abuse Activity Reporting webpage.

    Using DAAR data, ICANN published a DNS abuse trends report in 2022. The report showed that the number of domains reported to be used for DNS abuse had considerably declined from October 2017 until January 2022. In contrast to many existing industry white papers and general discussions published on DNS abuse, this report relies on four years of data. Typically, similar studies use data with a much shorter time span such as half a year.

    ICANN's Identifier Technology Health Indicators (ITHI), or ITHI Metrics, also provide a way to analyze trends in DNS security threats for the community. For more information, visit the ITHI webpage.

    Capacity development and training includes the DNS ecosystem security offerings on ICANN Learn, as well as virtual and in-person training delivered by the ICANN's Office of the Chief Technology Officer (OCTO) Technical Engagement and Global Stakeholder Engagement teams, and in collaboration with community partners.

  2. Providing Tools to the ICANN Community:

    The Domain Name Security Threat Information Collection and Reporting (DNSTICR) produces reports of abuse for registrars. The reports are based on recent domain registrations that employ specific keywords, which are translated into multiple languages (COVID-19 pandemic, war in Ukraine, or certain other current and future crises) used in phishing or malware campaigns. These reports provide evidence that leads ICANN org to infer which domains are being used maliciously. They also provide background information to help responsible registrars to determine the correct course of action. More information about DNSTICR can be found here.

    The Special Interest Forums on Technology (SIFT) is an online discussion platform that provides an ad hoc forum for the ICANN community and org. They use this forum to engage in technical discussions and review contributions by interested technical participants on emerging technologies and trends related to the Internet's identifier system. This includes domain names and the DNS, Internet Protocol (IP) addresses, autonomous system numbers, and various protocol parameter assignments. More information about SIFT can be found here.

    Resources for Registries and Registrars

    Resources for End Users

    After a reporter has submitted an abuse complaint to the registrar of record regarding abuse of a domain name in a gTLD, and after a reasonable time, if the reporter believes the registrar did not fulfill its obligations according to the Registrar Accreditation Agreement (see Section 3.18), then the reporter may file a complaint with ICANN Contractual Compliance: abuse involving a domain name. For more information on abuse complaint handling, visit the ICANN Contractual Compliance Handling Report webpage.

  3. Enforcing Contractual Obligations with Registries and Registrars:

    ICANN Contractual Compliance enforces the contractual obligations set forth in ICANN's policies and agreements, including the Registry Agreement (RA) and the Registrar Accreditation Agreement (RAA). Examples of the abuse-related provisions enforced by ICANN Compliance include Specification 6 4.1, Specification 11 3(a) and 3(b) of the RA, as well as Section 3.18 of the RAA. For example, both registrars and registries must publish on their website information about how to submit a report of abuse about a domain name and an email address to collect reports of abuse. Registrars are required to investigate and respond appropriately to reports of abuse.

    ICANN is currently engaged in contractual negotiations with the registrars and registries to strengthen the requirements related to DNS abuse. More information can be found here.

    Similarly, ICANN Contractual Compliance enforces other contractual obligations which often play a role in investigations related to DNS abuse. For example, those related to Registration Data (WHOIS) accuracy in Section 3.7.8 and the Whois Accuracy Program Specification of the RAA (ICANN Contractual Compliance often receives reports of inaccurate data associated with allegedly abusive domain names); or those related to zone file third-party access requests (often submitted by security researchers who investigate and help combat DNS abuse) in Specification 4, Section 2 of the RA.

    More information about current requirements that ICANN Contractual Compliance enforces in relation to DNS abuse can be found here.

    The Audit Program is an integral part of the ICANN Contractual Compliance function. The goal is to ensure that contracted parties, registrars and registries, comply with their agreements and the consensus policies. It is the opportunity and means by which ICANN org enhances community transparency through fact-based and measurable reporting while proactively addressing any potential deficiencies. For more information, visit the Contractual Compliance Audit Program webpage.

Latest Publications:

If you have questions about ICANN's program, please direct them to


DNS Security Threat Mitigation Program (April 2023)

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."