DNS Security Threat Mitigation Program
How to address malicious use of domain names, broadly referred to as Domain Name System (DNS) abuse, is a topic of great interest and discussion. The ICANN community has not yet reached a consensus definition for "DNS Abuse". At this time, consistent with ICANN's remit as defined by the ICANN Bylaws, the ICANN organization's efforts are primarily focused on supporting the mitigation of DNS security threats.
DNS security threats include five broad categories of harmful activity:
- Spam (as it is used to propagate other DNS security threats).
ICANN org's DNS Security Threat Mitigation Program (Program) strives to make the Internet a safer place for end users by reducing the prevalence of DNS security threats across the Internet.
The ICANN organization-wide program is built upon these three pillars:
- Be recognized as a trusted source of information: Provide research, data and expertise to help the community have fact-based discussions about the topic.
- Provide Tools to the Community: Help support mitigation of DNS security threats.
- Enforce Contractual Provisions: Enforce Registry Agreement, Registrar Accreditation Agreement and ICANN Consensus Policies through audits and pursuit of complaints.
This Program enables ICANN org a collaborative platform which provides visibility and clarity over the org's various DNS security threats related initiatives and projects, and allows for the formation and execution of a centralized strategy. This page will act as a hub for the variety of projects, initiatives and activities ICANN undertakes related to the mitigation of DNS security threats.
News and Events
- Blog: Update on ICANN's DNS Security Threat Mitigation Program (19 July 2021)
- Announcement: Webinar: ICANN DNS Security Threat Mitigation Program Update and Community Discussion (1 July 2021)
- Announcement: Adding Linguistic Diversity to the Domain Name Security Threat Information Collection and Reporting Project (14 June 2021)
- Blog: ICANN Org's Multifaceted Response to DNS Abuse (20 April 2020)
Meetings and Sessions
22 July 2021
DNS Security Threat Mitigation Program Update and Community Discussion
Domain Abuse Activity Reporting
ICANN's Domain Abuse Activity Reporting (DAAR) system monitors domain abuse and registration activity across top-level domains (TLDs). DAAR continuously collects registration and security threat data from numerous reputation data feeds. Using the data, ICANN analysts identify and report the use of domain names for activities such as phishing, malware distribution, botnet activity, and spam as a delivery mechanism. The DAAR data can be used to monitor DNS security threat levels and concentrations across participating TLDs. For more information, as well as DAAR monthly reports, visit the Domain Abuse Activity Reporting webpage. ICANN's Identifier Technology Health Indicators (ITHI), or ITHI Metrics, also provide metrics related to DNS Security Threats for the community. For more information, visit the ITHI webpage.
Domain Name Security Threat Information Collection and Reporting (DNSTICR)
The DNSTICR project produces reports on recent domain registrations that we believe to be using the COVID-19 pandemic for phishing or malware campaigns. These reports contain the evidence that leads ICANN org to believe the domains are being used maliciously, along with other background information to help the responsible registrars to determine the correct course of action. More information about DNSTICR can be found here.
Capacity Development and Training
Capacity development and training includes the DNS ecosystem security offerings on ICANN Learn, as well as virtual and in-person training delivered by OCTO Technical Engagement, Global Stakeholder Engagement, and with community partners.
Resources for Registries and Registrars
- Framework for Registry Operators to Respond to Security Threats
- Advisory re: Technical Analysis and Statistical Reporting of Security Threats (Specification 11 3b of the Base gTLD Registry Agreement)
- Expedited Registry Security Request Process
- Security Response Waiver
gTLD Registries Stakeholder's Group (RySG) resources for registries
- Framework on Domain Generating Algorithms (DGAs) Associated with Malware and Botnets jointly drafted by the Governmental Advisory Committee Public Safety Working Group (PSWG) and the Registries Stakeholder Group (RySG)
- Combating DNS Abuse: Registry Operator Available Actions
- ICANN Monitoring System API (MoSAPI) user guide - In addition to service level agreement (SLA) performance information, registries can access daily feeds from ICANN's DAAR system via the MoSAPI.
Resources for End Users
- Registrar Stakeholder Group Publication: Guide to Registrar Abuse Reporting Practices
- Contracted Party House Publication: Minimum Required Information for WHOIS Data Requests
After a reporter has submitted an abuse complaint to the registrar of record regarding abuse of a domain name in a gTLD, and after a reasonable time, if the reporter believes the registrar did not fulfill its obligations according to the Registrar Accreditation Agreement (see section 3.18), then the reporter may file a complaint with ICANN Contractual Compliance: Abuse involving a domain name. For more information on abuse complaint handling, visit ICANN Contractual Compliance Handling Report webpage.
Contractual Compliance Audit Program
The audit program is an integral part of the ICANN Contractual Compliance function. The goal is to ensure that contracted parties, registrars and registries, comply with their agreements and the consensus policies. It is the opportunity and means by which ICANN enhances community transparency through fact based and measurable reporting while proactively addressing any potential deficiencies. For more information, visit the Contractual Compliance Audit Program webpage.
If you have questions, please direct them to DNSsecuritythreats@icann.org.