In our interconnected digital world, the security and safety of the Domain Name System (DNS) is paramount for a secure and safe internet experience. Malicious actions on the internet, sometimes broadly referred to or even mischaracterized as “DNS abuse,” are a significant concern that can manifest in various ways, impacting users and organizations globally.
To clarify some of the complexities surrounding this issue, it’s helpful to first explore the categories of malicious activity, including the concepts of “Abuse of the DNS” and “Abuse via the DNS,” drawing on insights from the Forum of Incident Response and Security Teams (FIRST) DNS Abuse Special Interest Group. This series then dives deeper into the specifics of “Abuse via the DNS,” including content-based online harms and the critical roles of various internet actors in combating these threats and their tools and limitations. Later, it examines the role of the International Corporation for Assigned Names and Numbers (ICANN) and the ICANN community in defining and combating DNS abuse within its bylaws and limited technical remit.
FIRST, an international non-profit cybersecurity incident response peer consortium, starts by categorizing abuse into two primary types: abuse of the DNS and abuse via the DNS. Abuse of the DNS involves malicious activities leveraging the DNS infrastructure to perpetrate harm, such as distributed denial-of-service (DDoS) attacks, where attackers flood a target with traffic using DNS amplification techniques, causing significant disruptions. In practice, a finite set of abuse types attack the DNS itself – namely cache poisoning and volumetric attacks. These attacks aim to degrade, manipulate or disrupt the transmission or processing of DNS services. Most DNS abuse types are actually via the DNS.
Abuse via the DNS involves using the DNS infrastructure to facilitate the distribution of illegal material, such as when malicious actors use the DNS to redirect users to counterfeit versions of legitimate websites. These counterfeit sites might appear authentic but are set up as phishing operations, distributing malware or propagating disinformation. This abuse method capitalizes on the DNS's definitive role in directing internet traffic. By subtly altering DNS settings, attackers can funnel users to these harmful sites without immediate detection. Such actions exploit the trust users place in the accuracy of DNS resolution, making it a potent vector for widespread digital harm. Thus, combating abuse via the DNS is not only about preserving the technical reliability of the DNS but also about protecting internet users from sophisticated scams and threats that leverage the DNS's foundational role in internet navigation.
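The two FIRST categories above show up differently in a resolver's own logs, and the split is useful for triage. The following added example (not code from the original article or from FIRST) runs two defender-side checks over a constructed, hypothetical resolver log format: an amplification check for abuse of the DNS (one client drawing many large responses to small queries, the reflection signature behind DNS amplification DDoS) and a mismatch check for abuse via the DNS (a monitored name resolving to an address other than the one its owner published). The log format, field names and IP addresses are all constructed for illustration.

```python
"""Triage a constructed resolver log into "abuse of" vs "abuse via" the DNS signals."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (hypothetical format, not any real product's output).
# Fields: timestamp client qname qtype query_bytes response_bytes answer
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 example.com A 45 61 192.0.2.10
2024-05-01T10:00:01Z 198.51.100.9 example.net ANY 40 3200 (many)
2024-05-01T10:00:01Z 198.51.100.9 example.net ANY 40 3200 (many)
2024-05-01T10:00:02Z 198.51.100.9 example.net ANY 40 3200 (many)
2024-05-01T10:00:02Z 198.51.100.9 example.net ANY 40 3200 (many)
2024-05-01T10:00:03Z 203.0.113.7 bank.example A 44 60 198.51.100.250
2024-05-01T10:00:04Z 203.0.113.8 bank.example A 44 60 192.0.2.20
"""

# Constructed "published" A records for names the operator monitors.
EXPECTED_A = {"bank.example": "192.0.2.20"}


@dataclass
class DnsEvent:
    ts: str
    client: str
    qname: str
    qtype: str
    query_bytes: int
    response_bytes: int
    answer: str


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) != 7:
            continue
        ts, client, qname, qtype, qb, rb, answer = parts
        events.append(DnsEvent(ts, client, qname.lower(), qtype.upper(),
                               int(qb), int(rb), answer))
    return events


def amplification_suspects(events, min_ratio=10.0, min_queries=3):
    """Abuse OF the DNS: flag clients whose aggregate response/query byte ratio
    is high across repeated queries. A spoofed source address receiving many
    large answers to tiny questions is the reflection/amplification pattern."""
    qbytes, rbytes, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for e in events:
        qbytes[e.client] += e.query_bytes
        rbytes[e.client] += e.response_bytes
        count[e.client] += 1
    suspects = {}
    for client, n in count.items():
        ratio = rbytes[client] / qbytes[client]
        if n >= min_queries and ratio >= min_ratio:
            suspects[client] = round(ratio, 1)
    return suspects


def hijack_suspects(events, expected_answers):
    """Abuse VIA the DNS: a monitored name answered with an address other than
    the record its owner published, the symptom of altered DNS settings
    redirecting users to a counterfeit site."""
    findings = []
    for e in events:
        expected = expected_answers.get(e.qname)
        if e.qtype == "A" and expected is not None and e.answer != expected:
            findings.append((e.ts, e.client, e.qname, e.answer))
    return findings


def triage(text, expected_answers=EXPECTED_A):
    """Return both signal sets so each can be routed to the party able to act."""
    events = parse_log(text)
    return {
        "abuse_of_dns": amplification_suspects(events),
        "abuse_via_dns": hijack_suspects(events, expected_answers),
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(category, hits)
```

The two result sets deliberately go to different responders: an amplification source is a matter for the resolver operator (rate limiting, response size limits, refusing open recursion), while a mismatched answer for a monitored name points at the registrar, registry or hosting provider that controls the record, which is the division of roles the article goes on to describe.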
This differentiation helps in crafting targeted responses and allocating resources where they are most effective and enduring, fortifying the overall security posture of the DNS infrastructure.
Delving into the complex issue of DNS abuse and other online harms, it becomes clear the challenges often extend beyond what DNS infrastructure providers can directly control. Malicious software, such as malware or phishing tools, is frequently hosted on compromised servers managed by web hosting providers. This underscores the need for a collaborative approach to DNS abuse mitigation that includes DNS providers as well as web hosting services. Effectively addressing DNS abuse requires well-defined roles, responsibilities and processes – including enhanced monitoring for suspicious activity and rapid response protocols – to guide the actions of the parties that need to be involved, including registries, registrars, hosting companies and content providers. By working together, these stakeholders can implement more comprehensive security measures for addressing DNS abuse. Cooperation across technologies and platforms is crucial for identifying and neutralizing threats before they can harm users, reinforcing security across all layers of internet infrastructure.
The distinction between abuse of and abuse via the DNS is central to understanding and effectively addressing and mitigating online harms.
Ongoing community efforts to mitigate DNS security threats involve a broad spectrum of stakeholders—from domain name registrars and registries to security experts, web hosts and cloud and internet service providers. This collaborative, distinction-based approach aims to enhance security protocols within the DNS infrastructure and focuses on proactive, layered measures to stop or even preempt potential abuses.
As the discussion of DNS abuse and other online harm mitigation continues, the importance of comprehensive strategies involving multiple stakeholders becomes increasingly evident. A unified effort that includes content and service providers is essential for creating a safer internet environment.