DNS Abuse Framework: 2020 Retrospective

In October, 2019, 11 leading domain name registrars and registries (both gTLD and ccTLDs) launched the Framework to Address Abuse. The Framework set forth recommended practices for  when a registry or registrar must act on questions of abuse (specifically, DNS Abuse), as well as the categories of website content abuse that are so egregious that a registry or registrar should take action. The Framework has been well received across the DNS, with the GAC including the Framework as a potential best practice for registries and registrars.  Since launching, the Framework has expanded greatly, with now over fifty signatory registries and registrars. 

The participating registries and registrars have learned much in the last year since implementing the Framework.  Here are some updates from the some of the participating registries and registrars, a year into the Framework: 

Public Interest Registry

PIR is proud of its role in co-creating the Framework. We have implemented the Framework in several ways, including daily comparisons of .ORG new creates against a variety of DNS Abuse Reputation Block Lists and regular “sweeps” of the entire .ORG zone for DNS Abuse. For transparency, we publish PIR’s DNS Abuse statistics here. In terms of question of website content abuse, the Framework specifically calls out Child Sexual Abuse Materials (CSAM) as a form of content abuse that should be addressed. Together, with the Internet Watch Foundation, we work to identify CSAM in .ORG. After identification, we take the appropriate steps with our registrar partners and registrants to have those images removed. Since March 2018, this process has successfully removed more than 1,900 CSAM images from .ORG.

GoDaddy Registrar

GoDaddy is a supporter of and contributor to the Framework for DNS Abuse, and we believe it’s a key industry effort to coordinate anti-abuse policies.  For GoDaddy, the Framework wasn’t a prescription for change, but more of a reflection of our long-held principles and existing practices.  In the year since developing the Framework, we’ve referred to it as a yardstick to measure our performance, and the performance of other organizations in our industry.

 One development that couldn’t have been foreseen during the development of the Framework was the rise in abuse associated with the COVID-19 pandemic. But while these incidents make for sensational headlines and compelling anecdotes, the data tells a different story. COVID-19 related fraud and abuse was neither incremental or particularly novel, and instead was just “old” abuse wrapped in “new” packaging relating to the pandemic. Our existing practices, as described under the Framework, were more than adequate to address the problem. As a result, COVID-19 fraud peaked sometime in Q2, and has since dropped to a more typical and seasonal level of activity. For more on our COVID-19 efforts, check out this blog post from the pandemic’s peak in late March.

Donuts and Name.com

Donuts and Name.com remain very proud to embrace the commitments we shared along with other leading registries and registrars in the DNS Abuse Framework.  While the principles in the DNS Abuse Framework have long been a mainstay of our anti-abuse philosophies at Donuts and Name.com, working with others to develop the Framework provided us a reminder that improving the way we execute on our commitments is a welcome, healthy part of an excellent abuse mitigation and compliance program.  Reflecting on our efforts in the 12 months since its publication, we have made significant strides.  We’ve deployed new and dynamic abuse monitoring and threat mitigation tools, hired additional compliance professionals, and have further enhanced our compliance processes to ensure that we meet and exceed not only our obligations but the ambitious expectations of the Framework.  We believe this marriage of best-in-class science and art places us in an optimal position to continually improve on the security and safety of our domains, not only for our registrants, but ultimately, for all internet users worldwide.

Tucows

The Tucows family of registrars (Ascio, Enom, EPAG, and OpenSRS) has long practiced the approaches described within the DNS Abuse Framework. The codification into the DNS Abuse Framework has given us something we can use to help educate requestors about what exactly comprises DNS abuse. Education of complainants has vastly improved our ability to appropriately respond to valid requests and to triage requests incorrectly submitted to the domain name registrar. The bright lines that the Framework draws around the few issues that, while not DNS abuse, may be appropriately resolved at the DNS level have been helpful for internal discussions and education as well. The few things that fall outside DNS abuse but are none-the-less appropriate for resolution by a registrar—CSAM, terrorism, and the like—are rare but it is important that experts in those areas are empowered to approach registrars to resolve those issues.

Afilias

Afilias shared our robust mechanisms currently in practice to mitigate domain abuse to help define the Framework. One year later, we continue to aggressively tackle technical abuse (e.g., fast flux hosting and activities that are a precursor to illegal access and penetration of other computers and networks), work with trusted providers to remove CSAM and illegal drug trafficking, and enforce our Terms of Service. To expand adoption of the Framework, we are more assertive in our collaboration with registrars when we identify disturbing patterns of behavior in registrations.

Realtime Register

The DNS Abuse Framework was an excellent addition to our current efforts to combat DNS Abuse. Cybercriminals operate at an advanced level.  For us, the reason to have several employees obtain certification in the following areas; Incident Response and Online Reconnaissance (OSINT) and the creation of a Security Incident Response Team.  Our SIRT now analyses data from over 150 intelligence feeds daily, and abuse levels remain low in a world with more cybercrime than ever.

Nominet

As part of our commitment to transparent communication we have published a Criminal Practices Policy. This document clarifies our existing policy in one place so all registrants, registrars and the general public can easily understand when we take action and why. It also explains who we collaborate with, how to prevent a domain suspension, and how to complain. To support this policy we have begun publishing interviews with the UK law enforcement agencies we work with to provide context and explain the types of issues we see in .UK, especially in the case of more unexpected collaborations – for example, the Environment Agency.

GoDaddy Registry (Formerly Neustar) 

In addition to other activities to mitigate abuse, GoDaddy Registry (formerly Neustar) has joined a Trusted Notifier program with the U.S. Food and Drug Administration. The “Framework for Collaboration to Protect U.S. Consumers from Opioids that are Illegally Being Offered for Sale Online” was established as an initial pilot program running from June 2020 to October 2020. GoDaddy Registry participated as the Registry Operator for the .biz TLD and the Administrator for the .us ccTLD. A report on the pilot program will be finalised in early 2021.

 Further information about the pilot program is available here

Shortdot

ShortDot actively monitors our zones for DNS Abuse and takes action when a name is found to be in violation of our Terms and Conditions. At ShortDot we have a zero-tolerance policy for DNS abuse so anytime we are notified of abuse on a ShortDot domain or find it with our routine scans we immediately investigate the domain(s) and may place them on ServerHold. The DNS Abuse Framework is a tool we use when helping registrants understand what we classify as DNS Abuse, what trusted sources are and more. Oftentimes end users have questions about why and how the abuse was identified and our process. The Framework document helps us to reinforce our policies when it comes to managing DNS Abuse in our extensions.

Namecheap

Namecheap signed the Framework, given that it was already aligned with our processes at the time. As a signatory, we continually look for appropriate ways to improve how we identify and verify DNS abuse, and we look forward to working with contracted parties and the Internet community to address DNS abuse. 

.XYZ

As an industry leader, the XYZ Registry has enforced its strict Anti-Abuse Policy since 2014, shortly after the launch of .xyz, the most widely used new gTLD. The responsibility of implementing the DNS Abuse Framework means mitigating DNS abuse activities by monitoring and disconnecting domains at the registry level when found connected to any activities against XYZ’s Anti-Abuse Policy. Together with the Framework participants, we neutralize DNS abuse threats in accordance with the protocols set by the DNS Abuse Framework and work to make the internet a safer place.