The Spectre in the Room: Let’s Talk About DNS Abuse

‍

Defining “DNS Abuse” Is Kind of Pointless

"DNS Abuse" as a term covers all forms of online threats related to the DNS, but the exact definition has been a matter of debate for some years. The people running registries and registrars mostly consider it related to registration of domain names, the people from threat intelligence look at how malware uses the DNS, and DNS infrastructure operators think of it as attacks on the DNS infrastructure itself. So, nobody quite agrees on a unified understanding of what the term means.

Turns out though: It doesn't matter. Everyone has their own definition of what it means to them, according to their perspectives and their particular values, but in the end we're all on the same side and we're all trying to protect users on the internet from online threats in some way or another. Whether one entity considers DNS Abuse to cover C2 domains or not isn't important, as long as each entity works to solve for the DNS Abuse they define. At the ICANN75 conference this year it was noted, "the train has left the station." The term DNS Abuse is out there and it means different things to different people, and that's OK.

Everyone’s Talking About It

There's been a lot of activity this year related to DNS Abuse, and it seems to have finally arrived in the spotlight globally.

The EU released a 173-page report on the results of a 7-month study on DNS Abuse, which prompted a lot of discussion worldwide. The European Dialog on Internet Governance (EuroDIG) held a session to discuss the consequences of definitions, and DNS Research Foundation published their thoughts on the topic.

The DNS Abuse Institute was launched by the Public Interest Registry (PIR, responsible for handling the .org TLD), and released their ongoing study of DNS Abuse called DNSAI Compass that shows trends from various areas. The FIRST DNS Abuse SIG released a draft of their model of DNS Abuse techniques, and the international group of registries and registrars, eco, published their initial versions of a table classifying DNS Abuse.

All of this represents the result of months and years of work behind the scenes on many different fronts, but altogether has pushed DNS Abuse into the public consciousness in a way that hasn't really been seen before.

What DNSFilter is Doing

DNSFilter continues to play a key part in the evolving landscape of DNS Abuse. As part of our mission to provide best-in-class DNS security, understanding and taking part in the conversation is fundamental to how DNSFilter can better protect our users while furthering online security for the internet as a whole.

Our Principal Security Researcher, Peter Lowe, presented at the ICANN75 AGM in Kuala Lumpur this year on the topic, after being named DNS Abuse Ambassador for FIRST (the Forum of Incident Responders and Security Teams). He's also continued his work as co-chair of the FIRST DNS Abuse SIG to provide incident responders with a reference point for dealing with ongoing events, as part of a multi-stakeholder group covering a huge range of interested parties.

We're also actively engaging with the DNS Research Foundation to explore their DAP.LIVE platform, and have provided feedback and commentary on eco's topDNS DNS Abuse Table. Evaluations and discussions are also happening with the DNS Abuse Institute on several levels, including their research and analysis, and reporting system that they are aiming to promote.

The Path Ahead

While there's been a lot of activity on various fronts, one of the main things that needs to happen going forward is to bring people together. With so many different perspectives, enabling the conversation itself is as valuable as the work itself on some levels.

Protective DNS is now seen as a basic part of any threat protection profile, and we have unique insight into all levels of DNS Abuse as an industry leader, allowing us to bring people together and remind everyone that we're all fighting the same battle. As part of this, DNSFilter is organizing a number of panels for 2023 at different levels, involving key players from all sectors to highlight the issues we're facing on a global scale.

At the same time, we're continuing to contribute our expertise and knowledge to ongoing work while providing feedback on publishings from other organizations. Every day seems to bring new ideas to the table.

‍