The stable, safe, and secure operation of the DNS (Domain Name System) has proven to be the foundation for the global expansion of the Internet as a universal public resource. However, like any other innovation and every technology, the Internet and the DNS are vulnerable to abuse, such as malware, botnets, phishing, pharming, or spam. With this in mind, we at eco launched the topDNS initiative at the beginning of 2022, uniting members of the association to fight DNS abuse.
Leading companies in the industry have now joined forces under the topDNS umbrella to protect this “telephone book of the Internet” from misuse. The initiative includes VeriSign, CentralNic, Public Interest Registry (.ORG), iQ Global AS, Leaseweb, CleanDNS, nic.at, InterNetX, IONOS, and Realtime Register.
As Thomas Rickert, Director Names & Numbers at eco – Association of the Internet Industry, reports: “The members of the initiative have agreed on a bundle of activities to prevent so-called DNS abuse and to educate about which measures are effective and appropriate to combatting it.”
As part of this bundle of activities, a recent development has seen the launch of a series of topDNS best practice webinars, with the initiative’s members and partners showcasing what the domain name industry is doing to fight DNS abuse. To date, between June and September 2023, four webinars have already taken place. As Director International at the eco Association, I have been happy to moderate all of these webinars, with core insights from each of these provided below.
Webinar 1: How to Reduce Abuse through Quality
Brian Cimbolic, Public Interest Registry
Theo Geurts, Realtime Register
The first webinar, titled “How to Reduce Abuse through Quality,” took place on 6 June 2023, and was hosted by Brian Cimbolic, Vice President, General Counsel at Public Interest Registry (.ORG), and Theo Geurts, CIPP/E Privacy & GRC Officer at Realtime Register.
At this webinar, Brian Cimbolic highlighted the mission of the Public Interest Registry (PIR) to empower non-profit organizations and improve the DNS, and featured PIR’s involvement in industry initiatives and its collaboration with topDNS. He explained the reactive and proactive components of PIR’s anti-abuse program, including its partnership with CleanDNS for abuse identification and domain suspension. Turning to the Quality Performance Index (QPI), he described it as an incentive program for registrars to reduce DNS abuse and promote responsible growth. The data he presented showed a significant reduction in abuse since the introduction of the QPI, supported by external sources. He also shared testimonials from the industry on reducing abuse via the QPI, and it was recommended that other registries adopt similar incentives.
For his part, Theo Geurts discussed the benefits of the QPI program from a registrar’s perspective, and stressed how important it is to maintain low levels of DNS abuse to qualify for discounts. He drew attention to the growing threat of cybercrime and urged registrars to actively combat abuse to avoid losing discounts. His recommendations included using resources such as OTX and Abuse.IO to monitor and detect DNS abuse, and implementing tools such as IP address blockers and email address verification at registration to prevent abuse. Stressing the importance of using information from cybersecurity researchers, he shared insights regarding a group of criminals in Vietnam who hacked reseller accounts to re-register previously owned domain names. Theo explained their strategy of setting up catch-all email addresses to collect data from these domains, and advised registrars to review their processes, proactively remove abusive domain names, and take prompt action against phishing and fraudulent activity.
Webinar 2: Standards and Frameworks for Evidencing Abuse Online
Jeffrey Bedser, CleanDNS
The second webinar, titled “Standards and Frameworks for Evidencing Abuse Online,” was held on 13 July 2023. This webinar was hosted by Jeffrey Bedser, CEO of CleanDNS. In this webinar, Jeff outlined the critical importance of addressing online abuse. He emphasized the need for standardized frameworks that define the level of evidence required to take appropriate action against abusive domains.
Explaining the concepts of evidence and proof, Jeff advocated the use of standardized formats, such as the Abuse Reporting Format (ARF), to streamline the reporting process and facilitate the validation of increasing levels of evidence through collaboration within the system. Several examples of evidence of abuse for different types of crime, such as scams, fraud, and human trafficking, were presented to illustrate the far-reaching impact of online abuse. Jeff emphasized the urgent need for standardized evidence practices to enable rapid correlation and mitigation of abusive domains.
Jeff also shed light on NetBeacon, an abuse reporting tool designed to assist users in submitting well-evidenced abuse reports. Incentives to report abuse were explored, as were the challenges of correlating reports and losses across jurisdictions: in this regard, Jeff noted the importance of timely reporting and the value of well-evidenced reports in expediting takedowns. In addition, he pointed out that the nuanced boundaries between abuse, harm, and trademark infringement call for lower barriers to reporting, including the provision of anonymous reporting options.
Webinar 3: How to Investigate Online Abuse with Free Tools
Theo Geurts, Realtime Register
For our third webinar, which took place on 10 August and was entitled “How to Investigate Online Abuse with Free Tools,” we were grateful to once again have Theo Geurts, CIPP/E Privacy & GRC Officer at Realtime Register, as a core speaker. In this webinar, Theo shared how, as a domain registrar, he uses free tools to proactively tackle problems related to abuse reports and investigations, going beyond the mere receipt of reports. To get to grips with these issues, he uses abuse reports to identify patterns, which he then turns into keywords; adding contextual keywords is what distinguishes false positives from actual threats.
Theo noted that, on a daily basis, he exports all the new domain names that have been registered and then uses a range of tools to analyze them and identify patterns associated with malicious activities. The tool openSquat, for example, can quickly scan domain names for potential malicious behavior. In addition, as he pointed out, urlscan is extremely valuable because it enables the bulk submission of domain names for scanning and lets the user choose which country to scan from.
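The keyword-plus-context triage described above can be sketched as follows. This is an added example, not code from the webinar, from Realtime Register or from openSquat; the rules, allowlist and domain names are constructed for illustration.

```python
import re

# Constructed rules: a keyword taken from abuse reports plus the context
# words that accompanied it in confirmed reports (all hypothetical).
RULES = {
    "examplebank": {"login", "secure", "verify", "update"},
    "parcel": {"tracking", "redelivery", "fee"},
}
ALLOWLIST = {"examplebank.example"}  # hypothetical known-good registrations

def tokens(domain):
    """Lower-case the name, drop the TLD, split labels on hyphens and digits."""
    name = domain.lower().rstrip(".")
    labels = name.split(".")[:-1] or [name]
    return [t for label in labels for t in re.split(r"[-\d]+", label) if t]

def score(domain, rules=RULES, allowlist=ALLOWLIST):
    """Return (verdict, keyword, matched context words) for one domain."""
    if domain.lower().rstrip(".") in allowlist:
        return ("allowlisted", None, [])
    joined = "".join(tokens(domain))
    for keyword, context in rules.items():
        if keyword not in joined:
            continue
        hits = sorted(c for c in context if c in joined)
        # Keyword plus context word: queue for analyst review.
        # Keyword alone: record only, to keep false positives out of the queue.
        return ("review" if hits else "keyword-only", keyword, hits)
    return ("clean", None, [])

def triage(domains):
    """Score a daily export and keep every domain that is not clean."""
    results = {d: score(d) for d in domains}
    return {d: r for d, r in results.items() if r[0] != "clean"}

# Constructed sample of a daily new-registration export.
NEW_DOMAINS = [
    "examplebank-login-verify.example",
    "examplebank.example",
    "parcel-art-studio.example",
    "parcel-redelivery-fee.example",
    "gardening-tips.example",
]

if __name__ == "__main__":
    for domain, (verdict, kw, ctx) in triage(NEW_DOMAINS).items():
        print(f"{verdict:13} {domain} keyword={kw} context={ctx}")
```

Domains in the "review" bucket are the ones worth submitting to a scanner or handing to an analyst; the "keyword-only" bucket shows how many false positives the context words filtered out.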
In order to identify phishing campaigns run by cybercriminals, Theo emphasized that what is needed are external tools and a process in which every abuse report that is received is strictly documented and analyzed. When records aren’t defined and there is a need to dig a little deeper, Theo pointed out that switching to pulsedive.com enables new data to be sent in, and enables further enriched intelligence to be extracted. Furthermore, in his reference to cryptocurrency scams, Theo expressed the opinion that a particularly good approach is to undertake research with available images, with Intel Techniques, for example, offering a wide range of search tools. A further tool that Theo regularly uses when he receives abuse reports is VirusTotal: this analyzes suspicious files, domains, IPs, and URLs to detect malware and other breaches. Theo also demonstrated how the tool CyberGordon can be used when scans and investigations have already taken place. Finally, when staff need to know details of an SSL certificate, a very powerful and transparent tool is Certificate Search.
Webinar 4: Recognizing Good Practice in the DNS – Towards Positive, Data-Driven Policy Discussions
Emily Taylor, DNS Research Federation
Lucien Taylor, Oxford Information Labs
The most recent webinar, “Recognizing Good Practice in the DNS – Towards Positive, Data-Driven Policy Discussions,” was held on 19 September 2023. At this event, the speakers were Emily Taylor, CEO of DNS Research Federation, and Lucien Taylor, Chief Strategy Officer at Oxford Information Labs.
As Emily Taylor outlined, the aim of the DNS Research Federation is to advance understanding of the DNS’s impact on cybersecurity policy and technical standards through research and education. She presented a project focused on measuring abuse rates, particularly in European ccTLDs, noting their surprisingly low abuse rates relative to their market share; she also emphasized the proactive measures many registries take to improve data quality and the adoption of multiple approaches to data management.
In turn, Lucien Taylor looked into the practical project of modelling a trust service for domain name registrars. He underlined the importance of community collaboration among registrars, a simple trust rating system, a robust algorithm, and a free API for effective domain name trust management. Lucien also described the role of “Know Your Customer” (KYC) requirements and the potential benefits of working with KYC electronic service providers to reduce costs for registrars. He outlined the project’s strategic assets and capabilities and the next steps, including building a community of registrars and establishing an algorithm committee to advise on the mathematical and policy-related aspects of the project.
Both Emily and Lucien highlighted their collaborative approach to developing the trust service for domain name registrars. They stressed that they were not attempting to reinvent the wheel or dominate the market, but rather to work with existing initiatives and stakeholders to provide registrars, especially small ones, with easy-to-use and free tools. In this respect, in reviewing the advantages of industry-created solutions, they focused on industries’ ability to apply solutions internationally and to address issues collaboratively.
The topDNS best practice webinar series will take a short break in October, as ICANN78 is taking place in Hamburg that month. Starting in November, the next webinars will cover:
- How to deal with abuse with blockchain domains, presented by Jeff Bedser of CleanDNS in collaboration with the fellow eco member Freename;
- Rowena Schoo will present the latest updates from the DNS Abuse Institute’s COMPASS measurement project; and
- Michael B. Halvorsen of iQ Global will present the latest developments in domain abuse monitoring and analysis.
The exact dates will be published soon on the topDNS website: topdns.eco
If you are interested in eco’s topDNS initiative, its work and future plans, you can meet the entire steering committee and project team at ICANN78!
In the meantime, if you’d like more detail on any of the prior webinars, you can also check out the full videos here:
- How to Reduce Abuse through Quality
- Standards and Frameworks for Evidencing Abuse Online
- How to Investigate Online Abuse with Free Tools
- Recognizing Good Practice in the DNS – Towards Positive, Data-Driven Policy Discussions
Lars Steffen is Director International at eco – Association of the Internet Industry (international.eco.de), the largest Internet industry association in Europe. At eco, he coordinates all international activities of the association and takes care of the members from the domain name industry.