Join us for our Quarterly Product Webinar on April 30th

SAVE YOUR SEAT NOW

    The Challenge of Defining DNS Abuse

    by Peter Lowe on May 24, 2022 12:00:00 AM

    DNS Abuse is a pretty widely used term. On the surface, it might seem like a simple term that's easily understood. But when you look more closely, the definition depends on your perception of the issue—and can be defined both broadly, or more narrowly.

    What's FIRST?

    FIRST of all, I should probably explain what FIRST is—and why I'm writing this.

    FIRST is the Forum of Incident Responders and Security Teams. Incident Responders are interested in DNS Abuse because it's a large part of the incidents that they have to respond to—they need to know how to handle it and who to involve.

    FIRST has tons of Special Interest Groups (SIGs), one of which is the DNS Abuse SIG. Over the past 18 months, we've been delving into what DNS Abuse actually is, how different stakeholders see it, and how they're affected by it.

    With support from the DNS Abuse SIG, I have been appointed by FIRST as its ambassador on DNS Abuse.

    You can read more about the SIG here. One of its core goals is to provide a common language and understanding of DNS Abuse.

    But things aren't as simple as we thought… at FIRST.

    Why is defining DNS Abuse a challenge?

    Really, the challenge is that DNS Abuse means different things to different people.

    For example, domain name registrars and registries may consider DNS Abuse the registration of domain names with a malicious intent.

    But for a DNS resolver, they might consider DNS Abuse much more broadly—including things like DDoS attacks and fast-flux domains.

    This results in a landscape where each stakeholder has a relatively narrow vision of what encompasses DNS Abuse, and there's no universal language that can help combat it.

    So who else is involved?

    A plethora of stakeholders

    Plenty of people have some kind of investment in DNS Abuse.

    These include:

    • Domain registries
    • Domain registrars
    • Incident response groups
    • Threat intelligence organizations
    • Governments
    • Enterprise risk management
    • Resolvers - both firewalls and filtering services
    • Policy makers
    • Law enforcement
    • Rights holders
    • … and, of course, every single victim on the internet

    Because there are so many people involved, conversations are difficult about how to even define, let alone deal with, incidents of DNS Abuse.

    There are myriads of anti-abuse groups

    Nobody denies that "DNS Abuse" needs to be combated in some way. As a result many organizations, frameworks, and yes, Special Interest Groups have been created to try and do so.

    Some of these include:

    Abuse of the DNS vs Abuse via the DNS

    An important distinction to make is that there are two main types of DNS abuse.

    Abuse of the DNS is very different from abuse via the DNS. There are only a few types of abuse that really attack the DNS itself - things like cache poisoning attacks and DDoS attacks. Most types of abuse are via the DNS: when someone registers a lookalike domain and uses it in a phishing operation, the DNS is actually operating as it should by serving up the domain to the people using it. However, in that case, it's abuse via the DNS because the domain is being used for harm.

    So what can be done?

    Providing a common language

    The first goal of the DNS Abuse SIG is:

    Initially, provide a common language and a FIRST-definition of what the global incident response community understands as DNS Abuse in an operational context to protect its constituencies, as well as for purposes of global policy recommendations.

    A large part of this is separating DNS abuse into categories (of and via) and defining each type of abuse succinctly. The DNS Abuse SIG is now working on identifying relevant stakeholders for each of the incidents that its constituencies are trying to address.

    It’s also illustrating where in the “kill chain” each type of abuse occurs, identifying the relevant infrastructure, examples of threat groups from historical incidents that have been associated with the activities, and who or what they are targeting as well as the tactics and techniques being used. 

    Facilitating conversations

    As the FIRST.org DNS Abuse Policy Ambassador (try saying that three times fast), one of the things I hope to do is to help facilitate conversations between the different interested parties. And I want to start off by bringing some much needed visibility between people.

    Beating the drum

    DNS Abuse isn't going away, but it does sometimes fade from people's consciousness. People start to accept that fake domains are just a thing, so rather than reporting them they block and move on.

    But this shouldn't be the case: People need to be reminded that there are solutions, and we can make a difference—if stakeholders focus on what they can do and stop passing the hot potato to someone else. 

    This article has been published simultaneously on DNSFilter.com and FIRST.org.
    Topics: DNS
    Search
    • There are no suggestions because the search field is empty.
    Categories

    Categories

    Latest posts
    Why Scaling Your MSP Doesn’t Mean Hiring More Technicians Why Scaling Your MSP Doesn’t Mean Hiring More Technicians

    Growth should feel like progress. But for a lot of MSPs, there comes a point where growth starts to feel heavier instead. New clients are coming in, and revenue is rising, yet the day-to-day operation feels more stretched, not more efficient. The service desk is constantly busy. Senior techs keep getting pulled into escalations. The team is working harder just to maintain the same standard of delivery.The usual response is to hire more people. On...

    The Hidden Cost of “Good Enough” Security in MSP Environments The Hidden Cost of “Good Enough” Security in MSP Environments

    “Good enough” security checks the boxes and keeps the dashboards green. It covers the basics and gets you through onboarding. But in MSP environments, “good enough” usually means nothing breaks badly enough to force action. And that’s exactly the problem.The tooling system doesn’t fail. It just becomes more expensive to run, gradually turning your service desk into a permanent cleanup crew.Over time, reactive security tools create a profitability...

    SASE vs SSE: What's the Difference and Why It Matters for Your Security Stack SASE vs SSE: What's the Difference and Why It Matters for Your Security Stack

    If you’ve spent any time researching modern network security, you’ve likely come across SASE and SSE used interchangeably, sometimes even in vendor messaging. The result is a lot of confusion around two concepts that are closely related but not identical.

    Explore More Content

    Ready to brush up on something new? We've got even more for you to discover.
    WhitePapers
    WhitePapers
     Webinars
    Webinars
     Case Studies
    Case Studies
     Product Literature
    Product Literature
    What's New