
DNS abuse cannot be assessed with a single blocklist. Only a multi-source approach provides a realistic picture of the threat.

DNS Abuse: ICANN analysis and blocklist comparison for realistic evaluation

DNS abuse covers malware, botnets, phishing, pharming, and spam when spam is used to spread the other threats. The Internet Corporation for Assigned Names and Numbers (ICANN) warns that relying exclusively on a single blocklist gives a distorted picture of the extent of abuse in the Domain Name System (DNS). This analysis explains why a multi-source approach is crucial to assessing DNS abuse realistically and comprehensively.

What ICANN understands by DNS Abuse – and what it does not

ICANN’s definition of DNS abuse is deliberately narrow. It only includes the following five forms of abuse:

  • Malware
  • Botnets
  • Phishing
  • Pharming
  • Spam, but only if this serves to spread the other threats mentioned

Other forms of digital abuse, such as fraudulent content, trademark infringements or disinformation, are not included. This clear demarcation ensures a precise assessment, but also restricts the view of the overall problem.

Blocklists in the DNS environment: open vs. commercial approaches

Reputation blocklists (RBLs) are used to detect DNS abuse by associating domains or IP addresses with abuse. ICANN distinguishes between two main types:

Open RBLs

  • Mostly operated by non-profit projects or communities
  • Transparent, based on user reports
  • Limited range, often with blind spots

Commercial AVLs

  • From specialized security providers
  • Use proprietary data sources and automated analyses
  • Fast detection of new threats, but methodology usually not public
  • Risk that certain threats outside the company’s own customer base are not detected

Analysis results: Large differences between data sources

A concrete comparison between open and commercial RBLs shows that the assessment of how badly a particular top-level domain (TLD) is affected by abuse can vary considerably. Without naming specific TLDs, ICANN documents the following rankings in a tabular comparison:

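| TLD    | Commercial AVL | Open RBL |
|--------|----------------|----------|
| TLD_1  | 1              | 1        |
| TLD_2  | 2              | 2        |
| TLD_3  | 3              | 10       |
| TLD_4  | 4              | 14       |
| TLD_5  | 5              | 20       |
| TLD_6  | 6              | 4        |
| TLD_7  | 7              | 12       |
| TLD_8  | 8              | 51       |
| TLD_9  | 9              | 16       |
| TLD_10 | 10             | 7        |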

These discrepancies make it clear that an assessment based on only a single blocklist may significantly under- or overestimate the actual extent of DNS abuse. Sophisticated phishing attacks in particular are often found only in commercial lists, while opportunistic attacks can be overrepresented in open RBLs.

Consequences for abuse analysis in the DNS

The choice of blocklist has a decisive influence on:

  • The effectiveness of countermeasures against DNS abuse
  • The prioritization of resources among registrars and security authorities
  • The reputation of individual domain extensions and registrars

A one-sided view can lead to poorly targeted measures or to false suspicions.

ICANN’s recommendation: Multi-source approach against blind spots

ICANN therefore advises combining several methodically different blocklists. This allows a more complete and realistic picture of DNS abuse to be drawn. Carlos Hernandez Ganan from the ICANN CTO Office puts it in a nutshell:

“Only by acknowledging and addressing these blind spots can we get a more accurate and actionable picture of DNS misuse – and ensure that our readings and responses actually reflect reality.”
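The multi-source comparison described above can be sketched as follows. This is an added example, not ICANN's methodology or code: it ranks TLDs per source, flags TLDs whose rank differs between sources, and builds the combined view. The feed names, domains and TLD labels are constructed, and ranking by the raw number of distinct listed domains is a simplifying assumption.

```python
from collections import Counter

# Constructed sample feeds (not real listings); TLD labels are made up.
FEEDS = {
    "commercial": ["login-a.alpha", "pay-b.alpha", "bank-c.alpha",
                   "x1.beta", "x2.beta", "cdn.gamma"],
    "open_rbl": ["spam1.gamma", "spam2.gamma", "spam3.gamma",
                 "x1.beta", "x2.beta", "login-a.alpha", "Login-A.alpha."],
}

def normalize(domain):
    """Lower-case and drop whitespace and the trailing root dot."""
    return domain.strip().rstrip(".").lower()

def tld_of(domain):
    """Return the rightmost label of a listed name."""
    return normalize(domain).rsplit(".", 1)[-1]

def rank_tlds(domains):
    """Rank TLDs by distinct listed domains (1 = most listed).
    Assumption: raw counts, not normalized by zone size."""
    counts = Counter(tld_of(d) for d in {normalize(d) for d in domains})
    ordered = sorted(counts, key=lambda t: (-counts[t], t))
    return {tld: i + 1 for i, tld in enumerate(ordered)}

def compare(feeds, max_gap=1):
    """Per TLD: rank in each source, rank gap, and a 'disputed' flag
    when the gap exceeds max_gap or a source does not see the TLD."""
    ranks = {name: rank_tlds(doms) for name, doms in feeds.items()}
    report = {}
    for tld in sorted(set().union(*ranks.values())):
        per_source = {name: r.get(tld) for name, r in ranks.items()}
        seen = [v for v in per_source.values() if v is not None]
        gap = max(seen) - min(seen)
        report[tld] = {"ranks": per_source, "gap": gap,
                       "disputed": gap > max_gap or len(seen) < len(feeds)}
    return report

def combined_view(feeds):
    """Union of all sources: domain -> number of sources listing it."""
    seen = Counter()
    for doms in feeds.values():
        seen.update({normalize(d) for d in doms})
    return seen

if __name__ == "__main__":
    for tld, row in compare(FEEDS).items():
        print(tld, row)
    print("combined ranking:", rank_tlds(combined_view(FEEDS)))
```

On the constructed data, each single source puts a different TLD in first place, and the combined ranking matches neither of them.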

Examples of relevant blocklists and services

Open / freely accessible blocklists

  • Abuse.ch – specialized in malware domains (e.g. URLhaus, Feodo Tracker)
  • Spamhaus DROP / EDROP / Zen – contains IPs and domains with a bad reputation
  • SURBL – lists domains that appear in spam messages
  • PhishTank – community-based collection of verified phishing websites
  • URLhaus – focuses on malware URLs

Commercial blocklists / threat intelligence services

Conclusion: Realistic DNS abuse assessment only possible with multi-source analyses

Blocklists are indispensable tools for detecting misuse in the DNS, but their informative value depends heavily on the methodology. Relying on a single data source risks overlooking relevant threats or generating false positives. A structured, cross-data-source approach, as recommended by ICANN, is the best basis for effective defense strategies against DNS abuse.
