DNS Abuse SIG

Mission

The Domain Name System (DNS) is a critical part of the Internet, responsible among other things for mapping domain names to IP addresses. Threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable to detecting and mitigating DNS abuse, from the perspective of the global incident response community, is critical for the open Internet’s stability, security and resiliency.

Goals & Deliverables

  1. Initially, provide a common language and a FIRST-definition of what the global incident response community understands as DNS Abuse in an operational context to protect its constituencies, as well as for purposes of global policy recommendations.
  2. Develop a classification scheme for DNS Abuse.
  3. Identify common tools, techniques, and practices of malicious DNS Abuse threat actors.
  4. Identify the relevant stakeholders for DNS Abuse mitigation and facilitate reasonable cooperation to mitigate DNS Abuse, including possibly recommending certain provisions be adopted in applicable registration agreements to facilitate voluntary cooperation in curbing DNS Abuse.
  5. Outline possible best practices for further discussion of how to effectively mitigate DNS Abuse.
  6. Outline possible best practices for each of the relevant stakeholders.
  7. Organize and/or participate in meetings or conferences on DNS Abuse, and possibly deliver relevant presentations, or coordinate their delivery as reasonably necessary in furtherance of the goals outlined above.

Meetings and Communication

We currently have a regularly scheduled weekly meeting on Thursdays at 13:00 UTC. Most regular communication is done through the Slack channel, but we also have a mailing list for members which is used for more official discussion and in cases where we need to reach the entire SIG.

Chair

Membership and Joining the SIG

FIRST members are automatically approved to join the SIG, and outside members are welcome to apply from the technical and academic communities in research or operational roles that work with DNS and DNS Abuse. Applications from non-FIRST members must be approved by the SIG chairs.

In general, the SIG is a technical group rather than a policy group. Policy items that impact anti-abuse efforts are obviously relevant to SIG work; however, the scope of SIG work is primarily technical advice about how to navigate the existing policy landscape.

If you're interested in joining, please check out the policies page, which includes details on sharing information and our Code of Conduct.

Request to Join