The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency.
Our first major publication is a matrix of DNS Abuse Techniques and Stakeholders:
The advice currently takes the form of a matrix indicating whether a specific stakeholder can directly help with a specific technique. By “help”, we mean whether the stakeholder is in a position to detect, mitigate, or prevent the abuse technique. We have organized this information under three spreadsheets covering these incident response actions. For example, during an incident involving DNS cache poisoning, the team can go to the mitigation tab and look at the row for DNS cache poisoning, to find which stakeholders they might be able to contact to help mitigate the incident.
Thanks is given in the document, which is the result of collaboration between many people representing a wide of range roles in the DNS industry.
Many thanks to Shoko Nakai for arranging a Japanese translation of this document, available here:
The Matrix has been incoporated into other work elsewhere:
We currently have a regularly scheduled weekly meeting on Thursdays at either 07:00 UTC, or 19:00 UTC, rotating. Most regular communication is done through the Slack channel, but we also have a mailing list for members which is used for more official discussion and in cases where we need to reach the entire SIG.
FIRST members are automatically approved to join the SIG, and outside members are welcome to apply from the technical and academic communities in research or operational roles that work with DNS and DNS Abuse. Applications from non-FIRST members must be approved by the SIG chairs.
In general, the SIG is a technical group rather than a policy group. Policy items that impact anti-abuse efforts are obviously relevant to SIG work, however the scope of SIG work is primarily technical advice about how to navigate the existing policy landscape.
If you're interested in joining, please check out the policies page, which includes details on sharing information and our Code of Conduct.