Skip to main content

DNS Security Threat Mitigation Program

How to address malicious use of domain names, broadly referred to as Domain Name System (DNS) abuse, is a topic of great interest and discussion. The ICANN community has not yet reached a consensus definition for "DNS Abuse". At this time, consistent with ICANN's remit as defined by the ICANN Bylaws, the ICANN organization's efforts are primarily focused on supporting the mitigation of DNS security threats.

DNS security threats include five broad categories of harmful activity:

  • Botnets
  • Malware
  • Pharming
  • Phishing
  • Spam (as it is used to propagate other DNS security threats).

ICANN org's DNS Security Threat Mitigation Program (Program) strives to make the Internet a safer place for end users by reducing the prevalence of DNS security threats across the Internet.

The ICANN organization-wide program is built upon these three pillars:

  1. Be recognized as a trusted source of information: Provide research, data and expertise to help the community have fact-based discussions about the topic.
  2. Provide Tools to the Community: Help support mitigation of DNS security threats.
  3. Enforce Contractual Provisions: Enforce Registry Agreement, Registrar Accreditation Agreement and ICANN Consensus Policies through audits and pursuit of complaints.

This Program enables ICANN org a collaborative platform which provides visibility and clarity over the org's various DNS security threats related initiatives and projects, and allows for the formation and execution of a centralized strategy. This page will act as a hub for the variety of projects, initiatives and activities ICANN undertakes related to the mitigation of DNS security threats.

If you have questions, please direct them to

News and Events

Meetings and Sessions

22 October 2021

Informational Session on DNS Abuse: Panel Discussion with the ICANN Board

22 July 2021

DNS Security Threat Mitigation Program Update and Community Discussion

Domain Abuse Activity Reporting

ICANN's Domain Abuse Activity Reporting (DAAR) system monitors domain abuse and registration activity across top-level domains (TLDs). DAAR continuously collects registration and security threat data from numerous reputation data feeds. Using the data, ICANN analysts identify and report the use of domain names for activities such as phishing, malware distribution, botnet activity, and spam as a delivery mechanism. The DAAR data can be used to monitor DNS security threat levels and concentrations across participating TLDs. For more information, as well as DAAR monthly reports, visit the Domain Abuse Activity Reporting webpage. ICANN's Identifier Technology Health Indicators (ITHI), or ITHI Metrics, also provide metrics related to DNS Security Threats for the community. For more information, visit the ITHI webpage.

Domain Name Security Threat Information Collection and Reporting (DNSTICR)

The DNSTICR project produces reports on recent domain registrations that we believe to be using the COVID-19 pandemic for phishing or malware campaigns. These reports contain the evidence that leads ICANN org to believe the domains are being used maliciously, along with other background information to help the responsible registrars to determine the correct course of action. More information about DNSTICR can be found here.

Capacity Development and Training

Capacity development and training includes the DNS ecosystem security offerings on ICANN Learn, as well as virtual and in-person training delivered by OCTO Technical Engagement, Global Stakeholder Engagement, and with community partners.

Resources for Registries and Registrars

Resources for End Users

After a reporter has submitted an abuse complaint to the registrar of record regarding abuse of a domain name in a gTLD, and after a reasonable time, if the reporter believes the registrar did not fulfill its obligations according to the Registrar Accreditation Agreement (see section 3.18), then the reporter may file a complaint with ICANN Contractual Compliance: Abuse involving a domain name. For more information on abuse complaint handling, visit ICANN Contractual Compliance Handling Report webpage.

Contractual Compliance Audit Program

The audit program is an integral part of the ICANN Contractual Compliance function. The goal is to ensure that contracted parties, registrars and registries, comply with their agreements and the consensus policies. It is the opportunity and means by which ICANN enhances community transparency through fact based and measurable reporting while proactively addressing any potential deficiencies. For more information, visit the Contractual Compliance Audit Program webpage.

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."