DNS Abuse Framework Voluntary Best Practice Commitments

The Domain Name System (DNS) is a foundational layer of the internet, mapping human-readable domain names to IP addresses and enabling seamless navigation across websites, email servers, and online services. However, this same infrastructure has long been exploited by malicious actors for harmful purposes, including phishing, malware distribution, botnet command and control, and other forms of abuse. Recognizing the urgency to combat these threats while preserving the open and decentralized nature of the internet, a coalition of leading domain registries and registrars introduced the DNS Abuse Framework in 2019. This initiative outlines voluntary best-practice commitments aimed at reducing DNS abuse by establishing clear expectations and shared responsibilities across the domain name industry.

The DNS Abuse Framework focuses specifically on five categories of technical abuse: malware, phishing, botnets, pharming, and spam when it serves as a vehicle for the other four categories. These are considered core threats that undermine user trust and exploit the DNS infrastructure itself. By concentrating on these forms of abuse, the Framework avoids the contentious territory of content moderation, such as hate speech or misinformation, which is typically regulated by national laws rather than domain name policies. This strategic scope allows for broader consensus among stakeholders, many of whom operate globally and must navigate differing legal regimes.

At the heart of the DNS Abuse Framework is the principle of proactive, responsible action by domain registries and registrars when they have credible evidence that a domain under their management is being used to facilitate abuse. While the Framework is voluntary and does not impose binding obligations, it reflects a growing norm in the industry that registrars and registries must not remain passive intermediaries when confronted with egregious harm. Participating companies commit to acting on abuse reports in a timely, transparent, and proportionate manner, including the suspension or takedown of domain names when appropriate.

One of the key elements of the Framework is its emphasis on evidence-based intervention. Registries and registrars are encouraged to define and publicize their DNS abuse policies, including how they assess reports, what standards of evidence they require, and what actions they may take. For instance, if a registrar receives a report that a domain is distributing ransomware, it should have internal procedures to verify the claim, assess its credibility—often using third-party threat intelligence feeds—and determine whether immediate suspension is warranted. In cases involving critical infrastructure or large-scale attacks, the Framework supports swift mitigation efforts, even in the absence of a court order.

The Framework also encourages cooperation between registrars and registries in abuse mitigation. While registrars typically serve as the primary interface with registrants and thus are the first point of contact for abuse handling, registries—especially for country-code TLDs or generic TLDs operated by single entities—can provide escalation pathways when registrars fail to act or are themselves the subject of concern. This layered approach ensures that there is a backstop mechanism to prevent abuse from persisting due to inaction or procedural bottlenecks.

Transparency and accountability are additional pillars of the DNS Abuse Framework. Participants are encouraged to publish periodic reports on their DNS abuse mitigation efforts, including the number of abuse complaints received, the average response time, and the outcomes of those reports. Such disclosures help foster trust with the broader internet community and demonstrate a commitment to responsible stewardship of the DNS. Furthermore, public transparency reports can act as a deterrent to malicious registrants, signaling that the registrar or registry is actively monitoring and addressing abuse.

Collaboration with external stakeholders, including civil society, law enforcement, cybersecurity firms, and abuse reporting organizations, is also promoted under the Framework. Registrars and registries are urged to maintain open communication channels with these groups to receive high-quality abuse reports and coordinate responses where appropriate. For example, a registrar might partner with an anti-phishing working group or cybersecurity research lab to identify and neutralize rapidly spreading phishing campaigns. These collaborative efforts are essential for combating abuse that transcends national borders and evolves at a pace that outstrips traditional enforcement mechanisms.

Importantly, the DNS Abuse Framework does not exist in isolation but complements existing ICANN policies and contractual obligations. While ICANN’s Registrar Accreditation Agreement (RAA) and Registry Agreements contain some provisions related to abuse handling, they are often criticized for being too narrow or vague. The Framework goes beyond these contractual baselines, offering concrete guidance and operational standards that registrars and registries can adopt immediately without requiring formal policy development processes. This agility is particularly valuable given the fast-changing threat landscape.

Adoption of the Framework has grown steadily, with support from major industry players such as GoDaddy, Donuts, PIR (operator of .org), and others. However, the voluntary nature of the initiative also highlights its limitations. Not all registrars or registries have opted in, and some critics argue that without enforceable standards, the Framework lacks the teeth necessary to compel compliance industry-wide. Nonetheless, its influence is evident in the shift toward greater accountability and proactive abuse management, particularly among the more reputable and market-dominant service providers.

Moreover, the Framework serves as a benchmark for regulatory and policy discussions. As governments and intergovernmental bodies increasingly turn their attention to online harms, the DNS Abuse Framework provides a model of self-regulation that balances the need for safety with the preservation of free expression and innovation. By delineating what constitutes DNS abuse—as opposed to broader content-related concerns—it creates a clear boundary that allows technical operators to take decisive action without becoming arbiters of speech or policy.

In practice, the Framework has led to operational improvements across the industry. Some registrars have built automated abuse detection and response systems, while others have expanded their trust and safety teams. Registries have enhanced their audit capabilities and begun tracking abuse metrics more rigorously. As a result, domains used for malicious purposes are being identified and deactivated more quickly, reducing the window of harm to end users.

In conclusion, the DNS Abuse Framework represents a significant advancement in the collective effort to safeguard the DNS from misuse. By articulating a set of voluntary but concrete best practices, it enables registrars and registries to respond more effectively to technical abuses while preserving the open, decentralized nature of the internet. As adoption continues to grow and expectations around accountability become more entrenched, the Framework is poised to play a pivotal role in shaping the future of DNS governance and in maintaining public trust in the digital ecosystem.
