
Tackling DNS Abuse: Insights from Rowena Schoo (NetBeacon Institute)


DNS abuse is the internet’s dirty work—quiet, scalable, and ruthlessly effective—turning domain names into weapons for phishing and malware. Let’s unpack what it is, who can act, and where the responsibility really sits.

Author: Simone Catania

Date: 30/06/2026

DNS is the quiet infrastructure that makes everything work—from web browsing and email to cloud services. Because DNS sits at the core of the Internet, it is also an attractive point of exploitation, often used to route, scale, and sustain abusive activity. This is what we call DNS abuse: malicious actors leverage domain names to enable phishing, malware distribution, botnets, fraud, and other threats that undermine trust and safety online.

To dig deeper, we’re joined by Rowena Schoo, Director, Programs and Policy at the NetBeacon Institute—an organization working to reduce DNS abuse by building free, practical tools and shared infrastructure that help the domain industry and its partners report, measure, and mitigate abuse at scale. Rowena brings a rare mix of hands-on industry and public-sector experience, having previously worked at Ofcom (the UK’s communications regulator), Nominet UK, and the UK government’s Department for Digital, Culture, Media and Sport. With over a decade in and around policy, she offers a clear-eyed view of what collaboration can look like—and what it will take to protect users.

Read on for our full conversation with Rowena on DNS abuse.


1. How do you decide which layer of the internet stack should act on harm, and what should ‘right actor, right layer’ look like in practice?

The Domain Name System (DNS) serves as a critical but often overlooked system underpinning the Internet’s ability to connect its users and devices. As with any service, domain names are not immune to abuse; malicious actors use them for all manner of harms, some of which are appropriately dealt with at the DNS level, while others are more appropriately mitigated by other actors.

For years, DNS Abuse has been used as a shorthand for harm that registries and registrars can evidence and mitigate at the DNS level—typically through domain suspension. That tool is blunt: it disrupts a domain globally (web, email, subdomains) but doesn’t remove hosted content, which can reappear under a new domain. Because the risk of collateral damage is high (think of mistakenly taking a bank or critical service offline), DNS-level action must be applied carefully. Suspension is disruption, not content deletion.

This is why the industry converged on a “technical DNS abuse” definition: phishing, pharming, malware, botnets, and spam when it enables the preceding harms. It’s reflected in ICANN’s gTLD contracts and provides a workable global baseline for policy-making through the multistakeholder model.

That baseline is the floor, not the ceiling. Operators may choose to go further based on local laws, norms, and risk tolerance, especially for the most extreme content harms—usually when the site is clearly dedicated to the abuse or when closer-to-content actors can’t or won’t act. In those cases, some rely on trusted notifiers and law enforcement rather than assessing content themselves—particularly for child sexual abuse material (CSAM), which requires specialist handling and can be illegal to verify directly. For other harms, such as intellectual property (e.g. trademarks), registries and registrars do not have the expertise to assess these complex, often cross-jurisdictional legal disputes, so the right move is often a referral to more appropriate legal or policy processes, such as the Uniform Domain Name Dispute Resolution Policy (UDRP), the Uniform Rapid Suspension System (URS), or a local ccTLD dispute resolution service.

2. When DNS abuse is confirmed, who should act first, and how fast?

The general rule is that you go to the entity that is closest to the content. If unsuccessful, you can try working your way up the chain. The picture below, developed by the Internet and Jurisdiction Policy Network, illustrates this escalation path visually, showing each step in the chain—from the content/hosting layer up through DNS providers, registrars, and registries—so it’s clear who to approach first and how to move upward if action isn’t taken.

3. What is NetBeacon Institute’s mission, and how do NetBeacon Reporter and the MAP translate that mission into practical, scalable impact against DNS abuse?

Our mission is to provide a world-class, comprehensive, free suite of tools to make the Internet safer for everyone by empowering the domain industry and collaborating with stakeholders to tackle challenges best solved through a system-wide approach.

In 2022 we launched NetBeacon Reporter to create a centralized reporting conduit with a dual purpose:

  1. It aims to improve the quality of reports that the domain industry receives, by standardizing, simplifying and enriching them with additional evidence.
  2. It makes reporting abuse easier, simpler, automated and scalable.

We specifically aimed to meet all users where they are: accepting reports via email (human-readable or XARF) or API, translating and enriching them through NetBeacon Reporter as a central routing layer, and automatically forwarding DNS abuse reports to registrars, registries, and web hosts. We’re now focused on scaling enrichments and optional harm expansion. The platform was made possible thanks to donated development work from CleanDNS.

With NetBeacon Measurement and Analytics Platform (MAP) we measure the use of the DNS for phishing and malware: the volume, where it is concentrated, how it changes over time, whether it is being mitigated, how quickly and by whom. Are the domains maliciously registered or is it a case of a compromised website? This project required academic rigor and independence, so we partnered with KOR Labs which is based out of Grenoble University in France. They put together a transparent methodology. We provide public reporting as well as individualized dashboards for registries and registrars.

4. How do you tell if a bad domain was created for abuse versus a legitimate domain that was hacked? What’s the right fix in each case to avoid hurting good users?

This is a really important distinction. It’s quite case-dependent, but often operators will look at when the domain name was registered and indications such as the relationship between the string of the domain name and the content on the website.

For example, if most of a website clearly belongs to a legitimate organization—say a local shop or a museum, with details you can verify through independent sources like business registries, Google Maps, or Street View—but you then find an unrelated page prompting users to log in to a bank or PayPal, that’s a strong indicator the site has been compromised. Typically, this happens at the CMS layer of the website. The CMS allows users to make edits on their website, but often there are vulnerabilities in this software. Updates get issued, but they typically can’t be applied automatically and require the website operator or registrant to make the change. Until that happens, it’s like a window has been left open that is easy for attackers to climb through at scale across the whole Internet. Closing the window will likely involve working with the hosting provider and/or the registrant or website operator.

There is a real risk of hurting legitimate website users if the domain is suspended; they are really victims here, not malicious actors. This is why it’s so complex to deal with some types of abuse. It takes time and care to avoid more harm.

In September 2025 we observed that 84% of phishing domains were maliciously registered and 16% were a case of compromise. Measuring this distinction at scale with scientific rigor is very complex. One of the first projects on this was COMAR which was sponsored by Afnic and SIDN and carried out at the Université Grenoble Alpes by the team that is now at KOR Labs. KOR Labs created another classifier called MalCom, which is now used for NetBeacon MAP. From the beginning, MalCom has included a machine-learning component, and they continue to refine it—for example, by making the categorization dynamic and updating it based on subsequent mitigation actions.
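The signals described in this answer (registration age, whether the domain string matches the site's content, where the lure page lives) can be turned into a first-pass triage rule. The following is an added example written for this page, not NetBeacon's or KOR Labs' classifier: the scoring weights, the keyword list, the CMS path hints and the sample reports (fictional domains under .example) are all constructed assumptions, and the verdict only routes the case to the mitigation the answer describes for each situation, with ties falling to "compromised" because suspension is the riskier action.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed lure/brand keyword list; an operator would maintain its own.
BRAND_KEYWORDS = ("paypal", "bank", "login", "secure", "verify")
# Path fragments that suggest an injected page on a CMS install (assumption).
CMS_PATH_HINTS = ("/wp-content/", "/wp-includes/", "/wp-admin/", "/sites/default/files/")


@dataclass
class PhishReport:
    domain: str                    # registered domain, as known from the registrar's own records
    registered_on: date            # creation date from those records
    reported_on: date
    url: str                       # the URL named in the abuse report
    site_looks_legitimate: bool    # analyst judgement: does the rest of the site fit the name?


def classify(r: PhishReport) -> tuple[str, list[str]]:
    """Return ("malicious", reasons) or ("compromised", reasons).

    Positive score: signs of a maliciously registered domain.
    Negative score: signs of a legitimate domain with an injected page.
    Ties fall to "compromised" because suspension is the riskier action.
    The weights are constructed heuristics, not NetBeacon's classifier.
    """
    score, reasons = 0, []

    age_days = (r.reported_on - r.registered_on).days
    if age_days <= 30:
        score += 2
        reasons.append(f"registered only {age_days} days before the report")
    elif age_days >= 365:
        score -= 2
        reasons.append(f"domain has existed for {age_days} days")

    label = r.domain.split(".")[0]
    hits = [k for k in BRAND_KEYWORDS if k in label]
    if hits:
        score += 2
        reasons.append(f"lure keywords in the domain label: {hits}")

    path = urlparse(r.url).path.lower()
    if any(h in path for h in CMS_PATH_HINTS):
        score -= 2
        reasons.append("lure page sits under a CMS directory")
    if path.count("/") >= 3:
        score -= 1
        reasons.append("deep path, typical of an injected page")

    if r.site_looks_legitimate:
        score -= 2
        reasons.append("rest of the site is a plausible legitimate business")
    else:
        score += 1
        reasons.append("nothing on the site beyond the lure")

    return ("malicious" if score > 0 else "compromised"), reasons


def recommended_action(verdict: str) -> str:
    """Map the verdict to the mitigation the answer describes for each case."""
    if verdict == "malicious":
        return "registrar/registry: suspend the domain (low collateral risk)"
    return "refer to hosting provider and registrant to fix the CMS; no DNS-level suspension"


# Constructed sample reports (fictional domains under .example).
MALICIOUS = PhishReport("paypal-secure-login8213.example", date(2025, 9, 10),
                        date(2025, 9, 14), "https://paypal-secure-login8213.example/signin", False)
COMPROMISED = PhishReport("oldtownmuseum.example", date(2014, 3, 2), date(2025, 9, 14),
                          "https://oldtownmuseum.example/wp-content/uploads/2025/09/paypal/login.html", True)

if __name__ == "__main__":
    for rep in (MALICIOUS, COMPROMISED):
        verdict, why = classify(rep)
        print(rep.domain, "->", verdict, "|", recommended_action(verdict))
        for line in why:
            print("   -", line)
```

Run it and the four-day-old lookalike domain scores as maliciously registered while the decade-old museum site with a lure buried under /wp-content/ scores as compromised; the `reasons` list is what an analyst would paste into the case notes before deciding whether DNS-level action is justified at all.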


5. ICANN’s 2024 rules say registries and registrars must act promptly on abuse. Where are operators still struggling, and what does “prompt” mean in practice (hours vs. days)?

Speed is a tricky element. On one side, we want to reduce the harm window and act as quickly as possible once malicious activity is confirmed. On the other hand, the consequences of a false positive could be catastrophic and potentially inflict even more harm. It’s very case-dependent; each operator will need to make that risk assessment and balancing act. The ICANN contracts require “prompt” action, but what is prompt will depend on each case. If there is a subdomain involved, or it’s an issue of a compromised website, it will take longer and require more entities to be involved. Sometimes the best course of action is no DNS-level mitigation for a compromised website, only referral to other parties.

If it’s a malicious domain that was registered just a few days ago and the evidence is clear, it’s going to be much quicker and the risk of collateral damage is low. We report on mitigation as part of NetBeacon MAP, but it’s a holistic approach to whether or not the harm has stopped. It’s not currently attributable to specific actors. For example, it could be the registry, the registrar, or the hosting provider, and referral between entities is a normal and helpful part of mitigating harm. In September 2025, we observed high mitigation rates for phishing (82%) and malware (90%), and found that most unique domains (85%) were associated with a registrar credential that had a median mitigation time of 72 hours or less.

6. For the 2026 new gTLD round, what anti-abuse basics must be ready on day one? Will the next round be bound by the same requirements?

It’s really important that anyone taking on an ICANN accreditation, either TLD or registrar, does some early thinking on this. At a very basic level, you’re going to want a policy in place so that you have a basis for taking action if you do have abuse. We have a generic policy that anyone can take and adapt.

Once you have a policy in place, you need to be able to accept reports from external parties, either with an abuse reporting email or a form. Email inboxes can quickly become cluttered with low-quality or incomplete reports, so structured submission forms are often preferred. The easiest thing to do is embed our forms, or connect existing forms to our NetBeacon Reporter API. That way, the operator can leverage our services without having to build their own system. Then you can use our NetBeacon MAP Dashboard to demonstrate how clean your zone is, track your progress over time, and benchmark your performance against your peers.

We have some educational resources available to help with setting up an anti-abuse program, and are always happy to have a chat and provide guidance.

7. Which metrics matter most to track abuse and progress, and what data sources do you trust?

There are a few things operators can look at. Having a low volume of abuse is a good indicator of a clean zone. Often, we look at this as a metric per 100,000 Domains Under Management (DUM) to give an abuse rate, which is more comparable across operators. We publish Monthly Analysis reports that list low and high rates of abuse per 100,000 DUM. This is a good indicator of your “stock” of domain names.

For many operators, particularly ones that are growing, their rate of malicious domains per new registrations may be more relevant. We also publish some data on this for registrars. This will give you a sense of whether you’re growing while taking in quality registrations, those that will hopefully renew and become valued customers, or whether you’re taking in malicious actors who will not renew and will cost you in terms of abuse investigations and action. In our individualized dashboards, operators can compare these metrics to a group of peers to track performance over time.

8. What new abuse tactics are you watching?

We’re seeing a lot of coordinated campaigns with large numbers of registrations following similar patterns. These seem to target a handful of registrars and TLDs, and once they get shut down, the malicious actors move on to another operator. This is tricky, as it means operators really need to be careful with what they take in the door; even if they mitigate quickly, it’s hard to act quickly enough at scale. In particular, it’s important to consider whether you’re allowing automated registration tools at all or whether you’re only giving those tools to trusted customers (e.g. they’ve already had a credit card clear without any chargebacks and passed AGP, or they’ve renewed a domain before).

One of the tactics we’ve seen is Subdomain Cloaking. It occurs when the domain registrant is acting maliciously, but they are further obscuring their activities by using subdomains to make the second level domain appear to be exploited, compromised, or ambiguous, rather than a part of a malicious campaign. This trend is concerning because if a registry or registrar receives one subdomain report in isolation, it will very likely not be clear that the entire second-level domain name is maliciously registered. An example of this attack is: gov.uk-[keyword][random letters].[TLD]
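The cloaking pattern above works because a report that names only `login.gov.uk-secure-x1.example` looks, at a glance, like a subdomain of gov.uk rather than a hostname under the registered domain `uk-secure-x1.example`. The following is an added example for this page, not NetBeacon's tooling: it reduces each reported hostname to its registrable domain so that separate subdomain reports land in the same case, and flags the registered label when an imitated domain is joined to it with a hyphen instead of a real label boundary. The public suffix subset, the list of imitated domains and the sample URLs (fictional .example hosts, plus one genuine-looking `hmrc.gov.uk` control) are constructed assumptions; real tooling would load the full Public Suffix List.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Small constructed stand-in for the Public Suffix List; real tooling loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "gov.uk", "example"}
# Domains frequently imitated in lures (constructed list for the demo).
IMITATED = ("gov.uk", "hmrc.gov.uk", "paypal.com")


def registrable_domain(host: str) -> str:
    """Return the registrable (second-level) domain of host, e.g. 'hmrc.gov.uk' for
    'www.hmrc.gov.uk'. The longest public suffix wins; a host with no known suffix
    is returned unchanged."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def imitated_by(host: str):
    """Return the imitated domain if it appears in host joined to the next label by a
    hyphen (gov.uk-...), i.e. the dot after it is not a real label boundary; else None."""
    padded = "." + host.lower()
    for brand in IMITATED:
        if "." + brand + "-" in padded:
            return brand
    return None


def triage(urls):
    """Group reported URLs by registrable domain so one-off subdomain reports are seen
    together, and flag groups whose registered label is a lookalike."""
    groups = defaultdict(set)
    for u in urls:
        host = urlparse(u).hostname or ""
        groups[registrable_domain(host)].add(host)
    findings = {}
    for reg, hosts in groups.items():
        brands = sorted({imitated_by(h) for h in hosts} - {None})
        findings[reg] = {
            "hosts": sorted(hosts),
            "imitates": brands,
            "verdict": ("maliciously registered (lookalike)" if brands
                        else "ambiguous: check for compromise before DNS action"),
        }
    return findings


# Constructed sample reports (fictional .example domains), as a registrar might receive
# them one subdomain at a time.
SAMPLE_URLS = [
    "https://login.gov.uk-secure-x1.example/verify",
    "https://tax-refund.gov.uk-secure-x1.example/claim",
    "https://www.hmrc.gov.uk/contact",
    "https://oldtownmuseum.example/wp-content/uploads/paypal/index.html",
]

if __name__ == "__main__":
    for reg, f in triage(SAMPLE_URLS).items():
        print(f"{reg}: {f['verdict']}; hosts={f['hosts']}; imitates={f['imitates']}")
```

The two cloaked reports collapse into a single case for `uk-secure-x1.example` flagged as imitating gov.uk, the real `www.hmrc.gov.uk` control is not flagged because `gov.uk` there sits at a genuine label boundary, and the museum site is left as ambiguous, which is the state in which the compromised-versus-malicious check from question 4 should run before any DNS-level action.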

9. Is AI changing the abuse landscape? Which AI-based defenses actually reduce response time without harming privacy or accuracy?

We’re still in the early stages of understanding how AI will reshape the landscape. On one hand, it makes it easier to quickly create websites that look credible and unique—much more so than the old approach of reusing obvious templates—which can make abuse harder to spot. On the other hand, AI can help abuse teams triage and analyze reports more efficiently, potentially improving detection and speeding up response times. We’re actively exploring those opportunities.

AI is also already being used in the payments ecosystem, which is especially relevant for retail registrars. Many payment providers’ premium anti-fraud tools use AI-driven signals to assess risk and flag transactions—such as payments for domain registrations—that are more likely to be malicious.