KOR Labs

From Internet Data to Cyber Defense

Measuring DNS Abuse: Our first report

In May 2022, we wrote about kicking off our work to measure DNS Abuse. We’re proud to announce today that we have launched our first report and gone live with our measurement initiative: DNSAI Intelligence.

Our priorities for this initiative are:

To ensure the report is independent, reliable, and uses academically robust methodology we are working with an experienced independent third party to lay out the methodology and conduct the data gathering. The technical analysis for this project is performed by KOR Labs, led by Maciej Korczynski from Grenoble INP-UGA.

The intention is to establish a credible source of metrics for addressing DNS Abuse. We hope this will enable focused conversations, and identify opportunities for reducing abuse across the DNS ecosystem.

We hope future iterations of this report create an opportunity to celebrate and recognize good practice, as well as shine a spotlight on potential for areas of improvement in the industry. We hope to understand through these reports which factors, policies, and processes are effective, and empower the industry with evidence.

DNS Abuse impacts everyone. We want to use this understanding to improve the overall health of the DNS ecosystem. Fundamentally, we want to prevent or quickly mitigate harm to end users, businesses, governments, civil society organizations, public services, and the general public while preserving the benefits and principles of an open Internet.

While we expect to offer much greater levels of granularity in our upcoming reports, our first report focuses on higher level aggregate data from May, June, and July 2022. We have this higher level approach for this initial report to allow for further data collection and to gather feedback as to what would be most helpful in our future reports.

The interactive dashboards are available on our website and updated monthly, and you can download our first monthly report here.

One of the focuses of the data we gather is abuse up-times or “time to live.” This is an important metric because it explains how long DNS Abuse is present on a domain before the harm is mitigated. In order to measure abuse up-times, we track each domain name for 30 days which means the data in our reporting is a month behind.

In creating these reports, we have optimized for accuracy and reliability. This means that some of our numbers will necessarily be lower than some other reports on phishing and malware prevalence which may look to the URL level rather than the domain name level.

Because our data collection efforts are just beginning, we do not attempt to make any conclusions about the data at this time. We look forward to reviewing data as time goes on and patterns cement into trends. However, we do offer commentary on how our methodology captures data and will provide a foundation for understanding this complex problem going forward.

We encourage all readers to delve into the full report, look at the interactive charts, and let us know your thoughts.

We know it will take time to get this right and we’re always interested to hear views and ideas from the community. After all, we are here to support the DNS Community and make it better equipped to tackle DNS Abuse.

The DNS Abuse Institute will periodically publish reports on DNSAI Intelligence.