Research project supports EU study on misuse of DNS with real-time data
23.06.2022 The Domain Name System translates domain names into IP addresses. Due to a lack of technical and organisational specifications, the system is vulnerable to abuse by cyber criminals. The EU has taken up the issue and is looking at how the situation can be improved. The study is based, among other things, on real-time data that the BFH made available to the authors as part of the “abuse.ch” research project.
Many internet users are completely unfamiliar with the Domain Name System (DNS), despite the fact that each and every one of us uses the system in practically every interaction with the internet, be it when visiting our favourite social media platform, e-banking or surfing the web. Without DNS, navigating the internet would be much more time-consuming than it is nowadays.
The Domain Name System is essentially decentralised. Although the registration of domain names in the individual “directories” (see explanation below) is coordinated by the US non-profit organisation “Internet Corporation for Assigned Names and Numbers” (ICANN), there are very few technical and organisational requirements relating to who can apply for an entry. The decision is usually made by the publishers of the directories (or “domain name registries”) – in the case of “.ch”, by SWITCH, which manages the allocation of entries in the “.ch” directory in accordance with the “Ordinance on Internet Domains (OID)” published by the Federal Office of Communications (OFCOM). In short, the requirements for registering a domain name in the “.ch” directory are regulated by the Swiss government.
Decentralisation plays into the hands of cybercriminals
However, the registration conditions are not always specified by a state. It is not uncommon for a commercial company to be behind a directory, if it has developed a business model based on the administration of domain names in the corresponding directories. As a rule, such companies have a financial interest in administering as many domain names as possible. After all, they earn money from every registration. The decentralisation of directories has led to the proliferation of registration requirements.
This in turn plays into the hands of cybercriminals: when they operate a “phishing website” or one that is used to distribute malicious software (so-called “malware”), they often choose domain registries that have no or rather weak anti-abuse policies. In practice, this means that a cybercriminal can easily register in such a directory under the name of a bank and thus obtain sensitive data such as credit card information or passwords of internet users.
Advice from BFH researcher during panel discussion
With the increasingly important role that the Internet has acquired over the past decade, efforts in the internet community have also intensified to curb DNS abuse. However, this has so far proven difficult, and the successes of the internet community and stakeholders in the fight against DNS abuse are limited. The ICANN Board of Directors is also aware of the issue and held a public panel discussion on the subject in November 2021 as part of the “ICANN72” event. Roman Hüssy, research associate at the Institute for Cybersecurity and Engineering ICE, contributed BFH’s expertise to the discussion by answering questions on the subject from the ICANN Board of Directors.
EU study with data from abuse.ch
The issue of DNS abuse has also reached the political arena. The European Commission published a detailed study on the subject in January 2022. The study is based, among other things, on real-time data that the BFH made available to the authors as part of the “abuse.ch” research project. The research project has been tackling cyber security issues for more than 15 years and, with the help of the internet community, has identified and rendered harmless more than 2,000,000 malicious websites in recent years. Real-time data provided by “abuse.ch” enabled the authors of the study to develop an adequate and fundamental analysis of the current situation and the extent of DNS abuse.
The study makes several recommendations on how the situation around the misuse of DNS can be improved. These include, among others:
- Administrators of “directories” (domain registries) are to offer uniform access to the registration data of domain names (domain holders).
- Domain registries are to receive financial incentives to keep the number of abuse cases below a certain threshold.
- The email address of domain name holders should be published in an anonymised form. This enables authorities and IT security specialists, among others, to contact the owner in the event of misuse of the domain name.
- A standardised system is to be created so the misuse of domain names can be reported in a uniform manner.
BFH supports the efforts of the European Commission and of the online community to make the internet safer for all, as well as efforts to increase confidence in the security of the internet’s core systems. For this reason, BFH also supports the “abuse.ch” research project, among others, with appropriate resources.
What is DNS?
The DNS is a hierarchical, decentralised naming system. It translates human-readable, easy-to-remember “domain names” such as www.bfh.ch into numeric “IP addresses”, which refer to an address on the internet (e.g.: 126.96.36.199). DNS is comparable to the traditional telephone directory: we know the name of the person we would like to call, but we cannot possibly remember all the telephone numbers of the people we are talking to. Names, on the other hand, are comparatively easy to remember.
The DNS is just like the telephone directory: there is no “one” telephone directory, but many different ones which often cover a geographical region (e.g. ".ch") or serve a specific purpose (e.g. ".travel"). These directories are administered by various organisations (“domain name registries”).