What is Domain Abuse?

Domain abuse (also called DNS abuse) refers to the malicious use of domain names to conduct phishing, distribute malware, impersonate brands, or perpetrate fraud. ICANN defines five categories of DNS abuse: phishing, malware, botnets, pharming, and spam used to deliver other forms of DNS abuse.


Types of Domain Abuse

ICANN's DNS Abuse Categories

ICANN formally defines DNS Abuse in its contractual agreements with registrars and registries as a limited set of technical abuse types. These are the categories for which contracted parties now have explicit mitigation obligations under the 2024 amendments:

  • Phishing — Using a domain to host a website that impersonates a legitimate entity in order to deceive users and steal credentials, financial information, or other sensitive data
  • Malware — Using a domain to distribute malicious software, host payloads, or operate command-and-control infrastructure
  • Botnets — Using a domain as part of a network of compromised devices that are remotely controlled for malicious activity
  • Pharming — Redirecting users from a legitimate website to a fraudulent one by manipulating DNS resolution or exploiting vulnerabilities in DNS infrastructure
  • Spam — Using a domain to send unsolicited communications only where the spam is directly linked to or facilitates the above forms of DNS abuse

Under ICANN's 2024 compliance framework, registrars and registries are required to take "prompt and appropriate mitigation actions" when presented with actionable evidence of these abuse types. This represents a shift from passive handling to enforceable obligations to disrupt abuse.

Importantly, ICANN distinguishes DNS Abuse from broader categories of harmful or illegal content. Issues such as trademark infringement, counterfeit goods, or brand impersonation do not automatically fall within DNS Abuse unless they are tied to one of the defined technical abuse vectors (e.g., phishing).

Actionable Evidence and Reporting Quality

According to ICANN guidance and the CPH Abuse Reporting Guide, enforcement depends heavily on whether a report contains sufficient, verifiable, and actionable evidence. Effective abuse reports should include:

  • The specific domain name(s) involved
  • A clear classification of the abuse type (e.g., phishing, malware)
  • Concrete evidence (screenshots, URLs, payload samples, DNS data)
  • Timestamps and context demonstrating active abuse

Reports that lack detail or fail to clearly tie the activity to one of the DNS Abuse categories may not trigger action, even if the underlying activity is harmful.

Brand-Specific Domain Abuse

Many threats relevant to brand protection fall outside ICANN's narrow definition of DNS Abuse, as they are typically content- or trademark-based rather than purely technical DNS abuse. Common forms include:

  • Typosquatting — Registering common misspellings of a brand's domain (e.g., goggle.com, amazom.com) to exploit user typing errors and redirect traffic to malicious or monetized content.
  • Combosquatting — Adding words to a brand name to create plausible-looking domains (e.g., brand-login.com, brand-support.com, brand-clearance-sale.com). Research has shown this to be more prevalent than typosquatting due to its higher credibility.
  • Homograph attacks — Using visually similar Unicode characters to mimic legitimate domains (e.g., replacing Latin "a" with Cyrillic "a"), creating domains that appear identical to users but resolve to attacker-controlled infrastructure.
  • TLD squatting — Registering a brand's name across multiple top-level domains (e.g., brand.shop, brand.online, brand.xyz). With over 1,200 gTLDs, this significantly expands the attack surface.
  • Subdomain abuse — Using a brand name as a subdomain of an attacker-controlled domain (e.g., brand.attacker-site.com). Because no new domain is registered, this activity is often invisible to traditional domain monitoring.
  • Expired domain hijacking — Re-registering lapsed domains previously owned by a brand (e.g., old campaign domains) and repurposing them for malicious use, often leveraging existing SEO authority and backlinks.
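As an added example (not part of the original page and not Astra's code), the following Python classifier labels an observed domain name, such as one taken from a newly-registered-domain or certificate-transparency feed, with the lookalike categories listed above. The brand name, its legitimate TLDs and the confusable-character map are assumptions; expired-domain hijacking is not detectable from the name alone and is left out.

```python
import unicodedata

# Assumptions for this example: the protected brand, the TLDs it really uses,
# and a small map of Cyrillic/Greek letters that look like Latin ones but that
# NFKD normalisation does not fold (extend with a full confusables table).
BRAND = "brand"
LEGIT_TLDS = {"com"}
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03b1": "a", "\u03bf": "o",
})

def skeleton(label):
    """Reduce a DNS label to what a user perceives: decode punycode (xn--),
    fold compatibility forms (NFKD), drop accents, map confusables."""
    if label.startswith("xn--"):
        label = label[4:].encode("ascii").decode("punycode")
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    return label.translate(CONFUSABLES).lower()

def edit_distance(a, b):
    """Levenshtein distance; a single keystroke error gives distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(fqdn):
    """Return the lookalike category for fqdn, or None if it looks benign."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    tld, raw_sld, subs = parts[-1], parts[-2], parts[:-2]
    sld = skeleton(raw_sld)
    if sld == BRAND:
        if raw_sld != BRAND:            # looks like the brand, but is not ASCII-identical
            return "homograph"
        return None if tld in LEGIT_TLDS else "tld-squat"
    if any(BRAND in skeleton(s) for s in subs):
        return "subdomain-abuse"         # brand appears only left of the registrable domain
    if BRAND in sld:
        return "combosquat"              # brand plus extra words, e.g. brand-login
    if edit_distance(sld, BRAND) <= 1:   # short brands need an allowlist here
        return "typosquat"
    return None
```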

While these activities may not always qualify as DNS Abuse under ICANN's definition, they remain highly actionable through other enforcement channels, including:

  • Hosting provider enforcement (content-based removal)
  • UDRP or URS proceedings (domain suspension or transfer)
  • Court actions (e.g., ACPA for bad-faith registration and use)

In practice, effective brand protection strategies combine DNS abuse reporting (where applicable) with content-level and legal enforcement mechanisms, selecting the most appropriate channel based on the nature of the threat.

ICANN's Role in Combating Domain Abuse

Contractual Requirements (Updated April 2024)

Since April 5, 2024, ICANN's updated Registrar Accreditation Agreement (RAA) and Base Registry Agreement contain strengthened requirements for DNS abuse mitigation:

  • Registrars must investigate and respond to well-evidenced abuse reports
  • Registrars must maintain records of abuse reports and provide them to ICANN
  • Registry operators must take mitigation actions against well-evidenced DNS abuse
  • Both must publish abuse contact information and procedures

In April and May 2024 alone, ICANN received 1,558 complaints related to DNS abuse under the new framework.

Enforcement Against Domain Abuse

Registrar Abuse Complaints

This is the most direct route for domain-level takedowns: file an abuse complaint with the domain's registrar, providing:

  • Evidence of the abusive use (screenshots, URLs, technical data)
  • Identification of the relevant DNS abuse category
  • Reference to the registrar's obligations under RAA Section 3.18

UDRP and URS

For trademark-based domain disputes:

  • UDRP — Covers all gTLD domains, results in transfer or cancellation (~60 days, $1,500+)
  • URS — Faster suspension mechanism for new gTLDs (~30 days, $375)

Law Enforcement

For domains involved in criminal activity (fraud, identity theft, counterfeiting):

  • Reports to national cybercrime units
  • Reports to the FBI's Internet Crime Complaint Center (IC3)
  • Reports to Europol's European Cybercrime Centre (EC3)

Multi-Vector Enforcement

The most effective approach targets domain abuse from multiple angles simultaneously:

  • Registrar — Request domain suspension
  • Hosting provider — Request content removal
  • Search engines — Request delisting
  • Email providers — Report phishing source domains
  • Payment processors — Report fraudulent merchant accounts (for fake shops)

This multi-vector approach minimizes the time a malicious domain can operate and makes it more costly for attackers to rotate to new domains.

How Astra Helps

Astra continuously monitors domain registrations and DNS changes to detect domain abuse targeting your brand — including typosquatting, combosquatting, and lookalike domains. When abuse is identified, Astra initiates automated enforcement through registrar abuse complaints, hosting takedowns, and search engine delisting.
