What is ICANN?

What ICANN Does

ICANN — the Internet Corporation for Assigned Names and Numbers — is a nonprofit organization founded on September 18, 1998, and headquartered in Los Angeles, California.

ICANN's core responsibilities:

• Coordinates the Domain Name System (DNS). ICANN ensures that domain names resolve to the correct IP addresses worldwide. It manages the root zone file — the authoritative list of all top-level domains — and coordinates updates to it.
• Allocates IP address space. ICANN oversees the global allocation of IP address blocks to the five Regional Internet Registries (RIRs): ARIN, RIPE NCC, APNIC, LACNIC, and AfriNIC.
• Accredits domain registrars. Any company that wants to sell domain names in gTLDs must be accredited by ICANN and comply with the Registrar Accreditation Agreement (RAA). As of 2024, approximately 2,800 registrars hold ICANN accreditation.
• Contracts with TLD registries. Each generic top-level domain (gTLD) registry operator — the organization that maintains the authoritative database for a TLD — enters into a Registry Agreement with ICANN specifying operational and policy requirements.
• Develops policy through a multistakeholder model. ICANN's policy development process involves governments, businesses, civil society, technical experts, and individual users. Policy recommendations flow from supporting organizations and advisory committees up to the ICANN Board of Directors.

What ICANN does not do:

• It does not regulate website content or online speech.
• It does not enforce trademarks directly — it creates the policy frameworks that enable trademark enforcement.
• It does not operate the DNS itself — that function is distributed across root server operators, registries, and registrars worldwide.

ICANN's Role in Brand Protection

ICANN has developed several mechanisms that are directly relevant to trademark owners and brand protection professionals.

UDRP (Uniform Domain-Name Dispute-Resolution Policy)

The UDRP was adopted by ICANN in 1999 and remains the primary administrative mechanism for resolving domain name disputes involving trademarks. It applies to all gTLDs and many ccTLDs.

To succeed in a UDRP proceeding, a trademark owner must prove three elements: (1) the domain is identical or confusingly similar to their mark, (2) the registrant has no rights or legitimate interests in the domain, and (3) the domain was registered and is being used in bad faith.

WIPO, the largest of six ICANN-approved dispute resolution providers, has resolved over 81,000 cases since 1999. The process typically takes about 60 days and costs from $1,500 for a single-panel decision.

URS (Uniform Rapid Suspension)

The URS was introduced alongside the New gTLD Program in 2013 as a faster, lower-cost complement to the UDRP. Key characteristics:

• Speed: decisions are typically issued within 17 days of filing.
• Cost: approximately $500 per filing — significantly less than UDRP.
• Higher burden of proof: complainants must meet a "clear and convincing evidence" standard, compared to the "preponderance of the evidence" standard in UDRP.
• Limited remedy: the URS can only suspend a domain name (redirecting it to an informational page for the remainder of its registration period). It cannot transfer the domain to the complainant.
• Scope: applies only to new gTLDs launched under the 2012 program. It does not cover legacy TLDs such as .com, .net, or .org.

The URS is best suited for clear-cut cases of infringement in new gTLD domains where the trademark owner wants quick suspension rather than domain acquisition.

TMCH (Trademark Clearinghouse)

The Trademark Clearinghouse is a centralized database of verified trademark records, created as part of the New gTLD Program to protect trademark owners during the launch of new top-level domains. It provides two key services:

• Sunrise Services. When a new gTLD launches, trademark owners with records in the TMCH receive priority registration during a "sunrise period" (minimum 30 days before general availability). This allows brand owners to defensively register their marks before the general public can.
• Trademark Claims Services. For at least 90 days after a new gTLD opens for general registration, anyone attempting to register a domain that matches a TMCH-recorded trademark receives a notification (a "Trademark Claims Notice") informing them of the existing trademark. If they proceed with registration, the trademark owner is notified.

The TMCH is operated by Deloitte (as the validation provider) and is administered under contract with ICANN. Trademark owners pay an annual fee per trademark record — approximately $150 per mark per year for a single-year registration, with discounts for multi-year terms.

RDAP: The New Domain Lookup System

For over two decades, WHOIS was the protocol used to look up domain name registration data — registrant name, contact information, registration and expiration dates, and nameservers. ICANN fully sunsetted the WHOIS protocol on January 28, 2025, replacing it with RDAP (Registration Data Access Protocol).

RDAP improves on WHOIS in several important ways:

• Machine-readable output. RDAP returns data in structured JSON format, making it far easier to parse programmatically than the freeform text output of WHOIS.
• Internationalization. RDAP supports internationalized domain names and contact data natively, using Unicode rather than ASCII-only encoding.
• Differentiated access. RDAP supports authentication and authorization, allowing registrars and registries to provide different levels of data access to different requestors. Public users see redacted data (consistent with GDPR requirements), while verified parties — such as law enforcement, IP professionals, and cybersecurity researchers — can request access to nonpublic registration data through formal processes.
• Standardized error handling and referrals. RDAP uses HTTP status codes and can redirect queries to the appropriate authoritative server.

Domain registration data can be looked up through ICANN's official tool at lookup.icann.org.

RDRS (Registration Data Request Service)

For cases where public RDAP data is insufficient — which is common since GDPR-driven redaction became standard in 2018 — ICANN launched the Registration Data Request Service (RDRS) in November 2023. RDRS provides a centralized portal for submitting requests to registrars for nonpublic registration data. Eligible requestors include law enforcement agencies, IP rights holders, cybersecurity professionals, and other parties with a legitimate interest.

RDRS does not guarantee data disclosure — that decision remains with the individual registrar. However, it standardizes the request process and creates an auditable record, replacing the inconsistent, ad hoc methods that existed previously.

The New gTLD Program

ICANN's New gTLD Program dramatically expanded the domain name landscape and, with it, the attack surface for brand abuse.

First Round (2012)

ICANN opened applications for new gTLDs in January 2012. The program received approximately 1,930 applications. Over 1,200 new gTLDs have been delegated into the root zone as a result, including extensions like .shop, .online, .brand, .law, and hundreds of others.

As of early 2026, the IANA root database contains approximately 1,593 TLDs — a number that reflects both new delegations and some revocations or withdrawals.

Next Round (2026)

ICANN's next application round for new gTLDs is scheduled to open on April 30, 2026. This will be the first opportunity to apply for new TLDs since 2012 and is expected to generate significant interest. Brand protection teams should be aware that each new TLD creates additional domains to monitor and defend.

Impact on Brand Protection

The expansion of the gTLD space has had a direct and measurable impact on brand protection workloads:

• Expanded attack surface. More TLDs means more possible domains that can be registered using a brand's name. A trademark owner who previously needed to monitor .com, .net, and a handful of ccTLDs now faces over 1,500 possible extensions.
• Increased monitoring costs. Defensive registration across all relevant TLDs is financially impractical for most organizations. Monitoring and enforcement have become the primary strategies.
• .Brand TLDs. The New gTLD Program introduced the concept of ".brand" TLDs — top-level domains operated exclusively by the brand owner. Examples include .apple, .google, and .bmw. Only the brand can create domains under these TLDs, providing a trusted namespace. However, .brand TLDs require significant investment (application fees started at $185,000) and ongoing registry operation costs, making them viable primarily for large enterprises.

Registrar Abuse Reporting (Updated -- post-2024 ICANN amendments)

The 2013 Registrar Accreditation Agreement (RAA), as strengthened by the 2024 Global Amendments (effective 5 April 2024), establishes clearer and more enforceable obligations for how registrars must handle domain abuse:

Published abuse contact. Every ICANN-accredited registrar must maintain and publish a dedicated abuse contact (email and/or webform). The 2024 amendments explicitly require that abuse contacts are clearly accessible on registrar websites and that reporters receive confirmation of receipt of abuse reports.

24-hour review requirement (evolving standard). Registrars are still expected to review abuse reports promptly (historically within 24 hours). Under the 2024 amendments, the emphasis has shifted from simple acknowledgment to demonstrable handling, including confirmation of receipt and documented investigation processes.

Mandatory DNS Abuse mitigation obligations (new in 2024). A major change introduced by the 2024 Global Amendments is the creation of explicit, enforceable obligations to act on DNS abuse. Registrars must:

• Take prompt and appropriate mitigation actions when there is actionable evidence of DNS abuse
• Aim to stop or disrupt abusive domains, not just review reports
• Exercise reasonable discretion in selecting mitigation actions depending on context

These obligations are now enforceable by ICANN Compliance, representing a shift from largely reactive handling to active abuse disruption requirements.

Defined scope of DNS Abuse. The amendments formalize the definition of DNS abuse as:

• Malware
• Phishing
• Botnets
• Pharming
• Spam (when used as a delivery mechanism for the above)

This definition is now embedded contractually, reducing ambiguity in enforcement.

Reporting mechanisms modernization. Registrars are explicitly allowed to accept abuse reports via webforms as well as email, reflecting operational realities and enabling structured reporting workflows.

ICANN Contractual Compliance (enhanced enforcement). ICANN Compliance now has clearer authority to enforce abuse obligations. It can:

• Initiate investigations based on complaints
• Require evidence of mitigation actions
• Issue breach notices and escalate enforcement

Since the amendments took effect, ICANN has already initiated hundreds of investigations and enforced mitigation actions, including domain suspensions and phishing site takedowns.

DAAR (Domain Abuse Activity Reporting). ICANN continues to operate DAAR, which aggregates reputation data to measure abuse rates across registrars and TLDs. DAAR remains a key benchmarking and prioritization tool for brand protection teams.

Project INFERMAL. ICANN has expanded its analytical capabilities through Project INFERMAL, which focuses on identifying systemic abuse patterns using inferential and correlation-based analysis. The project is used to:

• Detect abuse trends linked to registrar practices (e.g., high-volume API registrations)
• Identify systemic weaknesses in abuse mitigation
• Inform future policy and enforcement actions

Insights from INFERMAL are already influencing policy discussions, including potential controls on automated bulk registrations and enhanced abuse checks.

Registry Operator Responsibility (post-2024 amendments)

The 2024 Global Amendments also introduce parallel and enforceable DNS abuse obligations for registry operators, aligning them more closely with registrar responsibilities. Registries are now required to promptly take appropriate mitigation actions — including suspension or disruption of domains — when they receive actionable evidence of DNS abuse (malware, phishing, botnets, pharming, and qualifying spam). In addition, registries must maintain and publish abuse reporting mechanisms, ensure reports are reviewed in a timely manner, and, where applicable, act independently of registrars if abuse persists. This represents a significant shift, as registries are no longer purely passive infrastructure providers but are now contractually obligated enforcement points within the DNS ecosystem, enabling faster and more systemic abuse mitigation across TLDs.

Key Takeaways for Brand Protection Professionals

• ICANN sets the rules, not the enforcement. ICANN creates the policy frameworks — UDRP, URS, TMCH, registrar abuse obligations — but enforcement actions are carried out by dispute resolution providers, registrars, and registries. Understanding ICANN's structure helps you know which entity to engage for each type of enforcement action.

• RDAP is now the standard for domain intelligence. Any brand protection workflow that still relies on legacy WHOIS tools needs to be updated. RDAP provides better data structure and, through RDRS, a formal channel for requesting nonpublic registration data.

• The gTLD expansion requires scalable monitoring. Manual monitoring across 1,500+ TLDs is not viable. Automated domain monitoring — scanning for registrations that match or are confusingly similar to a trademark — is a baseline requirement for effective brand protection.

• Registrar abuse reporting is a first-line enforcement tool. For domains engaged in DNS abuse (i.e. phishing), filing an abuse report with the registrar's published abuse contact is often the fastest path to takedown — faster than UDRP and at no cost.