TL;DR
Yes, a DNS provider can take action against phishing attempts originating from their domains. They have several tools at their disposal, ranging from suspending the domain to working with abuse reporting services and law enforcement. The speed and effectiveness of their response depend on their policies, monitoring capabilities, and the severity of the threat.
What a DNS Provider Can Do About Phishing
- Monitoring for Abuse Indicators: Many providers use automated systems to detect suspicious activity associated with domains they host. This includes:
  - DNS Record Changes: Frequent or unusual changes to DNS records (especially A, MX, and TXT records) can be a red flag.
  - WHOIS Data Anomalies: Changes to registration information that appear incorrect or are made shortly before malicious activity begins.
  - Blacklist Checks: Regularly checking hosted domains against known phishing blacklists.
- Suspension of the Domain: This is the most direct action. A provider can immediately suspend a domain if they have strong evidence of phishing, which prevents further use of the domain for malicious purposes.
- Working with Abuse Reporting Services: Providers often collaborate with organisations such as the APWG (Anti-Phishing Working Group) and other threat intelligence feeds. They can submit reports to these services, which help disseminate information about phishing domains.
  - APWG Submission Example: While direct submission methods vary, providers typically use email or a dedicated portal.
- Contacting the Domain Registrar: If the provider doesn’t directly manage registration, they can alert the registrar to the issue. The registrar has ultimate control over the domain and can take action against the registrant.
- Cooperating with Law Enforcement: In serious cases, providers may work with law enforcement agencies to investigate phishing attacks. This involves providing logs and other relevant information.
- Implementing DNSSEC (Domain Name System Security Extensions): While not a direct anti-phishing measure, DNSSEC helps ensure the integrity of DNS data, making it harder for attackers to redirect users to fake websites through DNS cache poisoning.
  - DNSSEC Check Example: dig +dnssec example.com. If the zone is signed, the answer includes RRSIG records alongside the requested data, and a validating resolver sets the ad (authenticated data) flag in the response header.
- DMARC, SPF and DKIM Record Checks: Providers can check whether a domain has properly configured email authentication records (DMARC, SPF, DKIM). These records help prevent email spoofing, which is often used in phishing attacks.
  - DMARC Lookup Example: Use a tool such as MXToolbox to check DMARC records.
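The monitoring indicators in the first item of the list above (record churn on A, MX and TXT records, and blocklist checks) can be turned into simple detection logic. The Python below is an added example, not code from the original answer or from any provider; it runs over a constructed change log and a constructed blocklist, and adds one indicator the list implies but does not name, an SPF record loosened to "+all". WHOIS anomalies are left out because they need registrar data that a DNS change log does not carry. All domain names, addresses and thresholds are assumptions.

```python
"""Abuse-indicator monitor over a DNS change log (added example).

Constructed inputs stand in for a provider's change log and a phishing
blocklist; none of this is a real provider's code or data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed change log, one update per line:
# "<ISO timestamp> <domain> <type> <old value> -> <new value>"
CHANGE_LOG = """\
2024-03-01T08:00:00 shop-example.test A 203.0.113.10 -> 203.0.113.11
2024-03-01T08:05:00 shop-example.test MX mail.shop-example.test -> mx.relay-example.test
2024-03-01T08:07:00 shop-example.test TXT v=spf1 -all -> v=spf1 +all
2024-03-01T08:09:00 shop-example.test A 203.0.113.11 -> 198.51.100.7
2024-03-01T09:00:00 news-example.test A 203.0.113.20 -> 203.0.113.21
2024-03-02T10:00:00 news-example.test TXT (none) -> v=spf1 include:_spf.example.test ~all
2024-03-02T11:00:00 login-bank-example.test A 198.51.100.9 -> 198.51.100.10
"""

# Constructed blocklist, standing in for a threat-intelligence feed.
PHISHING_BLOCKLIST = {"login-bank-example.test"}

WATCHED_TYPES = {"A", "MX", "TXT"}  # the record types the text singles out


def parse_change_log(text):
    """Turn the log text into a list of change events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, rtype, rest = line.split(" ", 3)
        old, new = rest.split(" -> ", 1)
        events.append({"ts": datetime.fromisoformat(ts), "domain": domain,
                       "rtype": rtype, "old": old, "new": new})
    return events


def find_churn(events, window=timedelta(hours=1), threshold=3):
    """Domains with at least `threshold` watched-type changes inside one window.

    Returns {domain: change count in the busiest window}.
    """
    stamps_by_domain = defaultdict(list)
    for e in events:
        if e["rtype"] in WATCHED_TYPES:
            stamps_by_domain[e["domain"]].append(e["ts"])
    flagged = {}
    for domain, stamps in stamps_by_domain.items():
        stamps.sort()
        busiest = max(sum(1 for t in stamps[i:] if t - start <= window)
                      for i, start in enumerate(stamps))
        if busiest >= threshold:
            flagged[domain] = busiest
    return flagged


def spf_loosened(events):
    """Domains whose SPF record was changed to '+all' (anyone may send as them)."""
    return {e["domain"] for e in events
            if e["rtype"] == "TXT" and e["new"].startswith("v=spf1")
            and "+all" in e["new"].split()}


def blocklist_hits(events, blocklist):
    """Domains in the log that a blocklist already names."""
    return {e["domain"] for e in events} & set(blocklist)


def assess(text, blocklist=PHISHING_BLOCKLIST):
    """Collect every indicator per domain; an empty dict means nothing to review."""
    events = parse_change_log(text)
    reasons = defaultdict(list)
    for domain, n in find_churn(events).items():
        reasons[domain].append(f"{n} changes to A/MX/TXT records within one hour")
    for domain in spf_loosened(events):
        reasons[domain].append("SPF loosened to +all")
    for domain in blocklist_hits(events, blocklist):
        reasons[domain].append("listed on phishing blocklist")
    return dict(reasons)


if __name__ == "__main__":
    for domain, why in assess(CHANGE_LOG).items():
        print(f"{domain}: {'; '.join(why)}")
```

The output of assess is a review queue, not a verdict: the Limitations section below is right that automated flags produce false positives (a legitimate migration also churns A and MX records), so each hit should go to the investigation step before any suspension.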
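The DNSSEC check and the DMARC/SPF/DKIM check in the list above can both be done from data a provider already holds. The Python below is an added example, not the original answer's code or any provider's tooling: it reads DNSSEC status from constructed dig +dnssec output (RRSIG records in the answer section, the ad flag in the header) and classifies SPF, DMARC and DKIM from constructed TXT records. The domain names, DKIM selectors and record values are all made up.

```python
"""Provider-side checks on a domain (added example, not a real provider's tooling).

Two checks from the list above: whether a zone is DNSSEC-signed, read from
`dig +dnssec` output, and whether SPF/DMARC/DKIM are configured, read from
TXT records. All inputs below are constructed samples.
"""

# Constructed `dig +dnssec` output for a signed zone (RRSIG data abbreviated).
DIG_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.  300  IN  A      203.0.113.5
example.test.  300  IN  RRSIG  A 13 2 300 20240401000000 20240301000000 4242 example.test. MEUC...
"""

# Constructed output for an unsigned zone: no RRSIG and no ad flag.
DIG_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
weak.test.  300  IN  A  198.51.100.9
"""


def dnssec_status(dig_text):
    """Report whether the answer carries RRSIGs (zone is signed) and whether
    the resolver set the AD flag (it validated the signatures itself)."""
    signed, validated, in_answer = False, False, False
    for line in dig_text.splitlines():
        if line.startswith(";; flags:"):
            flags = line.split("flags:", 1)[1].split(";", 1)[0].split()
            validated = "ad" in flags
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            fields = line.split()
            if not fields:
                in_answer = False  # a blank line ends the section
            elif len(fields) > 3 and fields[3] == "RRSIG":
                signed = True
    return {"signed": signed, "validated": validated}


# Constructed TXT records keyed by owner name, as zone data would hold them.
TXT_RECORDS = {
    "example.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "selector1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBg..."],
    "weak.test": ["v=spf1 +all"],  # anyone may send as weak.test; no DMARC, no DKIM
}


def spf_policy(records):
    """Classify the 'all' mechanism of the SPF record, if there is one."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    for token in spf[0].split()[1:]:
        if token.lower().lstrip("+-~?") == "all":
            qualifier = token[0] if token[0] in "+-~?" else "+"
            return {"-": "strict", "~": "softfail"}.get(qualifier, "permissive")
    return "no-all"  # no terminal mechanism: unmatched senders evaluate to neutral


def dmarc_policy(records):
    """Return the p= tag of the DMARC record, or 'missing'."""
    for r in records:
        tags = dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "missing")
    return "missing"


def email_auth_report(domain, txt, selectors=("selector1", "default")):
    """Summarise SPF, DMARC and DKIM (for a few assumed selectors) for a domain."""
    dkim = [s for s in selectors
            if any(r.startswith("v=DKIM1")
                   for r in txt.get(f"{s}._domainkey.{domain}", []))]
    return {"spf": spf_policy(txt.get(domain, [])),
            "dmarc": dmarc_policy(txt.get(f"_dmarc.{domain}", [])),
            "dkim": dkim}


if __name__ == "__main__":
    print("example.test DNSSEC:", dnssec_status(DIG_SIGNED))
    print("weak.test DNSSEC:", dnssec_status(DIG_UNSIGNED))
    for d in ("example.test", "weak.test"):
        print(d, email_auth_report(d, TXT_RECORDS))
```

Two caveats that matter when reading the results: the ad flag only says that the resolver you asked validated the chain, so the RRSIG check is the resolver-independent signal that a zone is signed; and DKIM selectors are not discoverable from DNS, so a report can only confirm the selectors it was told to look for.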
What Happens When Phishing is Reported?
- Initial Investigation: The provider will investigate the report, gathering evidence and assessing the severity of the threat.
- Notification (if possible): If contact information is available, the domain owner may be notified about the phishing activity. However, this isn’t always done if it could alert the attacker.
- Action Taken: Based on their policies and the investigation results, the provider will take appropriate action (suspension, reporting, etc.).
Limitations
- Speed of Response: It can take time to investigate reports and take action. Attackers can often move quickly.
- False Positives: Automated systems aren’t perfect and may sometimes flag legitimate activity as malicious.
- Privacy Concerns: Providers must balance the need to protect users with the privacy rights of domain owners.