What the I2Coalition Article Misses About DNS Abuse

jruohonen1 pts0 comments

What the i2Coalition Article Misses About DNS Abuse

Welcome:<br>Login<br>Sign Up<br>About CircleID

Follow:

WARNING: JavaScript is either disabled or not supported by your browser. You may encounter problems using various features on CircleID.

Home

Topics

Access Providers<br>Artificial Intelligence<br>Blockchain<br>Brand Protection<br>Broadband<br>Censorship<br>Cloud Computing<br>Cyberattack<br>Cybercrime<br>Cybersecurity<br>Data Center<br>DDoS Attack<br>DNS<br>DNS Security<br>Domain Management<br>Domain Names<br>Email<br>Enum<br>Gaming<br>ICANN<br>Internet Governance<br>Internet of Things<br>Internet Protocol<br>IPv4 Markets<br>IPTV

IPv6 Transition<br>Law<br>Malware<br>Mobile Internet<br>Multilinguism<br>Net Neutrality<br>Networks<br>New TLDs<br>P2P<br>Policy & Regulation<br>Privacy<br>Regional Registries<br>Registry Services<br>Satellite Internet<br>Spam<br>Telecom<br>Threat Intelligence<br>UDRP<br>VoIP<br>VPN<br>Web<br>White Space<br>Whois<br>Wireless

Display Options:

List by Popularity<br>Chart by Popularity

Blogs

Latest<br>Recently Discussed<br>Most Discussed<br>Most Viewed

News

Latest<br>Recently Discussed<br>Most Discussed<br>Most Viewed

Community

Recently Featured<br>Most Featured<br>Most Active<br>Most Read<br>Recent Members<br>Top 100 Leaderboard<br>Alphabetical View<br>Random View<br>Recent Comments

Industry

Latest Posts<br>Most Viewed<br>Leaderboard<br>CircleID Members:<br>CSC<br>Brand Registry Group<br>DigiCert<br>DNIB.com<br>Hello Registry<br>i2Coalition<br>Godaddy Registry<br>Internet Commerce Association<br>IPv4.Global<br>Radix Registry<br>Threat Intelligence Platform (TIP)<br>Verisign<br>WhoisXML API

Home

/ Blogs

To our readers: Does your company offer DNS or DNS Security services? CircleID has an opening for an exclusive sponsor for our DNS topic. Gain unparalleled results with our deep market integration. Get in touch: ads@circleid.com

-->

What the i2Coalition Article Misses About DNS Abuse

By Karen Rose

Partner, Interisle Consulting Group

July 15, 2026

Views: 657

Add Comment

This post was co-authored by Greg Aaron, Partner of Interisle Consulting Group.

We were pleased to read Christian Dawson’s recent article about our report, Malicious Registrations in the Domain Name Market. Mr. Dawson is Executive Director of the i2Coalition, a trade association representing companies in the domain name and Internet infrastructure industries. We welcome substantive engagement with our research, as we believe discussion is useful and productive. There are several points in the article we agree on, a common ground that is helpful and constructive. But it also mischaracterizes aspects of our research. It also frames the DNS abuse problem in ways that reinforce the status quo and minimize the scale of the problem and the harm it inflicts on individuals, businesses, and society.

Our recent research found that 10% of all gTLD domains registered in 2025 had already been identified as malicious by well-known security feeds and blocklists. Based on ongoing listings and associated domains, we projected that malicious actors likely registered 16.8 million gTLD domains last year—20% of all gTLD domains sold. These are deeply troubling numbers, pointing to an enormous amount of damage being done to the public.

Two themes run through Mr. Dawson’s article: a narrow view of what registries and registrars can reasonably address, and a limited focus on mitigation as the solution. Our findings point in a different direction. What policymakers should take away from our report is: the scale of the problem is large and real, registrars and registry operators can address the malicious activity documented in our report, and more prevention is needed.

The Data Shows What Is Actually Happening

Mr. Dawson’s article questions the use of threat intelligence feeds and blocklist data to measure abuse and suggests that those lists overstate the problem. The truth is, however, that this data is useful for the purpose, and tends to understate the problems.

Security feeds and blocklists are compiled by security professionals looking for malicious activity. They are built on a foundation of observed abuse and reliable abuse signals, not mere speculation. The lists we study are used operationally to protect billions of Internet users, and their providers are incentivized to use judicious listing criteria and minimize false-positive rates. Our paper explained the steps we took to use the data carefully, with its limitations in mind.

In short, these sources are where the world goes to find out about malicious activity. That’s why:

Many registrars and registry operators use blocklists and security feeds to help identify abuse and measure their performance.

ICANN itself distributes this data to registries and registrars to support their mitigation efforts, and to measure abuse in ICANN’s Domain Metrica system.

Researchers across academia, cybersecurity firms, and industry projects like PIR’s NetBeacon Institute use blocklist data as a core input.

It’s also notable that some i2 members operate and sell blocklists and security feeds of their own creation. Many other i2 members use blocklists to protect their users from abuse. They use some...

abuse internet article data security registry

Related Articles