IGF 2022 DC-DT Fact-checking the DNS: towards evidence-based policy-making

Friday, 2nd December, 2022 (08:15 UTC) - Friday, 2nd December, 2022 (09:45 UTC)

Dynamic Coalition on Data and Trust

Round Table - U-shape - 90 Min


The DNS is receiving increased attention from policy-makers and standards setting bodies for its central role in the functioning of the Internet. From the DNS4EU proposal which seeks to create an EU-based recursive DNS service, to local and regional conversations about the potential impacts of DNS encryption, domain names infrastructure and governance have become new sources of contention. But what does the data say on these issues? And perhaps as importantly, what data is missing to develop evidence-based policies around the DNS that protect users’ trust on the Internet? The goal of this year’s IGF conversation by the DC on Data and Trust will centre around development of DNS policies and standards, highlighting good practices within the industry that use evidence to inform policy choices, different approaches to data-based decision-making, and gaps in data governance that may limit informed policy making as well community scrutiny and study. The conversation will split into three segments: (a) measuring trends in DNS for adequate policy-making with inputs from the technical community and private sector; (b) examples of evidence-based processes leading to DNS policy proposals, with inputs from European regulators and ccTLDs community; and (c) privacy, security and data access concerns from non-commercial stakeholders, with views from academia and civil society.

The session will have a combination of online and onsite speakers to encourage participants in both spaces to actively engage in the discussion during the session. The DC-DT will additionally promote the activity between coalition members and its associated community to line up additional event participants –beyond the speakers– interested in actively commenting and engaging in the discussion; such level of engagement is expected to encourage the participation of other attendees that join the session. To encourage a fluid conversation, the session will split into three segments, opening with firestarter remarks by one to three speakers at a time, and diving straight into the discussion of each proposed topic prior to moving on to the following segment. The three segments will open up with a one question posed to participants –using an online tool for audience interaction such as Slido– to encourage participation and engagement with the proposed issues among both online and in-person attendees.


Emily Taylor, Oxford Information Labs, Private Sector, WEOG Carolina Caeiro, Oxford Information Labs, Private Sector, GRULAC Regina Fuchsova, EURid, Technical Community, WEOG


All speakers listed are confirmed or authorised to be listed by their affiliation organisation. To speak on measuring trends in DNS for adequate policy-making: 1. Geoff Huston, APNIC, Asia-Pacific Group,Technical community; 2. Jordi Iparraguirre, EURid, WEOG, Technical Community To speak on examples of evidence-based processes leading to DNS policy proposals: 3. Keith Drazek, Verisign, WEOG, Private Sector; 4. Biyi Oladipo, .ng, Technical Community, African Group; 5. a speaker from the European Commission to talk about the DNS4EU, WEOG, Public Sector (Note: EURid to reach out to potential speakers from the Commission should the proposal be accepted). To speak on privacy, security and data access concerns from non-commercial stakeholders: 6. Carolina Aguerre, University of Duisburg-Essen/University of San Andres, GRULAC, Academia/Civil Society; and 7. Madeline Carr, University College London, WEOG, Academia and 8. Pablo Hinojosa, APNIC, Asia-Pacific Group, Technical Community.

Onsite Moderator

Emily Taylor, Oxford Information Labs, Private Sector, WEOG

Online Moderator

Regina Fuchsova, EURid, Technical Community, WEOG


Carolina Caeiro, Oxford Information Labs, Private Sector, GRULAC



Targets: The proposal links to SDG 9.1 in that data governance and policy-making on the DNS are essential to the development of a transborder Internet infrastructure that supports economic development and human well-being. The conversation also links to SDG 17.6 in that the roundtable discussion seeks to encourage a global exchange about data governance and data-based policy making in the DNS industry, promoting international cooperation and strong institutions across stakeholder groups involved in the DNS.

Key Takeaways (* deadline 2 hours after session)

The session focused on the access to the DNS-related data for informed decision making at a time that the DNS is receiving a lot of attention from policy-makers. Tensions discussed included disrupted measurements in the face of encrypted DNS, emerging proposals like the DNS4EU initiative and distribution of roles and responsibilities of actors in the DNS value chain. The various speakers commented on the rich nature of the DNS, being both commerc

Call to Action (* deadline 2 hours after session)

Our approach to tackling these policy questions has to be forward looking, thinking 20 years forward and how we want the space to evolve. Participants highlighted the importance of maintaining multi stakeholder conversations on the subject, taking into account views form civil society, governments and technical community.

Session Report (* deadline 26 October) - click on the ? symbol for instructions

Fact-checking the DNS: towards evidence-based policy-making

IGF Report 2022


The DNS is receiving increased attention from policy makers. This session sought to explore to what extent the DNS ecosystem relies on data to make informed decisions, what tensions have been created by increased DNS encryption in terms of accessing data and how to develop evidence-based solutions to tackle DNS Abuse. The session collected views from various stakeholders from the ecosystem.


We started with Geoff Houston from APNIC (technical community). He spoke about how the DNS was not designed thinking it would evolve into a global network, and therefore it was built with virtually no security features, it was ‘trusty.’ This became a vulnerability when the Internet consolidated as a global communications network: any adversary could intrude upon the DNS, observe what was happening and tamper with the answers. Following the Snowden revelations, a series of protections were built around the DNS (DNS messages are encrypted, sources of information are authenticated, DNS content is now verifiable, etc). However, as a result, the DNS has become obscure, “gone dark”, generating problems of its own in preventing abuse and keeping tabs of drivers for centralization. In his words, when we speak of evidence-based/data based policy making around the DNS, “there is no DNS data to talk about, it just does not exist.”


Mallory Knodel from the CDT (Civil society) challenged the notion that the DNS has gone dark. Her view being that just because we had not secured data before, it does not mean there was a good reason for DNS queries to be global data. The data was visible before, and we have now found ways to make it private. She does agree, however, that this has generated issues and has broken things, and to her, it is important from a public interest and Human Rights perspective, that we acknowledge those issues. These include initial centralization of services to make DNS lookups private, challenges for abuse mitigation, censorship becoming more blunt in regimes that previously relied on DNS data for blocking and filtering.


Emily Taylor from OXIL inquired about the availability of data for researchers to study the impact of encrypted DNS, highlighting how for studying the resolution space it is very hard to get that data. Mallory Knodel pointed how measurement initiatives tracking censorship are confident they will be able to overcome that challenge. Geoff said that the reason why query data is not shared is because it has incredibly privacy implications, most operators don't release it for good reasons. When you strip query data from personal, sensitive data you are left with something quite limited. As a result, our window to look into what is happening at the level of the DNS is small and getting smaller. No regulation will change that. The more functions are picked up by applications (QUIC, DoH), the smaller the role of networks will become. This push is the result of interest by large operators and what they perceive users want in terms of privacy that has led to this push.


The conversation then moved on to pick up on existing industry practices to deal with abuse on the DNS with the participation of EURid, CENTR, .ng and Verisign and contributions from academia from Latin America.


Peter Van Roste from CENTR spoke about DNS4EU. The initiative seeks to create a European-wide public recursive resolver. The reasoning has to do with concerns by European institutions that (a) some dominant players –especially interested in the valuable data generated by public recursive resolvers– have captured a significant market share and that public recursive resolvers are typically not European. DNS4EU was probably informed by market or commercial concerns related to the value of resolver data. CENTR welcomes the initiative, as long as the use of the resolver not be made mandatory, and noted that nearly a dozen of European ccTLDs are running local instances of public resolvers contributing to the diversity and resilience of European networks.


Jordi Iparraguirre from EURid spoke about actions taken by EURid to prevent harm to users of the .eu space. These actions are evidence-based policies, but they are also informed both by the existing legal framework (contract with the European Commission, local law in Belgium GDPR) as well as with EURid’s commitment to .eu brand and customer protection. Concrete existing actions include keyword detection on domain names (for example, searching for specific strings related to COVID pandemic) and analysis of domain names at the time of registration; improved Know-Your-Customer procedures to check on Whois data, and information sharing with law enforcement on domain names deemed suspicious of harmful activity.


When considering reliance on data for abuse mitigation, Keith Drazek from Verisign highlighted the importance of recognizing that there are different actors with different roles, responsibilities and operational capabilities. He highlighted ongoing activity at ICANN to identify improvements in DNS abuse mitigation focused on threats that are not content related. The gTLDs registries and registrars have recently sent a letter to ICANN to say they are prepared to take additional responsibilities to deal with DNS related security threats. But there is also a need to focus on content related abuse and for considering additional tracks for dealing with abuse in a multi stakeholder way which may belong outside of ICANN. He also highlighted the need to work with other actors for them to understand what it means to take action at the DNS level when trying to mitigate broad abuse. Mark Datysgeld - chair of DNS abuse group in GNSO supported Keith’s points about work at ICANN and mentioned that the group has also submitted a letter to ICANN asking to renegotiate contracts to change responsibilities.  


Beyond experiences from the global North, there were contributions from the African and Latin American perspective. Carolina Aguerre explained how the technical community in the LAC region is aware of the level of centralization that exists (the region relies on large, international providers). She also pointed out that concerns around privacy on the DNS are not being matched with initiatives to deploy privacy protections and protocols at the architecture level. APNIC has done a good job of mapping the adoption of protocols for the protection of privacy on the DNS, in Latin America there are some initiatives, like in Brazil and Chile, but very little data. The community is currently focusing on raising awareness among users and policy makers around this particular issue. It will likely generate tensions in the region as DNS blocking is common practice.


Biyi Oladipo from .ng spoke about not just Nigeria but how ccTLDs are managed in Africa. He expressed concerns about recent developments where governments take over the running of ccTLDs and potential implications of such developments on how freely and easily users access domain names. The regulatory environment is far more complex in Africa, with each country having its own data protection laws; he sees data protection as a potential opportunity for evidence-based policymaking to take place. Lastly, in practice there are few domain names taken down due to abuse in the continent, this is an additional area for collaboration with law enforcement and where an evidence-based system would be important. Some developments are taking place, a coalition is forming to collaborate with law enforcement on abuse and takedowns.


Lastly, Nigel Hickson from DCMS added a government perspective. He highlighted the importance that government officials be involved in these discussions to address valid government concerns as they impact government policy and regulatory development. He also called the group to reflect on ongoing UN processes and our vision for the DNS, particularly in the face of the WSIS +20 review and UNGA.