When you are informed that a registrar or registry has placed a domain on a protective hold, what does that really mean? How does it differ from a server/client hold, and what are the implications?
Defining Client/Server Holds
When a domain is placed on hold, a registry or registrar has taken the action of placing a domain on a server or client hold, respectively. This updates the domain’s status in the Domain Name System via the Extensible Provisioning Protocol (EPP). When a domain is placed on one of these EPP status codes, it will no longer be active or resolve in the DNS. This will stop all traffic to the domain from the DNS resolvers. If a registry takes action, then the domain is placed on a server hold. If a registrar takes action, then the domain is placed on a client hold. Regardless of the label, the outcome for the domain is the same. The important difference is knowing which entity placed the hold.
At CleanDNS, we work with registries and registrars to manage and mitigate their DNS abuse. In 2022, we observed an increasing number of domains registered for abusive purposes (which we shorten to “DRAP”) that have clear-cut phishing evidence within days of registration. A clear-cut evidence package for phishing is a screenshot of the login form, credit card form, or other form asking for personally identifiable information and the structure of the domain/ URL exhibits. In the case of financial institutions, a screenshot of the website presenting as the financial institution is sufficient.
CleanDNS has taken a proactive and aggressive approach against domains that have been registered for abusive purposes in order to end victimization as fast as possible. To that end, in March of 2022, we implemented what are called protective holds.
What Is a Protective Hold?
A protective hold is the same technical concept as a client/server hold but is done immediately with a 48-hour notice to appeal rather than 48 hours to mitigate. The registrar/registrant can then follow the appeals process if applicable. This process reduces the uptime of the domain, thus, less time spent targeting victims.
Key Differences Between Protective and Client/Server Holds, As Implemented by CleanDNS’s Clients
Client/Server Holds
- Domain reported
- Notify registrar/registrant
- Allow 48 hours for mitigation
- If not mitigated, domain is placed on hold
Protective Hold (“DRAP” Domains)
- Domain reported
- Domain placed on hold
- Notify registrar/registrant
- Registrar/registrant can appeal as applicable
Protective Holds Prove Effective in Mitigating DNS Abuse
During the 9 months in 2022 that CleanDNS implemented protective holds, these are the stats:
- 581,543 phishing domains
- Protective hold appeal rate: 0.017% (on 98 domain reports)
- Protective hold reversal rate: 1 in 10 (9 total)
- Hold reversal vs total mitigated: 0.00001%
This tells us that the implementation of protective holds is working. Don’t believe us, here’s what Alvaro Alvarez, EVP, General Counsel at Identity Digital had to share on the subject:
“‘Protective Holds’ allow us to take timely and decisive action on the most severe, pressing cases where the documented evidence demonstrates that the domain was primarily registered for DNS Abuse. While registries and registrars may not be able to prevent DNS Abuse from occurring, we believe that acting swiftly and reasonably is critical to promoting safety and security in Identity Digital’s top-level domains.”
The average victim loss from a phishing domain in 2022 was $173.34. With CleanDNS’s swift actions, we reduced the uptimes of these domains, saving victims ~$75M in potential fraud losses throughout the course of 2022. Protective holds not only stop the abuse of the DNS but also limit the exposure and losses to victims. Read more on the financial impact of protective holds here.