Subject: Re: DNS Abuse & AI – Proposed NARALO Action: Member Guide

 

Hi Evan, Glenn, and all,

 

I wanted to add one more relevant development to our discussion that I believe significantly strengthens the case for the member guide we have been building.

 

On March 19, 2026, NIST published SP 800-81r3 — the Secure Domain Name System (DNS) Deployment Guide — the first update to this foundational document in over twelve years:

 

• Official NIST page: https://csrc.nist.gov/pubs/sp/800/81/r3/final

• Direct PDF download: https://doi.org/10.6028/NIST.SP.800-81r3

 

For the NARALO community and the end-users we represent, this is a landmark moment. Here are four takeaways directly relevant to our work:

 

1. DNS is Now Officially a "First Line of Defense"

Rather than being viewed merely as a lookup service, DNS is now officially positioned as an active enforcement layer capable of detecting and mitigating threats in real time. This gives NARALO the policy weight to advocate for Protective DNS as a standard recommendation for schools, local governments, and small businesses across North America — exactly the practical guidance our proposed member guide would provide.

 

2. Encrypted DNS is Now a Federal Standard

SP 800-81r3 addresses encrypted DNS through three key protocols — DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) — and mandates encrypted DNS for US federal civilian agencies wherever technically feasible. This directly validates what Evan highlighted: encrypted DNS is not just a privacy preference but a recognized federal standard. It also reinforces the case for CIRA Canadian Shield and Quad9 (9.9.9.9) as the practical implementations we would feature in our guide.

 

3. DNSSEC Recommendations Have Been Modernized

The publication updates DNSSEC signing recommendations to reflect current cryptographic standards. For end-users, this reinforces the importance of domain owners signing their zones — preventing website hijacking and fake site redirects that disproportionately harm non-technical users.

 

4. Zero Trust for Everyday Users

SP 800-81r3 integrates DNS into Zero Trust Architecture, positioning DNS as both a policy enforcement point and a source of information when evaluating access requests. In plain language: every connection should be verified before being trusted — a principle that becomes essential as AI-driven phishing grows more sophisticated.

 

I believe NIST SP 800-81r3 gives our proposed member guide an authoritative US federal policy foundation — one that did not exist just one week ago.

 

Best regards,

Mohibul Mahmud

NARALO Member

On Sun, Mar 22, 2026 at 11:26 PM Mohibul Mahmud <mohibul.mahmud@gmail.com> wrote:
Hi Evan, Glenn, and all,

Thank you, Evan — this is a wonderful and highly relevant addition to the discussion. CIRA's Canadian Shield is something I was not previously aware of, and it strengthens the case for our proposed guide considerably. The combination of DNSSEC support, encrypted DNS over TLS and HTTPS, and the privacy protections you highlighted makes it a compelling recommendation for Canadian members specifically — alongside Quad9 for the broader North American audience.

I think we now have the foundation for a genuinely useful resource. The outline is taking shape naturally from this thread:

• ICANN's official DNS abuse definitions as the policy anchor
• Quad9 (9.9.9.9) for general international users
• CIRA Canadian Shield for Canadian users
• RBLs such as Spamhaus for email protection
• Optional advanced protections including DNS over TLS and HTTPS

I would love to see this move forward as a NARALO initiative. I am happy to contribute to the effort and look forward to discussing next steps with the group — perhaps we can identify the right home for this on the agenda of an upcoming NARALO Monthly Call.

Best regards,
Mohibul Mahmud
NARALO Member

On Sun, Mar 22, 2026 at 9:39 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
Hi Mohibul,

As it turns out, I have been doing some thought and research on this topic, and may expand further on it in the future.

Your idea for an end-user guide is an excellent one and I offer my assistance should NARALO pursue it.

In my research I found that the only entity in the whole Internet Governance field that has given this issue any attention is Canada's ccTLD, CIRA. In a project called "Canadian Shield", CIRA has provided mobile apps and configuration guidance (for desktops and routers) on how to use its own public DNS servers (149.112.121.20/149.112.122.20).

I find in my own tests that Canadian Shield servers consistently provide the fastest response ... though that might not be the case for non-Canadians. As well as DNSSEC it supports encrypted DNS over TLS or HTTPS, which is also important in privacy considerations if you suspect your ISP is collecting data on what users access. Personally I use both CIRA and Quad9.

Even further protection is available at the DNS level if you want to extend blocking to ads or adult content.

Again, thanks for the suggestion. I hope it gets picked up and is offered some resources.

- Evan
 

On Sat, Mar 21, 2026 at 2:51 PM Mohibul Mahmud <mohibul.mahmud@gmail.com> wrote:
Subject: DNS Abuse & AI – Proposed NARALO Action: Member Guide

Dear Glenn and Evan,

I am writing to synthesize the key takeaways from the ICANN 82 roundtable discussion, "DNS Abuse and AI: Combatting and Enabling Threats," and to propose a concrete next step for NARALO.

The session highlighted a sophisticated, three-dimensional landscape regarding DNS abuse. On one hand, we have the formal ICANN policy definitions focusing on malware, botnets, phishing, pharming, and spam. On the other, we discussed the cutting-edge AI defense mechanisms presented by panelists like Jeff Bedser of CleanDNS, which leverage machine learning for near real-time detection (13:13).

However, a significant gap remains between these high-level policy discussions and the immediate, practical needs of the general internet user. As Evan highlighted in his response, many average users are bypassed by these technical efforts and remain vulnerable to daily threats.

To bridge this gap, I propose that NARALO develop a simplified, one-page guide for our members. This guide would synthesize the official ICANN focus on DNS abuse with a step-by-step tutorial on implementing effective, DIY mitigation tools — such as utilizing specific DNS providers like Quad9 (9.9.9.9) or RBLs.

This initiative would directly align NARALO's policy-driven mission with tangible, practical benefits for our community. I look forward to hearing your thoughts on this proposal.

Best regards,
Mohibul 


On Mon, Mar 9, 2026 at 8:57 PM Evan Leibovitch via NA-Discuss <na-discuss@icann.org> wrote:
Hi Glenn, and thanks for this.

I agree with you about the lack of clarity. The slide deck is very informative, but it seems to ignore what are now the most effective ways that the general public now confronts DNS abuse. They seem to be off the radar of the entire ICANN community because they've evolved as workarounds that do not wait for committees or government agencies or working groups to act, indeed they bypass ICANN completely:
  • Abuse-limiting DNS servers: Anyone can override the DNS server provided by their ISP in their phone, PC or home router if they wish. Setting this manually enables anyone to send their DNS queries to a server that maintains lists of abusing DNS domains and refuses to feed them to you. There are many examples, the best of which (IMO) is the Swiss nonprofit Quad9. Setting your DNS server to 9.9.9.9 sends queries through this well-trusted site which is free to use and does not require setting up an account. They maintain a database of millions of malicious domains which is updated in real-time. It's easy to use, and an immediate step that protects the privacy of DNS lookups while blocking bad domains.  (Quad9 provides setup guides for PCs, phones and routers; here is a video that compares it to alternatives.)

  • Spam is correctly noted in the slide deck as being an enabler of DNS abuse rather than the abuse itself. However the slide deck makes no mention of the massive amounts of volunteer time that go into creating Remote Blackhole Lists (RBLs) that maintain not only domains but also IP addresses of sources of unwanted and unsolicited email. The best known of these is Spamhaus but there are a few of them. They sometimes suffer from false positives, but there is a well-documented process for legitimate bulk-email senders to get removed from the lists. Many mail systems implement some kind of such blocking; anyone who looks at the spam folder of their Gmail will see this in action.
    Spam is specifically also the subject of legislation in both Canada (CASL) and the US (CAN-SPAM).
As the component of the ICANN that is closest to the end-user, if we in NARALO are interested in the actual practice of helping the public mitigate DNS abuse -- something that can be done by anyone, TODAY -- we can (and should) do much more than just point to internal ICANN process churn and pray that the contracted parties do the right thing. The solutions I have listed above unabashedly bypass the ICANN-registry-registrar chain in their pursuit of practical abuse mitigation. ICANN's work is trying to stop abuse at the source with limited success despite  decades of work. Well-meaning people joined NARALO chiefly to address abuse (old-timers here will remember Marc, Garth and Beau) but left out of frustration. Abuse-minded DNS servers and RBLs perform the task at the receiving end and appear to be more successful in the actual problem solving; it's much easier to ignore a bad domain than to take it down but the end-user effect is the same. The slide deck makes mention of PDNS but it's never elaborated.

I ask everyone here: what action is both easier and more likely to help you and your family reduce exposure to DNS abuse, right here right now?
  1. Explaining ICANN processes and hoping it will all work out?
  2. Monitoring Netbeacon and pressuring registries and/or ICANN to act on its information?
  3. Setting your devices' DNS to 9.9.9.9? 
Education about Abuse-resistant DNS servers and DIY abuse mitigation should be part of ICANN's (and especially At-Large's) public mandate. That these solutions did not come from within ICANN (and indeed ignore it completely) does not negate their intense potential for public benefit in this realm. NIH thinking must be resisted.

- Evan
 

On Mon, Mar 9, 2026 at 1:01 PM Glenn McKnight via NA-Discuss <na-discuss@icann.org> wrote:
Hi Greg and Rookayya 

I attended and watched the recordings of the DNS Abuse Mitigation sessions in Mumbai (remotely) and I need to confess that the group danced around the concrete issues which impact the user community.

As a result I spent some time tailoring an AI Gemini slideshow given the parameters of making sense of the topic and I've added the result of the slideshow as an EBOOK.

We are suffering from a lack of clarity and plain speaking on this topic. I hope this slideshow can help our membership in trying to understand the basics.

Glenn

Glenn McKnight, MA
Virtual School of Internet Governance 
Chief Information Officer
YOUR SOURCE FOR INTERNET GOVERNANCE EDUCATION 
Mobile  437-237-4655

------
NA-Discuss mailing list -- na-discuss@icann.org
To unsubscribe send an email to na-discuss-leave@icann.org

Visit the NARALO online at http://www.naralo.org
------
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.


--
Evan Leibovitch, Toronto Canada
@evanleibovitch / @el56