DNS abuse

We manage the .nl domain. Part of that role is making sure that you can reach the .nl websites you want to see. We do that using our Domain Name System (DNS). That's a system for translating the long numeric addresses that computers use into domain names that people can recognise and remember. Unfortunately, troublemakers sometimes abuse the DNS. This page explains what we mean by 'abuse' and what we do to prevent it.

What do we mean by 'abuse'?

When people use our DNS servers, there is less server capacity available for others. Excessive use can therefore create problems for everyone else.

What forms does abuse take?

  • Abusers sometimes deliberately create very large traffic volumes, with the aim of causing our servers to crash. The tactic is known as a 'DDoS attack'.

  • So-called 'domainers' use our DNS servers to try to build up a picture of the .nl zone. Or they mount 'dictionary attacks'. That involves sending a very long series of DNS queries, based on every word in a dictionary or word list. The aim is to find attractive domain names.

  • Other abusers try to use our infrastructure to mount attacks against others ('DNS amplification attacks').

What do we do to prevent abuse?

  • We do all we can to protect our systems and infrastructure. We use anycast, for example.

  • We make sure our DNS servers have enough (over-)capacity.

What do we do if we detect abuse?

  • We immediately report the abuse to the owner of the network that the traffic is coming from. Where possible, we send the report to the network owner's special abuse mailbox. We ask the owner to explain what's causing the traffic. Sometimes it's generated by a software fault or a virus.

  • If the network owner doesn't respond quickly, we mail them to say that we're starting an abuse procedure. The message goes to the owner's administrative, technical and abuse contacts. Where possible, a copy goes to the abuse contact of the owner's upstream provider.

  • If there's still no response, we try to call the network owner. If we get hold of them, we give them another chance to explain what's causing the traffic.

  • As a final warning, we write to the owner by registered post. We tell them that we intend to filter or block traffic from their network.

  • Unless there's a response, we start filtering or blocking the traffic. That means that users of the network will no longer be able to reach any .nl domains. If the network owner is also a registrar (hosting service provider), we immediately end our relationship with them.

  • It very rarely happens that abuse is so serious that it poses an immediate threat to the performance of the .nl zone. But if that does happen, we start filtering or blocking traffic from the relevant network at an earlier stage.