
DNS-on-Blockchain is the next step after DNS-over-HTTPS - dominicl
https://diode.io/distributed-infrastructure/Why-DNS-on-Blockchain-is-the-next-step-after-DNS-over-HTTPS-19231/
======
zaarn
DoB will have to deal with some problems, especially bad actors; people will
squat on domains, register typos (fscebook.com) or even bitflips
(fabebook.com, b is one bitflip from c). Malware owners will run their C&C
servers on domains.

Malicious domains will require someone removing them or blocking them even,
unless you want the DoB namespace to turn into a cesspool of malware, phishing
and nazis. Not something the average person wants.
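
An added example, not part of the thread: a defender-side check that flags an observed name as a one-character typo or a single-bit flip of a protected name, the two lookalike classes the comment above mentions. The function names and the watchlist are assumptions made for illustration.

```python
import string

# Characters allowed in a DNS label; a flipped bit landing outside this set
# cannot yield a registrable name.
LDH = set(string.ascii_lowercase + string.digits + "-.")

def is_bitflip(observed: str, protected: str) -> bool:
    """True if the names differ in exactly one character, by exactly one bit."""
    if len(observed) != len(protected):
        return False
    diffs = [(a, b) for a, b in zip(observed, protected) if a != b]
    if len(diffs) != 1:
        return False
    a, b = diffs[0]
    x = ord(a) ^ ord(b)
    return a in LDH and (x & (x - 1)) == 0  # power of two => one bit differs

def is_one_edit(observed: str, protected: str) -> bool:
    """True for one substitution, insertion, deletion or adjacent swap."""
    la, lb = len(observed), len(protected)
    if observed == protected or abs(la - lb) > 1:
        return False
    i = 0
    while i < min(la, lb) and observed[i] == protected[i]:
        i += 1  # skip the common prefix
    ra, rb = observed[i:], protected[i:]
    if la == lb:
        swapped = len(ra) >= 2 and ra[0] == rb[1] and ra[1] == rb[0]
        return ra[1:] == rb[1:] or (swapped and ra[2:] == rb[2:])
    return ra[1:] == rb if la > lb else ra == rb[1:]

def classify(observed: str, watchlist):
    """Return (protected_name, kind) for a lookalike, or None."""
    name = observed.lower().rstrip(".")  # DNS names are case-insensitive
    for protected in watchlist:
        if name == protected:
            return None  # the real name, not a lookalike
        if is_bitflip(name, protected):
            return (protected, "bitflip")
        if is_one_edit(name, protected):
            return (protected, "typo")
    return None

if __name__ == "__main__":
    watch = ["facebook.com"]  # constructed watchlist
    for seen in ["fscebook.com", "fabebook.com", "facebook.com", "example.org"]:
        print(seen, classify(seen, watch))
```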

~~~
m-p-3
You either have the freedom of decentralization and all the benefits and
drawbacks that come with it, or you have our current system with the ability
to centrally manage but then you depend on those large, centralized entities
to do an impartial job. And we know that nobody is impartial.

~~~
zaarn
Why is it always so black-and-white with blockchain people?

There is no reason we can't deploy something that takes the good parts of
decentralized operation without having to commit to a full P2P blockchain IoT
buzzword fiasco.

------
cobbzilla
Yes, DNS should be like the old phone book — published regularly, pick one up
anywhere & everywhere, look things up anonymously (granted, authenticity
guarantees were somewhat lacking).

My question - Sure blockchain can do this, but couldn’t a simpler DHT-based
p2p system work just as well or better? I like the
distributed/anonymity/authenticity, but why is blockchain required?

~~~
badrabbit
Ipfs.io can solve this easily.

~~~
zaarn
Ipfs requires a DNS server to bootstrap the P2P network, not a good idea.

Plus, Ipfs isn't that good when it comes to authentic data, if it's signed,
there is only one key, so it's centralized again.

~~~
momack2
There are capabilities to use the existing DNS system (or an EthDNS system in
the works) for human readable names with IPFS, but you can also use other
channels like pubsub to resolve mutable content like IPNS names quickly - so
IPFS doesn't actually require DNS at all. Multiwriter IPNS records are also a
work in progress, though I disagree with your characterization that somehow
only allowing one key to edit a particular signed record somehow makes the
network itself centralized...

~~~
zaarn
This isn't about the IPFS Application Layer but the Link layer.

Bootstrapping a P2P system efficiently requires known P2P nodes and those will
require DNS unless you want to shell out for a static IP permanently (and hope
nobody poisons ARP!)

------
troquerre
Handshake is another DNS on blockchain project that's taking a different
approach — it's aiming to decentralize the root zone (TLDs) instead of
domains, because the root zone is where the centralization happens.

This MIT Tech Review article gives a good overview of Handshake's goals:
[https://www.technologyreview.com/s/613446/the-ambitious-plan...](https://www.technologyreview.com/s/613446/the-ambitious-plan-to-make-the-internets-phone-book-more-trustworthy/)

~~~
dogma1138
Every time I see an article claiming that someone is building some
“decentralized” system to make censorship harder I wonder if anyone of those
people even understands how the internet is censored at scale in places like
China.

For the censorship we have in the west e.g. blacklisting torrent sites a
non-ISP DNS and/or CDN already solve that problem, for anything beyond that
nothing would help.

~~~
mlyle
There's also various kinds of registrar concerns; registrars revoking domains
for questionable reasons, the WIPO/UDRP regime, etc.

It all comes down to whether you think the current stewards and legal regimes
and ICANN are doing a good job or not. [I'm undecided].

------
pjc50
You've reinvented the HOSTS file, which used to be manually updated by John
Postel or someone and passed around the internet before DNS was invented.

~~~
isostatic
But it's on the blockchain! That means it's a billion-dollar idea!

------
LeoPanthera
So, NameCoin again? I think it was the first ever bitcoin fork.

[https://en.wikipedia.org/wiki/Namecoin](https://en.wikipedia.org/wiki/Namecoin)

~~~
ur-whale
Indeed, this was my first thought when I read the title, and IMO, it still
remains the other obvious killer app. for blockchain (besides store of value /
currency, obviously).

Namecoin is an idea (that failed because IMO it was too early) so old by now
that I am truly surprised there hasn't been a full blown distributed DNS
solution that works in parallel to the existing one based on blockchain.

------
rubyfan
I don’t get why blockchain is any different for the list of complaints the
author highlights.

Also, reminds me of the old saying about “now you have two problems”

------
Dylan16807
I'll go ahead and note that this doesn't require a blockchain. Each TLD is
controlled by a single entity. Anything a site would store on a blockchain,
they could easily submit to that single entity to be published.

------
joosters
When the DNS blockchain forks, your browser just opens two new tabs instead of
one and you get to visit both sites. Simple!

------
LIV2
What is the proof? That the domain owner signed it with a certain key? Is that
key shared out-of-band? If so why do we even need the blockchain?

~~~
bouncycastle
Yes, the proof would be some sort of signature.

No, public key cryptography means that the key doesn't need to be shared.

A blockchain is only needed if parties need to write to the database in a
decentralized manner, and the order of the writes is important & can't be
tampered with.

~~~
SAI_Peregrinus
The public key still needs to be shared.

~~~
bouncycastle
Of course. The OP didn't mention which key, so I assumed they are talking about
the private key, especially when they mentioned out-of-band sharing, usually
terminology used for asymmetric cryptography. Public keys don't need to be
shared out-of-band, in fact they are always published along with the
transaction on the blockchain. (well technically, only the curve points and
the hash are, but using these, we can re-create the public key)

------
tylerl
Oh wait, you're serious. Let me laugh even harder.

------
lowestlatency
The article explains the censorship resistance aspect but not the security.
How does Handshake deal with the things Cloudflare does for me? DDoS and WAF
protection, at least?

~~~
southerntofu
Firewalls and DDOS protection have nothing at all to do with name resolution.
These are routing concerns that require taking a deep look into the packets
(DPI), while name resolution and key exchange are prior steps.

Also, what does CloudFlare bring to you? 99% of websites don't need DDOS
protection or a complex firewall. Using CloudFlare for these websites means:

- CloudFlare gets to inspect and snoop 100% of your "HTTPS" traffic (because
the TLS termination happens on their side)

- Users without Javascript (command-line browsers or GUI browsers disabling
JS for performance/security concerns) cannot access your website

- Tor users most times cannot access your services at all because CloudFlare
and Google work hand-in-hand to prevent them from using the web by serving
infinite CAPTCHA loops (see #FuckCloudFlare)

- CloudFlare becomes a SPOF for much of the web, like other "cloud" providers;
accessing your website depends on the availability and good will of a huge
multinational

So if you want to help people access the Internet without censorship and
surveillance, please never use CloudFlare or equivalent services. They make
everything so much worse through centralization. If we wait too much, it will
become a HUGE problem.

------
foxhill
is this not what [https://www.namecoin.org](https://www.namecoin.org) does..?

~~~
wallacoloo
> Namecoin and the Ethereum Name System were the first attempts at bringing
> name resolution to the Blockchain. At Diode we’re going the next step and
> are moving PKI & DNS into the Blockchain

The article specifically calls out Namecoin, but doesn’t say anything about
how Namecoin falls short or why it can’t be augmented/improved instead of
building a whole new thing.

I know I’ll sound like a grump here, but why does the bar for HN front page
feel so low these days?

------
Communitivity
There's some interesting work on this going on in W3C, in the Verifiable
Claims Working Group [1] and in the newly minted Decentralized Identifier
Working Group [2]. I'm a member of the W3C Credentials Community Group (CCG)
[3], which is where those two WGs started.

There are also a number of other valuable efforts. Both in other Standards
Development Organizations (SDOs), such as Decentralized Identity Foundation
(DIF) [4], Apache HyperLedger projects like Aries [5], etc. And in working
conferences/unconferences like Rebooting Web of Trust (RWOT) [6], and Internet
Identity Workshop (IIW) [7]. On a tangential note, Unconferences are an
interesting concept [8].

[1] [https://www.w3.org/2017/vc/WG/](https://www.w3.org/2017/vc/WG/)

[2] [https://www.w3.org/2019/08/did-wg-charter.html](https://www.w3.org/2019/08/did-wg-charter.html)

[3] [https://w3c-ccg.github.io/](https://w3c-ccg.github.io/)

[4] [https://identity.foundation/](https://identity.foundation/)

[5] [https://www.hyperledger.org/projects/aries](https://www.hyperledger.org/projects/aries)

[6] [https://www.weboftrust.info/](https://www.weboftrust.info/)

[7] [https://internetidentityworkshop.com/](https://internetidentityworkshop.com/)

[8] [http://unconference.net/](http://unconference.net/)

------
jeffk_teh_haxor
So every DNS change is stored into the blockchain, forever? Will you have to
download terabytes and terabytes of the blockchain in order to serve as a
node? Why is that kind of audit history necessary?

Why is the solution to every problem "blockchain" these days?

~~~
Kiro
> Why is the solution to every problem "blockchain" these days?

That is a trope and is no longer true. If you say blockchain is the solution
you get laughed at.

~~~
zaarn
Being laughed at doesn't seem to stop people from trying to solve problems by
throwing more blockchain at it.

------
yellow_postit
The wave of “x, but on the blockchain!” patents is going to be amusing and sad
to watch.

------
asdf333
question—can’t a government actor like china just watch the record for where
it points to and just filter that address? doesn’t that defeat the whole
purpose of this uncensorability?

while it may be harder in the US i could legitimately see a mechanism
developing to make that a requirement for isps

~~~
freeone3000
They can, and do, already do this for regular DNS. This would prevent US-style
domain name seizures but would do nothing against actual competent censorship.

------
Causality1
Correct me if I'm wrong, but wouldn't DNS-on-blockchain make lookups orders of
magnitude slower than they are now, especially with many DNS services
advertising based on speed?

~~~
tinybeagle
Yes, DNS-on-blockchain would likely make lookups orders of magnitude slower
than they are now -- it's making a trade-off between security and performance.

------
rolltiide
A lot of blockchain projects coordinate "seed nodes" by storing collections of
IP addresses within the DNS records of websites that community members run,
because it is an already decentralized enough record

This is going full circle

------
Vosporos
Uh no thank you, I do not wish to synchronise half a terabyte per month to be
able to resolve domains.

