
How do we go about decentralizing dns? - bgrrtt
In light of recent events, developers, what are our options? https://www.dynstatus.com/incidents/nlr4yrr162t8
======
jMyles
CJDNS takes a good crack at this.

NameCoin is a pretty interesting solution as well.

But let's question for a moment whether this is actually an engineering
problem. The DNS system is pretty bad; I'm sure that a few of us can come up
with a better system in an afternoon. However, these competitors have failed
to take hold.

It's probably mostly a social or political issue. One of the things that I
think is important is to start making internet architecture issues the subject
of conversation at the dinner table, at town hall meetings, and just in
everyday life. We need to ignite a social consciousness around the internet
and its ways. We need strong, determined will to do better.

------
zzzcpan
DNS is already decentralized. Running your own is not hard. There are a lot of
misguided choices in infrastructure, though, driven by PR and marketing of
various CDN and DNS providers. They really want to convince everyone that
relying on a single company and single AS is more reliable, than rolling your
own solution.

~~~
zerognowl
That DNS is decentralized does not really mean anything when you consider how
easy it is to uncover where a site is hosted, and understand which points you
need to hit to take a site down. Whilst we can do interesting things at the
network level to mitigate (think Cloudflare, anycast, mirroring, etc), the
services sitting behind DNS are still exposed like a sitting duck.

I mean if we really wanted to DDOS Cloudflare, we just exhaustively gather all
the raw APEX/Naked IPs of their edge nodes then stress them, but I imagine
Cloudflare doesn't advertise their list of IPs and they're closely guarded, so
attackers are left in the dark. But such an attack is plausible.

What we do need are antifragile protocols like BitTorrent/IPFS/Bitcoin which
in fact _reward_ swarm behavior, instead of punish it.

------
dkhenry
DNS is decentralized. There are 8 root name servers globally distributed and
operated by different entities. Whatever you think the problem is, there is no
amount of "decentralizing" that could be done to address the issues you have
seen today.

~~~
detaro
Well, the attacks right now aim at only one infrastructure provider. If all
their customers had a randomly picked second provider set up as well the
attackers would have to attack those providers as well. Although it would be
interesting to see what scale the current attacks have compared to the
theoretically possible, and how well the wider DNS system could cope.

~~~
dkhenry
I wonder if there would be a way to allow for multiple NS records for a given
domain, but still maintain the idea of ownership over that domain by a single
party. Like right now I need to have a single registrar put an entry for my NS
records into their DNS database, but if the registrar goes down no one will
find my NS records. However if someone else was allowed to host my NS records
how could I update them and still prove that they all only point to my name
servers.

~~~
zzzcpan
Registrar doesn't host your NS records, they are hosted on name servers for a
particular TLD your domain belongs to. So, if registrar goes down - absolutely
nothing will happen. The only way registrar could mess things up is by
updating your records incorrectly. And these things do happen from time to
time, but are very uncommon. For example, I use domains for decades and was
never affected by it.

------
Decade
My own domain is hosted on two completely separate providers, with my own DNS
server acting as a hidden master, with DNSSEC signing to minimize the
possibility of shenanigans. I can have any number of replicas on any number of
networks.

The issue comes when you have to depend on a single service. When you're using
traffic management from NS1 or content delivery from CloudFlare, then you have
no choice but to use a single DNS provider. Unless they have some special
service for whoever pays enough.

~~~
ryanlm
How exactly did you set up this failover scheme? You run your own instance of
BIND, and I'm assuming you're listing your domain's NS records as your own and
another party's (e.g. Cloudflare, etc.)?

~~~
Decade
I’m not running BIND. I got tired of that program. Right now I’m using
PowerDNS. Quite a bit overkill, but that server is extremely lightly loaded.

I’m not using CloudFlare, either. That’s the point. If I use CloudFlare CDN,
then I depend on CloudFlare’s DNS servers.

The way it works is that DNS servers often have a master/slave relationship.
The master sends all the records to the slave once in a while. What you’re
supposed to do is list your own server and another server as two separate NS
records, and then any client can contact either server for any record. What
I’m doing is a hidden master setup. Neither NS record refers to the master,
but both point to separate slaves.

There are some downsides. You must assume that any record is public, not
private. DNSSEC white lies[0] (and black lies[1]) are not available. And it’s
more difficult to use a CDN. But I’m not running a web site right now, so that
doesn’t matter to me.

[0] [https://blog.cloudflare.com/dnssec-complexities-and-considerations/](https://blog.cloudflare.com/dnssec-complexities-and-considerations/)

[1] [https://blog.cloudflare.com/black-lies/](https://blog.cloudflare.com/black-lies/)

------
tbodt
IPFS is basically the internet made peer-to-peer. I don't know a whole lot
about it, but it sounds like something worth looking into...

------
zerognowl
I know it doesn't compete with DNS directly, but the addressing in IPFS[1] is
a game changer, and the sooner it ships as a recognized protocol in browsers,
the better.

Browsers still support dated protocols like FTP[2], which shows you how much
browsers need to catch up.

[1] [https://blog.acolyer.org/2015/10/05/ipfs-content-addressed-versioned-p2p-file-system/](https://blog.acolyer.org/2015/10/05/ipfs-content-addressed-versioned-p2p-file-system/)

[2] [https://en.wikipedia.org/wiki/Ftp#Web_browser_support](https://en.wikipedia.org/wiki/Ftp#Web_browser_support)

------
stevekemp
The best way is to upload your records to two+ providers. That might be Dyn +
Route53, or your hosting-company AND dnsmadesimple, etc.

I wrap Route53 via git at [https://dns-api.com/](https://dns-api.com/) and I'm
in the process of supporting other back-ends to help automate this process.
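As an added, runnable illustration of the setup Decade describes above (a hidden master feeding two secondaries at separate providers) and of stevekemp's "two-plus providers" advice, not code from anyone in the thread: a small audit over constructed inputs (placeholder hostnames and documentation-range ASNs standing in for what dig and whois would return) that flags a hidden master leaking into the public NS set, a delegation that sits entirely in one AS, and replicas whose SOA serial lags the master.

```python
"""Audit a zone's delegation for single-provider dependence and replica drift.

All inputs below are constructed placeholders; in practice you would fill
NS_RECORDS from the parent zone's NS answer, the ASN from whois/BGP data for
each server's address, and the serial from each server's SOA answer.
"""
from collections import defaultdict

# Constructed example: two public secondaries at different providers plus a
# hidden master that must never appear in the delegation.
NS_RECORDS = ["ns1.provider-a.example", "ns2.provider-b.example"]
HIDDEN_MASTER = "master.home.example"
SERVER_INFO = {
    "ns1.provider-a.example": {"asn": 64500, "serial": 2016102101},
    "ns2.provider-b.example": {"asn": 64501, "serial": 2016102101},
    "master.home.example":    {"asn": 64502, "serial": 2016102101},
}


def audit_zone(ns_records, server_info, hidden_master=None):
    """Return a list of human-readable findings; an empty list means healthy."""
    findings = []
    # A hidden master exists precisely so that it is not a public target.
    if hidden_master in ns_records:
        findings.append("hidden master is published in the NS set")
    # Group the public nameservers by the AS that announces them.
    by_asn = defaultdict(list)
    for ns in ns_records:
        info = server_info.get(ns)
        if info is None:
            findings.append(f"{ns}: no AS/serial data (unreachable?)")
            continue
        by_asn[info["asn"]].append(ns)
    if len(by_asn) < 2:
        findings.append("all public nameservers sit in a single AS")
    # Replication check: every public replica should carry the master's serial.
    serials = {ns: server_info[ns]["serial"] for ns in ns_records if ns in server_info}
    if hidden_master and hidden_master in server_info:
        master_serial = server_info[hidden_master]["serial"]
        for ns, serial in serials.items():
            if serial != master_serial:
                findings.append(f"{ns}: serial {serial} lags master {master_serial}")
    elif len(set(serials.values())) > 1:
        findings.append("replicas disagree on SOA serial")
    return findings


if __name__ == "__main__":
    for line in audit_zone(NS_RECORDS, SERVER_INFO, HIDDEN_MASTER) or ["OK"]:
        print(line)
```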

------
mrfusion
Whatever happened to namecoin?

------
stray
I know!

Each machine could have a file listing all other hosts. We could put it in the
/etc directory.

/etc/hosts

That would totally fix the DNS problem. But I think we should wait till Flag
Day (June 14, 2017) to make the change.

------
lossolo
Don't they have anycast IP for their DNS servers? I mean if you are running
DNS infrastructure as a service in 2016 you should have anycast IP which will
automatically offload traffic to all the servers in case of DDOS thanks to
OSPF on BGP level.

~~~
zzzcpan
Dyn uses anycast, just like everyone else. It's still a single AS and a single
company though.

