With Domain Name Seizures Increasing, It's Time For A Decentralized DNS System (techdirt.com)
186 points by chaostheory on Dec 5, 2010 | 80 comments


1) ICANN has nothing to do with ICE seizing domains.

2) wikileaks.org was NOT seized by ICE, in case you didn't know (their nameserver operator, everydns, terminated service due to alleged AUP breach). They should probably just run their own nameservers if it's too much for a free provider to handle.

3) DNS is hierarchical in structure, but very decentralised from a technical point of view. In fact, you might call it "P2P", since anybody can join the network and run their own resolver.

4) #dnsissexy - the average user doesn't even know it exists.

5) Not happy with something? ICANN is a community. (I'm not saying it's perfect - nothing is!).

6) Really really pissed about something? Free speech, courts, democracy.

7) Really pissed AND lazy? Use a ccTLD. I hear .ly is cool.

What are people like Sunde proposing? The PR is sensationalist and contradictory, with talk of an alternative root (where would it be located? who would control it?), and a new bittorrent-like protocol (no idea how this could even work).

Anyway, I'm standing up for the status quo. It works phenomenally well.

The goal is to build a naming system that is decentralized and therefore free and hard to take down.

> You might call DNS "P2P", since anybody can join the network and run their own resolver.

Single point of attack. They shut down your custom resolver, and they shut down your custom naming system. Also this proposal fails in terms of availability and resilience.

Also it's hierarchical P2P, so if you control the root servers, you control the naming system. It is decentralized only to aid availability and resilience.

> the average user doesn't even know it exists.

Those who do, understand that it can be controlled.

> Not happy with something? ICANN is a community.

I want free names for 10 websites. ICANN't get that without paying $7 * 10 per year. Some things are not worth lobbying for, because they are obviously not going to happen.

> Really really pissed about something? Free speech, courts, democracy.

Such a naming system would be outside the immediate control of governments, therefore democracy has nothing to do with it. Indeed, the idea is that you could use this in China and Chechnya too.

> Use a ccTLD. I hear .ly is cool.

This still uses DNS, and does not solve anything.

> Single point of attack. They shut down your custom resolver, and they shut down your custom naming system. Also this proposal fails in terms of availability and resilience.

Peer-to-peer networks are easy to overthrow completely even with a relatively small number of malicious nodes.

> Also it's hierarchical P2P, so if you control the root servers, you control the naming system. It is decentralized only to aid availability and resilience.

ICANN only controls delegation to TLDs.

> I want free names for 10 websites.

I want free beer.

> Such a naming system would be outside the immediate control of governments, therefore democracy has nothing to do with it.

In the real world people care about ownership disputes, protecting trademarks, accountability and other legal matters.

> This still uses DNS, and does not solve anything.

Actually, it does. DNS solves everything just fine.

I think you're missing the point here. The goal is not to create a mainstream replacement for DNS. It's to create an "alternative" naming system.

> I want free beer.

A p2p naming system would use free software and shared computing resources. There are numerous examples of both (GNU and BOINC/Gnutella/Bittorrent respectively.) So striving for a free naming system is not the same as striving for free beer.

> Peer-to-peer networks are easy to overthrow completely even with a relatively small number of malicious nodes.

Not if your p2p model uses a web of trust model like PGP. This is what the proposed model uses.

I don't agree with the proposed model, for what it's worth. I think they should be looking at leveraging the work done on semantic free referencing at MIT, instead of the existing name to IP model.


Edited to remove snark. I don't believe the protocol that you are describing exists. A quick survey of distributed systems papers and leader election strategies over the past 30 or so years says that a satisfactory completely distributed protocol may be impossible.

My main interest in a decentralized DNS system is to make it easier to do business with countries when the US decides it wants to steal their oil, and creates sanctions. You couldn't purchase .ly domains until we stopped bullying Libya in 2004. If we build decentralized systems outside of the reach of the government, maybe we can even build a world free of petty politics and corrupt governments (like our own). It's a pipe dream, but it's the best dream I've got.

> 4) #dnsissexy - the average user doesn't even know it exists.

It's amazing how many people I see who use Google as their primary resolver, by only using the search function even if they're entering a URL.

Maybe they are not doing the right thing, but at least they are trying to do _something_. I will always respect that over just complaining (not aimed specifically at you).

Doing useless stuff is actually worse than just complaining, because in addition to not accomplishing anything, it wastes resources that would have been better spent elsewhere.

Also, the phrase "we must do _something_" is often used by politicians to justify stupid laws or contracts that don't help to solve the intended problem, but sometimes make things even worse. That's quite a high price to pay for the publicity shows of certain people.

That's not how things tend to work out in my experience. Resources are almost never limited in the way you describe. Even if they are, you would have to know the same people would be doing something better, which most of the time you don't. You're far more likely to transition into something useful when people are actually engaged. At least whatever you're doing can be proven wrong by it not working. If you're only complaining, you can be right forever.

To me entrepreneurship, startups, community open source software etc. is all about trying new things. Sadly I far too rarely get the feeling that people share this view in forums like this one. Even though the barriers to entry of these types of project are so low, people would still rather be "right" than join in or start their own.

Politics is very different from these types of projects, in that the amount of responsibility is far greater. I don't think it's a valid comparison.

tl;dr: http://ezinearticles.com/?The-Nature-of-Attitude---3-Types-o...

Here's a quick, dirty, temporary hack I threw together today. It's a script that manages entries in your hosts file (it can do things like merge, pull from web pages, etc).


Feel free to fork and improve.

That's interesting. On "Info War Friday" I simply added this to my /etc/hosts file:  wikileaks.org
DDoS? What DDoS? Although it's not the content of Wikileaks that interests me most, but the people who literally scream bloody murder about it.

I just posted an update so that you can add and remove entries directly (instead of from a file). If anyone feels like testing it on something other than Linux any bug reports would be appreciated. But now I'm going to hit the sack...

How does the system like it if you actually have ~200 million entries in that file? Or make it just one million for a start.

Sure, but sometimes worse is better - a small step in a pragmatic direction can do some good now and be a stepping stone to something better in the future.

I run dnsmasq (both a dns cache and a dns server) on all my machines. Works great.

That still doesn't solve the core of the problem: How to ensure that the lists are trustworthy?

No, it doesn't. But you're implying that a small step in the right direction is pointless because we have no idea how to engineer a complete solution. I don't agree - trust is a known, hard problem and the best solutions (think about ssh) are very pragmatic about it.

Here's my problem. It's great that some censorship will be prevented, but what about stuff like child pornography. I'm worried that, if successful, this will turn into a "we don't like our government so let's go create our own country where there are no laws", without thinking about the laws that we actually do want enforced...

[Edit: I wish people would stop voting down the parent. It is a legitimate point of view and down-voting is supposed to express a lack of value, not disagreement with content]

Child pornography is basically the trump card of the pro-censorship argument. Nobody is in favour of it, everybody thinks it's awful, even really passionate freedom-of-speech types often think an "except for child pornography" clause is an allowable compromise.

But the truth is that anybody who wants child pornography on the Internet can already get it, if they try hard enough. Many of us who've worked for large web companies are aware that one of the first forms of abuse that happens to any service that allows image uploading is that it starts getting used to distribute child porn. Shutting down domain names will do nothing because the people who deal in this stuff have been having their shit seized and shut down for years already.

By the same token, DNS is not essential to preventing censorship. We can send each other IP addresses through social networks, distribute shortlinks to servers that change every hour, or any one of a hundred other methods.

The balance to strike is: is censorship of material we think legitimate happening often enough right now that we want to make it easier to route around, knowing that doing so will make it harder to censor stuff that we find universally objectionable? A month ago I'd have said no, but today I'm not so sure. And that's a dangerous consequence of the actions the US government is taking in response to these leaks. By cracking down, they risk provoking a revolution that will make it impossible to control these things in future.

Just for the record, I'm not saying that my concern would stop me supporting a non-ICANN DNS system, but I don't think that "they can do it anything" means it isn't something worth thinking about in any topic about moving the internet away from governments, even if only regarding DNS systems.

> down-voting is supposed to express a lack of value, not disagreement with content

Let's face it: we mostly upvote posts we agree with. Then the trouble is that for the symmetrical action we must have symmetrical meaning. If I press on the gas and it makes a car go faster, I expect it to go slower when pressing less. If I click the up-arrow to express agreement, I expect that the down-arrow will express disagreement.

I wish people would continue to vote down to express disagreement and use "flag" to express lack of value or inappropriate content.

At the time of the edit, that post might have been in negative numbers. Voting expresses agreement, yes, but any score below 1 should be reserved for troll/frivolous/vulgar posts.

Precisely why I specified what "down-voting" is for. In my view, the correct score for a valid opinion that nobody else agrees with is 1. I feel up-voting can express both agreement and/or belief that something is valuable.

It doesn't seem particularly beneficial to the community to fade out posts simply because a few more people disagree with them than agree with them. Unless you're simply trying to encourage group think, I guess.

> what about stuff like child pornography

What about people that make their own kids (I hear humans can do that) and then abuse them? Clearly we should have video cameras in every room to ensure that this doesn't happen.

What if someone, right now, is doing something I don't approve of!? Something must be done!

Let's not put up straw men. I'm surprised you have so many upvotes for such an absurd argument--not that there aren't valid ways to disagree, but I don't follow your logic.

The issue is whether there is speech that is objectionable, and whether free speech has some sort of nearly universal limit if properly considered (yelling fire in a crowded theater, for example) and whether creating a law-free zone might have unintended consequences.

I don't see how a straw man implying that all laws require draconian enforcement really benefits the conversation. So we let child molesters do as they please because somehow any law enforcement would mean total and constant invasion of privacy? Not sure I follow the leap.

I'm saying, kids are being abused, even if there aren't pictures of it on the intarwebs. The internet is not the problem.

The parent post talked about the distribution of child porn not stopping all child abuse which is why I think you're beating on a straw man.

He's not beating on a straw man. The problem is you're conflating child abuse with certain patterns of bits floating around on the Internet.

I've also heard pedophiles claim that looking at child porn sates their desire to act out those fantasies, so perhaps fewer children are being harmed? That sounds plausible to me since 'normal porn' works, to some degree, as substitute for sex for many non-pedophiles.

> The problem is you're conflating child abuse with certain patterns of bits floating around on the Internet.

Please reread my posts. I am talking about the bits. The only place where I talked about actual child molesters (child abuse) was to point out a specific false-choice that jrockway put up--that we had to put cameras everywhere to enforce child abuse laws, which really was defeating an argument that no one made--ie, jrockway was the person who brought up actual child abuse, not the bits. He has articulated his position better in other posts now.

> The issue is whether there is speech that is objectionable, and whether free speech has some sort of nearly universal limit if properly considered (yelling fire in a crowded theater, for example) and whether creating a law-free zone might have unintended consequences.

Child porn isn't speech, it's evidence -- evidence of a crime that has already taken place. This crime, like other crimes, can and should be prosecuted without any sort of totemic obsession with inanimate copies of the evidence.

In general, censorship of kiddie-porn-as-speech is the greatest favor we can do these criminals. We've already taught them to hide in the real world, and hide well. Now we're teaching them to cover their tracks online.

> obsession with inanimate copies of the evidence.

If a search reveals a video of your child being abused at day camp on the internet, would you want censorship of that video?

No. I don't believe in censoring the Internet.

jrockway's post below is basically my position as well.

Based on that logic we should leave any child porn that's available online up there to avoid governments over-reaching into our privacy?

Yes, exactly. Censorship is censorship.

Child porn is illegal because its creation damages the child. Its continued distribution is not the primary problem, the fact that it was created in the first place is. So the solution to child porn is to find it, use good-old-fashioned police work to find who made it, and use the legal system to remove that person's access to children.

No need to break the Internet and restrict free speech for this very-special case. Let's spend the money we want to spend on censoring the Internet on more detectives, so that child abuse can be eliminated!

The same goes for "counterfeit goods" or whatever the DHS used as rationale for seizing domain names. Don't break the Internet; just buy one of the fake watches, ask UPS where it was shipped from, get a warrant, and bust the guys! Right?

(I fear that in the US, though, the problem with child porn is not that children were abused, but that people like something in a sexual way. Consider the person who was mailed a box of comic books that depicted "under-age" children in a sexual context. The government wanted to put him in prison for 15 years. For receiving a box of books.

"Sexting" is another example. It's doubtful that one can abuse one's self, but the government still wants to put people in prison for it.

What I find most amusing is that all people look pretty much alike when naked. I don't understand why naked pictures are such a hot-button political issue. It seems like the government just doesn't really want any depictions of sex [children, adults, tentacles, or otherwise] around at all.

But I digress.)

To go even further - by driving the distribution further and further underground it becomes harder to track down the originator and prevent the actual abuse. The police/politicians attack distribution because it's easier and makes them look like they're doing something.

Exactly. Remember when file-sharing first became popular? Everyone used Napster, which had one centralized indexing server. If someone wanted content removed, they could just ask Napster and it would be gone.

This wasn't good enough for the RIAA, which shut Napster down completely. This caused the programming community to come up with an un-blockable alternative, and now everyone uses un-blockable encrypted BitTorrent with DHT. If you want something gone, there is nothing you can do short of shutting down the entire Internet.

(It wasn't un-blockable initially, but some greedy ISPs tried to block it, so now it's encrypted UDP instead of cleartext TCP. Now the ISPs can't block it reliably, and they waste their own bandwidth because UDP has no concept of a window size.)

So oops... now it's super-easy for people to distribute child porn, all because the music industry got greedy.

I should note, and I make this comment most of the time that someone mentions encrypted BitTorrent, that "encrypted" BitTorrent is not really encrypted. As you mentioned, attempts are made to fudge the protocol and make it hard to recognize that the BitTorrent protocol is being used.

It does not, however, provide any encryption or anonymity for your traffic. All packets are sent in the clear, your real IP address is still shown to all connected peers, etc.; do not rely on an "encrypted" BitTorrent connection to save you from a packet-sniffing fiend because the content you're downloading is not given any extra encryption by an encrypted BT connection, because the connection is not really encrypted in the classical sense, it's just obfuscated so that ISPs can't automatically detect BT traffic and disconnect/throttle/filter. "Encryption" was a bad thing to call BT encryption.

The IP address is an interesting issue; there is really no need to attach it to the data that you send out, which is the illegal part. I guess too many ISPs use egress filtering to prevent clients from forging the source address? (Also, tit-for-tat would be harder without any verification of who's actually sending you packets.)

You know, porno is just an excuse for the government to do censorship. Before the Chinese government cracked down on the majority of opposing voices on the Internet, they did it in the name of anti-porno. They officially banned Google.com because they found porno there (but we all knew the real reason).

Australia learned the trick and started to do the same. Look at how screwed it is now.

Don't be naive.

Can people stop reading opinions into what I said please - I said that it could be a problem, not that I think we need to keep government control because of it...

I didn't downvote you.

It is indeed a problem. The problem of this problem, though, is that some people are using it as an excuse to create even bigger problems. For all of us. Some experienced this before. We are experiencing it now. People making .P2P are trying to undo these problems.

The real problem of child porno is so small that it is basically a non-issue in practice compared to all the problems that are created to fix it. There should be better ways.

What is with the Australia comment?

He's talking about the Australian black list (which I think is no longer in play).

There always was a black list, for child porn etc, but the proposal was to dramatically expand it to include lots of other categories. Then the Libs said they won't support, and it seemed to have died. However, from only a couple of days ago, here is some evidence, admittedly third hand, that some of the expanding has already taken place (3rd para, and near the end):


Why is this being downvoted? While a position that I disagree with, it wasn't presented in an unreasonable way. This is the exact same question / concern many normal people will have, and what politicians and law enforcement will use as scaremongering. Might as well face the question here...

I didn't downvote, but to offer an alternate theory to silverstorm's, it might be because "think of the children" (and kiddie porn in particular) is possibly a worse debate-killing cliche than invoking Third Reich. It's essentially a fearmongering tactic most of the time, and I really think it should be ejected from intelligent conversation unless strongly justified.

Because on HN, downvoting is becoming a way to signify disagreement, rather than the intended way to remove low-value comments from the chain.

Freenet / other darkwebs trivially demonstrate that child porn isn't so easily stopped. And it's not like taking down a website participating in illegal activity is actually doing anything to stop that or enforce the laws around it; it at best sweeps it under the rug.

As jrockway points out, let's keep this discussion to the specific issue at hand. If we generalize we go to very undesirable consequences.

Unpopular and inconvenient as it might be this is a valid point and certainly one that needs to be considered. Freedom always comes at a cost, which isn't a bad thing as long as we don't forget that cost.

"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all."

-- H. L. Mencken

I recall reading, at one point, that the FBI is the largest distributor of child pornography in the united states, with the goal of identifying individuals who are interested in it and either keeping an eye on them or arresting them.

Reminds me of the joke... if you are talking to a woman in IRC chat they are most likely a guy, the FBI, or John Stossel :)

While I obviously agree that child porn is unacceptable, who do you propose stops distribution of it?


There are always going to be bad things in the world. Maybe we should be trying to focus on the problem at the source (mental health, law enforcement, etc.) and not when it's too late online.

I'm not proposing anything, nor saying that we need to stick with ICANN because of it, just thinking about the problem out loud.

Government censorship is a lot like you getting down-voted to oblivion for stating your opinion.

Which is why I up-vote everyone (except for the spammers of course.)


I can't down-vote anyone. I was actually quite disappointed when I first read that you can down-vote above some karma threshold.

Text/turn-based commenting systems already ensure that one has to 'wait' for the other to finish their writing. Down-voting only seems like shouting louder and thus seems unnecessary. The only reasonable excuse is SPAM prevention. For that, however, I think that an automated flagging system, one that won't influence points, would do just fine. I also try to up-vote any opinions that I do not agree with, but that argue their point well.

Long story short, I think down-voting is unnecessary and even potentially harmful. I don't comment often, so it's not going to happen anytime soon; however, I plan to not use my down-vote privileges, once I get them, for any reason at all. (Actually, I think I'll create a greasemonkey script to ensure I won't downvote anyone accidentally.)

I can't wait for all the new logistical & security issues that come from a decentralized system. It will make the old DNS system seem like Fort Meade.

"We currently believe the best way to create a stable environment for TLDs is to enact a central authority. We know this will cause much argument within the community, but we have made the decision that we believe will be best for the continued development of this project."

That is the answer to the question I was going to ask, namely "what does decentralized DNS even mean?" People throw around the word "decentralized" as a presumed solution to centralized control, but at the end of the day someone has to decide who wins if two different people both claim that microsoft.com points to their server.

Also, "visit mybiz.yo after adding altdns.com as a DNS authority" doesn't exactly have the same ring to it as "visit mybiz.com". It also doesn't fit on the side of a truck, nor is it something that you will ever convince 99.9% of the population to do just to visit a website.

I envisage a system where a few dozen independent organisations around the World run the root. They all have the same data. If any of them modify their local copy of the data or try to poison the distributed data, their trusted status is revoked. Child DNS resolvers should be able to detect new trusted organisations and remove untrusted organisations quickly.

This could all be handled through public key encryption and automatic voting. DNSSEC or similar should be complete and enforced for all zones and lookups.

You would need to compromise over half of the trusted organisations running the root in order to break this system.

> I envisage a system where a few dozen independent organisations around the World run the root. They all have the same data. If any of them modify their local copy of the data or try to poison the distributed data, their trusted status is revoked.

So what happens if someone attacks/compromises more than half of these trusted nodes at once with bad data? Is the bad data then the good data?

If there are 35 trusted organisations and governments around the World colluded to take over the network by taking over 18 of these organisations and getting them to "untrust" the other 17, then this would splinter the network, and people around the World would need to manually repoint their resolvers at the other group of 17.

This system relies on the fact that it is difficult to take down lots of independent organisations that are spread around the World at the same time easily.

Yes... Of course...

But if something like that did happen, the organisations would be able to roll back the data as long as more than half of them agreed.

If public key cryptography were used, then you could make it so that only change requests signed with the domain owners private key are accepted and distributed too.

There could even be a constitution and perhaps some sort of contractual obligation to not modify the data with agreed legal consequences...?
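As an added illustration (not code from this thread or from the dotp2p project) of the quorum proposal above and the 18-of-35 question, here is a small Python model: a resolver accepts the answer that more than half of its trusted root organisations agree on and revokes trust in the rest, so whichever side holds the majority ends up defining the "good" data. Organisation names and addresses are constructed.

```python
"""Toy model of the "few dozen root organisations + majority vote" proposal.

Constructed example: every organisation holds its own copy of the root data
(name -> address). A resolver asks each organisation it currently trusts,
accepts an answer only when a strict majority agree, and revokes trust in any
organisation whose copy disagrees with that majority. collusion_scenario()
plays out the case where 18 of 35 organisations serve the same bad record.
"""
from collections import Counter


def majority_answer(name, copies, trusted):
    """Return (answer, disagreeing_orgs).

    copies: org -> {name: address}; trusted: set of org names to consult.
    answer is None when no value is held by more than half of `trusted`.
    """
    if not trusted:
        return None, set()
    votes = Counter(copies[org].get(name) for org in trusted)
    answer, count = votes.most_common(1)[0]
    if count * 2 <= len(trusted):          # no strict majority: refuse to answer
        return None, set()
    disagreeing = {org for org in trusted if copies[org].get(name) != answer}
    return answer, disagreeing


class Resolver:
    """A child resolver that trusts a set of root organisations."""

    def __init__(self, trusted):
        self.trusted = set(trusted)
        self.revoked = set()

    def resolve(self, name, copies):
        answer, bad = majority_answer(name, copies, self.trusted)
        # Revocation is automatic: whoever disagrees with the majority is dropped.
        self.trusted -= bad
        self.revoked |= bad
        return answer


def collusion_scenario(n_orgs=35, n_colluding=18):
    """Seed n_orgs identical copies, poison n_colluding of them, resolve once.

    Returns (answer the resolver accepted, sorted list of revoked orgs).
    With n_colluding > n_orgs / 2 the poisoned record wins and the honest
    organisations are the ones that get revoked.
    """
    honest = {"example.org": "192.0.2.10"}       # constructed TEST-NET address
    poisoned = {"example.org": "198.51.100.99"}  # constructed TEST-NET address
    orgs = [f"org{i}" for i in range(n_orgs)]
    copies = {org: dict(honest) for org in orgs}
    for org in orgs[:n_colluding]:
        copies[org] = dict(poisoned)
    resolver = Resolver(orgs)
    answer = resolver.resolve("example.org", copies)
    return answer, sorted(resolver.revoked)


if __name__ == "__main__":
    for colluding in (17, 18):
        answer, revoked = collusion_scenario(n_colluding=colluding)
        print(f"{colluding} of 35 colluding -> answer {answer}, {len(revoked)} orgs revoked")
```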

Currently the best non-centralized solution proposed on the mailing list is to flood domain subscriptions and cache them at each node, so whoever claims a domain first will own it. This is pretty vulnerable to a variety of attacks but it does give a rough idea how a p2p dns system would work.

I suspect that if this goes anywhere it will end up much like tor, being used as a censorship circumvention tool rather being installed everywhere by the general public.
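To illustrate the "flood claims, first claim wins" idea and one of the consistency problems it carries, here is a constructed Python simulation (not the project's code): nodes cache the first claim they see for a name and forward it to their neighbours, and two claims injected at opposite ends of a line of nodes leave the network holding two different owners for the same name. Node and claimant names are made up.

```python
"""Toy model of "flood domain claims, whoever claims first owns it".

Constructed example: the flood runs in rounds. In each round every node
processes the claims that arrived in the previous round, records the first
claimant it has seen for a domain, and forwards each new claim to all of its
neighbours. Nothing orders claims globally, so "first" depends on where a
node sits relative to where each claim entered the network.
"""


def flood_claims(adjacency, injections):
    """Flood competing claims for one domain and return {node: owner}.

    adjacency: node -> list of neighbouring nodes.
    injections: node -> claimant that announces the domain at that node in round 0.
    """
    owners = {}
    seen = {node: set() for node in adjacency}
    inbox = {node: [] for node in adjacency}
    for node, claimant in injections.items():
        inbox[node].append(claimant)

    while any(inbox.values()):
        outbox = {node: [] for node in adjacency}
        for node in adjacency:
            # Arrival order within one round is arbitrary in a real network;
            # sorting keeps the simulation deterministic.
            for claimant in sorted(inbox[node]):
                if claimant in seen[node]:
                    continue               # duplicate: already cached and forwarded
                seen[node].add(claimant)
                owners.setdefault(node, claimant)   # first claim seen wins
                for neighbour in adjacency[node]:
                    outbox[neighbour].append(claimant)
        inbox = outbox
    return owners


def is_consistent(owners):
    """True when every node agrees on the same owner."""
    return len(set(owners.values())) == 1


# Constructed topology: five nodes in a line, claims entering at both ends.
LINE = {
    "n1": ["n2"],
    "n2": ["n1", "n3"],
    "n3": ["n2", "n4"],
    "n4": ["n3", "n5"],
    "n5": ["n4"],
}


def split_brain_example():
    """alice announces at n1 and bob at n5 in the same round."""
    return flood_claims(LINE, {"n1": "alice", "n5": "bob"})


if __name__ == "__main__":
    result = split_brain_example()
    print(result, "consistent:", is_consistent(result))
```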

I think another big problem with ICANN and our DNS is the TLD. The fact that somebody who wants to represent themselves on the internet might not be able to do so in a manner of their choosing because the domain they want is "owned" across all major and minor TLDs is very anti-internet-philosophy.

Top-Level is anti-web, because the web is not meant to be a top-down system. To me, this is a fundamentally flawed implementation. And why not? In terms of mass web, it was the first. When are first iterations ever correct?

Destinations are IP addresses. We all have 'em. What you want to call yours should be up to you. Ever since there was a postal service, people could be reached at the address they had. Even phone numbers weren't top-down (area codes), so that you could reach a local address, even if it was the same as one in another county, without a pre- (or post-) fix. I don't have the solution, but it wouldn't hurt for the public to learn and understand their IP address the same as they do their home one.

Google alone, or with the help of other major "linkers", could go a long way in changing our DNS structure, by indexing different systems.

Decentralization is every nerd's dream, ain't it? Eventually the serving capacity of consumer devices should be adequate to resolve standardized requests.

I think this holds promise: telehash.org

IP address blocks are allocated by IANA, which is managed by, you guessed it, ICANN. Just sayin'.


It all is top-down at the core. (And it kind of has to be, because as much as we think of the Internet as "decentralized", it is a communication network, and so centralized administration is often the most efficient and sane way of doing things.)

A distributed DNS platform won't stop censorship. Governments will just find a different method of censorship.

Null routing IPs would cause collateral damage, but to block illegal content that the hosts refuse to take down? They might go ahead and do it anyway...

I would still love to see a distributed DNS platform. The issue that needs resolving for a distributed platform is trust. We will always need a trusted authority. That could be split over 50 hosts over 50 countries, but we still need one.

Verizon and AT&T will do what they are told as will other large ISPs, if they want to keep doing business as usual.

Please do not propose technological solutions to a political problem, one that needs a political solution.

Meaning, a centralized DNS system will work just fine; we only need a law prohibiting the government from blocking or removing domain entries. That is, we need a prohibition that limits government actions in the same way the First Amendment does.

I'm still not sure how a decentralized DNS would handle registration. If domains were free-for-all, what's to prevent squatters from ruining everything? What if someone's domain is totally abandoned? Is there any way for someone else to take it?

From what I understand from the dotp2p wiki, there's still going to be a registration party, OpenNIC (which is an existing alternative DNS root that runs .geek, .free, etc.). I'm guessing it's a DHT but it would use some public key crypto so that each entry needs to be signed by OpenNIC.

But this still leaves OpenNIC as a central point. It wouldn't be a point of failure, but it would prevent scaling if it was taken over.

I'm not sure what they're up to these days, but I remember when they got started (by some guys from K5, IIRC). It was an alternative root, and not any more decentralized in the technical sense than "regular" DNS. More responsive to users and democratic, but the structure was exactly the same.

There were a bunch of other alternative roots that have taken on ICANN at one point or another, although it's been a long time since I've tried any of them.

It strikes me as a doomed effort unless you can get some ISPs somewhere to buy in and point users towards your root rather than ICANN's. Most users aren't going to change their DNS settings (most probably don't know how), so it seems difficult to achieve any sort of critical mass of users.

A decentralized DNS has nothing to do with solving the (presumed) problem. The solution is a registrar (and DNS) that is not answerable to any nation state.

The corollary to this demands an answer: are nation states that afraid of information (and the truth that may lurk within) ?

I'm not sure if a decentralized DNS system could ever be secure; instead, the current management of the top level domain space should be taken out of the hands of ICANN and placed under the control of an internationally governed body.

Why the P2P DNS project will not work:


It's time for IPv6.
