DNS-on-Blockchain is the next step after DNS-over-HTTPS (diode.io)
68 points by dominicl on Aug 22, 2019 | 64 comments

DoB will have to deal with some problems, especially bad actors; people will squat on domains, register typos (fscebook.com) or even bitflips (fabebook.com, b is one bitflip from c). Malware owners will run their C&C servers on domains.

Malicious domains will require someone removing them or blocking them even, unless you want the DoB namespace to turn into a cesspool of malware, phishing and nazis. Not something the average person wants.
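The typo and bit-flip squats mentioned above are something a defender can watch for in resolver logs rather than only react to after registration. The following Go program is an added example, not code from the original thread or from diode.io: it measures both the Hamming distance in bits (the "b is one bitflip from c" case) and the edit distance (the "fscebook.com" case) between a protected name and each name queried, and flags near-misses. The log line format (`q=<name>`), the sample lines and the client addresses are all constructed for the demo.

```go
package main

import (
	"fmt"
	"math/bits"
	"strings"
)

// BitFlipDistance counts the bits that differ between two equal-length
// names; it returns -1 when the lengths differ (a flip cannot change length).
func BitFlipDistance(a, b string) int {
	if len(a) != len(b) {
		return -1
	}
	d := 0
	for i := 0; i < len(a); i++ {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// EditDistance is plain Levenshtein distance (insert / delete / substitute).
func EditDistance(a, b string) int {
	prev := make([]int, len(b)+1)
	cur := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Classify says how a looked-up name relates to the protected one.
// A single bit flip is also an edit distance of 1, so it is tested first.
func Classify(protected, candidate string) string {
	p, c := strings.ToLower(protected), strings.ToLower(candidate)
	switch {
	case p == c:
		return "exact"
	case BitFlipDistance(p, c) == 1:
		return "bitflip"
	case EditDistance(p, c) == 1:
		return "typo"
	default:
		return "unrelated"
	}
}

// Finding is one suspicious query pulled from the resolver log.
type Finding struct {
	Line string
	Name string
	Kind string
}

// ScanLog walks log lines containing a "q=<name>" field (a constructed
// format, not any real resolver's) and reports near-misses of protected.
func ScanLog(lines []string, protected string) []Finding {
	var out []Finding
	for _, ln := range lines {
		for _, f := range strings.Fields(ln) {
			if !strings.HasPrefix(f, "q=") {
				continue
			}
			name := strings.TrimSuffix(strings.TrimPrefix(f, "q="), ".")
			if k := Classify(protected, name); k == "bitflip" || k == "typo" {
				out = append(out, Finding{Line: ln, Name: name, Kind: k})
			}
		}
	}
	return out
}

// SampleLog is constructed resolver output, not real traffic.
var SampleLog = []string{
	"2019-08-22T10:00:01Z client=192.0.2.10 q=facebook.com. type=A",
	"2019-08-22T10:00:02Z client=192.0.2.11 q=fabebook.com. type=A",
	"2019-08-22T10:00:03Z client=192.0.2.12 q=fscebook.com. type=A",
	"2019-08-22T10:00:04Z client=192.0.2.13 q=example.org. type=AAAA",
}

func main() {
	for _, f := range ScanLog(SampleLog, "facebook.com") {
		fmt.Printf("%-8s %s\n", f.Kind, f.Name)
	}
}
```

Running it flags `fabebook.com` as a bit flip and `fscebook.com` as a typo while leaving the exact name and `example.org` alone; the same two functions can be pointed at a list of newly registered names just as well as at a query log.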

You either have the freedom of decentralization and all the benefits and drawbacks that comes with it, or you have our current system with the ability to centrally manage but then you depend on those large, centralized entities to do an impartial job. And we know that nobody is impartial.

Why is it always so black-and-white with blockchain people?

There is no reason we can't deploy something that takes the good parts of decentralized operation without having to commit to a full P2P blockchain IoT buzzword fiasco.

There are some proposals that use mechanisms like Harberger tax to combat squatting. https://discuss.ens.domains/t/highlight-robin-hansons-more-o...

For DNS, does that mean that if Facebook wants any domain I own, like my homepage for the last 20 years, they'll just get it?

Because an amount of money I can afford to protect it is tiny compared to FB's marketing budgets.

You could probably say the same thing about DNS right before it was introduced to the mainstream.

DNS was introduced when a centrally managed /etc/hosts file was no longer feasible; it was a simple solution to a problem that fairly few people (mostly computer researchers) had. It solved the problem and not much more.

Computers weren't mainstream when DNS was invented.

Then Facebook can buy the space of typos around their name? Just because Facebook (or Twitter, Instagram, et al) are popular sites, doesn't mean registrars should give them special treatment. What happens when they stop being popular?

Most larger registrars give you the same protection if you run any type of business. Though below a certain threshold typo-squatting will simply not happen, but at least in my jurisdiction I can actually sue the owner of the typosquat for the ownership of the domain.


Nazis and malware authors are out there using email right now. What are we going to do about it?

Yeah, why even let the Nazis have IP addresses? In fact, if we took away their computers, pens, and papers, surely that would make them less likely to lash out violently.

Seems to have worked with 8chan, last I checked it's still offline on the clearnet.

Yes, DNS should be like the old phone book — published regularly, pick one up anywhere & everywhere, look things up anonymously (granted, authenticity guarantees were somewhat lacking).

My question - Sure blockchain can do this, but couldn't a simpler DHT-based p2p system work just as well or better? I like the distributed/anonymity/authenticity, but why is blockchain required?

> published regularly, pick one up anywhere & everywhere, look things up anonymously

...and controlled by whoever has the most computing power. ;-)

My guess is because some crypto provider wants to manage it and charge you to publish to it.

Because any random local dictatorship, be it the FBI or Kim-Jong can decide what does and does not go in the book.

Ipfs.io can solve this easily.

Ipfs requires a DNS server to bootstrap the P2P network, not a good idea.

Plus, Ipfs isn't that good when it comes to authentic data, if it's signed, there is only one key, so it's centralized again.

There are capabilities to use the existing DNS system (or an EthDNS system in the works) for human readable names with IPFS, but you can also use other channels like pubsub to resolve mutable content like IPNS names quickly - so IPFS doesn't actually require DNS at all. Multiwriter IPNS records are also a work in progress, though I disagree with your characterization that somehow only allowing one key to edit a particular signed record somehow makes the network itself centralized...

This isn't about the IPFS Application Layer but the Link layer.

Bootstrapping a P2P system efficiently requires known P2P nodes and those will require DNS unless you want to shell out for a static IP permanently (and hope nobody poisons ARP!)

You have to keep in mind ipfs is content-addressed. Instead of resolving names you can resolve certificates by their content addressed thumbprint.

1) bootstrap 2) find the cert thumbprint for site.com 3) find the cert by the thumbprint and connect to one of the IP SAN records

How do you securely get the cert thumbprint?

You don't need to; even if you get a malicious thumbprint, the associated cert still needs to be signed by a trusted CA. The CA list for TLDs will be distributed with the resolver software just like browsers ship with such a list (or rely on your browser/client preferred list).
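The three-step resolution above (fetch a certificate by its content-addressed thumbprint, then require a trusted CA signature before using it) is easy to get wrong if either check is skipped, so here is an added Go example of the client side, written for this thread and not taken from IPFS or diode.io. The "certificate" is a toy record (name, site key, IP SANs, CA key id, CA signature) rather than real X.509, Ed25519 stands in for the CA signature scheme, and the in-memory map stands in for the content-addressed network; the trusted-CA list is the one "shipped with the resolver". All keys, names and addresses are generated or constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// CertRecord is a toy stand-in for an X.509 certificate (constructed).
type CertRecord struct {
	Name    string
	SiteKey ed25519.PublicKey
	IPSANs  []string
	CAKeyID string // id of the CA key that signed this record
	Sig     []byte // CA signature over signedBytes()
}

// signedBytes is the canonical byte string the CA signs.
func (c CertRecord) signedBytes() []byte {
	buf := []byte(c.Name + "|" + hex.EncodeToString(c.SiteKey) + "|" + c.CAKeyID + "|")
	for _, ip := range c.IPSANs {
		buf = append(buf, []byte(ip+",")...)
	}
	return buf
}

// Thumbprint is the content address: SHA-256 over the entire encoded record.
func Thumbprint(c CertRecord) string {
	sum := sha256.Sum256(append(c.signedBytes(), c.Sig...))
	return hex.EncodeToString(sum[:])
}

type Store map[string]CertRecord               // content-addressed network
type TrustedCAs map[string]ed25519.PublicKey   // CA list shipped with the resolver

var (
	ErrNotFound     = errors.New("no content at that thumbprint")
	ErrIntegrity    = errors.New("content does not hash to the requested thumbprint")
	ErrNameMismatch = errors.New("record is for a different name")
	ErrUntrustedCA  = errors.New("record not signed by a trusted CA")
	ErrBadSig       = errors.New("CA signature does not verify")
)

// KeyID derives a short identifier for a CA public key.
func KeyID(pub ed25519.PublicKey) string {
	s := sha256.Sum256(pub)
	return hex.EncodeToString(s[:8])
}

// Issue has a CA sign a record; used only to populate the demo store.
func Issue(caPriv ed25519.PrivateKey, name string, siteKey ed25519.PublicKey, ips []string) CertRecord {
	caPub := caPriv.Public().(ed25519.PublicKey)
	rec := CertRecord{Name: name, SiteKey: siteKey, IPSANs: ips, CAKeyID: KeyID(caPub)}
	rec.Sig = ed25519.Sign(caPriv, rec.signedBytes())
	return rec
}

// Resolve is steps 2-3 from the client's side: fetch by thumbprint, then
// refuse the result unless the bytes match the address AND a trusted CA signed them.
func Resolve(store Store, cas TrustedCAs, name, tp string) (CertRecord, error) {
	rec, ok := store[tp]
	if !ok {
		return CertRecord{}, ErrNotFound
	}
	if Thumbprint(rec) != tp { // content addressing: bytes must hash to the address
		return CertRecord{}, ErrIntegrity
	}
	if rec.Name != name {
		return CertRecord{}, ErrNameMismatch
	}
	caKey, ok := cas[rec.CAKeyID]
	if !ok { // a record from an unknown CA is worthless even if the hash matches
		return CertRecord{}, ErrUntrustedCA
	}
	if !ed25519.Verify(caKey, rec.signedBytes(), rec.Sig) {
		return CertRecord{}, ErrBadSig
	}
	return rec, nil
}

// RunScenario resolves three thumbprints: the genuine record, a record from
// a CA the resolver does not trust, and genuine bytes altered by a peer.
func RunScenario() map[string]error {
	mustKey := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		return pub, priv
	}
	caPub, caPriv := mustKey()
	_, roguePriv := mustKey()
	sitePub, _ := mustKey()
	cas := TrustedCAs{KeyID(caPub): caPub}

	good := Issue(caPriv, "site.com", sitePub, []string{"192.0.2.10"})
	rogue := Issue(roguePriv, "site.com", sitePub, []string{"203.0.113.5"})
	store := Store{Thumbprint(good): good, Thumbprint(rogue): rogue}

	out := map[string]error{}
	_, out["good"] = Resolve(store, cas, "site.com", Thumbprint(good))
	_, out["rogue_ca"] = Resolve(store, cas, "site.com", Thumbprint(rogue))
	altered := good // a peer serving altered bytes under the genuine address
	altered.IPSANs = []string{"203.0.113.5"}
	store[Thumbprint(good)] = altered
	_, out["tampered"] = Resolve(store, cas, "site.com", Thumbprint(good))
	return out
}

func main() {
	for k, err := range RunScenario() {
		fmt.Printf("%-9s -> %v\n", k, err)
	}
}
```

The point the comment makes falls out of the two checks: a thumbprint obtained over an untrusted channel can only ever lead to bytes that either fail to hash to it or carry a signature the shipped CA list does not accept, so the thumbprint lookup itself needs no secrecy or authenticity.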

The implementation could easily change to not require DNS. You only need to find a single live node to bootstrap, so hardcoding a bunch of high-quality nodes works perfectly fine.

Also you don't need the "Where is IPFS?" DNS query to be anonymous in the first place.

Then you still need to trust the initial node to not provide you with a poisoned peer list (ie, a list of peers that are wholly isolated from the proper IPFS network and provide bogus DNS answers).

And you need to bootstrap without DNS if you plan to actually replace DNS, not live beside it.

Anything in the world could theoretically be poisoned. There's no point in worrying about attacks above a certain level of difficulty. If you can check in with a certain number of builtin peers, that's about as solid as we can make things.

> And you need to bootstrap without DNS if you plan to actually replace DNS, not live beside it.

Whatever. DNS itself is never going to shut down, so 100% replacement even for bootstrapping isn't a real concern. And if starting with 13 fixed IP addresses is good enough for DNS, then it should be good enough for IPFS.

Bootstrapping without DNS or bootstrap nodes is possible, if hard, but still leaves some open questions.

Not everything in the world can be poisoned if you design carefully enough, but IPFS isn't a design I'd pick for building the foundation of an internet.

What's the economic incentive structure to continue serving all the data in a performant manner?

Handshake is another DNS on blockchain project that's taking a different approach — it's aiming to decentralize the root zone (TLDs) instead of domains, because the root zone is where the centralization happens.

This MIT Tech Review article gives a good overview of Handshake's goals: https://www.technologyreview.com/s/613446/the-ambitious-plan...

Every time I see an article claiming that someone is building some “decentralized” system to make censorship harder I wonder if anyone of those people even understands how the internet is censored at scale in places like China.

For the censorship we have in the west e.g. blacklisting torrent sites, a non-ISP DNS and/or CDN already solve that problem; for anything beyond that nothing would help.

There's also various kinds of registrar concerns; registrars revoking domains for questionable reasons, the WIPO/UDRP regime, etc.

It all comes down to whether you think the current stewards and legal regimes and ICANN are doing a good job or not. [I'm undecided].

The real innovation of Handshake is that it allows you to verify the public key associated with a name. This opens the door to enabling SSL/TLS without relying on Certificate Authorities, which is a vulnerability point in the security of the Internet today. The additional benefit is that the names are difficult to censor. Governments can still censor by IP of course, but the point is that it forces bad actors to censor at a deeper level (and there are other projects tackling solving that).

You've reinvented the HOSTS file, which used to be manually updated by John Postel or someone and passed around the internet before DNS was invented.

But it's on the blockchain! That means it's a billion-dollar idea!

So, NameCoin again? I think it was the first ever bitcoin fork.


Indeed, this was my first thought when I read the title, and IMO, it still remains the other obvious killer app. for blockchain (besides store of value / currency, obviously).

Namecoin is an idea (that failed because IMO it was too early) so old by now that I am truly surprised there hasn't been a full blown distributed DNS solution that works in parallel to the existing one based on blockchain.

I don’t get why blockchain is any different for the list of complaints the author highlights.

Also, reminds me of the old saying about “now you have two problems”

I'll go ahead and note that this doesn't require a blockchain. Each TLD is controlled by a single entity. Anything a site would store on a blockchain, they could easily submit to that single entity to be published.

When the DNS blockchain forks, your browser just opens two new tabs instead of one and you get to visit both sites. Simple!

What is the proof? That the domain owner signed it with a certain key? Is that key shared out-of-band? If so why do we even need the blockchain?

Yes, the proof would be some sort of signature.

No, public key cryptography means that the key doesn't need to be shared.

A blockchain is only needed if parties need to write to the database in a decentralized manner, and the order of the writes is important & can't be tampered with.

The public key still needs to be shared.

Of course. The OP didn't mention which key, so I assumed they are talking about the private key, especially when they mentioned out-of-band sharing, usually terminology used for asymmetric cryptography. Public keys don't need to be shared out-of-band; in fact they are always published along with the transaction on the blockchain. (well technically, only the curve points and the hash are, but using these, we can re-create the public key)

Oh wait, you're serious. Let me laugh even harder.

The article explains the censorship resistance aspect but not the security. How does Handshake deal with the things Cloudflare does for me? DDoS and WAF protection, at least?

Firewalls and DDOS protection have nothing at all to do with name resolution. These are routing concerns that require taking a deep look into the packets (DPI), while name resolution and key exchange are prior steps.

Also, what does CloudFlare bring to you? 99% of websites don't need DDOS protection or a complex firewall. Using CloudFlare for these websites means:

- CloudFlare gets to inspect and snoop 100% of your "HTTPS" traffic (because the TLS termination happens on their side)

- Users without Javascript (command-line browsers or GUI browsers disabling JS for performance/security concerns) cannot access your website

- Tor users most times cannot access your services at all because CloudFlare and Google work hand-in-hand to prevent them from using the web by serving infinite CAPTCHA loops (see #FuckCloudFlare)

- CloudFlare becomes a SPOF for much of the web, like other "cloud" providers; accessing your website depends on the availability and good will of a huge multinational

So if you want to help people access the Internet without censorship and surveillance, please never use CloudFlare or equivalent services. They make everything so much worse through centralization. If we wait too much, it will become a HUGE problem.

is this not what https://www.namecoin.org does..?

> Namecoin and the Ethereum Name System were the first attempts at bringing name resolution to the Blockchain. At Diode we’re going the next step and are moving PKI & DNS into the Blockchain

The article specifically calls out Namecoin, but doesn’t say anything about how Namecoin falls short or why it can’t be augmented/improved instead of building a whole new thing.

I know I’ll sound like a grump here, but why does the bar for HN front page feel so low these days?

There's some interesting work on this going on in W3C, in the Verifiable Claims Working Group [1] and in the newly minted Decentralized Identifier Working Group [2]. I'm a member of the W3C Credentials Community Group (CCG) [3], which is where those two WGs started.

There are also a number of other valuable efforts. Both in other Standards Development Organizations (SDOs), such as Decentralized Identity Foundation (DIF) [4], Apache HyperLedger projects like Aries [5], etc. And in working conferences/unconferences like Rebooting Web of Trust (RWOT) [6], and Internet Identity Workshop (IIW) [7]. On a tangential note, Unconferences are an interesting concept [8].

[1] https://www.w3.org/2017/vc/WG/
[2] https://www.w3.org/2019/08/did-wg-charter.html
[3] https://w3c-ccg.github.io/
[4] https://identity.foundation/
[5] https://www.hyperledger.org/projects/aries
[6] https://www.weboftrust.info/
[7] https://internetidentityworkshop.com/
[8] http://unconference.net/

So every DNS change is stored into the blockchain, forever? Will you have to download terabytes and terabytes of the blockchain in order to serve as a node? Why is that kind of audit history necessary?

Why is the solution to every problem "blockchain" these days?

> Why is the solution to every problem "blockchain" these days?

That is a trope and is no longer true. If you say blockchain is the solution you get laughed at.

Being laughed at doesn't seem to stop people from trying to solve problems by throwing more blockchain at it.

From my PoV blockchain can be the solution for a lot of things, but is not suited for most of these problems. It is "just" a technology like any other, but with a focus on trust in decentralized systems. If you need this then blockchain could be a good solution, but this does not mean that it fits your needs in transaction speed etc.

You don’t necessarily need to store DNS changes into the blockchain. The blockchain will only keep the current state and would prune the changes. According to Diode’s blog posts, 20kb of storage is all it needs with BlockQuick, the newly developed light-client protocol.

The point is less about storing the audit history, but more about preventing Man-in-the-Middle attacks and solving the timestamp-certificate chicken-egg problem.
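The "keep only the current state, let a light client hold a few kilobytes" idea above rests on a state commitment: full nodes hash the whole current name table down to one root, and a client that trusts that root can check any single record it is handed with a short inclusion proof, without downloading the history. The Go program below is an added illustration of that mechanism in its generic Merkle-tree form; it is not BlockQuick, not diode.io's code, and makes no claim about how their protocol is built. The records, names and addresses are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Record is one name -> value entry of the current state (constructed data).
type Record struct {
	Name  string
	Value string
}

// ProofStep is one sibling hash on the path to the root, plus its side.
type ProofStep struct {
	Hash []byte
	Left bool
}

// leafHash and nodeHash use distinct prefixes so a leaf can never be
// passed off as an interior node.
func leafHash(r Record) []byte {
	h := sha256.Sum256([]byte("leaf|" + r.Name + "|" + r.Value))
	return h[:]
}

func nodeHash(l, r []byte) []byte {
	h := sha256.New()
	h.Write([]byte("node|"))
	h.Write(l)
	h.Write(r)
	return h.Sum(nil)
}

// BuildTree is the full node's job: commit to the whole current state with
// one root and derive an inclusion proof for every name.
func BuildTree(records []Record) (root []byte, proofs map[string][]ProofStep) {
	proofs = map[string][]ProofStep{}
	if len(records) == 0 {
		return nil, proofs
	}
	sort.Slice(records, func(i, j int) bool { return records[i].Name < records[j].Name })
	level := make([][]byte, len(records))
	pos := map[string]int{} // index of each name's ancestor at the current level
	for i, r := range records {
		level[i] = leafHash(r)
		pos[r.Name] = i
	}
	for len(level) > 1 {
		if len(level)%2 == 1 { // odd count: duplicate the last node
			level = append(level, level[len(level)-1])
		}
		for name, p := range pos {
			sib := p ^ 1
			proofs[name] = append(proofs[name], ProofStep{Hash: level[sib], Left: sib < p})
			pos[name] = p / 2
		}
		next := make([][]byte, len(level)/2)
		for i := range next {
			next[i] = nodeHash(level[2*i], level[2*i+1])
		}
		level = next
	}
	return level[0], proofs
}

// VerifyProof is all a light client needs: the 32-byte root it already
// trusts, the record it was handed, and the sibling hashes along the path.
func VerifyProof(root []byte, r Record, proof []ProofStep) bool {
	h := leafHash(r)
	for _, s := range proof {
		if s.Left {
			h = nodeHash(s.Hash, h)
		} else {
			h = nodeHash(h, s.Hash)
		}
	}
	return bytes.Equal(h, root)
}

// SampleRecords is a constructed snapshot of the current state.
func SampleRecords() []Record {
	return []Record{
		{Name: "example.com", Value: "198.51.100.7"},
		{Name: "example.net", Value: "198.51.100.8"},
		{Name: "example.org", Value: "203.0.113.2"},
		{Name: "site.test", Value: "192.0.2.44"},
		{Name: "zone.test", Value: "192.0.2.45"},
	}
}

func main() {
	root, proofs := BuildTree(SampleRecords())
	fmt.Println("root:", hex.EncodeToString(root))
	genuine := Record{Name: "example.com", Value: "198.51.100.7"}
	forged := Record{Name: "example.com", Value: "203.0.113.1"}
	fmt.Println("genuine record verifies:", VerifyProof(root, genuine, proofs["example.com"]))
	fmt.Println("forged record verifies:", VerifyProof(root, forged, proofs["example.com"]))
}
```

The client's storage is the root plus whatever it needs to trust that root (in a chain, the latest block header); per lookup it receives one record and a proof of log2(n) hashes. What this does not solve on its own is freshness: a peer can serve an old root with a valid proof for a since-changed record, which is exactly why the comment ties the scheme to a timestamped chain rather than a bare hash.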

As I read it, this proposal only stores the keys used for signing in the blockchain. You could use DNSSEC though to achieve basically the same thing.

You'd only need to put the NS records in for each domain.

The wave of “x, but on the blockchain!” Patents is going to be amusing and sad to watch.

question—can’t a government actor like china just watch the record for where it points to and just filter that address? doesn’t that defeat the whole purpose of this uncensorability?

while it may be harder in the US i could legitimately see a mechanism developing to make that a requirement for isps

They can, and do, already do this for regular DNS. This would prevent US-style domain name seizures but would do nothing against actual competent censorship.

Correct me if I'm wrong, but wouldn't DNS-on-blockchain make lookups orders of magnitude slower than they are now, especially with many DNS services advertising based on speed?

Yes, DNS-on-blockchain would likely make lookups orders of magnitude slower than they are now -- it's making a trade-off between security and performance.

A lot of blockchain projects coordinate "seed nodes" by storing collections of IP addresses within the DNS records of websites that community members run, because it is an already decentralized enough record.

This is going full circle

Uh no thank you, I do not wish to synchronise half a terabyte per month to be able to resolve domains.
