DNS-on-Blockchain is the next step after DNS-over-HTTPS (opens in new tab)

(diode.io)

68 pointsdominicl6y ago64 comments

64 comments

54 comments · 19 top-level

zaarn6y ago· 12 in thread

DoB will have to deal with some problems, especially bad actors; people will squat on domains, register typos (fscebook.com) or even bitflips (fabebook.com, b is one bitflip from c). Malware owners will run their C&C servers on domains.

Malicious domains will require someone removing them or blocking them even, unless you want the DoB namespace to turn into a cesspool of malware, phishing and nazis. Not something the average person wants.

m-p-36y ago

You either have the freedom of decentralization and all the benefits and drawbacks that comes with it, or you have our current system with the ability to centrally manage but then you depend on those large, centralized entities to do an impartial job. And we know that nobody is impartial.

zaarn6y ago

Why is it always so black-and-white with blockchain people?

There is no reason we can't deploy something that takes the good parts of decentralized operation without having to commit to a full P2P blockchain IoT buzzword fiasko.

tinybeagle6y ago

There are some proposals that use mechanisms like Harberger tax to combat squatting. https://discuss.ens.domains/t/highlight-robin-hansons-more-o...

theamk6y ago

For DNS, does that mean that if Facebook wants any domain I own, like my homepage for the last 20 years, they'll just get it?

Because an amount of money I can afford to protect it is tiny compared to FB's marketing budgets.

pkhamre6y ago

You could probably say the same thing about DNS right before it was introduced to the mainstream.

zaarn6y ago

DNS was introduced when a centrally managed /etc/hosts file was no longer feasible, it was a simple solution to a problem that fairly few people (mostly computer researchers) had. It solved the problem and not much more.

Computers weren't mainstream when DNS was invented.

Karrot_Kream6y ago

Then Facebook can buy the space of typos around their name? Just because Facebook (or Twitter, Instagram, et al) are popular sites, doesn't mean registrars should give them special treatment. What happens when they stop being popular?

zaarn6y ago

Most larger registrars give you the same protection if you run any type of business. Though below certain threshold typo-squatting will simply not happen, but atleast in my jurisdiction I can actually sue the owner of the typosquat for the ownership of the domain.

girlATthepub6y ago

We girls at your pub will truck and stuck you right off, just drink a beer or two, and come down to the pub. It'll be fantastic.

I guarantee you will have luck. Let's truck it. Have some self-hope. It'll be grand <3

woah6y ago

Nazis and malware authors are out there using email right now. What are we going to do about it?

sundbry6y ago

Yeah, why even let the Nazis have IP addresses? In fact, if we took away their computers, pens, and papers, surely that would make them less likely to lash out violently.

zaarn6y ago

Seems to have worked with 8chan, last I checked it's still offline on the clearnet.

cobbzilla6y ago· 6 in thread

Yes, DNS should be like the old phone book — published regularly, pick one up anywhere & everywhere, look things up anonymously (granted, authenticity guarantees were somewhat lacking).

My question - Sure blockchain can do this, but couldn’t a simpler DHT-based p2p system would work just as well or better? I like the distributed/anonymity/authenticity, but why is blockchain required?

SrslyJosh6y ago

> published regularly, pick one up anywhere & everywhere, look things up anonymously

...and controlled by whoever has the most computing power. ;-)

techntoke6y ago

My guess is because some crypto provider wants to manage it and charge you to publish to it.

ur-whale6y ago

Because any random local dictatorship, be it the FBI or Kim-Jong can decide what does and does not go in the book.

_8j506y ago

Ipfs.io can solve this easily.

zaarn6y ago

Ipfs requires a DNS server to bootstrap the P2P network, not a good idea.

Plus, Ipfs isn't that good when it comes to authentic data, if it's signed, there is only one key, so it's centralized again.

3 more replies

lazzlazzlazz6y ago

What's the economic incentive structure to continue serving all the data in a performant manner?

jeffk_teh_haxor6y ago· 6 in thread

So every DNS change is stored into the blockchain, forever? Will you have to download terabytes and terabytes of the blockchain in order to serve as a node? Why is that kind of audit history necessary?

Why is the solution to every problem "blockchain" these days?

Kiro6y ago

> Why is the solution to every problem "blockchain" these days?

That is a trope and is no longer true. If you say blockchain is the solution you get laughed at.

zaarn6y ago

Being laughed at doesn't seem to stop people from trying to solve problems by throwing more blockchain at it.

annnoo6y ago

From my PoV blockchain can be the solution for a lot of things, but is not suited for most of these problems. It is "just" a technology like any other, but with a focus on trust in decentralized systems. If you need this then blockchain could be a good solution, but this does not mean that it fit your needs in transaction speed etc.

tinybeagle6y ago

You don’t necessarily need to store DNS changes into the blockchain. The blockchain will only keep the current state and would prune the changes. According to Diode’s blog posts, 20kb of storage is all it needs with BlockQuick, the newly developed light-client protocol.

The point is less about storing the audit history, but more about preventing Man-in-the-Middle attacks and solving the timestamp-certificate chicken-egg problem.

heythere226y ago

As I read it, this proposal only stores the keys used for signing in the blockchain. You could use DNSSEC though to archive basically the same thing.

sundbry6y ago

You'd only need to put the NS records in for each domain.

troquerre6y ago· 3 in thread

Handshake is another DNS on blockchain project that's taking a different approach — it's aiming to decentralize the root zone (TLDs) instead of domains, because the root zone is where the centralization happens.

This MIT Tech Review article gives a good overview of Handshake's goals: https://www.technologyreview.com/s/613446/the-ambitious-plan...

dogma11386y ago

Every time I see an article claiming that someone is building some “decentralized” system to make censorship harder I wonder if anyone of those people even understands how the internet is censored at scale in places like China.

For the censorship we have in the west e.g. blacklisting torrent sites a non-ISP DNS and or CDN already solve that problem, for anything beyond that nothing would help.

mlyle6y ago

There's also various kinds of registrar concerns; registrars revoking domains for questionable reasons, the WIPO/UDRP regime, etc.

It all comes down to whether you think the current stewards and legal regimes and ICANN are doing a good job or not. [I'm undecided].

troquerre6y ago

The real innovation of Handshake is that is allows you to verify the public key associated with a name. This opens the door to enabling SSL/TLS without relying on Certificate Authorities, which is a vulnerability point in the security of the Internet today. The additional benefit is that the names are difficult to censor. Governments can still censor by IP of course, but the point is that it forces bad actors to censor at a deeper level (and there are other projects tackling solving that).

LIV26y ago· 2 in thread

What is the proof? That the domain owner signed it with a certain key? Is that key shared out-of-band? If so why do we even need the blockchain?

bouncycastle6y ago

Yes, the proof would be some sort of signature.

No, public key cryptography means that the key doesn't need to be shared.

A blockchain is only needed if parties need to write to the database in a decentralized manner, and the order of the writes is important & can't be tampered with.

SAI_Peregrinus6y ago

The public key still needs to be shared.

1 more reply

pjc506y ago· 1 in thread

You've reinvented the HOSTS file, which used to be manually updated by John Postel or someone and passed around the internet before DNS was invented.

isostatic6y ago

But it's on the blockchain! That means it's a billion-dollar idea!

LeoPanthera6y ago· 1 in thread

So, NameCoin again? I think it was the first ever bitcoin fork.

https://en.wikipedia.org/wiki/Namecoin

ur-whale6y ago

Indeed, this was my first thought when I read the title, and IMO, it still remains the other obious killer app. for blockchain (besides store of value / currency, obviously).

Namecoin is an idea (that failed because IMO it was too early) so old by now that I am truly surprised there hasn't been a full blown distributed DNS solution that works in parallel to the existing one based on blockchain.

lowestlatency6y ago· 1 in thread

The article explains the censorship resistance aspect but not the security. How does Handshake deal with the things Cloudflare does for me? DDoS and WAF protection, at least?

southerntofu6y ago

Firewalls and DDOS protection have nothing at all to do with name resolution. These are routing concerns that require taking a deep look into the packets (DPI), while name resolution and key exchange are prior steps.

Also, what does CloudFlare bring to you? 99% of websites don't need DDOS protection or a complex firewall. Using CloudFlare for these websites means:

- CloudFlare gets to inspect and snoop 100% of your "HTTPS" trafic (because the TLS termination happens on their side)

- Users without Javascript (command-line browsers or GUI browsers disabling JS for performance/security concerns) cannot access your website

- Tor users most times cannot access your services at all because CloudFlare and Google work hand-in-hand to prevent them from using the web by serving infinite CAPTCHA loops (see #FuckCloudFlare)

- CloudFlare becomes a SPOF for much of the web, like other "cloud" providers ; accessing your website depends on the availability and good will of a huge multinational

So if you want to help people access the Internet without censorship and surveillance, please never use CloudFlare or equivalent services. They make everything so much worse through centralization. If we wait too much, it will become a HUGE problem.

foxhill6y ago· 1 in thread

is this not what https://www.namecoin.org does..?

wallacoloo6y ago

> Namecoin and the Ethereum Name System were the first attempts at bringing name resolution to the Blockchain. At Diode we’re going the next step and are moving PKI & DNS into the Blockchain

The article specifically calls out Namecoin, but doesn’t say anything about how Namecoin falls short or why it can’t be augmented/improved instead of building a whole new thing.

I know I’ll sound like a grump here, but why does the bar for HN front page feel so low these days?

asdf3336y ago· 1 in thread

question—can’t a government actor like china just watch the record for where it points to and just filter that address? doesn’t that defeat the whole purpose of this uncensorability?

while it may be harder in the US i could legitimately see a mechanism developing to make that a requirement for isps

freeone30006y ago

They can, and do, already do this for regular DNS. This would prevent US-style domain name seizures but would do nothing against actual competent censorship.

Causality16y ago· 1 in thread

Correct me if I'm wrong, but wouldn't DNS-on-blockchain make lookups orders of magnitude slower than they are now, especially with many DNS services advertising based on speed?

tinybeagle6y ago

Yes, DNS-on-blockchain would likely make lookups orders of magnitude slower than they are now -- it's making a trade-off between security and performance.

rubyfan6y ago

I don’t get why blockchain is any different for the list of complaints the author highlights.

Also, reminds me of the old saying about “now you have two problems”

Dylan168076y ago

I'll go ahead and note that this doesn't require a blockchain. Each TLD is controlled by a single entity. Anything a site would store on a blockchain, they could easily submit to that single entity to be published.

joosters6y ago

When the DNS blockchain forks, your browser just opens two new tabs instead of one and you get to visit both sites. Simple!

tylerl6y ago

Oh wait, you're serious. Let me laugh even harder.

Communitivity6y ago

There's some interesting work on this going on in W3C, in the Verifiable Claims Working Group [1] and in the newly minted Decentralized Identifier Working Group [2]. I'm a member of the W3C Credentials Community Group (CCG) [3], which is where those two WGs started.

There are also a number of other valuable efforts. Both in other Standards Development Organizations (SDOs), such as Decentralized Identity Foundation (DIF) [4], Apache HyperLedger projects like Aries [5], etc. And in working conferences/unconferences like Rebooting Web of Trust (RWOT) [6], and Internet Identity Workshop (IIW) [7]. On a tangential note, Unconferences are an interesting concept [8].

[1] https://www.w3.org/2017/vc/WG/ [2] https://www.w3.org/2019/08/did-wg-charter.html [3] https://w3c-ccg.github.io/ [4] https://identity.foundation/ [5] https://www.hyperledger.org/projects/aries [6] https://www.weboftrust.info/ [7] https://internetidentityworkshop.com/ [8] http://unconference.net/

yellow_postit6y ago

The wave of “x, but on the blockchain!” Patents is going to be amusing and sad to watch.

rolltiide6y ago

A lot of blockchain projects coordinate "seed nodes" by storing collections of IP addresses within the DNS records of websites that community members run, because it is an already decentralized enough record

This is going full circle

Vosporos6y ago

Uh no thank you, I do not wish to synchronise half a terabyte per month to be able to resolve domains.

j / k navigate · click thread line to collapse

64 comments

54 comments · 19 top-level

zaarn6y ago· 12 in thread

m-p-36y ago

zaarn6y ago

Why is it always so black-and-white with blockchain people?

There is no reason we can't deploy something that takes the good parts of decentralized operation without having to commit to a full P2P blockchain IoT buzzword fiasko.

tinybeagle6y ago

There are some proposals that use mechanisms like Harberger tax to combat squatting. https://discuss.ens.domains/t/highlight-robin-hansons-more-o...

theamk6y ago

For DNS, does that mean that if Facebook wants any domain I own, like my homepage for the last 20 years, they'll just get it?

Because an amount of money I can afford to protect it is tiny compared to FB's marketing budgets.

pkhamre6y ago

You could probably say the same thing about DNS right before it was introduced to the mainstream.

zaarn6y ago

Computers weren't mainstream when DNS was invented.

Karrot_Kream6y ago

zaarn6y ago

girlATthepub6y ago

We girls at your pub will truck and stuck you right off, just drink a beer or two, and come down to the pub. It'll be fantastic.

I guarantee you will have luck. Let's truck it. Have some self-hope. It'll be grand <3

woah6y ago

Nazis and malware authors are out there using email right now. What are we going to do about it?

sundbry6y ago

Yeah, why even let the Nazis have IP addresses? In fact, if we took away their computers, pens, and papers, surely that would make them less likely to lash out violently.

zaarn6y ago

Seems to have worked with 8chan, last I checked it's still offline on the clearnet.

cobbzilla6y ago· 6 in thread

Yes, DNS should be like the old phone book — published regularly, pick one up anywhere & everywhere, look things up anonymously (granted, authenticity guarantees were somewhat lacking).

SrslyJosh6y ago

> published regularly, pick one up anywhere & everywhere, look things up anonymously

...and controlled by whoever has the most computing power. ;-)

techntoke6y ago

My guess is because some crypto provider wants to manage it and charge you to publish to it.

ur-whale6y ago

Because any random local dictatorship, be it the FBI or Kim-Jong can decide what does and does not go in the book.

_8j506y ago

Ipfs.io can solve this easily.

zaarn6y ago

Ipfs requires a DNS server to bootstrap the P2P network, not a good idea.

Plus, Ipfs isn't that good when it comes to authentic data, if it's signed, there is only one key, so it's centralized again.

3 more replies

lazzlazzlazz6y ago

What's the economic incentive structure to continue serving all the data in a performant manner?

jeffk_teh_haxor6y ago· 6 in thread

Why is the solution to every problem "blockchain" these days?

Kiro6y ago

> Why is the solution to every problem "blockchain" these days?

That is a trope and is no longer true. If you say blockchain is the solution you get laughed at.

zaarn6y ago

Being laughed at doesn't seem to stop people from trying to solve problems by throwing more blockchain at it.

annnoo6y ago

tinybeagle6y ago

The point is less about storing the audit history, but more about preventing Man-in-the-Middle attacks and solving the timestamp-certificate chicken-egg problem.

heythere226y ago

As I read it, this proposal only stores the keys used for signing in the blockchain. You could use DNSSEC though to archive basically the same thing.

sundbry6y ago

You'd only need to put the NS records in for each domain.

troquerre6y ago· 3 in thread

This MIT Tech Review article gives a good overview of Handshake's goals: https://www.technologyreview.com/s/613446/the-ambitious-plan...

dogma11386y ago

For the censorship we have in the west e.g. blacklisting torrent sites a non-ISP DNS and or CDN already solve that problem, for anything beyond that nothing would help.

mlyle6y ago

There's also various kinds of registrar concerns; registrars revoking domains for questionable reasons, the WIPO/UDRP regime, etc.

It all comes down to whether you think the current stewards and legal regimes and ICANN are doing a good job or not. [I'm undecided].

troquerre6y ago

LIV26y ago· 2 in thread

What is the proof? That the domain owner signed it with a certain key? Is that key shared out-of-band? If so why do we even need the blockchain?

bouncycastle6y ago

Yes, the proof would be some sort of signature.

No, public key cryptography means that the key doesn't need to be shared.

A blockchain is only needed if parties need to write to the database in a decentralized manner, and the order of the writes is important & can't be tampered with.

SAI_Peregrinus6y ago

The public key still needs to be shared.

1 more reply

pjc506y ago· 1 in thread

You've reinvented the HOSTS file, which used to be manually updated by John Postel or someone and passed around the internet before DNS was invented.

isostatic6y ago

But it's on the blockchain! That means it's a billion-dollar idea!

LeoPanthera6y ago· 1 in thread

So, NameCoin again? I think it was the first ever bitcoin fork.

https://en.wikipedia.org/wiki/Namecoin

ur-whale6y ago

Indeed, this was my first thought when I read the title, and IMO, it still remains the other obious killer app. for blockchain (besides store of value / currency, obviously).

lowestlatency6y ago· 1 in thread

The article explains the censorship resistance aspect but not the security. How does Handshake deal with the things Cloudflare does for me? DDoS and WAF protection, at least?

southerntofu6y ago

Also, what does CloudFlare bring to you? 99% of websites don't need DDOS protection or a complex firewall. Using CloudFlare for these websites means:

- CloudFlare gets to inspect and snoop 100% of your "HTTPS" trafic (because the TLS termination happens on their side)

- Users without Javascript (command-line browsers or GUI browsers disabling JS for performance/security concerns) cannot access your website

- Tor users most times cannot access your services at all because CloudFlare and Google work hand-in-hand to prevent them from using the web by serving infinite CAPTCHA loops (see #FuckCloudFlare)

- CloudFlare becomes a SPOF for much of the web, like other "cloud" providers ; accessing your website depends on the availability and good will of a huge multinational

foxhill6y ago· 1 in thread

is this not what https://www.namecoin.org does..?

wallacoloo6y ago

> Namecoin and the Ethereum Name System were the first attempts at bringing name resolution to the Blockchain. At Diode we’re going the next step and are moving PKI & DNS into the Blockchain

The article specifically calls out Namecoin, but doesn’t say anything about how Namecoin falls short or why it can’t be augmented/improved instead of building a whole new thing.

I know I’ll sound like a grump here, but why does the bar for HN front page feel so low these days?

asdf3336y ago· 1 in thread

question—can’t a government actor like china just watch the record for where it points to and just filter that address? doesn’t that defeat the whole purpose of this uncensorability?

while it may be harder in the US i could legitimately see a mechanism developing to make that a requirement for isps

freeone30006y ago

They can, and do, already do this for regular DNS. This would prevent US-style domain name seizures but would do nothing against actual competent censorship.

Causality16y ago· 1 in thread

Correct me if I'm wrong, but wouldn't DNS-on-blockchain make lookups orders of magnitude slower than they are now, especially with many DNS services advertising based on speed?

tinybeagle6y ago

Yes, DNS-on-blockchain would likely make lookups orders of magnitude slower than they are now -- it's making a trade-off between security and performance.

rubyfan6y ago

I don’t get why blockchain is any different for the list of complaints the author highlights.

Also, reminds me of the old saying about “now you have two problems”

Dylan168076y ago

joosters6y ago

When the DNS blockchain forks, your browser just opens two new tabs instead of one and you get to visit both sites. Simple!

tylerl6y ago

Oh wait, you're serious. Let me laugh even harder.

Communitivity6y ago

yellow_postit6y ago

The wave of “x, but on the blockchain!” Patents is going to be amusing and sad to watch.

rolltiide6y ago

This is going full circle

Vosporos6y ago

Uh no thank you, I do not wish to synchronise half a terabyte per month to be able to resolve domains.

j / k navigate · click thread line to collapse