I recently discovered DNSChain. It seems more complicated than it really is, so I’ll try to explain what it is & why it is a novel solution to resolving DNS.
The (simplified) “old” model:
When you type “facebook.com” into your browser, the resolver queries the root DNS servers and “cascades” down the hierarchy to find who is authoritative for “facebook.com”, then returns the IP address.
This system requires trusted 3rd parties at several levels. First, institutions such as ICANN are responsible for maintaining the root zone. Secondly, DNS can be “spoofed”: someone could intercept the request to the authoritative servers and hand the browser the wrong results. In other words, if not properly secured, typing in tumblr.com might give you a completely different IP. That’s why companies like Thawte & Verisign came along. They became “certificate authorities”, another 3rd party responsible for maintaining this infrastructure. A certificate authority (in simple terms) is responsible for making sure that if you type in tumblr, you actually *are* receiving traffic from Tumblr.
It’s not too secure. A CA has been compromised in the past, in which case, although everything “looks” secure, traffic could be redirected or intercepted.
Now, this is a simplified view of how it works, but what’s important here is: 1) DNS is currently a 3rd-party-based hierarchical system that 2) has security holes arising from the fact that we need to trust a set of 3rd parties to act in an authoritative manner to keep us secure.
Famously, Zooko’s triangle explains the problem with this: decentralized, secure & human-readable. Pick 2. You can’t have all 3.
Namecoin is a blockchain that allows key-value storage. It’s been used to store identities (onename) or domains (.bit). It defies Zooko’s triangle.
Namecoin is decentralized (it’s a blockchain), it’s “secure” (or at least more secure than the current DNS infrastructure, and it will get more secure in the future) and it allows human-readable domain names that end in the .bit extension. So if you have the appropriate measures set up (adding proxies or an additional DNS server to resolve through), you can view .bit domains.
Currently it is a bit cumbersome. There’s no real incentive for the average web user to add these features. The other problem is the same problem that plagued the original DNS setup: if you have a proxy or a different resolver IP set up to view .bit domains, how do you know someone isn’t serving you the wrong IP addresses? You have to maintain your own copy of the Namecoin blockchain to check, which is cumbersome.
So: DNSChain comes along and provides an HTTP & DNS interface to the Namecoin blockchain (or any other blockchain you’d want). Additionally, each DNSChain server signs (upcoming feature) the traffic it sends, so you can verify, using that server’s fingerprint, that a response DID come from that DNSChain server.
In other words, instead of someone else running a proxy or a DNS server, DNSChain makes it easy for anyone to set up a DNS resolver for data in the blockchain (you add a DNSChain server you trust to your computer’s DNS settings). So, if I type in <domain>.bit, the lookup goes through your DNS settings and finds a resolver that handles .bit, which is of course a DNSChain server you trust. Since you trust that DNSChain server’s data, you know, together with proper verification of its signature, that the IP address is the correct one.
The great thing about this is that because the datastore is decentralized (unlike the current authoritative infrastructure), there’s no real limit to how many DNSChain servers can be run. Ideally, you’d only need 1 DNSChain server for yourself, as that is the one you’ll trust the most. However, it doesn’t seem reasonable to expect every web user to have their own DNSChain server set up. It’s too complicated. So, the middle ground is to have a user add either a friend’s DNSChain server or a more public one. To forgo the need for 7 billion DNSChain servers, the middle ground to me seems like having a set of DNSChain servers (I don’t think you need a lot) which you trust, but not entirely. So if you have a friend’s DNSChain server, but you know he is a shit sys-admin, then it might be compromised. So, just to be safe, you add the DNSChain server of your other friend. Having 2 means you can “cross-check”, in the scenario that you don’t really trust either of them 100%.
So IF you worry that one of your DNSChain servers could get compromised, or its Namecoin data could get Sybil-attacked, you simply need to add more DNSChain servers you trust. I’m not entirely sure if this is possible, but you could additionally (with a small overhead) attach a *trust* probability to the data. In other words, when querying a .bit name, the client checks ALL your DNSChain connections. If 99% of them return the same IP, you can be pretty sure that’s the legitimate one.
The beauty of the DNSChain system is that it also works for *other* data, not just IP data. Services like onename store BTC payment information.
However, currently for services to use onename in their products, they need the overhead of maintaining their own copy of the Namecoin blockchain so they can check the data. And if I visit a site that uses onename, there’s no easy way for me to verify whether they went direct to the source or through other services (such as block explorers). Additionally, even IF they did go direct to the source, a malicious browser extension or a MITM attack could alter the payment address.
So, for your browser to verify that the address you see (retrieved from onename) IS the address in the actual Namecoin blockchain, it needs to query the Namecoin blockchain in a secure & low-overhead manner. Now you can simply add, say, 5 DNSChain servers you trust and get back results from all 5 to make sure that the address information IS correct.
You don’t strictly need DNSChain (you could simply find several publicly exposed Namecoin nodes), but DNSChain helps in that it exposes the data more easily (it comes with an HTTP resolver too) and signs the traffic.
So what we now need is a browser extension that maintains a public list of all DNSChain servers, and maintains the security of the network (throw out DNSChain servers that reply with fraudulent data). This list, like Bitcoin’s seed lists, develops a trust percentage over time so that we always have a pretty decent snapshot of data in the Namecoin blockchain. Of course, if you ever think that’s a bad idea, you can just always run your own DNSChain server. ;)
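The cross-checking described above (querying all your DNSChain servers, weighting each by how much you trust it, accepting the answer only above a threshold, and lowering the trust of servers that reply with data contradicting the rest) as a worked example. This is added illustration code, not part of DNSChain or of the original post; the resolver names, IPs and trust weights are constructed, and the answers are embedded instead of being fetched over DNSChain’s HTTP interface so the example runs offline.

```python
"""Cross-check one .bit lookup across several DNSChain-style resolvers."""
from collections import defaultdict

# Constructed sample answers for "example.bit" from four trusted resolvers.
# In real use each answer would be fetched (and its signature checked against
# that server's pinned fingerprint) before it enters this dictionary.
SAMPLE_ANSWERS = {
    "friend-a.example": "203.0.113.10",
    "friend-b.example": "203.0.113.10",
    "public-1.example": "203.0.113.10",
    "public-2.example": "198.51.100.7",   # disagrees: misconfigured or compromised
}

# Constructed trust weights in [0, 1]: how much you trust each resolver.
TRUST = {
    "friend-a.example": 1.0,
    "friend-b.example": 0.6,
    "public-1.example": 0.8,
    "public-2.example": 0.2,
}


def weighted_consensus(answers, trust, threshold=0.99):
    """Return (ip, agreement): ip is the best-supported answer if its
    trust-weighted share of all answering resolvers reaches threshold,
    otherwise None; agreement is that share either way."""
    total = sum(trust[r] for r in answers)
    if total == 0:
        return None, 0.0
    support = defaultdict(float)
    for resolver, ip in answers.items():
        support[ip] += trust[resolver]
    best_ip, best_weight = max(support.items(), key=lambda kv: kv[1])
    agreement = best_weight / total
    return (best_ip if agreement >= threshold else None), agreement


def update_trust(answers, trust, accepted_ip, penalty=0.5, reward=0.05):
    """Halve the trust of resolvers that contradicted an accepted answer
    (the post's 'throw out servers that reply with fraudulent data') and
    nudge agreeing resolvers upward, capped at 1.0. Returns a new dict."""
    updated = dict(trust)
    for resolver, ip in answers.items():
        if ip == accepted_ip:
            updated[resolver] = min(1.0, updated[resolver] + reward)
        else:
            updated[resolver] = updated[resolver] * penalty
    return updated


if __name__ == "__main__":
    print(weighted_consensus(SAMPLE_ANSWERS, TRUST))        # one dissenter: below 99%
    print(weighted_consensus(SAMPLE_ANSWERS, TRUST, 0.9))   # accepted at a 90% bar
```

With the 99% bar the single dissenting public resolver blocks acceptance, which is the intended failure mode: the client should refuse rather than pick a side, and only a lower bar (or more agreeing resolvers) lets the answer through.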
The end-goal however is to have a DNSChain server in every home (synced up to a relevant decentralized data-store)… Perhaps on the router?
I think DNSChain is such a quick, easy & novel way to secure a lot about the internet, and one that is relatively simple to implement. Bravo.
P.S. It’s important to note that DNSChain can be implemented with any type of decentralized data-store. It doesn’t have to be Namecoin. It could be other chains, such as NXT, or Ethereum contracts.
Here’s a video showcasing DNSChain & the okTurtles project.
Thanks to Greg (@taoeffect) from DNSChain for fact-checking and reading through this before posting!