NeoDNS: A new DNS like the one we know (opens in new tab)

(rot256.io)

42 pointsgiodamelio9y ago15 comments

15 comments

So, biggest question... how is this different from Namecoin [1], and how does it improve upon it? Both are in the same 'decentralized identity/DNS' space.

Also, from a cursory glance, how does this prevent spam? There seems to be no cost to register a new name. What prevents someone from taking every possible name?

[1] https://www.namecoin.org/

ashitlerferad9y ago

Or from the GNU naming system: https://www.gnunet.org/gns

wongarsu9y ago

In this scheme, there is still a central registrar with full control over the TLD. For example to register a .com domain you would still go through verisign (and pay them). This proposal would just mean that verisign would provide a public, blockchain-verified history of their DNS zone file.

That's fundamentally different from namecoin which wants to cut the registrar (verisign, etc.) of the equation.

zokier9y ago

Seems somewhat similar to Certificate Transparency project, where issued certificates are recorded in a public (merkle tree) log.

mwilcox9y ago

It's more similar to Blockstack: https://blockstack.org

bobajeff9y ago

Well after reading this post the obvious difference is that namecoin exists and this is just a idea that the author is still trying to work out.

lol7689y ago

The site doesn't specify directly, but would the communication between Bob (the end-user) and Trent (the trusted entity) be encrypted? If not, why not?

It's always annoyed me how much of a mess DNS is when it comes to confidentiality. Why should my ISP or employer be able to deduce which sites I'm visiting by simply inspecting my UDP datagrams (filtering to port 53) and looking at the plaintext queries? Why was this thought to be a good idea?

In the wider scheme of things, there's far too much trust with many internet services/protocols. I like that NeoDNS provides a public key for the queried service - maybe with a scheme like this we can stop sending hostnames for SNI in plaintext as part of the TLS handshake too. We shouldn't accept these sorts of information leaks anymore, it's been demonstrated too many times in the past that sending things in plaintext is a bad idea.

paulddraper9y ago

(1) Your ISP and employer know which sites you're visting (modulo virtual hosting) by inspecting your IP packets and doing a reverse DNS lookup. It's the price you pay for someone routing your traffic: they have to know where to send it.

(You can use a proxy/VPN tunnel. Your ISP knows knows you're sending traffic to the proxy, and your proxy knows where you're sending traffic.)

(2) DNS encryption is certainly possible. DNSCurve and DNSCrypt are the ones I know of. But there's just not a lot of motivation. IP packets have an address on them already; the only additional thing DNS or SNI reveals is which of several (usually enumerable) hostnames they are interested at that IP. So...interesting, but generally not compelling.

lol7689y ago

> (1) Your ISP and employer know which sites you're visting (modulo virtual hosting) by inspecting your IP packets and doing a reverse DNS lookup. It's the price you pay for someone routing your traffic: they have to know where to send it.

You have a point, but as a webmaster there's surely no requirement for me to create a PTR record, right? As long as there's an A record somewhere, surely things will work? This is perhaps what you were getting at with "(modulo virtual hosting)" I guess (though to me that would suggest SNI-based certificate serving from one IP)?

aibottle9y ago

Well great, now could someone come up with DNS improved by Machine Learning trough Deep Convolutional Neural Networks? That's the only missing thing for a BS-Bingo on my card.

throwaway19749y ago

Is this resistant to domains being taken down for "copyright" reasons, which has shown that one does not really own the domain and is at a whim of a registrar.

wongarsu9y ago

Old dns entries would be recorded in the ledger forever. You would just have to write a client that ignores revocations/reassignments/updates for a chosen domain.

But in principle the registrar can still do with its domain whatever it likes for any or no reason.

drdaeman9y ago

This seem to bring up the zone enumeration issue. Except for now, approaches like used in NSEC3 won't help at all.

"Private" DNS entries matter, when one wouldn't want to remember IPs (one'd rather remember "correct-horse-battery-staple.int.example.org"), but also wouldn't want to disclose the addresses used internally and aren't exposed to the end-users (because DDoS).

matheweis9y ago

Will this scale to the pending explosion of DNS as IPv6 is deployed? The existing DNS infrastructure is already experiencing growing pains, especially wrt PTR records.

jackweirdy9y ago

Is anyone more familiar with it able to discuss how the identity part of this compares and contrasts with DANE?

j / k navigate · click thread line to collapse

15 comments

kbaker9y ago

So, biggest question... how is this different from Namecoin [1], and how does it improve upon it? Both are in the same 'decentralized identity/DNS' space.

Also, from a cursory glance, how does this prevent spam? There seems to be no cost to register a new name. What prevents someone from taking every possible name?

[1] https://www.namecoin.org/

ashitlerferad9y ago

Or from the GNU naming system: https://www.gnunet.org/gns

wongarsu9y ago

That's fundamentally different from namecoin which wants to cut the registrar (verisign, etc.) of the equation.

zokier9y ago

Seems somewhat similar to Certificate Transparency project, where issued certificates are recorded in a public (merkle tree) log.

mwilcox9y ago

It's more similar to Blockstack: https://blockstack.org

bobajeff9y ago

Well after reading this post the obvious difference is that namecoin exists and this is just a idea that the author is still trying to work out.

lol7689y ago

The site doesn't specify directly, but would the communication between Bob (the end-user) and Trent (the trusted entity) be encrypted? If not, why not?

paulddraper9y ago

(You can use a proxy/VPN tunnel. Your ISP knows knows you're sending traffic to the proxy, and your proxy knows where you're sending traffic.)

lol7689y ago

aibottle9y ago

Well great, now could someone come up with DNS improved by Machine Learning trough Deep Convolutional Neural Networks? That's the only missing thing for a BS-Bingo on my card.

throwaway19749y ago

Is this resistant to domains being taken down for "copyright" reasons, which has shown that one does not really own the domain and is at a whim of a registrar.

wongarsu9y ago

Old dns entries would be recorded in the ledger forever. You would just have to write a client that ignores revocations/reassignments/updates for a chosen domain.

But in principle the registrar can still do with its domain whatever it likes for any or no reason.

drdaeman9y ago

This seem to bring up the zone enumeration issue. Except for now, approaches like used in NSEC3 won't help at all.

matheweis9y ago

Will this scale to the pending explosion of DNS as IPv6 is deployed? The existing DNS infrastructure is already experiencing growing pains, especially wrt PTR records.

jackweirdy9y ago

Is anyone more familiar with it able to discuss how the identity part of this compares and contrasts with DANE?

j / k navigate · click thread line to collapse