A Censorship Resistant and Fully Decentralized Name System
The GNU Alternative Domain System

Martin Schanzenbach (TUM)
Master's Thesis, September 17, 2012

Slide 2: Secure, Memorable, Global: Choose Two (Zooko's Triangle)
[Figure: Zooko's triangle with the corners Secure, Global and Memorable; DNS, DNSSEC, petname systems, Tor .onion and GADS are placed along its edges.]

Slide 3: Background: Domain Name System
[Figure: the DNS zone hierarchy. The root zone delegates to .com, .us, ...; the .com zone holds example.com, ...; the .us zone holds example.us, ...; the example.us zone holds www.example.us, ...]

Slide 4: Background: Domain Name System
Who controls the root zone? ICANN? IANA?
"The Internet Corporation for Assigned Names and Numbers (ICANN) currently performs the IANA functions, on behalf of the United States Government, through a contract with NTIA." - http://www.ntia.doc.gov

Slide 5: Overview: Properties of GADS
- Decentralized, distributed name system
- Secure, memorable, per-user name space in .gads
- Secure, globally unique name space in .zkey
- Linked per-user zones: delegation

Slide 6: Registering a name in GADS
- Bob creates a public key pair K_pub^Bob, K_priv^Bob
- Zone "PKEY": Hash(K_pub^Bob) = 8FS7
- Bob refers to his webserver via www.gads or www.8FS7.zkey
- How can others resolve the IP?

Slide 7: Registering a name in GADS
- Bob publishes his mappings in the DHT ... along with signatures
- Bob gives his PKEY to his friends via QR code:
[Figure: business card with QR code. Bob Builder, Ph.D.; Address: Country, Street Name 23; Phone: 555-12345; Mobile: 666-54321; Mail: [email protected]]

Slide 8: Registering a name in GADS (cont.)
[Figure: Alice's local zone (K_pub^Alice, K_priv^Alice) containing the record "bob PKEY 8FS7", next to Bob's business card.]
- Alice learns Bob's PKEY
- Alice delegates the subdomain bob to Bob's zone 8FS7
- Alice refers to Bob's webserver via www.bob.gads or www.8FS7.zkey
- How does she get the IP?

Slide 9: Name Resolution in GADS
[Figure: resolution of www.bob.gads, with the steps numbered as in the diagram]
0. Bob: PUT "www: 5.6.7.8" in zone 8FS7 into the DHT
1. Alice asks: www.bob.gads?
2. Look up 'bob' in Alice's local zone
3. Local zone answers: PKEY 8FS7
4. DHT: GET www in 8FS7
5. DHT answers: www: 5.6.7.8

Slide 10: From DNS to GADS
Names that are not globally unique are trouble!
- How do we create links?
- How can we make virtual hosting work?
- How will we validate X.509 certificates?

Slide 11: Solution: Relative Names
- Bob wants to share the link www.carol.+
- Bob interprets this name as www.carol.gads
- Alice interprets this name as www.carol.bob.gads
- Client translates names appropriately: client-side local proxy
[Figure: Alice sends "HTTP GET, Host: www.bob.gads" to the local proxy, which forwards "HTTP GET, Host: www.bob.gads" to the server. The server returns <html>... <a href="www.carol.+"> ...</html>; the proxy rewrites it to <html>... <a href="www.carol.bob.gads"> ...</html> before passing it to Alice.]

Slide 12: Legacy Hostname (LEHO) Records
Virtual Hosting with LEgacy HOstnames
- LEHO records provide LEgacy HOstnames for names
- Example: www(.+) → www.bobswebsite.com
[Figure: Alice sends "HTTP GET, Host: www.bob.gads" to the local proxy, which forwards "HTTP GET, Host: www.bobswebsite.com" to the server. The response <html>... <a href="www.carol.+"> ...</html> is rewritten to <a href="www.carol.bob.gads"> as before.]

Slide 13: SSL Certificates
Server offers certificate to client
[Figure: Alice sends "HTTP GET, Host: www.bob.gads:443" to the local proxy, which connects to the server with "HTTP GET, Host: www.bobswebsite.com:443"; the server presents a certificate for www.bobswebsite.com while Alice requested www.bob.gads.]
Verification:
- Old way: follow CA chain to "trust" anchor(s)
- Secure way: use DANE TLSA RRs! (RFC 6698)

Slide 14: Status of Implementation and Migration
Implementation:
- GADS resolver on top of GNUnet
- Client proxy
- Zone management tools with QR export and import
Migration:
- DNS and GADS can co-exist
- DNS-to-GADS gateways
- OS integration
Future Work:
- Usability evaluation/user acceptance
- TLSA verification in proxy
- Internationalized Names (IDN)

Slide 15: End
Thank you!

Slide 16: DNS-to-GADS Gateways: Subdomain Gateway
[Figure: the client asks for www.QXDA.zkey.eu. The DNS root server refers it onward ("try 91.200.16.100"), the .eu TLD server refers it to the GADS authoritative DNS server for zkey.eu, and that server resolves www.QXDA.zkey by asking the DHT "GET QXDA xor H('www')?" and returns IP: 4.3.2.1 to the client.]

Slide 17: DNS-to-GADS Gateways: Local Network Gateway
[Figure: a client in the local subnet sends its DNS queries to a DNS-to-GADS proxy gateway. A query for www.QXDA.zkey is answered via GADS, which asks the DHT "GET QXDA xor H('www')?" and returns IP: 4.3.2.1; a query for www.example.com is forwarded to a recursive DNS server, which returns IP: 1.2.3.4. The gateway sends the DNS response back to the client.]

Slide 18: Appendix
[Figure: plot of "% of new domains manually typed" (y-axis, 0 to 60) against "# of unique domains visited" (x-axis, 0 to 9000), series labelled "User".]

Slide 19: Appendix
[Figure: the stub resolver's DNS traffic is redirected with iptables to a DNS interceptor, which sends .gads queries to GADS and .com, .org, etc. queries to DNS; the responses return along the same path.]
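The resolution walk of slide 9 (PKEY delegation, then a DHT lookup keyed "zone xor H(label)" as written on the gateway slides) and the relative-name rewrite of slide 11, as an added Python model that is not code from the thesis or from GNUnet. It assumes a toy in-memory DHT, truncated SHA-256 as H, constructed hex zone ids in place of 8FS7, and leaves out the record signatures the slides mention.

```python
import hashlib
ZONE_ID_BYTES = 2  # toy zone-id length; real ids are public-key hashes (assumption)

def H(label):  # label hash; truncated SHA-256 stands in for the real hash (assumption)
    return hashlib.sha256(label.encode()).digest()[:ZONE_ID_BYTES]

def dht_key(zone_id, label):  # record key, written 'zone xor H(label)' on the slides
    return bytes(a ^ b for a, b in zip(zone_id, H(label)))

def dht_put(dht, zone_id, label, rtype, value):  # dht: toy dict, signatures omitted
    dht.setdefault(dht_key(zone_id, label), {})[rtype] = value
def dht_get(dht, zone_id, label, rtype):
    return dht.get(dht_key(zone_id, label), {}).get(rtype)

def resolve(name, local_zone, local_zone_id, dht):
    """Resolve 'www.bob.gads' from the local zone or 'www.<zone>.zkey' globally."""
    labels = name.split(".")
    tld = labels.pop()
    if tld == "zkey":            # global name: the zone id is part of the name
        zone = bytes.fromhex(labels.pop())
    elif tld == "gads":          # per-user name: start in the resolver's own zone
        zone = local_zone_id
    else:
        raise ValueError("not a GADS name: " + name)
    def lookup(zone, label, rtype):  # own records stay local, others come from the DHT
        if zone == local_zone_id:
            return local_zone.get(label, {}).get(rtype)
        return dht_get(dht, zone, label, rtype)
    while len(labels) > 1:       # steps 2-3: follow PKEY delegations right to left
        zone = lookup(zone, labels.pop(), "PKEY")
        if zone is None:
            return None          # unknown delegation: resolution fails
    return lookup(zone, labels.pop(), "A")  # steps 4-5: fetch the leaf record

def translate_relative(link, host):
    """Rewrite 'www.carol.+' relative to the host the page was fetched from."""
    if not link.endswith(".+"):
        return link
    return link[:-1] + host.split(".", 1)[1]  # '+' becomes the host minus its first label

def demo():
    dht = {}
    bob = bytes.fromhex("8f57")              # constructed zone id standing in for 8FS7
    dht_put(dht, bob, "www", "A", "5.6.7.8") # step 0: Bob publishes www in his zone
    alice_id = bytes.fromhex("a11c")         # constructed id for Alice's own zone
    alice_zone = {"bob": {"PKEY": bob}}      # Alice delegates 'bob' to Bob's zone
    return (resolve("www.bob.gads", alice_zone, alice_id, dht),
            resolve("www.8f57.zkey", alice_zone, alice_id, dht),
            translate_relative("www.carol.+", "www.bob.gads"),
            translate_relative("www.carol.+", "www.gads"))
```

Both spellings of Bob's site resolve to the same A record, and the same "+" link rewrites differently depending on whose zone the page was reached through.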