How to build a more secure domain system

Philip Saunders
Oct 21, 2016


This morning, major websites all over the world, including Twitter, Spotify and Github, were made inaccessible to their users. The cause? DNS records contained on Dyn’s nameservers were poisoned, causing increased latency and outages concentrated mostly around the East Coast of the United States. Even now, at the time of writing, Dyn’s own website is inaccessible.

As it happens, my own project Nebulis is building a new domain directory using the Interplanetary File System (IPFS) and the Ethereum blockchain, so I thought I’d weigh in.

Try this experiment. Copy the following into your address bar:

31.13.76.68.

See what happens?

This is one of the many IP addresses for Facebook (they have hundreds of IP addresses to handle user requests for “Facebook.com”). But all you truly need to access it is this number, not the full domain name.

That is the DNS system in a nutshell: the phone book of the internet, which maps human-readable names like Facebook.com to the IP address of the host (along with the legal owner of the domain).

DNS is insecure

Most people have heard that countries like China, Turkey, Russia and North Korea censor their internet. Not as many people know how this is achieved: by poisoning the DNS system. When a Chinese user tries to access “Twitter.com” they are redirected to the wrong IP address or blocked altogether. The same goes for requests that contain keywords that have been banned by the regime.

It would be no exaggeration to say that DNS is the weak link of the internet, exploited by rogue ISPs, censors, and hackers to create an unreliable web.

How Ethereum will fix it

What is Ethereum? To put it simply, Ethereum is a global network of nodes which keep track of a shared record. Whenever a change is made anywhere on the network, all the nodes are updated simultaneously in a cryptographically secure manner to reflect the change in state. This feature happens to be useful for currencies, property titles, identity: basically any use case that requires decidability over scarce resources without the need for some trusted entity overseeing it.

For developers, one of the outstanding features of the Ethereum platform (and emerging blockchain platforms like Synereo and Tezos) is the ability to create “smart contracts”: small pieces of code embedded into the blockchain which set various rules for how the record is stored and retrieved, as well as ownership and financial logic. Because of Ethereum’s ability to perform computation, it has become fondly known as the “World Computer”.

What is Nebulis?

Nebulis is a secure, globally-shared directory of domain names, which is structured like a file system. The default protocol scheme is ipfs:// instead of http://, although users of the system can dynamically add compatibility with other protocols and file systems, as long as the content-hash fits into 32 bytes. Unlike other “Blockchain DNS” projects like Blockstack and DNSChain, Nebulis is a fully parallel system with its own syntax and is also aimed at replacing the HTTP protocol and geographical IP addresses (more on that later).
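The 32-byte constraint above, shown as an added example (this is not Nebulis code): an IPFS CIDv0 string such as `Qm...` is the Base58 encoding of a 2-byte multihash prefix plus a 32-byte SHA-256 digest, so only the digest fits a 32-byte record field. That Nebulis stores the bare digest is an assumption, and the function names are hypothetical.

```python
import hashlib

# Base58 (Bitcoin alphabet), as used by IPFS CIDv0 strings.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Multihash prefix: 0x12 = sha2-256, 0x20 = digest length of 32 bytes.
SHA256_PREFIX = b"\x12\x20"

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a character outside the alphabet
    pad = len(s) - len(s.lstrip("1"))  # each leading '1' encodes one zero byte
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(b: bytes) -> str:
    n = int.from_bytes(b, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(b) - len(b.lstrip(b"\x00"))
    return "1" * pad + out

def cid_to_bytes32(cid: str) -> bytes:
    """Strip the multihash prefix so the digest fits a 32-byte record field.
    Assumption: the directory stores only the bare sha2-256 digest."""
    raw = b58decode(cid)
    if len(raw) != 34 or raw[:2] != SHA256_PREFIX:
        raise ValueError("not a sha2-256 CIDv0; digest does not fit 32 bytes")
    return raw[2:]

def bytes32_to_cid(digest: bytes) -> str:
    """Rebuild the CIDv0 string a client would hand to IPFS."""
    if len(digest) != 32:
        raise ValueError("record field must be exactly 32 bytes")
    return b58encode(SHA256_PREFIX + digest)

# Constructed sample: a digest of arbitrary bytes, not a real Nebulis record.
SAMPLE_DIGEST = hashlib.sha256(b"constructed sample content").digest()
SAMPLE_CID = bytes32_to_cid(SAMPLE_DIGEST)

if __name__ == "__main__":
    print(SAMPLE_CID, cid_to_bytes32(SAMPLE_CID).hex())
```

Rejecting any other prefix or length matters: a hash with a different algorithm or a longer digest cannot be stored in the field without truncation, and a truncated hash no longer identifies the content.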

Current domain names tend to follow the following syntax:

scheme://subdomain.domain.tld/

Originally, Nebulis followed this syntax, with the difference that it used ipfs:// instead of http:// to avoid name clashes. However, it soon became apparent that if we went down this path, Nebulis would soon be swarmed by squatters trying to sell ipfs://bankofantarctica.com to Bank of Antarctica.

Part of the original purpose of DNS was to avoid browser wars, so that a wide variety of users and commercial stakeholders could agree on one system for the sake of an open internet. Deliberately conflicting with the existing namespace would be in violation of this principle. So we decided to take a different path (and, it turns out, a better one).

The URL scheme on Nebulis is more like a federated file system. Whereas “subdomain.domain.tld/” starts out specific and gets more generic the further into the name, Nebulis starts out generic and gets more specific.

Think of your “documents” folder on your computer:

/home/documents/file.txt

Generic => Specific. Nebulis follows a similar structure:

scheme://cluster.domain.outerdomain

Nebulis reverses the traditional syntax. “Clusters” are the Nebulis equivalent of top-level domains: generic genres of content. The reason for this is that a federated structure would make the internet much more navigable, while still being beautiful and memorable. In keeping with this desire to imitate file systems, the first cluster on Nebulis will be ipfs://home. Home is a generic cluster and the “.com” equivalent. So “http://google.com” on Nebulis would look something like “ipfs://home.google”.

Users of Nebulis are able to create new clusters if the existing set are unsatisfactory. This is a major improvement on the bureaucratic process for creating new top-level-domains with ICANN.

Security

When you query a record in the existing DNS system, you almost always get back a result that is cached in several places: either on your own machine or on a DNS zone that is geographically closest to you. If all requests had to be directed right to the root DNS zone, the wires would melt. It is by poisoning these “caches” that hackers and censors alike manage to shut down networks.

Using Ethereum to keep DNS records minimizes many of the redundancies of the current system, such as an over-reliance on caching and TTL (time-to-live), which is the frequency with which zone caches ping the source record to check for any changes.

Writes (transactions) on Ethereum are expensive and involve updating the whole network; however, reads are instant and free and do not impose costs. This means there is not so much danger of the wires melting under high traffic: as long as people have their own copy of the blockchain, they can just read the information and find the resource quickly.

Project Status

I’m planning to publish the smart contracts of the Directory this weekend or early next week. After that, the goal will be to get the contracts audited and run a period of rigorous testing. We currently have an informal team of six people working on the Nebulis CLI and the Nebulis Core for registrar/browser integration as well as for the simulcra system. The long-term goal is to also build a browser that is compatible with IPFS, Ethereum and Nebulis.

If you wish to follow Nebulis, we are competing in Ether Camp this year. Please give us an upvote!

Read the First Memorandum (which is uploaded to IPFS): https://goo.gl/1flMgG

Are you a developer interested in working on Nebulis? Please contact nebulisworkinggroup@protonmail.com.


Philip Saunders

Founder of Pax, Co-Founder of Matchpool. Writer and blockchain enthusiast.