EthDNS: an Ethereum backend for the Domain Name System

What is the Domain Name System?

The Domain Name System (DNS) is a hierarchical decentralised information store, most commonly used to resolve human-readable names that you might type into a web browser (e.g. www.my.xyz) into numeric addresses that can be used to contact computers on the internet.

The hierarchical nature of DNS breaks names down to their component parts. For example, the name “www.my.xyz” is broken down as follows:

Breakdown of a fully qualified DNS name

These components can be found in the DNS hierarchy, as shown below:

DNS hierarchy showing the path from the DNS root to www.my.xyz

The DNS hierarchy makes it possible to traverse to any node from the DNS root by working down the hierarchy following the components of the DNS domain from right to left as it is written down.

Each node in the tree maps to a data store, where each data store for a given node must contain data about all of the nodes directly underneath it. Servers hold the data and make it available for querying by DNS clients (such servers are called “nameservers”).

The nameservers required to resolve “www.my.xyz”, along with the data that each nameserver holds, are shown below:

Traditional DNS nameserver infrastructure required for my.xyz domain

The above diagram shows one set of nameservers with the information for the DNS root, one for the “xyz” domain and one for the “my.xyz” domain. Each nameserver handles one node in the hierarchy. The root nameservers contain pointers to the nameservers directly under the root (com, net, xyz, etc.). The xyz nameservers contain pointers to the nameservers directly under xyz (my.xyz, ns.xyz, ethdns.xyz, etc.). The my.xyz nameservers contain data for the DNS names directly under my.xyz (www.my.xyz, etc.).

(Note that the above diagram and explanation are a simplified view of DNS but are sufficient for the purposes of this article.)

With the above information it can be seen that the resolution of a name such as “www.my.xyz” to an address requires the following steps:

Resolving the address of www.my.xyz
  1. The client sends a request to a root nameserver for the address of www.my.xyz
  2. The nameserver checks in its local store. It does not have any information about www.my.xyz but does know the nameserver(s) for xyz
  3. The nameserver returns details of the nameserver(s) that serve xyz
  4. The client sends a request to an xyz nameserver for the address of www.my.xyz
  5. The nameserver checks in its local store. It does not have any information about www.my.xyz but does know the nameserver(s) for my.xyz
  6. The nameserver returns details of the nameserver(s) that serve my.xyz
  7. The client sends a request to a my.xyz nameserver for the address of www.my.xyz
  8. The nameserver checks in its local store. It does have information about www.my.xyz, and finds the answer 193.62.81.1
  9. The nameserver returns the result 192.62.81.1 to the client

What is EthDNS?

EthDNS is composed of two pieces: an Ethereum Name Service (ENS) resolver and a nameserver. The former allows DNS information to be stored and accessed on the blockchain and the latter allows that information to be accessed in the same way as equivalent DNS information held on traditional name servers.

These two pieces combine to change the picture of the resolution infrastructure to the following:

DNS nameserver infrastructure with EthDNS serving my.xyz

The nameservers for the my.xyz domain have been configured to fetch information not from a local store but from the Ethereum blockchain, shown as the Ethereum symbol in the bottom-right corner of the diagram. Note that the name resolution process is exactly the same as in the previous diagram, and that the client is unaware that the information has been returned from the blockchain. This makes EthDNS a drop-in replacement for existing nameservers, working seamlessly with the existing infrastructure.

Benefits of EthDNS

There are a number of benefits to using EthDNS over a traditional DNS infrastructure.

EthDNS is more efficient than traditional DNS. DNS’s distributed architecture allows different nameservers to be responsible for different parts of the DNS hierarchy; for example, one nameserver might be responsible for the root domain, another for xyz, and yet another for my.xyz. This, however, leads to back-and-forth requests of the sort that can be seen in the preceding diagrams. EthDNS nameservers, in comparison, purely provide information placed on the Ethereum blockchain by the respective domain owners, without any ability to alter it. Because of this, an EthDNS nameserver can directly provide information for any domain on Ethereum, as shown below:

Direct resolution of EthDNS domain information

Another significant benefit is trust. DNS relies on a network of trust: specifically, each level in the hierarchy trusts the level above it. If this trust breaks down, for example if the owner of the xyz nameservers decides to delist my.xyz, then there is nothing that the domain owner can do to allow their users to resolve their domain. This situation can be seen below:

Blacklisting a domain in traditional DNS

Here the xyz nameservers delist the my.xyz domain, so after step 6 in the resolution process the client has no way of contacting the my.xyz nameservers to find the address of www.my.xyz.
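The referral walk in steps 1 to 9 and the delisting failure described above can be modelled in a few lines. This is an added example, not code from the article or the EthDNS project; the nameserver labels and the 192.0.2.1 documentation address are constructed for illustration.

```python
import copy

# Constructed zone data mirroring the article's hierarchy (labels are hypothetical).
ZONES = {
    "root-ns":   {"delegations": {"xyz.": "xyz-ns"}, "addresses": {}},
    "xyz-ns":    {"delegations": {"my.xyz.": "my-xyz-ns"}, "addresses": {}},
    "my-xyz-ns": {"delegations": {}, "addresses": {"www.my.xyz.": "192.0.2.1"}},
}

def query(server, name, zones):
    """One nameserver lookup: an answer, a referral to a child zone, or nothing."""
    zone = zones[server]
    if name in zone["addresses"]:
        return ("answer", zone["addresses"][name])
    # A delegation applies when the queried name sits at or below the delegated zone.
    matches = [z for z in zone["delegations"] if name == z or name.endswith("." + z)]
    if matches:
        return ("referral", zone["delegations"][max(matches, key=len)])
    return ("nxdomain", None)

def resolve(name, zones, start="root-ns", max_hops=8):
    """Follow referrals from the root; return (address or None, servers contacted)."""
    server, path = start, []
    for _ in range(max_hops):
        path.append(server)
        kind, value = query(server, name, zones)
        if kind == "answer":
            return value, path
        if kind == "nxdomain":
            return None, path
        server = value  # referral: ask the child zone's nameserver next
    raise RuntimeError("too many referrals")

def delist(zones, parent, child_zone):
    """Copy of the zone data with the parent's delegation to child_zone removed."""
    changed = copy.deepcopy(zones)
    changed[parent]["delegations"].pop(child_zone, None)
    return changed

if __name__ == "__main__":
    print(resolve("www.my.xyz.", ZONES))
    delisted = delist(ZONES, "xyz-ns", "my.xyz.")
    print(resolve("www.my.xyz.", delisted))
    # The record is still held by the my.xyz nameserver, but nothing points to it.
    print(query("my-xyz-ns", "www.my.xyz.", delisted))
```

After delisting, the walk stops at the xyz nameserver even though the my.xyz nameserver still holds the record, which is the dependency on the parent zone that the article describes.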

EthDNS prevents such blacklisting because it is not hierarchical and is instead rooted in the blockchain. As seen above, once a domain is registered in ENS, it can be queried directly. As such there is no way the data can be blocked (short of the EthDNS nameservers refusing to serve the data, but see below).

DNS servers are very much a trusted part of the internet infrastructure, but that trust has been abused in the past. DNS hijacking and poisoning have occurred multiple times, resulting in users giving away security details or sites being censored. Because EthDNS only provides data from the blockchain it is possible for security-conscious systems to independently confirm the information supplied and/or bypass the nameservers entirely and take data directly from the EthDNS resolver, as shown below:

Client querying EthDNS resolver directly, removing the nameserver from the process

EthDNS nameservers follow a well-described system to obtain data from the EthDNS resolver (the ENS resolution process). As such it is possible for users to build or run their own EthDNS nameservers, avoiding any possibility of malicious nameservers providing incorrect information or blocking domains.

Current status

EthDNS is running nameservers backed by ENS on Ethereum’s Ropsten test network. For example, if you visit http://www.ensdns.xyz/ the address for www.ensdns.xyz comes from EthDNS name servers. Details on how to set up EthDNS for your own domain will be the focus of the next article.

Future plans

Once the EthDNS nameserver and resolver have been tested, the EthDNS resolver will be available on mainnet, and EthDNS nameservers will be deployed to allow running production-grade DNS on Ethereum.

At present, EthDNS does not provide the ability to store DNSSEC records. This is due to the costs and complexities of storing this information on-chain, especially the update costs when changing keys. There are plans for EthDNS nameservers to provide live signing of DNS results, as well as work to investigate the possibility of ENS supporting native DNSSEC with data held off-chain, for example on IPFS.

For further information and discussion about EthDNS please visit the Gitter discussion room for ENS at https://gitter.im/ethereum/go-ethereum/name-registry