The Case for Decentralized DNS

On Friday October 21, a major DNS provider called Dyn was hit with a massive DDoS attack, making sites like Reddit, Twitter, GitHub, Netflix, and others unavailable for many people in the eastern US. While DDoS attacks are nothing new, this attack was particularly devastating because the attacker didn’t even have to touch these sites. If knocking these sites offline was the intent of the attack, then hitting their shared DNS provider gave the attackers by far the biggest bang for their buck.

How did we get to this point?

Information gets routed across the Internet by IP addresses, which are easy for machines to use but hard for people to remember. To remedy this back in the early days of the Internet, networked computers had a special file called the HOSTS.TXT file which assigned easy-to-remember names like symbolics.com (one of the first such names) to network addresses of well-known computers.

By the mid 1980s, making sure each computer had the same HOSTS.TXT file became too hard to coordinate. To deal with this, the Domain Name System (DNS) was created to allow certain computers (DNS servers) to remember a subset of the name/IP mappings and serve them to other computers.

DNS is a hierarchical system that efficiently divides up the responsibility for translating a name to an IP address. When your computer looks up the IP address for webmail.cs.princeton.edu, for example, it first asks the well-known DNS server for edu for the IP address of the DNS server for princeton.edu. It then asks princeton.edu for the IP address of the DNS server for cs.princeton.edu, and finally asks cs.princeton.edu for the IP address of webmail.cs.princeton.edu.

Anyone can run a DNS server. But as the Internet became popular in the 1990s, an entire cottage industry sprang up around providing and managing DNS servers for you. As time went on, these businesses improved and consolidated, making it commonplace for a single DNS service like Dyn to manage the name/IP mappings for many different websites. These consolidations created single points of failure, which the attacker exploited. Only people who knew how to select an alternative DNS server (or happened to know the IP addresses for these websites) were able to access them during the attack.

Is this the last we’ve seen of this?

Doubtful. This particular attack hit a single DNS provider using, of all things, an army of hacked webcams. With the Internet-of-Things taking off, and with no standard way of patching and fixing IoT devices when they get hacked, we can expect to see more of these kinds of attacks. In fact, this is the second major IoT-based attack this month: the other being the attack on krebsonsecurity.com.

I personally switched my computer over to OpenDNS to avoid the attack. However, this isn’t a great solution in general, since (1) the attacker could also attack OpenDNS, and (2) if enough people switched over to a smaller DNS provider from a larger one like Dyn, they may accidentally overwhelm it and cause it to fail as well. While DNS servers can be configured to cache previously-queried IP addresses from other servers (to spread the request load around), this can lead to its own problems if it’s not carefully configured.
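As an added example (not code from the original post), the following Python models the delegation chain from the webmail.cs.princeton.edu walkthrough above, shows why one authoritative provider in that chain is a single point of failure, and shows how far a resolver's cache does and does not carry it through an outage. The zone data, the starting point at edu (the root step is omitted as in the walkthrough), and the 192.0.2.10 address are all constructed for the example.

```python
# Constructed zone data. Each authoritative server knows only its own records plus
# NS delegations to child zones. 192.0.2.0/24 is a documentation range, not a real host.
ZONES = {
    "edu": {"princeton.edu": ("NS", "princeton.edu")},
    "princeton.edu": {"cs.princeton.edu": ("NS", "cs.princeton.edu")},
    "cs.princeton.edu": {"webmail.cs.princeton.edu": ("A", "192.0.2.10")},
}
TTL = 300          # seconds a cached answer stays valid
OFFLINE = set()    # zones whose servers are unreachable (simulated provider outage)


def query(zone, name):
    """Ask one authoritative server: returns ("A", ip) or a ("NS", child_zone) referral."""
    if zone in OFFLINE:
        raise TimeoutError(f"no response from the {zone} servers")
    for owner, (rtype, value) in ZONES[zone].items():
        # A delegation covers the owner name itself and everything beneath it.
        if name == owner or name.endswith("." + owner):
            return rtype, value
    raise LookupError(f"{zone} has no record for {name}")


def resolve(name, cache, now):
    """Iterative resolution starting at edu, with a positive cache keyed by name."""
    if name in cache and cache[name][1] > now:
        return cache[name][0]               # served from cache, no network needed
    zone = "edu"
    while True:
        rtype, value = query(zone, name)
        if rtype == "A":
            cache[name] = (value, now + TTL)
            return value
        zone = value                        # follow the referral one level down


def simulate_outage(name, down_zone, cache):
    """Resolve once, knock one zone's servers offline, then retry before and after TTL expiry."""
    t0 = 1_000_000.0
    first = resolve(name, cache, t0)
    OFFLINE.add(down_zone)
    try:
        cached = resolve(name, cache, t0 + TTL - 1)   # still within TTL: cache answers
        try:
            resolve(name, cache, t0 + TTL + 1)         # TTL expired: must ask upstream
            after_expiry = "resolved"
        except TimeoutError:
            after_expiry = "failed"
    finally:
        OFFLINE.discard(down_zone)
    return first, cached, after_expiry
```

Taking any one zone in the chain offline (the provider hosting cs.princeton.edu, or edu itself) has the same effect once the cache entry expires, which is the single point of failure the post describes.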

What can we do about it?

Ironically, this attack would have been impossible prior to the mid-1980s, since every computer back then already knew the name/IP mappings for every other computer via the HOSTS.TXT file. The reason the Internet switched to DNS is because it removed the bureaucratic overhead of trying to do things like add webmail.cs.princeton.edu to all the world’s billions of computers’ HOSTS.TXT files. With DNS, only Princeton’s servers have to take care of requests for cs.princeton.edu and webmail.cs.princeton.edu. Moreover, if Princeton wanted to add or remove names or change their IP addresses, they only have to modify their DNS servers.

Can we get both the redundancy of HOSTS.TXT and the ease-of-management of DNS? Can we give every computer the same HOSTS.TXT file without the overhead required to keep it up to date? Turns out we can, using Blockstack.

Blockstack not only makes decentralized naming practical, but also more secure than DNS. Each Blockstack node learns the DNS information for each name in existence, as well as a public key associated with each name. By using the Bitcoin blockchain to bind the name to a public key and DNS information, Blockstack allows anyone to register a name while simultaneously ensuring that only the name’s owner can control it. If the Dyn attackers wanted to knock websites offline in Blockstack, they would have to attack either the individual sites, or attack the Bitcoin network itself. Even then, all the Dyn attackers could do is slow down name updates.

Where can I learn more about Blockstack?

Blockstack is a peer-reviewed system (USENIX ATC 2016, DCCL 2016). It is open source, and is available here. It has been running in production for 2+ years.

Slack: chat.blockstack.org
