ChainDNS - Secure DNS with ENS

DNS Security, Resilience and Privacy for All

ChainDNS

“The to-do list for those involved in Internet protocol development includes domain-name system security—preventing domain names from being hijacked for nefarious purposes and improving resilience, so that a shutdown in one part of the world doesn’t cause problems elsewhere.” (Vint Cerf, 2023 - https://spectrum.ieee.org/vint-cerf)

Many issues with the DNS exist today. These include susceptibility to data integrity attacks, privacy concerns, and denial-of-service attacks. Conventional DNS authority servers are often deployed with only a primary server and one or two secondary servers; this may be insufficient to withstand a large DDoS attack. User queries are transmitted in the clear and can be logged by ISPs, thereby enabling user surveillance or the sale of user browsing habits.

DNSSEC security extensions were developed in 2005 to protect DNS data integrity, but the actual deployment and use of DNSSEC has been disappointing. Statistics indicate that only 3.9% of .com domains use DNSSEC (as of March 2023). Despite advances in automation, DNS operators are often reluctant to deploy DNSSEC due to operational complexity and the risk of taking a zone offline should mistakes be made. The result is that most DNS messages remain vulnerable to counterfeiting.

We propose to implement “blockchain” DNS on Ethereum, which could address censorship of DNS access in countries where it is currently restricted (e.g. Ukraine, Iran). DNS is the internet's "phonebook" and must respond with correct answers, but today it is unsafe and easily spoofed. We might be able to provide a replacement for DNSSEC that is much simpler in design and deployment. This will increase security and integrity for anyone who uses the internet.

Our DNS Authority Server is based on a decentralized public blockchain (L1 and L2) and is integrated with the Ethereum Name System. Our ChainDNS architecture and implementation directly addresses the issues that exist with respect to data privacy, integrity, and availability in DNS. We simplify administrator workflow when compared to the procedures required to manage conventional DNS redundancy or to maintain DNSSEC signatures. ChainDNS is not meant to be a wholesale replacement for the existing DNS; it has instead been designed for compatibility and interoperability. ChainDNS is proposed as an improvement to current DNS authority server implementations and it fits well into the existing DNS ecosystem.

Prototype utility applications including the zone compiler, bcdig, port53 proxy and other tools have been written in Python. We’re requesting funding to make these early efforts more robust for scalability, performance, threading and production-level quality.

User guides, documentation and web administration tools are currently under development. In the meantime, you can try ChainDNS by invoking the Linux 'dig' command to retrieve data from the ChainDNS blockchain:

  • dig @bcdns.invykta.com -p 5353 invykta.com
  • dig @bcdns.invykta.com -p 5353 invykta.com MX
  • dig @bcdns.invykta.com -p 5353 colostate.edu
  • dig @bcdns.invykta.com -p 5353 cs.colostate.edu TXT
  • dig @bcdns.invykta.com -p 5353 stephen.hayne.certs.invykta2.com TXT

The results, of course, look just like a normal dig, but the data is coming from the blockchain. This demonstrates compatibility with conventional DNS.

Now try the following queries:

  • dig @bcdns.invykta.com -p 5353 google.com
  • dig @bcdns.invykta.com -p 5353 twitter.uk

We also still need to work on the following components, programs, and processes (but these will likely take future funding):

  • Unbound Resolver plugin
  • Multi-factor ERC 4733 wallet specific to this application (many DNS admins don’t know how to use MetaMask or wallets in general).
  • Mozilla TRR Trusted Resolver
  • Oracle TLD validation & policy
  • Testing resolvers with respect to protection against man-in-the-middle attacks: verification of provider responses using consensus checks similar to Helios.
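
As an added illustration of the consensus check named in the last item (this is not ChainDNS project code), the following Python compares the RRset returned for one query by several resolvers and refuses to trust an answer unless a quorum of them agree. It uses the invykta.com MX query from the demonstration above as constructed sample data; every resolver label and answer in it is an assumption, and nothing is fetched from the network.

```python
"""
Resolver consensus check for detecting tampered DNS answers.

Added illustration, not ChainDNS project code. All resolver labels and
answers below are constructed sample data; nothing is fetched from the
network. The quorum must exceed half of the resolvers queried so that at
most one RRset can win.
"""
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Types whose rdata consists of names or hex that compare case-insensitively.
NAME_TYPES = {"A", "AAAA", "NS", "CNAME", "MX", "PTR", "SRV"}


def canonical_rrset(rtype: str, rdata: Iterable[str]) -> FrozenSet[str]:
    """Canonicalise an RRset so that equivalent answers compare equal.

    Record order within an RRset carries no meaning, so the result is a set;
    owner/target names are case-insensitive and a trailing dot is only
    presentational. TXT and other opaque rdata are compared verbatim apart
    from surrounding whitespace.
    """
    canon = set()
    for record in rdata:
        tokens = record.split()
        if rtype.upper() in NAME_TYPES:
            tokens = [t.lower().rstrip(".") for t in tokens]
        canon.add(" ".join(tokens))
    return frozenset(canon)


def consensus_check(responses: Dict[str, List[str]], rtype: str, quorum: int
                    ) -> Tuple[Optional[FrozenSet[str]], List[str], str]:
    """Compare one RRset as returned by several resolvers.

    responses maps a resolver label to the rdata strings it returned (an
    empty list means "no data", which is itself an answer that must agree).
    Returns (agreed_rrset or None, dissenting resolvers, reason).
    """
    if quorum * 2 <= len(responses):
        raise ValueError("quorum must exceed half of the resolvers queried")
    canon = {label: canonical_rrset(rtype, rdata) for label, rdata in responses.items()}
    tally = Counter(canon.values())
    winner, votes = tally.most_common(1)[0]
    if votes < quorum:
        # No majority: treat the lookup as untrusted rather than picking a side.
        return None, sorted(canon), "no RRset reached quorum"
    dissenters = sorted(label for label, rrset in canon.items() if rrset != winner)
    return winner, dissenters, "ok"


# Constructed: what four resolvers might return for "invykta.com MX". The
# first label stands in for the ChainDNS authority on port 5353; the last
# is a deliberately altered answer such as a spoofing intermediary would
# inject, here with a documentation-only domain.
SAMPLE_MX = {
    "bcdns.invykta.com:5353": ["10 mail.invykta.com."],
    "resolver-a": ["10 MAIL.invykta.com"],      # same answer, different case and no dot
    "resolver-b": ["10 mail.invykta.com."],
    "resolver-c": ["10 mail.rogue.example."],   # constructed tampered answer
}

# Constructed: an even 2/2 split, which a quorum of 3 cannot resolve.
SAMPLE_SPLIT_A = {
    "resolver-a": ["192.0.2.10"],
    "resolver-b": ["192.0.2.10"],
    "resolver-c": ["198.51.100.7"],
    "resolver-d": ["198.51.100.7"],
}

if __name__ == "__main__":
    for name, sample, rtype in (("MX", SAMPLE_MX, "MX"), ("A", SAMPLE_SPLIT_A, "A")):
        agreed, dissent, reason = consensus_check(sample, rtype, quorum=3)
        print(name, "->", reason, "| agreed:", sorted(agreed) if agreed else None,
              "| dissenting:", dissent)
```

An empty answer is compared like any other RRset, so a resolver that silently drops records shows up as a dissenter instead of being ignored; a split vote returns no RRset at all, which is the safer outcome for a resolver that would otherwise have to guess.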