The Problem With DNS Today
DNS stands for Domain Name Service, so "DNS as a service" might sound redundant.
DNS is already a distributed system, but it has some pitfalls:
- When domain names expire, a completely different organization can own and operate a website without your knowledge.
- For example, when you go to bed, Good Guys Corp. may be running example.com, but in the morning, Bad Guys Inc. could be running example.com.
- Distributed Denial of Service (DDoS) attacks can bring down large websites, and site operators are frequently extorted for money with no real guarantee that the attack will be avoided if the money is paid.
- Websites are not secure by default. Very few websites use SSL/TLS encryption by default, allowing every computer between you and the website to snoop on your activity.
- ISPs are being court-ordered to block certain websites.
- Governments actively censor thousands of websites.
- Phishing attacks trick users into believing they are viewing their bank's website by using very similar-looking domain names.
- For example, ciibc.com might be used to trick users into thinking they are viewing cibc.com.
- Cybersquatters purchase domain names, like pepsi.com, in hopes that the real Pepsi company will pay millions of dollars to own the domain name.
- Cybersquatters also purchase domain names in bulk, creating an artificial shortage of available domain names and forcing people to purchase domain names at a much higher price.
- A few key U.S. organizations, like ICANN, have complete control over how our current DNS system works. The Internet belongs to everyone, and as such, no one country should have monopoly control over DNS, if it can be avoided.
- SSL/TLS certificates are expensive to purchase and own long-term.
- For most of the history of the Internet, Verisign Inc. owned a monopoly on SSL/TLS certificates, and would charge exorbitant prices.
Is There Any Solution?
Yes. Instead of using domain names, like example.com, we could use the SHA-512 fingerprint of SSL/TLS certificates as the top level of a naming tree.
Each entry, hereby known as a "Product Namespace", in this naming tree would consist of the following:
- An SSL/TLS public certificate - hereby known as the "Product Namespace Certificate"
- The SHA-512 fingerprint of the Product Namespace Certificate
- A person or organization name
- One or more products or services
Each product/service would contain the following:
- An identifier - either a title or picture
- Routing information - several IP addresses and Time-To-Live (TTL) information
- An SSL/TLS certificate - signed using the Product Namespace Certificate rather than by a public certificate authority
- In effect, each entry in this naming tree is a Root Certificate Authority for the products in its own Product Namespace.
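To make the entry structure above concrete, here is an added example in Go (not code from the gitDNS project): it issues a self-signed Product Namespace Certificate, issues a product certificate signed by it, computes the SHA-512 fingerprint, and performs the check a client would make before trusting an entry. The `issue` and `VerifyEntry` helpers, the names, and the throwaway Ed25519 keys are all assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the hex SHA-512 of the DER certificate, the key of a namespace in the tree.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha512.Sum512(c.Raw)) }

// issue signs a certificate for pub with signer (hypothetical helper). A nil parent
// yields a self-signed Product Namespace Certificate that acts as its own root CA.
func issue(cn string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent = tmpl // self-signed: issuer and subject are the same
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}

// VerifyEntry is what a client checks before trusting an entry: the stored fingerprint
// matches the namespace certificate and each product certificate chains to it alone.
func VerifyEntry(storedFpr string, ns *x509.Certificate, products ...*x509.Certificate) error {
	if Fingerprint(ns) != storedFpr {
		return fmt.Errorf("fingerprint mismatch: entry altered or belongs to another namespace")
	}
	roots := x509.NewCertPool() // the namespace cert is the only trust anchor, no public CAs
	roots.AddCert(ns)
	for _, p := range products {
		if _, err := p.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
			return fmt.Errorf("product %q: %w", p.Subject.CommonName, err)
		}
	}
	return nil
}
```

A product certificate signed by some other namespace's certificate fails `VerifyEntry` with "certificate signed by unknown authority", which is exactly the overnight-ownership-change case the first section describes.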
Enter gitDNS - a custom perspective of the Internet
This naming tree could be stored in a git repository, hence the name gitDNS. Changes could be pulled in using `git pull`, and branches could be created, merged, etc., to create a custom-tailored slice of the Internet.
For example, for a very narrow view of the Internet, you could merge the "Anglican" branch of the github.com/christian-network/gitdns repository, and also merge the "Computer Science" branch of github.com/uwaterloo/gitdns repository.
For a very broad view of the Internet, you could simply pull all the root entries from the github.com/gitdns/root-keys repository.
Security and Privacy By Default
Every product/service in a Product Namespace contains its own SSL/TLS certificate, which we can use to create an encrypted communication channel to the website.
Stop Internet Censoring
gitDNS allows us to stop Internet censorship.
- Domain name blocking would not be possible, since you are in control of which gitDNS entries you would like to use
- IP address blocking would not be possible
- ISPs would find it difficult to censor by IP address, as IP addresses can be easily changed
- Furthermore, IP address blocking can be avoided by grabbing IP addresses dynamically out of a common large pool (mesh IP addressing)
Advertising Your Product Namespace
There are various ways you could advertise your Product Namespace.
Longevity of Services
Websites are no longer threatened by domain name expiration or domain name ownership transfer.
Distributed Caching Web Servers
Instead of DNS servers, distributed caching web servers could be placed around the world that would serve you encrypted gitDNS websites. Tampering with the website data would be easily detected by your browser.
Distributed caching web servers would provide us with:
- Added protection from DDoS attacks - there is no single point of entry to attack (i.e. it would be impossible to DDoS a specific website)
- Added privacy - logging the IP addresses that end users connect to does not reveal anything, as a single IP address can be used to serve a million different websites in a single day
But Is It Web-Scale?
According to NetCraft, there are about a billion websites on the Internet. Using the SSL public certificate on FreeBSD.org as an example, the average size of a certificate with a 4096-bit key might be about 5 Kilobytes. The average gitDNS entry, with one product, might be around 10 Kilobytes. Multiplied by a billion, the entire Internet might be about 10 Terabytes, which could easily be stored on two or three consumer hard drives, or just one 10TB Ultrastar Archive Ha10.
Dealing With Phishing Attacks
One way might be to use client certificates.
When you first create an account with your bank, for example, your browser should create a client certificate and send the public key to your bank for storage, along with your username. Your browser should store your client certificate in a password protected key store.
When you log into your bank's website, or a website designed to trick you into believing it's your bank's website, your bank's website should:
- Ask you for your username
- Encrypt the remainder of your banking session using your stored certificate
- If your browser detects that the page is not encrypted with your certificate, it should prevent you from viewing the potential phishing attack website