EmerDNS - an alternative to DNSSEC

    image

    The classic DNS that is specified in rfc1034 does not kick only lazy. With a very high efficiency, it really is not protected in any way, which allows attackers to transfer traffic to fake sites by spoofing DNS answers for intermediate cache servers (cache poisoning). Somehow https is struggling with this scourge with its SSL certificates, which allow you to detect site spoofing. But users usually don’t understand anything in SSL, and they automatically click on “continue” to warn about certificate inconsistencies, as a result of which they sometimes suffer financially .


    In order to somehow stop the disgrace of poisoning DNS caches and intercepting traffic, DNSSEC was invented , which is a security add-on to the classic DNS and is currently being implemented on the Internet, controlled by ICANN. The process of implementation, frankly, is not going so fast: the vast majority of commercial companies and other organizations openly ignore the challenges of modern times, even IT giants like Google and Yandex do not have digital signatures of their domain zones. And our competent comrades, who care about everything, are also in no hurry to protect themselves on this side. And only competent gentlemen, who really care about everything, is everything in order. Well and also at the organizations which actually are engaged in DNSSEC implementation, for example, verteiltesysteme.net . What can we say about some organizations, if so far ~ 10% of top-level domains (TLDs) do not have DNSSEC signatures !


    Why did a situation happen that can rightly be called mass sabotage? Indeed, DNSSEC technologies are free and widely available for many years! We see a number of reasons for this:


    1. Security is strong. The topic is complicated for the average system administrator, and he prefers not to mess with it. After all, the DNSSEC domain zone must not only be created, but also regularly maintained - updated keys, etc.
    2. Human optimism: Nothing will happen to us, and everything will be fine. The trouble is not with us. So, nothing needs to be done. Do not believe? Then a backfill question: Do you have a fire extinguisher at home?
    3. A very good alternative protection is provided by https / ssl, which well diagnose the user’s transfer to a fake site. Another thing is that the user usually ignores the corresponding warnings.
    4. DNSSEC only protects against cache poisoning by strangers. It does not protect the provider server from the cache, the domain zone server, or the domain registrar from being compromised by the attacker. By the way, it was the latter that led to the seizure of the blockchain.info domain .
    5. Using DNSSEC reduces the performance of the DNS subsystem by about five times , and requires more network and computing resources than classic DNS.

    Thus, we see that although DNSSEC will be safer than classical DNS, it is nevertheless a palliative, and does not completely solve the problem of data reliability - even if all admins suddenly flush up with hard work and do everything as expected. Moreover, the palliative is expensive - a fivefold decrease in the performance of the main subsystem, on which the real speed of the Internet’s work depends, is not a joke.

    Let's also pay attention to the fact that the domain search in the distributed classical DNS and its successor DNSSEC occurs at the time of the user's request. That is, just when the user most needs a computing and network resource to transfer data, and not to find out who is xy, and verify the corresponding signatures. Accordingly, cache updates and other DNS-work is done at the most “expensive” time, when the user needs his page, and not the internal work “under the hood”. Well, it’s clear that for the network to work successfully, it is necessary that all involved DNS servers are “in good health” and work as they should. If some intermediate server fails, a whole network segment “falls off”, which we observe from time to time .


    The alternative to both classical DNS and DNSSEC considered here is EmerDNS, which is built on blockchain technology. Unlike hierarchical DNS / DNSSEC, EmerDNS is a peer-to-peer "flat" network, from which domain registrars, domain zone holders and intermediate caches are excluded. And since there are none, then there is nothing and no one to compromise. In this system, each EmerDNS node holds a complete blockchain, that is, the entire database of names and other transactions. And the reliability of the data (the fact that they are the same for everyone) is provided by the blockchain technology itself and the public consensus of POS + POW miners. The latter ensures the absence of a “god mode" for anyone, including system developers. Neither we nor anyone else can voluntarily cancel or change any arbitrary entries. Entries can only be updated by their owners, and not by anyone else. In a way, EmerDNS is similar to the hosts file, where there are records of all known sites. But unlike hosts:


    • Each line in EmerDNS can only be modified by its owner, and no one else.
    • The impossibility of “the intervention of God (super-admin)” is ensured by the consensus of miners.
    • This file is the same for everyone, which is provided by the blockchain replication mechanism.
    • A quick search engine is attached to the file.

    Updates to this database occur asynchronously to user requests, at the time of the appearance of new blocks, using push technology. That is, at the moment when the user decided to go to some website, all current and verified DNS records are already located locally in a pre-indexed database, and translation of domain names into addresses is done locally, without any queries (especially recursive) to which or external resources. This approach makes EmerDNS extremely fast. In addition, it is clear that at the time of resolving a domain name, it is absolutely not required that any DNS servers somewhere on the Internet be “in good health”.

    This architectural approach makes EmerDNS extremely fast, secure and fault tolerant. The disadvantage of this architecture is the need to keep a copy of the blockchain on each node. And there is not only information about domains, but also transactions, and in general everything that all others have contributed to this database. But at the current price and capacity of disk drives, when even hundreds of gigabytes do not look like something expensive for ordinary users, this is a very reasonable price for speed and security. Moreover, the Emer blockchain weighs not more than 300 mb.


    Another drawback of such a system is the need to pay the system a certain amount of Emercoins for each update of information about domain records. But at current prices (about $ 0.1 for creating a record and $ 0.01 for updating), it is still many times cheaper than keeping names with domain registrars (about $ 10 per year). Indeed, for the same $ 10 you can buy three updates a day for a year at current prices.

    The differences between the various DNS systems are summarized in the table:

    image

    EmerDNS exists and has been operating steadily since 2014. Detailed instructions for working with it are given on the wiki of the Emercoin project .



    High fault tolerance and system security parameters resulted in the owners transferring sites blocked by RosKomNadzor to the EmerDNS domain zones. Read more about this in the article .



    Maxima and Pornolab sites provide Russian-language instructions for clients on how to connect to the system through OpenNIC . Also access for clients is provided by browser plugins from Peername and Fri-Gate .


    It is clear that when using OpenNIC or other external servers, user requests can still be intercepted and replaced. Also, theoretically, problems may arise when compromising the OpenNIC DNS gateways themselves. Therefore, the most secure option is when the gateway in EmerDNS is deployed in a trusted network (local, home, corporate), and it only holds the blockchain, and all users access it in the usual way, with lightweight DNS queries. With this architecture, users get high reliability and security, and there is no need to keep the blockchain on each computer. The wiki article provides examples of how to configure such a server with the most popular proxy DNS servers - BIND and DNSMASQ.


    For more information on EmerDNS, see this article .

    And you can learn more about Emercoin in our blog, or on Cryptor .


    Also popular now: