A Censorship Resistant and Fully Decentralized Name System The GNU Alternative Domain System Martin Schanzenbach Master’s Thesis October 5, 2012 Martin Schanzenbach (TUM) GNU Alternative Domain System 1
Secure, Memorable, Global: Choose Two Zooko’s Triangle Secure Petname Systems n o i n T o or mnemonic . r o T GADS URLs DNSSEC Global DNS Memorable Martin Schanzenbach (TUM) GNU Alternative Domain System 2
Background: Domain Name System Root Zone (.com, .us, ...) ... .com Zone .us Zone (.example.com, ...) (.example.us, ...) ... ... ... ... .example.us Zone (www.example.us, ...) ... ... Martin Schanzenbach (TUM) GNU Alternative Domain System 3
Background: Domain Name System Wo controls the root zone? ICANN? IANA? ”The Internet Corporation for Assigned Names and Numbers (ICANN) currently performs the IANA functions, on behalf of the United States Government, through a contract with NTIA.” - http://www.ntia.doc.gov Martin Schanzenbach (TUM) GNU Alternative Domain System 4
Overview Properties of GADS Decentralized, distributed name system Secure, memorable, per-user name space in .gads Secure, globally unique name space in .zkey Linked per-user zones: delegation Martin Schanzenbach (TUM) GNU Alternative Domain System 5
Registering a name in GADS Bob creates a Public Key pair K Bob pub , K Bob priv Zone “PKEY”: Hash ( K Bob pub ) = 8FS7 Bob refers to his webserver via www.gads or www.8FS7.zkey How can others resolve the IP? Martin Schanzenbach (TUM) GNU Alternative Domain System 6
Registering a name in GADS Bob publishes his mappings in the DHT ... along with signatures Bob gives his PKEY to his friends via QR code: Bob Builder, Ph.D. Address: Country, Street Name 23 Phone: 555-12345 Mobile: 666-54321 Mail: bob@tum.gads Martin Schanzenbach (TUM) GNU Alternative Domain System 7
Registering a name in GADS (cont.) Local Zone: Alice K pub . . . bob PKEY 8FS7 . Bob Builder, Ph.D. . . Address: Country, Street Name 23 Phone: 555-12345 Mobile: 666-54321 Mail: bob@tum.gads Alice K priv Alice Alice learns Bob’s PKEY Alice delegates the subdomain bob to Bob’s zone 8FS7 Alice refers to Bob’s webserver via www.bob.gads or www.8FS7.zkey How does she get the IP? Martin Schanzenbach (TUM) GNU Alternative Domain System 8
Name Resolution in GADS www.bob.gads ? 1 Local Zone . . . 'bob' 2 bob PKEY 8FS7 . . . Alice 3 PKEY 5 4 www: 5.6.7.8 GET www in 8FS7 0 PUT www: 5.6.7.8 DHT Bob in 8FS7 Martin Schanzenbach (TUM) GNU Alternative Domain System 9
From DNS to GADS Names that are not globally unique are trouble! How do we create links? How can we make virtual hosting work? How will we validate X.509 Certificates? Martin Schanzenbach (TUM) GNU Alternative Domain System 10
Solution: Relative Names Relative Names Bob wants to share the link www.carol. + Bob interprets this name as www.carol. gads Alice interprets this name as www.carol. bob.gads Client translates names appropriately: Client-Side Local Proxy HTTP GET HTTP GET Host: www.bob.gads Host: www.bob.gads Local Proxy <html>... <html>... <a href ="www.carol.bob.gads"> <a href ="www.carol.+"> Alice ...</html> ...</html> Martin Schanzenbach (TUM) GNU Alternative Domain System 11
Legacy Hostname (LEHO) Records Virtual Hosting with LEgacy HOstnames LEHO records provide LEgacy HOstnames for names Example: www(.+) → www.bobswebsite.com HTTP GET HTTP GET Host: www.bob.gads Host: www.bobwebsite.com Local Proxy <html>... <html>... <a href ="www.carol.bob.gads"> <a href ="www.carol.+"> Alice ...</html> ...</html> Martin Schanzenbach (TUM) GNU Alternative Domain System 12
SSL Certificates Server offers certificate to client HTTP GET HTTP GET Host: www.bobswebsite.com:443 Host: www.bob.gads:443 Local Proxy Alice Server www.bob.gads www.bobswebsite.com Verification: Old way: Follow CA chain to “trust” anchor(s) Secure way: Use DANE 1 TLSA RRs! 1 rfc6698 Martin Schanzenbach (TUM) GNU Alternative Domain System 13
Status of Implementation and Migration Implementation GADS resolver on top of GNUnet Client Proxy Zone management tools with QR export and import Migration DNS and GADS can co-exist DNS-to-GADS gateways OS integration Future Work Usability Evaluation/User acceptance TLSA verification in proxy Internationalized Names (IDN) Martin Schanzenbach (TUM) GNU Alternative Domain System 14
End Thank you! Martin Schanzenbach (TUM) GNU Alternative Domain System 15
DNS-to-GADS Gateways Subdomain Gateway www.QXDA.zkey.eu ? DHT try 91.200.16.100 Client DNS Root Server www.QXDA.zkey.eu ? try 188.95.234.4 GET www.QXDA.zkey.eu ? IP: 192.0.2.1 QXDA xor H('www') IP: 192.0.2.1 .eu TLD Server www.QXDA.zkey ? GADS IP: 192.0.2.1 authoritative DNS Server for zkey.eu Martin Schanzenbach (TUM) GNU Alternative Domain System 16
DNS-to-GADS Gateways Local Network Gateway DHT GET IP: 192.0.2.1 QXDA xor H('www') www.QXDA.zkey ? GADS IP: 192.0.2.2 DNS Query www.example.com ? DNS Response DNS-to-GADS proxy IP: 192.0.2.1 gateway Client Subnet Recursive DNS Server Martin Schanzenbach (TUM) GNU Alternative Domain System 17
Appendix 60 User % of new domains manually typed 50 40 30 20 10 0 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 # of unique domains visited Martin Schanzenbach (TUM) GNU Alternative Domain System 18
Appendix .com Stub .gads iptables resolver response redirect DNS Interceptor response e s n o .com, .org, etc. p s e r s d a g . GADS DNS Martin Schanzenbach (TUM) GNU Alternative Domain System 19
Recommend
More recommend
