SLIDE 1

A Censorship Resistant and Fully Decentralized Name System

The GNU Alternative Domain System Martin Schanzenbach

Master’s Thesis

October 5, 2012

Martin Schanzenbach (TUM) GNU Alternative Domain System 1

SLIDE 2

Secure, Memorable, Global: Choose Two

Zooko’s Triangle

Figure (Zooko's Triangle): corners Secure, Global and Memorable. Systems placed in the figure: DNS, Tor (.onion addresses), Petname Systems, Tor mnemonic URLs, DNSSEC, GADS.

SLIDE 3

Background: Domain Name System

Figure (DNS hierarchy):
  • Root Zone (.com, .us, ...)
  • .com Zone (.example.com, ...), .us Zone (.example.us, ...), ...
  • example.us Zone (www.example.us, ...), ...

SLIDE 4

Background: Domain Name System

Who controls the root zone? ICANN? IANA?

"The Internet Corporation for Assigned Names and Numbers (ICANN) currently performs the IANA functions, on behalf of the United States Government, through a contract with NTIA."

  • http://www.ntia.doc.gov

SLIDE 5

Overview

Properties of GADS
  • Decentralized, distributed name system
  • Secure, memorable, per-user name space in .gads
  • Secure, globally unique name space in .zkey
  • Linked per-user zones: delegation

SLIDE 6

Registering a name in GADS

Bob creates a public key pair (K_Bob_pub, K_Bob_priv)

Zone "PKEY": Hash(K_Bob_pub) = 8FS7

Bob refers to his webserver via www.gads or www.8FS7.zkey. How can others resolve the IP?

SLIDE 7

Registering a name in GADS

Bob publishes his mappings in the DHT ... along with signatures.

Bob gives his PKEY to his friends via QR code:

Bob Builder, Ph.D. Address: Country, Street Name 23 Phone: 555-12345 Mobile: 666-54321 Mail: bob@tum.gads

SLIDE 8

Registering a name in GADS (cont.)

Alice's local zone (signed with her own key pair K_Alice_pub / K_Alice_priv):

  bob PKEY 8FS7
  . . .

Alice scans Bob's card (Bob Builder, Ph.D., Mail: bob@tum.gads, ...) and learns Bob's PKEY. Alice delegates the subdomain bob to Bob's zone 8FS7. Alice refers to Bob's webserver via www.bob.gads or www.8FS7.zkey. How does she get the IP?

SLIDE 9

Name Resolution in GADS

Figure (resolution of www.bob.gads; Bob has earlier done PUT www: 5.6.7.8 in 8FS7 into the DHT):
  1. Alice asks: www.bob.gads ?
  2. The resolver consults Alice's local zone
  3. Local zone: bob PKEY 8FS7
  4. DHT GET www in 8FS7
  5. Answer: www: 5.6.7.8

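The registration and resolution steps of slides 6 to 9 carried through in code. This is an added example written for this page, not code from the thesis or from GNUnet. It assumes an in-memory map in place of the DHT, Ed25519 for the zone key pair, a SHA-256 of the public key as the zone id (the slides abbreviate it to 8FS7), a hash over zone id and label as the DHT key where the slides write zone xor H(label), and a record layout and signed-message format of my own; Alice's petname for Bob stays in her local zone and never touches the DHT, while Bob's records are fetched from the DHT and accepted only if signed by the key that hashes to his zone id.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Record is one zone mapping: PKEY delegates a label to the zone whose id is Value; A is an IPv4 address.
type Record struct{ Type, Value string }

// Zone is a GADS zone: the owner's key pair plus the local label -> record mappings.
type Zone struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	Recs map[string]Record
}

// dhtEntry is what a zone owner PUTs: record, signing key and signature, verifiable without trusting the DHT.
type dhtEntry struct {
	Pub ed25519.PublicKey
	Rec Record
	Sig []byte
}

// DHT stands in for the real distributed hash table (assumption: a plain map).
type DHT map[string]dhtEntry

func NewZone() *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand, which does not return errors
	return &Zone{pub, priv, map[string]Record{}}
}

// ZoneID is the zone's PKEY, Hash(K_pub); the slides abbreviate it to 8FS7, the full hash is kept here.
func ZoneID(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}

// dhtKey derives the DHT key from zone id and label (the slides write it as zone xor H(label)).
func dhtKey(zid, label string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(zid+"\x00"+label)))
}

// signedBytes is the message the signature covers: zone, label, type and value.
func signedBytes(zid, label string, r Record) []byte {
	return []byte(strings.Join([]string{zid, label, r.Type, r.Value}, "\x00"))
}

// Publish PUTs one signed record of the zone into the DHT.
func (z *Zone) Publish(d DHT, label string) {
	zid, r := ZoneID(z.Pub), z.Recs[label]
	d[dhtKey(zid, label)] = dhtEntry{z.Pub, r, ed25519.Sign(z.priv, signedBytes(zid, label, r))}
}

// lookup reads label in zone zid: locally for the resolver's own zone (petnames), otherwise
// from the DHT, accepting the entry only if its signing key hashes to zid and its signature verifies.
func lookup(d DHT, local *Zone, zid, label string) (Record, error) {
	if zid == ZoneID(local.Pub) {
		if r, ok := local.Recs[label]; ok {
			return r, nil
		}
		return Record{}, fmt.Errorf("%s: not in local zone", label)
	}
	e, ok := d[dhtKey(zid, label)]
	if !ok || ZoneID(e.Pub) != zid || !ed25519.Verify(e.Pub, signedBytes(zid, label, e.Rec), e.Sig) {
		return Record{}, fmt.Errorf("%s in %s: missing or not validly signed by the zone owner", label, zid)
	}
	return e.Rec, nil
}

// Resolve handles both name spaces: www.bob.gads starts in the resolver's own zone and
// follows PKEY delegations; www.<ZoneID>.zkey starts in the zone named by the hash.
func Resolve(d DHT, local *Zone, name string) (string, error) {
	labels := strings.Split(name, ".")
	n, zid := len(labels)-1, ZoneID(local.Pub)
	if labels[n] == "zkey" && n > 0 {
		zid, n = labels[n-1], n-1
	} else if labels[n] != "gads" {
		return "", fmt.Errorf("%s: not a GADS name", name)
	}
	for i := n - 1; i >= 0; i-- { // walk the labels right to left
		r, err := lookup(d, local, zid, labels[i])
		if err != nil {
			return "", err
		}
		if i == 0 && r.Type == "A" {
			return r.Value, nil
		}
		if i == 0 || r.Type != "PKEY" {
			return "", fmt.Errorf("%s: unexpected %s record", labels[i], r.Type)
		}
		zid = r.Value
	}
	return "", fmt.Errorf("%s: no labels before the TLD", name)
}

func main() {
	d, alice, bob := DHT{}, NewZone(), NewZone()
	bob.Recs["www"] = Record{"A", "5.6.7.8"}
	bob.Publish(d, "www")
	alice.Recs["bob"] = Record{"PKEY", ZoneID(bob.Pub)} // PKEY learned from Bob's QR code
	fmt.Println(Resolve(d, alice, "www.bob.gads"))
	fmt.Println(Resolve(d, alice, "www."+ZoneID(bob.Pub)+".zkey"))
}
```

The check that matters is in lookup: a DHT node can serve a stale or forged entry, but it cannot make one verify against a key whose hash is the zone id without the zone owner's private key, so the DHT is only trusted for availability, never for integrity.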
SLIDE 10

From DNS to GADS

Names that are not globally unique are trouble!
  • How do we create links?
  • How can we make virtual hosting work?
  • How will we validate X.509 Certificates?

SLIDE 11

Solution: Relative Names

Relative Names

Bob wants to share the link www.carol.+
  • Bob interprets this name as www.carol.gads
  • Alice interprets this name as www.carol.bob.gads

Client translates names appropriately: Client-Side Local Proxy

Figure: Alice's browser sends HTTP GET with Host: www.bob.gads to the local proxy, which forwards HTTP GET with Host: www.bob.gads to the server. The page comes back containing <a href="www.carol.+">; the proxy rewrites it to <a href="www.carol.bob.gads"> before handing the page to Alice.

SLIDE 12

Legacy Hostname (LEHO) Records

Virtual Hosting with LEgacy HOstnames

LEHO records provide LEgacy HOstnames for names. Example: www(.+) → www.bobswebsite.com

Figure: Alice's browser sends HTTP GET with Host: www.bob.gads to the local proxy; the proxy looks up the LEHO record and forwards HTTP GET with Host: www.bobswebsite.com to the server, so the server's virtual hosting sees the name it knows. Links in the returned page (<a href="www.carol.+">) are again rewritten to <a href="www.carol.bob.gads">.

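The two proxy rewrites of slides 11 and 12 (relative names on the way in, LEHO on the way out), as an added example written for this page; it is not the proxy from the thesis. It assumes the LEHO records have already been resolved into a map keyed by GADS host name, that the zone a "+" refers to is the host name minus its first label (the label that carried the A record), and it only rewrites href and src attributes.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// LEHO maps a GADS host name to its LEgacy HOstname, standing in for the LEHO
// records the proxy would obtain from resolution (assumption: already resolved).
type LEHO map[string]string

// ZoneOf returns the zone a host name was resolved in: the name minus its first
// label, without any port. A "+" in a relative link stands for this zone.
func ZoneOf(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	if i := strings.IndexByte(host, '.'); i >= 0 {
		return host[i+1:]
	}
	return host
}

// relLink matches href/src attributes whose value ends in the relative marker ".+".
// (RE2 has no backreferences, so the closing quote is captured separately.)
var relLink = regexp.MustCompile(`(?i)(href|src)\s*=\s*(["'])([^"']*)\.\+(["'])`)

// RewriteLinks expands relative names in a page served under host, so that the
// browser sees www.carol.bob.gads (Alice) or www.carol.gads (Bob) for www.carol.+.
func RewriteLinks(page, host string) string {
	return relLink.ReplaceAllString(page, "${1}=${2}${3}."+ZoneOf(host)+"${4}")
}

// UpstreamHost is the Host header the proxy sends to the real server: the LEHO
// value when the zone has one (port preserved), the GADS name otherwise.
func UpstreamHost(host string, leho LEHO) string {
	name, port, err := net.SplitHostPort(host)
	if err != nil {
		name, port = host, ""
	}
	legacy, ok := leho[name]
	if !ok {
		return host
	}
	if port != "" {
		return net.JoinHostPort(legacy, port)
	}
	return legacy
}

// ProxyExchange models one round trip through the client-side proxy: rewrite the
// outgoing Host header, then rewrite relative links in the page that comes back.
func ProxyExchange(clientHost, serverPage string, leho LEHO) (outHost, clientPage string) {
	return UpstreamHost(clientHost, leho), RewriteLinks(serverPage, clientHost)
}

func main() {
	leho := LEHO{"www.bob.gads": "www.bobswebsite.com"} // constructed LEHO mapping
	page := `<html><a href ="www.carol.+">Carol</a></html>` // constructed server response
	host, out := ProxyExchange("www.bob.gads:443", page, leho)
	fmt.Println("Host:", host)
	fmt.Println(out)
}
```

Absolute links (anything not ending in ".+") pass through untouched, and a host without a LEHO record is forwarded under its GADS name, which is the case where the origin server must itself understand .gads names.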
SLIDE 13

SSL Certificates

Server offers certificate to client

Figure: Alice connects to www.bob.gads:443 through the local proxy; the proxy connects to the server as www.bobswebsite.com:443 (Host: www.bobswebsite.com:443). The certificate the server offers is for www.bobswebsite.com, while Alice asked for www.bob.gads.

Verification:
  • Old way: Follow CA chain to "trust" anchor(s)
  • Secure way: Use DANE TLSA RRs! (RFC 6698)
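What the "secure way" on this slide amounts to in code: matching a TLSA record (RFC 6698) against the leaf certificate the server presented. This is an added example written for this page, not the proxy's own verification (the slides list TLSA verification in the proxy as future work). It assumes the TLSA record has already been fetched and verified through the zone like any other record, and it only accepts usage 3 (DANE-EE), where the record pins the end-entity certificate and no CA chain is consulted; the certificate is a self-signed one generated in the block for demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA is the RDATA of a TLSA resource record (RFC 6698 section 2.1).
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

// fingerprint is the "certificate association data" RFC 6698 derives from a
// certificate: selector 0 = full DER certificate, 1 = SubjectPublicKeyInfo;
// matching type 0 = raw bytes, 1 = SHA-256, 2 = SHA-512.
func fingerprint(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var part []byte
	switch selector {
	case 0:
		part = cert.Raw
	case 1:
		part = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matching {
	case 0:
		return part, nil
	case 1:
		s := sha256.Sum256(part)
		return s[:], nil
	case 2:
		s := sha512.Sum512(part)
		return s[:], nil
	}
	return nil, fmt.Errorf("unsupported matching type %d", matching)
}

// MakeTLSA builds the DANE-EE (usage 3) record a zone owner would publish for a certificate.
func MakeTLSA(cert *x509.Certificate, selector, matching uint8) (TLSA, error) {
	d, err := fingerprint(cert, selector, matching)
	return TLSA{3, selector, matching, d}, err
}

// VerifyDANEEE accepts the leaf certificate the server presented if any usage-3
// record matches it. Usage 3 pins the end-entity certificate alone, which is what
// lets the proxy trust the certificate for www.bobswebsite.com via Bob's zone.
// Records with unknown selector or matching type are unusable and skipped.
func VerifyDANEEE(records []TLSA, leaf *x509.Certificate) error {
	for _, r := range records {
		if r.Usage != 3 {
			continue // usages 0-2 also require PKIX chain validation; not handled here
		}
		if d, err := fingerprint(leaf, r.Selector, r.Matching); err == nil && bytes.Equal(d, r.Data) {
			return nil
		}
	}
	return fmt.Errorf("no usable DANE-EE record matches the presented certificate")
}

// SelfSigned makes a throwaway certificate for cn (demonstration material, not a real server's).
func SelfSigned(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	cert := SelfSigned("www.bobswebsite.com")
	rec, _ := MakeTLSA(cert, 1, 1) // "3 1 1": pin the SPKI by its SHA-256
	fmt.Printf("TLSA %d %d %d %x\n", rec.Usage, rec.Selector, rec.Matching, rec.Data)
	fmt.Println("presented cert matches:", VerifyDANEEE([]TLSA{rec}, cert) == nil)
	fmt.Println("other key matches:", VerifyDANEEE([]TLSA{rec}, SelfSigned("www.bobswebsite.com")) == nil)
}
```

Pinning the SPKI ("3 1 1") rather than the whole certificate lets the server renew the certificate without republishing the record as long as the key stays the same; the name mismatch between www.bob.gads and www.bobswebsite.com does not matter here because the check is against the key, not the certificate's names.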

SLIDE 14

Status of Implementation and Migration

Implementation
  • GADS resolver on top of GNUnet
  • Client Proxy
  • Zone management tools with QR export and import

Migration
  • DNS and GADS can co-exist
  • DNS-to-GADS gateways
  • OS integration

Future Work
  • Usability Evaluation/User acceptance
  • TLSA verification in proxy
  • Internationalized Names (IDN)

SLIDE 15

End

Thank you!

SLIDE 16

DNS-to-GADS Gateways

Subdomain Gateway

Figure: the DNS domain zkey.eu is served by an authoritative DNS server that answers from GADS.
  1. Client asks the DNS Root Server: www.QXDA.zkey.eu ? → try 91.200.16.100 (.eu TLD Server)
  2. Client asks the .eu TLD Server: www.QXDA.zkey.eu ? → try 188.95.234.4 (authoritative DNS Server for zkey.eu)
  3. Client asks the zkey.eu server: www.QXDA.zkey.eu ?
  4. The zkey.eu server resolves www.QXDA.zkey ? in GADS: DHT GET QXDA xor H('www') → IP: 192.0.2.1
  5. Client receives IP: 192.0.2.1

SLIDE 17

DNS-to-GADS Gateways

Local Network Gate­way

Figure: a Recursive DNS Server in the Client Subnet acts as DNS-to-GADS proxy gateway. Clients send ordinary DNS queries; the gateway answers www.example.com ? from DNS and www.QXDA.zkey ? from GADS (DHT GET QXDA xor H('www')), returning a normal DNS Response (IP: 192.0.2.1 and IP: 192.0.2.2 in the figure) either way.

SLIDE 18

Appendix

Figure: per-user plot of "% of new domains manually typed" (10 to 60) against "# of unique domains visited" (1000 to 9000).

SLIDE 19

Appendix

Figure (DNS interception on the client): the Stub resolver's queries are redirected by iptables to a DNS Interceptor; queries for .gads go to GADS, queries for .com, .org, etc. go to DNS, and the responses are passed back to the stub resolver.