
A Censorship Resistant and Fully Decentralized Name System

The GNU Alternative Domain System

Martin Schanzenbach

Master's Thesis

September 17, 2012

Martin Schanzenbach (TUM) GNU Alternative Domain System 1

Secure, Memorable, Global: Choose Two

Figure: Zooko's Triangle with the corners Secure, Global and Memorable.

Systems placed on the triangle: DNS, Tor .onion, petname systems, Tor mnemonic URLs, DNSSEC, GADS


Background: Domain Name System

Figure: the DNS zone hierarchy.

Root Zone (.com, .us, ...)
    .com Zone (.example.com, ...)
    .us Zone (.example.us, ...)
        .example.us Zone (www.example.us, ...)
    ... ... ...


Background: Domain Name System

Who controls the root zone? ICANN? IANA?

"The Internet Corporation for Assigned Names and Numbers (ICANN) currently performs the IANA functions, on behalf of the United States Government, through a contract with NTIA." - http://www.ntia.doc.gov


Overview

Properties of GADS

Decentralized, distributed name system

Secure, memorable, per-user name space in .gads

Secure, globally unique name space in .zkey

Linked per-user zones: delegation


Registering a name in GADS

Bob creates a public key pair K_pub^Bob, K_priv^Bob

Zone "PKEY": Hash(K_pub^Bob) = 8FS7

Bob refers to his webserver via www.gads or www.8FS7.zkey

How can others resolve the IP?


Registering a name in GADS

Bob publishes his mappings in the DHT... along with signatures

Bob gives his PKEY to his friends via QR code:

Bob Builder, Ph.D.
Address: Country, Street Name 23
Phone: 555-12345
Mobile: 666-54321
Mail: [email protected]


Registering a name in GADS (cont.)

Figure: Alice's local zone (Alice holds K_priv^Alice, K_pub^Alice) after scanning Bob's QR code business card (Bob Builder, Ph.D.; Address: Country, Street Name 23; Phone: 555-12345; Mobile: 666-54321; Mail: [email protected]).

Local Zone:

bob PKEY 8FS7 ...

Alice learns Bob's PKEY

Alice delegates the subdomain bob to Bob's zone 8FS7

Alice refers to Bob's webserver via www.bob.gads or www.8FS7.zkey

How does she get the IP?


Name Resolution in GADS

Figure: Alice resolves www.bob.gads; Bob's zone 8FS7 lives in the DHT, Alice's local zone holds "bob PKEY 8FS7".

0. Bob: PUT www: 5.6.7.8 in 8FS7 (into the DHT)
1. Alice: www.bob.gads ?
2. Look up 'bob' in Alice's Local Zone
3. Local Zone answers: bob PKEY 8FS7
4. DHT: GET www in 8FS7
5. DHT answers: www: 5.6.7.8


From DNS to GADS

Names that are not globally unique are trouble!

How do we create links?

How can we make virtual hosting work?

How will we validate X.509 Certificates?


Solution: Relative Names

Relative Names

Bob wants to share the link www.carol.+

Bob interprets this name as www.carol.gads

Alice interprets this name as www.carol.bob.gads

Client translates names appropriately:

Client-Side Local Proxy

Figure: Alice's browser sends HTTP GET (Host: www.bob.gads) to the Local Proxy, which forwards HTTP GET (Host: www.bob.gads) to the server. The server's page contains <a href="www.carol.+">; the proxy rewrites it to <a href="www.carol.bob.gads"> before returning the page to Alice.
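Added example, not code from the thesis or from GNUnet: a Python sketch of the label-by-label resolution walk from the "Name Resolution in GADS" slide and the relative-name rewrite from this slide, keyed into a toy DHT with the rule shown on the gateway slides (zone id XOR H(name)). The zone ids 8FS7 and C0L1, the sample records, the local-zone layout and the hashing of both XOR operands are constructed assumptions; signature checks on DHT records are left out.

```python
import hashlib

def dht_key(zone_id: str, name: str) -> bytes:
    """Key a record is published under: zone id XOR H(name), as in 'GET QXDA xor H(www)'
    on the gateway slides. Both operands are SHA-256 hashed here for equal length (assumption)."""
    a = hashlib.sha256(zone_id.encode()).digest()
    b = hashlib.sha256(name.encode()).digest()
    return bytes(x ^ y for x, y in zip(a, b))

class Dht:
    """Minimal in-memory stand-in for the GNUnet DHT; record signatures are not modelled."""
    def __init__(self):
        self.store = {}
    def put(self, zone_id, name, rtype, value):
        self.store[dht_key(zone_id, name)] = (rtype, value)
    def get(self, zone_id, name):
        return self.store.get(dht_key(zone_id, name))

def resolve(fqdn, local_zone, dht):
    """Walk the labels right to left, following PKEY delegations into the DHT.
    local_zone maps label -> (rtype, value). Returns (rtype, value) or None."""
    labels = fqdn.rstrip(".").split(".")
    tld = labels.pop()
    if tld == "gads":            # per-user namespace: start in the local zone
        zone_id, records = None, local_zone
    elif tld == "zkey":          # global namespace: the next label is the zone hash
        zone_id, records = labels.pop(), None
    else:
        return None              # not a GADS name; a real client falls back to DNS
    while labels:
        label = labels.pop()
        rec = records.get(label) if records is not None else dht.get(zone_id, label)
        if rec is None:
            return None
        if rec[0] == "PKEY":     # delegation: continue in the delegated zone via the DHT
            zone_id, records = rec[1], None
        elif not labels:
            return rec
        else:
            return None          # data record reached with labels still unresolved
    return ("PKEY", zone_id) if zone_id else None

def expand_relative(link, origin_host):
    """Relative names: 'www.carol.+' on a page served from www.bob.gads -> www.carol.bob.gads.
    Assumes the origin's first label is the record name and the rest is its zone."""
    if not link.endswith(".+"):
        return link
    return link[:-1] + origin_host.split(".", 1)[1]
```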


Legacy Hostname (LEHO) Records

Virtual Hosting with LEgacy HOstnames

LEHO records provide LEgacy HOstnames for names

Example: www(.+) → www.bobswebsite.com

Figure: as before, Alice's browser sends HTTP GET (Host: www.bob.gads) to the Local Proxy. Using the LEHO record, the proxy forwards HTTP GET (Host: www.bobswebsite.com) to the server and still rewrites <a href="www.carol.+"> in the returned page to <a href="www.carol.bob.gads">.


SSL Certificates

Server offers certificate to client

Figure: Alice's browser connects to www.bob.gads:443 through the Local Proxy (HTTP GET, Host: www.bob.gads:443); the proxy connects to the Server as www.bobswebsite.com:443 (HTTP GET, Host: www.bobswebsite.com:443) and the Server offers its certificate.

Verification:

Old way: Follow CA chain to "trust" anchor(s)

Secure way: Use DANE TLSA RRs! (RFC 6698)
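Added example, not from the thesis or GNUnet: the TLSA matching step of the DANE check this slide proposes, in Python. Records are taken in RFC 6698 presentation format; certificates are modelled as dicts holding already-extracted DER and SubjectPublicKeyInfo bytes (an assumption, a real proxy would take them from the TLS handshake), and the PKIX chain validation that usages 0 and 1 additionally require is signalled to the caller rather than performed.

```python
import hashlib

# TLSA RDATA field values as defined in RFC 6698.
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

def parse_tlsa(rdata: str):
    """Parse presentation format, e.g. '3 1 1 <hex>', into (usage, selector, matching, data)."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(matching), bytes.fromhex(hexdata.replace(" ", ""))

def association_data(cert: dict, selector: int, matching: int) -> bytes:
    """Certificate association data for one cert. A cert is modelled (assumption) as
    {'der': bytes, 'spki': bytes}: the DER certificate and its SubjectPublicKeyInfo,
    both already extracted from the certificate the server offered."""
    raw = cert["der"] if selector == SEL_FULL_CERT else cert["spki"]
    if matching == MATCH_EXACT:
        return raw
    if matching == MATCH_SHA256:
        return hashlib.sha256(raw).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(raw).digest()
    raise ValueError("unknown TLSA matching type %d" % matching)

def tlsa_verify(records, chain):
    """chain[0] is the end-entity certificate the server offered, chain[1:] its issuers.
    Returns (matched, pkix_required): usages 0 and 1 also demand ordinary CA-chain
    validation, left to the caller; usages 2 and 3 rest on the TLSA data alone."""
    for rdata in records:
        usage, selector, matching, data = parse_tlsa(rdata)
        # EE usages compare the leaf; TA usages compare an issuer (simplified: any non-leaf cert).
        candidates = chain[:1] if usage in (USAGE_PKIX_EE, USAGE_DANE_EE) else chain[1:]
        for cert in candidates:
            if association_data(cert, selector, matching) == data:
                return True, usage in (USAGE_PKIX_TA, USAGE_PKIX_EE)
    return False, False
```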


Status of Implementation and Migration

Implementation

GADS resolver on top of GNUnet

Client Proxy

Zone management tools with QR export and import

Migration

DNS and GADS can co-exist

DNS-to-GADS gateways

OS integration

Future Work

Usability Evaluation/User acceptance

TLSA verification in proxy

Internationalized Names (IDN)

End

Thank you!


DNS-to-GADS Gateways

Subdomain Gateway

Figure: resolution of www.QXDA.zkey.eu through the DNS hierarchy.

Client → DNS Root Server: www.QXDA.zkey.eu ? Answer: try 91.200.16.100 (.eu TLD Server)

Client → .eu TLD Server: www.QXDA.zkey.eu ? Answer: try 188.95.234.4 (authoritative DNS Server for zkey.eu)

Client → authoritative DNS Server for zkey.eu: www.QXDA.zkey.eu ?

Authoritative DNS Server for zkey.eu → GADS: www.QXDA.zkey ?

GADS → DHT: GET QXDA xor H('www') Answer: IP: 4.3.2.1

IP: 4.3.2.1 is passed back from GADS to the authoritative server and from there to the Client.


DNS-to-GADS Gateways

Local Network Gateway

Figure: clients in a subnet send their DNS Queries to a Recursive DNS Server that includes a DNS-to-GADS proxy gateway.

www.QXDA.zkey ? → handed to GADS → DHT: GET QXDA xor H('www') → IP: 4.3.2.1 (DNS Response)

www.example.com ? → ordinary DNS Query → IP: 1.2.3.4 (DNS Response)


Appendix

[Plot: % of new domains manually typed (y axis, 0 to 60) against # of unique domains visited (x axis, 0 to 9000), one point per User]


Appendix

Figure: DNS interception on the client. Queries from the Stub resolver are redirected by iptables to a DNS Interceptor; names under .gads are sent to GADS, names under .com, .org, etc. are sent to DNS, and each response is returned to the Stub resolver.
