A Censorship Resistant and Fully Decentralized Name System: The GNU Alternative Domain System. Martin Schanzenbach, Master's Thesis, September 17, 2012.
Page 1

A Censorship Resistant and Fully Decentralized Name System

The GNU Alternative Domain System

Martin Schanzenbach

Master’s Thesis

September 17, 2012

Martin Schanzenbach (TUM) GNU Alternative Domain System 1

Page 2: Secure, Memorable, Global: Choose Two

Figure: Zooko's Triangle, with the corners Secure, Global and Memorable, and existing systems placed on the edges they satisfy (DNS sits on the Global/Memorable edge):

DNS

Tor .onion

Petname Systems

Tor mnemonic URLs

DNSSEC

GADS


Page 3: Background: Domain Name System

Figure: the DNS hierarchy as a tree of zones.

Root Zone (.com, .us, ...)

.com Zone (.example.com, ...)

.us Zone (.example.us, ...)

.example.us Zone (www.example.us, ...)


Page 4: Background: Domain Name System

Who controls the root zone? ICANN? IANA?

"The Internet Corporation for Assigned Names and Numbers (ICANN) currently performs the IANA functions, on behalf of the United States Government, through a contract with NTIA." - http://www.ntia.doc.gov


Page 5: Overview

Overview

Properties of GADS

Decentralized, distributed name system

Secure, memorable, per-user name space in .gads

Secure, globally unique name space in .zkey

Linked per-user zones: delegation


Page 6: Registering a name in GADS

Bob creates a public key pair (K^Bob_pub, K^Bob_priv)

Zone "PKEY": Hash(K^Bob_pub) = 8FS7

Bob refers to his webserver via www.gads or www.8FS7.zkey

How can others resolve the IP?


Page 7: Registering a name in GADS

Bob publishes his mappings in the DHT... along with signatures

Bob gives his PKEY to his friends via QR code (a business card):

Bob Builder, Ph.D.
Address: Country, Street Name 23
Phone: 555-12345 Mobile: 666-54321
Mail: [email protected]


Page 8: Registering a name in GADS (cont.)

Alice (K^Alice_priv, K^Alice_pub), Local Zone:

bob PKEY 8FS7
...

(Bob's business card with the QR code: Bob Builder, Ph.D., Address: Country, Street Name 23, Phone: 555-12345, Mobile: 666-54321, Mail: [email protected])

Alice learns Bob's PKEY

Alice delegates the subdomain bob to Bob's zone 8FS7

Alice refers to Bob's webserver via www.bob.gads or www.8FS7.zkey

How does she get the IP?


Page 9: Name Resolution in GADS

Figure: resolution of www.bob.gads, with Alice on the left, Bob on the right and the DHT between them. Steps as numbered on the slide:

0. Bob: PUT www: 5.6.7.8 in 8FS7 (into the DHT)

1. Alice asks her resolver: www.bob.gads ?

2. The resolver takes the rightmost label, 'bob'

3. Local Zone lookup: bob PKEY 8FS7

4. DHT: GET www in 8FS7

5. Answer: www: 5.6.7.8

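The six-step resolution on this slide as an added worked example (not code from the thesis or from GNUnet): a toy DHT keyed by H(zone) xor H(label), a local zone holding a PKEY delegation, and a resolver that walks the labels of a .gads or .zkey name right to left. The zone identifiers, the (type, value) record tuples and the SHA-256 key derivation are constructed assumptions; the real system signs its records, which this toy omits.

```python
import hashlib

# Constructed toy data, not the thesis's real records or key material.
# Zone identifiers stand in for Hash(K_pub) of the zone owner ("8FS7" on the slides).

def dht_key(zone: str, label: str) -> bytes:
    """DHT key under which a zone publishes a label: H(zone) xor H(label).
    (Page 16 of the deck writes this as QXDA xor H('www'); SHA-256 is an assumption.)"""
    z = hashlib.sha256(zone.encode()).digest()
    l = hashlib.sha256(label.encode()).digest()
    return bytes(a ^ b for a, b in zip(z, l))

class Dht:
    """Minimal key/value store standing in for the GNUnet DHT."""
    def __init__(self):
        self.store = {}
    def put(self, zone, label, rtype, value):        # step 0: the owner publishes a record
        self.store[dht_key(zone, label)] = (rtype, value)
    def get(self, zone, label):                      # step 4: the resolver fetches it
        return self.store.get(dht_key(zone, label))

def resolve(name, own_zone, dht):
    """Resolve a .gads or .zkey name to an A record, walking labels right to left.
    own_zone maps label -> (type, value) for the user's own local zone (steps 2-3);
    a PKEY record delegates the remaining labels to another zone, looked up in the DHT."""
    if name.endswith(".gads"):
        labels = name[:-len(".gads")].split(".")
        zone, records = None, own_zone                  # start in the user's own zone
    elif name.endswith(".zkey"):
        labels = name[:-len(".zkey")].split(".")
        zone, records = labels.pop(), None              # rightmost label is the zone hash itself
    else:
        raise ValueError("not a GADS name: %s" % name)
    while labels:
        label = labels.pop()
        rec = records.get(label) if records is not None else dht.get(zone, label)
        if rec is None:
            return None                                 # no such label in this zone
        rtype, value = rec
        if rtype == "PKEY":
            zone, records = value, None                 # delegation: continue in that zone via DHT
        elif rtype == "A":
            return value if not labels else None        # an A record must be the final label
        else:
            return None                                 # other record types not handled here
    return None
```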

Page 10: From DNS to GADS

From DNS to GADS

Names that are not globally unique are trouble!

How do we create links?

How can we make virtual hosting work?

How will we validate X.509 Certificates?


Page 11: Solution: Relative Names

Relative Names

Bob wants to share the link www.carol.+

Bob interprets this name as www.carol.gads

Alice interprets this name as www.carol.bob.gads

Client translates names appropriately:

Client-Side Local Proxy

Figure: Alice's browser, the local proxy and Bob's server.

Alice's browser to proxy: HTTP GET, Host: www.bob.gads

Proxy to server: HTTP GET, Host: www.bob.gads

Server to proxy: <html>... <a href="www.carol.+"> ...</html>

Proxy to Alice's browser: <html>... <a href="www.carol.bob.gads"> ...</html>


Page 12: Legacy Hostname (LEHO) Records

Virtual Hosting with LEgacy HOstnames

LEHO records provide LEgacy HOstnames for names

Example: www(.+) → www.bobswebsite.com

Figure: Alice's browser, the local proxy and Bob's server.

Alice's browser to proxy: HTTP GET, Host: www.bob.gads

Proxy to server: HTTP GET, Host: www.bobswebsite.com

Server to proxy: <html>... <a href="www.carol.+"> ...</html>

Proxy to Alice's browser: <html>... <a href="www.carol.bob.gads"> ...</html>

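The two rewrites the local proxy performs on pages 11 and 12, relative-name expansion of the ".+" suffix in links and the LEHO substitution in the outgoing Host header, as an added example that is not the thesis's proxy code. The rule that "+" denotes the zone of the host the page came from, the regex-based link rewriting and the LEHO lookup table keyed by host name are assumptions of this example.

```python
import re

def zone_of(host: str) -> str:
    """Zone in which a host name's first label lives: www.bob.gads -> bob.gads, www.gads -> gads.
    This is the zone a trailing '+' in a relative name refers to (assumption)."""
    parts = host.split(".", 1)
    return parts[1] if len(parts) > 1 else parts[0]

def expand_relative(name: str, host: str) -> str:
    """Turn a relative GADS name ending in '.+' into the absolute name as seen by whoever fetched host."""
    if name.endswith(".+"):
        return name[:-1] + zone_of(host)
    return name

HREF = re.compile(r'href\s*=\s*"([^"]*)"')

def rewrite_links(html: str, host: str) -> str:
    """What the proxy does to the server's response before handing it to Alice's browser."""
    return HREF.sub(lambda m: 'href="%s"' % expand_relative(m.group(1), host), html)

def outbound_host(host: str, leho_records: dict) -> str:
    """Host header the proxy sends upstream: the LEHO record for the name if one exists,
    so the legacy web server's virtual hosting keeps working; otherwise the GADS name unchanged."""
    return leho_records.get(host, host)

def proxy(host: str, leho_records: dict, fetch) -> tuple:
    """One request through the proxy: choose the Host header, fetch, rewrite relative links.
    fetch(upstream_host) stands in for the HTTP GET and returns the page body."""
    upstream_host = outbound_host(host, leho_records)
    return upstream_host, rewrite_links(fetch(upstream_host), host)

# Constructed sample: Bob's page with a relative link, and his LEHO record (www(.+) -> www.bobswebsite.com).
BOB_PAGE = '<html><a href="www.carol.+">Carol</a></html>'
LEHO = {"www.bob.gads": "www.bobswebsite.com"}
```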

Page 13: SSL Certificates

Server offers certificate to client

Figure: Alice's browser, the local proxy and the server.

Alice's browser to proxy: HTTP GET, Host: www.bob.gads:443

Proxy to server: HTTP GET, Host: www.bobswebsite.com:443

The certificate is issued for www.bobswebsite.com, while Alice asked for www.bob.gads

Verification:

Old way: Follow CA chain to "trust" anchor(s)

Secure way: Use DANE [1] TLSA RRs!

[1] RFC 6698

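How the proxy's "secure way" could check the certificate Bob's legacy server presents against a TLSA record (RFC 6698) instead of following a CA chain; this is an added illustration, not the thesis's code. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, and only certificate usage 3 (DANE-EE, pinning the end-entity certificate itself) is implemented.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TlsaRecord:
    """Fields of a TLSA RR as defined in RFC 6698."""
    usage: int      # 0..3; 3 = DANE-EE (the end-entity certificate itself is pinned)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the zone-file form, e.g. '3 0 1 <hex digest>' (hex may contain spaces)."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TlsaRecord(int(usage), int(selector), int(matching),
                      bytes.fromhex(hexdata.replace(" ", "")))

def tlsa_matches(rec: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the certificate the server presented match the TLSA record published for its name?
    With usage 3 the pinned data must match the end-entity certificate directly, so no CA
    chain is consulted at all; the other usages need chain building and are not handled."""
    if rec.usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is implemented in this example")
    if rec.selector == 0:
        subject = cert_der
    elif rec.selector == 1:
        subject = spki_der
    else:
        raise ValueError("unknown selector %d" % rec.selector)
    if rec.matching == 0:
        expected = subject
    elif rec.matching == 1:
        expected = hashlib.sha256(subject).digest()
    elif rec.matching == 2:
        expected = hashlib.sha512(subject).digest()
    else:
        raise ValueError("unknown matching type %d" % rec.matching)
    return expected == rec.data

# Constructed sample: stand-in bytes, not a real certificate or key.
SAMPLE_CERT = b"-- constructed DER certificate bytes for www.bobswebsite.com --"
SAMPLE_SPKI = b"-- constructed SubjectPublicKeyInfo bytes --"
SAMPLE_TLSA = "3 0 1 " + hashlib.sha256(SAMPLE_CERT).hexdigest()
```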

Page 14: Status of Implementation and Migration

Implementation

GADS resolver on top of GNUnet

Client Proxy

Zone management tools with QR export and import

Migration

DNS and GADS can co-exist

DNS-to-GADS gateways

OS integration

Future Work

Usability Evaluation/User acceptance

TLSA verification in proxy

Internationalized Names (IDN)

Page 15: End

End

Thank you!


Page 16: DNS-to-GADS Gateways

Subdomain Gateway

Figure: a client resolves www.QXDA.zkey.eu through ordinary DNS, and the authoritative server for zkey.eu acts as gateway into GADS.

Client to DNS Root Server: www.QXDA.zkey.eu ? Reply: try 91.200.16.100 (the .eu TLD server)

Client to .eu TLD Server: www.QXDA.zkey.eu ? Reply: try 188.95.234.4 (the authoritative DNS server for zkey.eu)

Client to authoritative DNS server for zkey.eu: www.QXDA.zkey.eu ?

Gateway to GADS: www.QXDA.zkey ?

GADS to DHT: GET QXDA xor H('www')

DHT to GADS to gateway to client: IP: 4.3.2.1


Page 17: DNS-to-GADS Gateways

Local Network Gateway

Figure: a recursive DNS server in the client subnet fronts a DNS-to-GADS proxy gateway, so unmodified clients can resolve .zkey names alongside ordinary DNS names.

Client to Recursive DNS Server (DNS Query): www.QXDA.zkey ?

Recursive DNS Server to DNS-to-GADS proxy gateway to GADS to DHT: GET QXDA xor H('www')

DHT back to the client (DNS Response): IP: 4.3.2.1

Client to Recursive DNS Server (DNS Query): www.example.com ? Reply (DNS Response): IP: 1.2.3.4


Page 18: Appendix

Figure: scatter plot with one point per user; y axis "% of new domains manually typed" (0 to 60), x axis "# of unique domains visited" (0 to 9000).


Page 19: Appendix

Figure: DNS interception on the client. Applications query the stub resolver; iptables redirects its queries to a DNS Interceptor, which forwards names under .gads to GADS and names under .com, .org, etc. to DNS, and passes the response (or a redirect) back to the stub resolver.
