With Domain Name Seizures Increasing, It's Time For A Decentralized DNS System

from the bye-bye-icann dept

We’ve already written about the latest legal loss for The Pirate Bay, as well as Homeland Security’s new domain seizure campaign. With the former, the entertainment industry has already declared that it hopes this ruling will lead ISPs in various countries to start blocking The Pirate Bay entirely. It may also seek to use other tools — like the pending COICA bill — to see if it can seize the domain name. This presents all sorts of troubling questions concerning free speech and prior restraint. However, as is often the case when the law does a weak job trying to respond to a changing technological world, technology figures out a way to leap ahead.

Case in point: fresh off the legal loss, Peter Sunde, who has been focused on Flattr rather than The Pirate Bay for quite some time anyway, has noted that he’s working with some folks to set up a competing root server system that avoids ICANN. ICANN, of course, has been instrumental in helping Homeland Security with its domain seizures (and has apparently handed over Sunde’s domain names to the recording industry in the past). The idea, apparently, is to set up a truly distributed and more secure DNS system that does not rely on a single party, like ICANN.

This certainly seems like a big challenge, and one that has a high likelihood of failure. But it does appear that we’re seeing more and more problems with the way ICANN operates (though it’s been trouble since it first came into being). An alternative system, actually set up by folks who understand the technology, could actually catch on, and could present a serious challenge for those who think they can censor the web in any manner — whether for political or corporate purposes.

Companies: icann


Comments on “With Domain Name Seizures Increasing, It's Time For A Decentralized DNS System”

48 Comments
Anonymous Coward says:

There have been rumblings about COICA having the potential to end up fragmenting the internet from some fairly heavy industry people for a long time now.
With that in mind, making a decentralized system that cannot fall under one single country’s control seems to be the right cure.
Then again, all ICANN had to do was to refuse to be a tool to be used by politicians and it would never have been a problem to start with.

lfroen (profile) says:

Can't see how this is supposed to work

You can’t fix broken US law with a technical workaround. If I own whateverdomain.com, DNS will hold a record about “whateverdomain.com my.ip.address”. And this record is authoritative, i.e. there’s only 1 (and only 1) place which determines the IP address for whateverdomain.com.

What does “distributed” mean here? Not a shadow of root DNS (because this already exists). Do you mean there will be 2 (or more) places determining where whateverdomain.com goes? Like one will say “my.ip” and another one “riaa.ip”? And how will the client know which one is true? Right, you have no idea.

Broken law should be fixed by politics; corruption – by law enforcement (and politics).

Anonymous Coward says:

Re: Can't see how this is supposed to work

Easy, unless you specify which DNS to use in your operating system you get the default DNS for your ISP, now if you specify a DNS that is not under political control – politicians cannot determine which domains you should or should not have access to.
Distributed means that it will not be in one single location, and thus will never fall under one single country’s influence.

The Mighty Buzzard (profile) says:

Re: Re: Can't see how this is supposed to work

The problem is, not falling under one country’s control means falling under several countries’ competing control. As a guy who’s had to run corporate DNS servers, I really don’t want the headache of having to shop around for the least bad root server only to find out that six months later half the civilized world has null routed it because it doesn’t censor to their tastes.

Yeah, ICANN needs to be replaced but whatever the solution is it does not need to be of a distributed nature. DNS needs to be authoritative even if you don’t care for how the current authority does things.

The Mighty Buzzard (profile) says:

Re: Re: Re:2 Can't see how this is supposed to work

You assume China’s, for example, .com server will take into account the votes of the other 4. It won’t. Sites it doesn’t like for political reasons will fail to resolve. Wikileaks will eventually fail to resolve in the US. It’s not a matter of them getting compromised, they’re going to start out, and stay, that way because they’re legally required to wherever they’re hosted.

Richard Kulawiec says:

Re: Re: Re:4 Can't see how this is supposed to work

Nothing stops an American surfer from specifying a Canadian or Mexican DNS (except maybe performance),

It’s quite easy to block alternate DNS resolvers — see for example the current flap between Verizon Wireless and OpenDNS. It’s also nearly as easy to return bogus DNS results, given the (current) low adoption rate of DNSSEC.

One of the inevitable (and positive) results of this little adventure, as well as the tactics of the MAFIAA, as well as those of cockroaches like Phorm, is that encryption will become increasingly utilized. That alone is not enough to evade all the countermeasures — since it doesn’t address routing — but it’s a good start.

Anonymous Coward says:

Re: Re: Re: Can't see how this is supposed to work

DNS needs to be authoritative even if you don’t care for how the current authority does things.

Why?

Most if not all the functions of an authoritative authority can be automated, why do we need people in the mix?

Even next features can be added in a true democratic way, with a system that can vote things requiring super-majorities, like banning certain websites or restoring domains.

Besides, this would be an overlay and would function in parallel to the old system.

Anonymous Coward says:

Re: Re: Can't see how this is supposed to work

That may sound like an easy solution, but it will turn into a complete mess. DNS without authority is not a DNS at all. To call it distributed DNS is almost a conflict in terms. DNS is based on hierarchical trust models that essentially form a backbone of functionality and trust on the web as we know it so far. Moreover, current web security models RELY on DNS to be the same wherever you go (sessions with cookies which are security boondoggles in themselves and are a part of another conversation). If there’s no central point of trust, the system doesn’t have a uniform behavior that everybody can rely on and anticipate. Who do you trust? What do you do if somebody else trusts somebody you don’t? What do you do about namespace conflicts (i.e., there are multiple IP addresses given for a particular domain from different sources)?

If you’re worried about COICA fragmenting the web, just wait and see what will happen when everybody turns on a “distributed DNS” system.

Anonymous Coward says:

Re: Can't see how this is supposed to work

Bitcoin may have solved that problem already.

How does Bitcoin work?

Bitcoin utilizes public/private key cryptography. A coin has its owner’s public key on it. When a coin is transferred from user A to user B, A adds B’s public key to the coin and signs it with his own private key. Now B owns the coin and can transfer it further. To prevent A from transferring the already used coin to another user C, a public (but anonymous) list of all the previous transactions is collectively maintained by the network of Bitcoin nodes, and before each transaction the coin’s unusedness will be checked.

A DNS can be issued to somebody, the DNS system creates a key for it and checks a distributed database that is maintained in the cloud, only then it gives the domain to the person making the request if there is no one else requiring it.

Squatters would be a problem though 🙂

Anonymous Coward says:

Re: Can't see how this is supposed to work

Like one will say “my.ip” and another one “riaa.ip”? And how will the client know which one is true? Right, you have no idea.

People don’t care, they want options. Some people want the ability to switch over to an alternative DNS to get the content they desire. While you may find it inconvenient, others easily work around.

Lisae Boucher (profile) says:

Who is shadowserver.org?

I did some investigations and discovered that you can get a list of domains that were seized through RobTex: http://www.robtex.com/ip/74.208.15.160.html
All these sites now seem to lead to 74-208-15-160.sinkhole.shadowserver.org and thus to shadowserver.org. Now I cannot help but wonder who or what this shadowserver.org organisation is. Who are they? Why are they apparently hosting this page? What is their part in this whole case?
I also think they only seized domain names that were registered with a US registrar, not any foreign registrars.

It is however an interesting list of sites to see. They all seem to be related to sites supporting copyright violations in some way…

Richard Kulawiec says:

There are multiple problems here

ICANN’s an obvious problem: it’s become an example of regulatory capture, which is why its policies are designed to maximize registrar profits — no matter what the damage to the Internet. (That’s why we got several years of “domain tasting”, even though everyone with the slightest clue knew that there is absolutely no legitimate use for such a thing.) This latest move is merely more ICANN pandering — it has nothing to do with the merits of the case or the purported principles behind it.

The US-centric control of DNS is another problem. It’s been obvious for some time (and this latest example just reinforces this) that this control will be exerted when it’s politically expedient.

Allocation policies (especially now that we are approaching the exhaustion of IPv4 space) are yet another issue: it’s far easier for spammers and other abusers to get a /16 than it is for legitimate operations. Network hijacking has become an epidemic problem and no effective response exists.

Toss into the mix the problem of multiple roots (which has technical issues as well as political ones) and I think it’d just get worse. But frankly, it already has gotten worse, so perhaps it’s just a matter of which swamp we’d like to wade through.

Bengie says:

Freenet

When they keep doing this, it’s going to push more and more people to Freenet.

Freenet has been in beta for a long time, but even back in 0.1, it was semi-usable. It consumes a decent amount more bandwidth than BT because of the way it’s set up and you can’t help but host parts of other people’s files, but it’s currently the only secure P2P client that won’t get you sued by **AA and the government can’t touch.

Short of making Freenet illegal, it may take off with the way all these crackdowns have been happening.

Urza9814 says:

Re: Re: Freenet

Freenet’s developers also fucked up so bad that it’s inspired a fork, called FCON. Been around for a few years now. The 0.7 net is _still_ damn near unusable, after they entirely dropped support for 0.5 close to 3 years ago now. In other words, for more than 3 years they were pushing software that was Alpha quality at best. It’s still only now reaching Beta quality software…

Michial Thompson (user link) says:

What's new about this?

Honestly what’s new about this at all? I’ve been using my own DNS/Zone files for years to bypass iCANN’t.

I would be shocked if there aren’t already a number of pirate/file share networks out there using the same process.

For security purposes to help me protect some of my servers I set up my own DNS Servers with zone files for non-existent domains that allow me to have customers simply add my DNS Server on their machines, use their systems like normal for accessing everything. My DNS forwards their normal requests to them, and when they hit one of my non-existing domains it sends them my zone file.

As for making this distributed, still not too hard to do. MY DNS Server relies on my ISP’s DNS Servers to get all domain information other than its local Zone Files… Wouldn’t be hard to configure a distributed DNS system that doesn’t NEED iCANN’t at all, just uses them for traditional stuff when needed.

Lachlan Hunt (profile) says:

The domain that Sunde is referring to, which was handed over to the IFPI, was ifpi.org. Sunde had somehow obtained the domain after the IFPI had let it expire. The details of how he obtained it aren’t clear, but he claimed it was given to him by someone else who snagged it after it expired. He had then set up a landing page on the site calling it the International Federation of Pirates Interests. ICANN then decided to seize the domain and return it to the IFPI.

Kevin Murphy (user link) says:

Errors.

This piece creates a straw man using inaccurate information.

1. “ICANN, of course, has been instrumental in helping Homeland Security with its domain seizures”

Incorrect. VeriSign handed over the domains after receiving a court order. ICANN knew nothing about it.

2. ICANN “apparently handed over Sunde’s domain names to the recording industry”.

Incorrect. Sunde lost a UDRP case to the International Federation of the Phonographic Industry over the domain ifpi.com. The case was decided by the World Intellectual Property Organization, not ICANN.

You can read the decision here. http://www.udrpsearch.com/wipo/d2007-1328

Anonymous Coward says:

“However, as is often the case when the law does a weak job trying to respond to a changing technological world, technology figures out a way to leap ahead. “

While this is probably true, I don’t see decentralized DNS as that strong step in the right direction. Governments can force ISPs to block IP addresses or to disconnect the servers from their ISPs.

The closest next step that I could see would have to be something like creating a wireless internet. Wireless routing technology is improving and, if it weren’t for FCC regulations, it can probably already reach distances sufficient (though slow and inefficient) to create a big decentralized P2P wireless net if enough people get routers (broadcasting signals can travel miles if you set directional antennas to the right frequencies with a decent amount of intensity). Sure, the technology is still somewhat expensive, but it’ll come down in price even if it has to be sold via the black market. And people will pay for the technology, many people used to pay for those huge directional antennas that you put in your back yard, or place in a high location, and connect them to receivers to watch satellite T.V. stations from other countries (though, due to technological improvements, no one really uses those huge directional antennas anymore). Many of those directional antennas even had the ability to automatically change their own direction to point to the appropriate satellite that was broadcasting the station you were watching (they had a motor that could move it around). The ability to transmit signals for miles, even with obstacles in the way, is hardly an issue, corporations even know that a determined wardriver can pick up corporate WiFi from a good distance with the right equipment. If people want they can get a hold of the equipment necessary to transmit signals across long distances, even if expensive, buying huge directional antennas was done by many people in the past to receive signals from satellites.

Of course, the biggest obstacle is to avoid getting detected by the government for breaking FCC laws. People might find ways around that too, if they can figure out ways to point directional antennas at each other and better focus the beam (like a laser pointer sorta) so that it doesn’t give out much detectable ambient light to non intended targets. I don’t really see a widescale wireless internet of such being undetectable by the government though, at least not with today’s technology.

Who knows what future advancements might be made within the next couple hundred years though. Maybe quantum non local communication. Technology has gone an incredibly far way within the last 20 years alone, and some new technology might come out that could negate all of the government’s current efforts. But this decentralized DNS thing alone isn’t it, at least not its use with currently existing Internet technology. We have to lose our dependency on centralized ISPs that are subject to government law before we can really avoid being blocked by any government mandates. And don’t think encryption (like TOR) can save you, the government can simply decide (as they do in some countries) that no encrypted messages from unauthorized sources are allowable and that transceiving such messages is punishable by law. The solution is to route around the current information gatekeepers and we currently do not have the technology for that.

Anonymous Coward says:

Reading the project homepage (http://dot-p2p.org/index.php?title=Main_Page) this seems a whole lot simpler than many of the speculations in the comments make it out to be.
It will basically be an application that updates a URL list on your computer (think hosts or lmhosts) specifically for the new TLD .p2p.
No mucking about with parallel DNS systems, just a new TLD outside of government control.

Paul Keating (profile) says:

The Shadowserver Foundation

Domain Name:SHADOWSERVER.ORG
Created On:29-Mar-2004 04:50:33 UTC
Last Updated On:28-Jan-2010 08:51:47 UTC
Expiration Date:29-Mar-2011 04:50:33 UTC
Sponsoring Registrar:Network Solutions LLC (R63-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:40855724-NSI
Registrant Name:The Shadowserver Foundation
Registrant Organization:The Shadowserver Foundation
Registrant Street1:700-76 Broadway
Registrant Street2:Suite 236
Registrant Street3:
Registrant City:Westwood
Registrant State/Province:NJ
Registrant Postal Code:07675
Registrant Country:US
Registrant Phone:+1.9144106480
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:


darryl says:

The DNS system is already decentralized.

That’s right, there is no one single point or place where all the domain names are served up.

I don’t know about today, but about 10 years ago there were at least 10 DNS server farms, in different places around the globe.

As well as that, you can create your very own DNS server, it’s very easy with a linux system, and probably with windows as well.

You can make a PC on your network the DNS server, and that can speed up your web searching, especially with DNS caching enabled.

There is nothing stopping you from building your own DNS server and placing it on the internet. If you have the bandwidth, and you can get people to set your IP as the DNS address for their web surfing.

Could even be a techdirt server,

Anonymous Coward says:

Re: The DNS system is already decentralized.

But it all depends on a root file controlled by ICANN. Indeed, the use of “decentralized” bothers me here too, especially since of the suggestions are simply to build a system that works the same way but trusts someone else with the root file.

So DNS is already decentralized, yes, but ultimately it’s centralized, in the same way torrents that require trackers are ultimately centralized.

Anonymous Coward says:

The new DNS system would not compete with ICANN. All your DNS requests would still go to the good old government controlled DNS servers.

ONLY if you try to access a site ending in “.P2P” would the program instead check a file on your own computer for the IP number of that address.

That file is in turn kept up to date by being connected to a special bittorrent swarm coded for that specific purpose.

At no point is there any conflict between P2PDNS and ICANN, other than castrating ICANN’s ability to censor the web.
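
The split described in the comments above (names ending in .p2p answered from a locally kept list, everything else sent to ordinary DNS), sketched as an added example that is not part of the original page or the dot-p2p project's code. The hosts-style list layout, the function names and the sample addresses are assumptions made for illustration; the list is treated as untrusted input, so entries outside .p2p and names offered with conflicting addresses are dropped.

```python
import ipaddress
import socket

P2P_SUFFIX = ".p2p"

# Constructed sample of a swarm-delivered list (hosts-file layout is assumed).
SAMPLE_LIST = """\
# ip            name
192.0.2.10      tracker.p2p
192.0.2.11      forum.p2p
198.51.100.7    forum.p2p        # different answer for the same name
203.0.113.5     www.example.com  # outside .p2p: must never be honoured
not-an-ip       broken.p2p
192.0.2.12      Wiki.P2P.
"""


def normalise(name):
    """Lower-case a name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def load_p2p_list(text):
    """Parse the list; return (table, rejected, conflicts).

    table     -- .p2p name -> single IP string
    rejected  -- (line_number, reason) for each dropped entry
    conflicts -- names offered with more than one address
    """
    offered = {}
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 2:
            rejected.append((lineno, "malformed"))
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            rejected.append((lineno, "bad address"))
            continue
        for name in map(normalise, fields[1:]):
            # Scope check: the list may only speak for names under .p2p.
            if not name.endswith(P2P_SUFFIX) or name == P2P_SUFFIX:
                rejected.append((lineno, "outside .p2p"))
                continue
            offered.setdefault(name, set()).add(ip)
    # Fail closed on conflicts instead of picking one answer arbitrarily.
    conflicts = sorted(n for n, ips in offered.items() if len(ips) > 1)
    table = {n: next(iter(ips)) for n, ips in offered.items() if len(ips) == 1}
    return table, rejected, conflicts


def resolve(name, table, upstream=socket.gethostbyname):
    """Return (source, ip). .p2p is answered only locally, the rest only upstream."""
    key = normalise(name)
    if key.endswith(P2P_SUFFIX):
        # Unknown .p2p names return None and are never sent to the upstream resolver.
        return ("local", table.get(key))
    return ("upstream", upstream(key))


if __name__ == "__main__":
    table, rejected, conflicts = load_p2p_list(SAMPLE_LIST)
    print(table, rejected, conflicts)
    print(resolve("tracker.p2p", table))
```

The scope check is what keeps a tampered list from redirecting ordinary domains: whatever the list contains, it can only affect names under .p2p.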
