
EmerDNS - an alternative to DNSSEC


Classic DNS, as specified in RFC 1034, is criticized by just about everyone. For all its efficiency, it is not secure at all: an attacker can redirect traffic to a fake website by substituting DNS responses to intermediate caching servers (cache poisoning). HTTPS fights this scourge to some extent with its SSL certificates, which let the browser detect that the site has been substituted. But users usually understand nothing about SSL, click "continue" on certificate-mismatch warnings without thinking, and from time to time pay for it financially.


To somehow stop the mess with DNS cache poisoning and traffic interception, DNSSEC was invented: a security add-on to classic DNS that is now being rolled out on the ICANN-controlled Internet. Frankly, the rollout is not going well. The vast majority of commercial companies and other organizations simply ignore the challenges of the new era; even IT giants like Google and Yandex do not have digital signatures on their domain zones. Our competent comrades, who care about everything, are in no hurry to protect themselves from this side either. Only the competent gentlemen who really care about everything have everything in order. Well, and also the organizations actually involved in implementing DNSSEC, for example verteiltesysteme.net. But what can one expect of individual organizations, when to this day about 10% of top-level domains (TLDs) have no DNSSEC signatures!


Why has this situation, which can fairly be called mass sabotage, come about? After all, DNSSEC technology has been free and widely available for many years. We see several reasons:


  1. Security is hard. The topic is complex for the average sysadmin, who prefers not to get involved with it. After all, a DNSSEC-signed zone must not only be created but also maintained regularly: keys rolled over, and so on.
  2. Human optimism: nothing will happen to us, everything will be fine, trouble happens to other people, so there is no need to do anything. Don't believe it? Then a control question: do you have a fire extinguisher at home?
  3. HTTPS/SSL provides a fairly good alternative protection that reliably detects a user being sent to a fake website. That the user usually ignores the corresponding warnings is a different matter.
  4. DNSSEC only protects against unauthorized cache poisoning. It does not protect against compromise of the provider's caching server, of the domain zone's server, or of the domain registrar. Incidentally, it was the last of these that led to the seizure of the blockchain.info domain.
  5. Using DNSSEC reduces the performance of the DNS subsystem roughly fivefold and requires more network and computational resources than classic DNS.

Thus, although DNSSEC is safer than classic DNS, it is nevertheless a palliative and does not completely solve the problem of data trustworthiness, even if all admins suddenly became diligent and did everything as expected. And the price of this palliative, a fivefold performance reduction in the core subsystem on which the real speed of the Internet depends, is no joke.

Note also that in classic distributed DNS, and in its successor DNSSEC, the domain lookup happens at the moment of the user's request. That is exactly when the user most needs computing and network resources for transferring data, not for finding out who is who and verifying the corresponding signatures. So cache updates and the rest of the DNS machinery run at the most "expensive" time, when the user is waiting for a page, rather than as internal work "under the hood". And clearly, for the network to function, every DNS server involved must be "in good health" and working as it should. When any intermediate server fails, a whole segment of the network "falls off", which we observe from time to time.


The alternative considered here to both classic DNS and DNSSEC is EmerDNS, which is built on blockchain technology. Unlike hierarchical DNS/DNSSEC, EmerDNS is a peer-to-peer "flat" network with no domain registrars, zone holders or intermediate caches. Since there are none, there is nothing to compromise. In this system each EmerDNS node holds the full blockchain, i.e. the entire database of names and other transactions. The integrity of the data (the fact that every node holds the same records) is guaranteed by the blockchain itself and by the public consensus of miners (POS + POW). The latter ensures that nobody has "god mode", including the system's developers: neither we nor anyone else can arbitrarily cancel or change entries. Entries can be updated only by their owners and nobody else. In a sense EmerDNS resembles the hosts file, holding entries for all known sites. But unlike hosts:



updates to this database arrive asynchronously to user requests, as new blocks appear, by push. So by the time a user decides to visit a website, all current and verified DNS records are already held locally in a pre-indexed database, and domain names are translated to addresses locally, without any (especially recursive) queries to external resources. This makes EmerDNS extremely fast. Moreover, at the moment a domain name is resolved it is not required at all that some DNS servers somewhere on the Internet be "in perfect health".
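To make the "local answering from a pre-synced table" idea concrete, here is an added example (not Emercoin's code, and not how EmerDNS is implemented internally): a minimal authoritative UDP responder that answers A queries only from a record table held in memory, never contacting any upstream server. The record table, names, addresses and the port 5353 are constructed for the example; in a real node the table would be fed from the locally indexed blockchain database.

```python
import socket
import struct

# Constructed sample table standing in for the locally indexed record
# database that a node keeps in sync from the blockchain (values are made up).
LOCAL_RECORDS = {
    "example.coin": "203.0.113.10",
    "wiki.emc": "198.51.100.7",
}

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode an uncompressed wire-format name; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query name")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive-desired A query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query: bytes, records=LOCAL_RECORDS) -> bytes:
    """Answer a query purely from the local table: no upstream lookups at all."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("exactly one question expected")
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    addr = None
    if qtype == TYPE_A and qclass == CLASS_IN:
        addr = records.get(qname.lower())
    rd = flags & 0x0100                      # echo the client's RD bit
    if addr is None:
        # QR=1, AA=1, RA=0, RCODE=3 (NXDOMAIN): the name is not in our table.
        header = struct.pack("!HHHHHH", txid, 0x8400 | rd | 3, 1, 0, 0, 0)
        return header + question
    # QR=1, AA=1: we are authoritative for what we hold.
    header = struct.pack("!HHHHHH", txid, 0x8400 | rd, 1, 1, 0, 0)
    # Answer name is a pointer (0xC00C) back to the question name at offset 12.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
              + socket.inet_aton(addr))
    return header + question + answer


def parse_response(resp: bytes):
    """Return (txid, rcode, [A addresses]) from a response built above."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    _, off = decode_name(resp, 12)
    off += 4                                  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off += 2                              # 2-byte name pointer
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            addrs.append(socket.inet_ntoa(resp[off:off + rdlen]))
        off += rdlen
    return txid, rcode, addrs


def resolve_locally(name: str):
    """Round-trip helper: query -> local answer -> parsed result, no network."""
    return parse_response(build_response(build_query(name)))


def serve(bind=("127.0.0.1", 5353)):
    """Serve the local table over UDP (port 5353 is an example choice)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(build_response(data), peer)
            except (ValueError, IndexError, struct.error):
                pass                          # malformed query: drop silently


if __name__ == "__main__":
    print(resolve_locally("example.coin"))
    serve()
```

Run it and point `dig @127.0.0.1 -p 5353 example.coin` at it: the answer comes back with the AA bit set and no upstream traffic, which is the property the paragraph describes; anything not in the table gets NXDOMAIN instead of a recursive lookup.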

This architecture makes EmerDNS exceptionally fast, secure and fault tolerant. Its disadvantage is the need to keep a copy of the blockchain on every node, and the blockchain contains not only domain information but also transactions and, in general, everything that everyone else has put into this database. But at today's prices and capacities of disk drives, when even hundreds of gigabytes do not look expensive to ordinary users, this is a reasonable price for speed and security. Besides, Emer's blockchain is not much more than 300 MB.


Another drawback of such a system is that each update of a domain record costs a certain amount of Emercoin. But at current prices (about $0.1 to create a record and $0.01 for an update) this is still many times cheaper than keeping names with a domain registrar (about $10 per year). Indeed, for the same $10 at current rates you can buy three updates a day for a whole year.

The differences between the various DNS systems are summarized in a comparison table (an image in the original post, not reproduced in this text).

EmerDNS has existed and worked stably since 2014. Detailed instructions for working with it are provided on the Emercoin project wiki.



The system's high fault tolerance and security led site owners whose sites were blocked by RosKomNadzor to move them into EmerDNS domain zones. Read more about this in the article.



The Maxim and Pornolab websites provide Russian-language instructions for their users on how to connect to the system through OpenNIC. Access is also provided by browser plug-ins from Peername and Fri-Gate.


Clearly, when using OpenNIC or other external servers, user requests can still be intercepted and substituted, and in theory the OpenNIC DNS gateways themselves may be compromised. Therefore the safest option is to deploy the EmerDNS gateway inside a trusted network (home, local, corporate): only the gateway holds the blockchain, and all users query it in the usual way with lightweight DNS queries. With this architecture users get high reliability and security without keeping the blockchain on every computer. A wiki article gives examples of configuring such a server with the most popular proxying DNS servers, BIND and dnsmasq.
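As an added illustration of the trusted-network gateway layout (not taken from the Emercoin wiki), here is a dnsmasq fragment for the gateway host. It assumes the Emercoin node on the same host has its built-in DNS responder enabled (`emcdns=1`, listening on the default `emcdnsport=5335` in emercoin.conf) and that the blockchain zones to forward are .coin, .emc, .lib and .bazar; the LAN address 192.0.2.1 and the upstream resolver are placeholders to replace with your own.

```conf
# /etc/dnsmasq.d/emerdns.conf  (example path; adjust to your distribution)

# Only answer clients on the trusted LAN; never expose this gateway to the Internet.
listen-address=192.0.2.1
bind-interfaces

# Ignore /etc/resolv.conf and use only the upstreams listed here.
no-resolv

# Blockchain zones: hand them to the local Emercoin node, which answers from
# its own copy of the blockchain without any external queries.
server=/coin/127.0.0.1#5335
server=/emc/127.0.0.1#5335
server=/lib/127.0.0.1#5335
server=/bazar/127.0.0.1#5335

# Everything else goes to an ordinary upstream resolver (placeholder address).
server=198.51.100.53

# Hygiene for the LAN side: refuse answers that point public names at private
# addresses (rebinding) and do not leak reverse lookups for private ranges.
stop-dns-rebind
bogus-priv

# Cache answers for LAN clients so repeated lookups stay local.
cache-size=10000
```

The point of the layout is that clients keep using plain port-53 DNS against a host they already trust on their own network, while the only hop that touches the blockchain is the loopback connection between dnsmasq and the local node, so there is no external gateway on the path to substitute answers.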


Further information about EmerDNS can be found in this article.

You can learn more about Emercoin on our blog or on Cryptore.

Source: https://habr.com/ru/post/334304/

