NSD: DNS is Not Sufficiently Decentralized

Tagged: decentralized & social media

DNS, the domain name system, is one of the most critical parts of how our Internet works, yet few of the billions of people using it every day actually understand what it is.

Back to the IP, a Primer

Back in the early days of computer networking, computers simply used numbers to call (address) each other. IP (Internet Protocol) addresses are basically telephone numbers. For example, a US phone number has the format (AAA) BBB-CCCC, where section AAA is an area code (originally the middle digit had to be 0 or 1 and the others couldn't be), each area code originally mapping to US metropolitan areas ordered by population (lower numbers = bigger city), and section BBB is a smaller "area" code. Call it a district. The whole 10 digit string can be prefixed by "1", the country code for the US. So the sections go: country : city : district : household, each section increasingly more specific. IP addresses are usually displayed as octets, and there's kind of also a logical hierarchy as you look at each octet from left to right. You could imagine the octets being Country, City, District, Household (e.g. 127 is a Country). Phone numbers were designed to be 7 digits for most use cases (people living in the same local area code, i.e. city), 7 being a length which humans could remember in their head before the age of smartphones. An IP address written out in full can be up to 12 digits, or 8 hexadecimal digits, in length. IPv6 increases this even further. Humans aren't going to remember all those digits. This is why we need a domain name system to be able to refer to yahoo.com instead of a long, hard to remember phone number. The easy to remember name maps to a long string of numbers.

What happens when I look up a domain name

So how does DNS even work? Is it just one giant phone book, an Internet Yellow Pages? From the consumer's side, you are trying to reach a certain domain name, like www.google.com (there's a difference between www.google.com and google.com). Your computer will use its configured DNS server ("resolver") setting, and ask that server what the IP address for www.google.com is. That server either knows it already because it's cached from an earlier request, or maybe it knows because it is the authoritative server responsible for everything under google.com (could happen if you were using Google's DNS server). But if it doesn't know, then it needs to traverse the domain name "chain" to find the answer.

We want to resolve "www.google.com". Since we don't know the answer to even the "www" sub-domain portion, we will first go down and inquire about the "google.com" domain.

Now we want to resolve "google.com" but don't know the answer, so we will go down to the ".com" portion.

We want to resolve ".com" and don't know the answer either... so we need to ask "."

How do we even go about querying "."?

The Dot in Dot Com

Sun Microsystems used to have that slogan, before they were bought by Oracle. But ".com" actually has two dots, a hidden dot at the end. So it's actually ".com.". That hidden dot is the Root of the Internet.

Our DNS server in our example doesn't need to ask anyone who the root of the internet is because it's already preconfigured. The software comes set with 13 Root Servers who share the iron root throne. And this is also the root of DNS centralized control.

These 13 include Verisign (having 2, who are also the real owners of .com), NASA, the Department of Defense, the US Army, and some other US organizations. You might believe that the US federal government, which created the Internet through DARPA (military), controls the internet's DNS. You would at least be partially right. Might this be concerning for information war adversaries of the US, like maybe China?

These root servers will tell us who has authority for the next level up from the root, which are the Top Level Domains (TLDs). [Until not too long ago, the TLDs were just .org, .com, .gov, .edu, and .mil, a very US-centric hierarchy.] And then the .com authority can tell us who is authoritative for google.com. Then google.com's authoritative DNS server can tell us the address for www.google.com. And now we have our answer, having traversed the chain of command.

Domain Name Fiefdoms

So now we know how domain names get resolved to IP addresses. And we've encountered authority at 3 levels. At each of these levels we can say that one entity centrally controls or dominates its "dominion" or "domain", whether that be ".com" or "google.com". All these fiefdoms get their authority delegated to them by the TLDs and the root name servers.

We can see that ultimately the 13 root servers, in a top down manner, control the entire domain name system and therefore the Internet.

This cabal could decide that .ve, the country code TLD for Venezuela, should be taken away from its current government and perhaps given to an opposition party in Venezuela politically aligned with the West, or perhaps the White House takes over .ve.

What if Islamic State wanted its own country code TLD? Unfortunately for them, .is is already taken by Iceland. But it's very unlikely this proto-state would be recognized by the DNS lords with its own TLD.

What could authoritarian countries do with their power over DNS? China Internet Network Information Center (CNNIC), who controls the .cn country code TLD of China, might get pressure to wipe wuhanvirusdata.cn (not a real example) off the Internet (you can come up with your own conspiracy theories).

At a more local level, how about the subdomains mail.google.com or maps.google.com? Of course, it's the google.com authoritative DNS servers that can create or destroy those. No surprises there. It is google.com's "domain".

The point is that every domain name depends on some authority to permit them to exist. That permission can be taken away at any time. This is a way to police the Internet.

If you don't fully control a domain name, you don't really own it. Any brand building efforts around a name could be taken away at any time, like a state using eminent domain to seize the land under your shop. The Internet police could even decide to give your name to a competitor. Don't assume this doesn't happen.

Decentralized properties of DNS

Looking at the flip side, DNS also exhibits some decentralized properties.

Local governance and policy: Domain management happens at the most local level rather than being orchestrated completely from the root. Within a domain, one party can transfer a subdomain to another party without permission from other domains or from the parent TLD. So a Google employee might transfer control of Gmail (mail.google.com) to another Google employee, without asking permission from ".com". Or a company might sell megacorp.co.uk to another company and the registrar for .co.uk would manage the transfer because it's within their direct authority.

Open and standard protocol: The protocol is open and standard and has many implementations in software, preventing any one company from de facto controlling the protocol (and its future development). You are free to use the DNS protocol with any software you like. You can run your own caching, recursive name server and configure it to answer name lookups however you want it to respond. For example, you could redirect google.com to yourself! (SSL certificates might cause other problems though.) You can send advertiser domains into a black hole. Maybe you want to block adult sites or subversive social networks, and you and others can and do. You can provide an answer to people looking up the above-mentioned wuhanvirusdata.cn, if they used your DNS server, so that it continued working while officially blocked.

The protocol itself doesn't require centralization but does assume that everyone on the Internet agrees on who has authority over what. It won't work without some level of authority.

Cutting off the heads of the Hydra

The protocol and software do leave open the possibility to completely separate from the ICANN DNS system. You could set up BIND (or other DNS software) to use a different set of 13 root name servers which are independent from the original 13 servers. You could join an alliance of other name servers who chose the same set of alternate roots, thus forking the network. These alternative root servers under your federation's control could create an alternate set of TLDs as well as redirecting requests to the current common TLDs like .com or .net.
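To make the chain of command from the resolution walkthrough concrete, and to show what swapping the root hints in the previous paragraph actually changes, here is a toy model of iterative resolution (example code added for this page, not from the post, BIND, or any real resolver). Every server name and address in it is a constructed placeholder, and `local_policy` is a hypothetical hook standing in for the local overrides (blackholing, redirecting) described under "Open and standard protocol".

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, str]       # (owner name, record type, value)
Servers = Dict[str, List[Record]]   # server name -> records that server answers with

# Constructed data: names and addresses are placeholders (RFC 5737 documentation
# ranges), not the real root, .com or Google servers. Roots are the "hints".
ICANN_ROOTS = ["root-a.example"]
ICANN_WORLD: Servers = {
    "root-a.example":  [("com.", "NS", "tld-a.example"), ("tld-a.example", "A", "192.0.2.1")],
    "tld-a.example":   [("google.com.", "NS", "ns1.google.com."), ("ns1.google.com.", "A", "192.0.2.2")],
    "ns1.google.com.": [("www.google.com.", "A", "198.51.100.5")],
}
# A forked root: different hints and a different .com delegation, so the same
# question about www.google.com. ends on a different authoritative server.
ALT_ROOTS = ["altroot.example"]
ALT_WORLD: Servers = {
    "altroot.example":  [("com.", "NS", "alttld.example"), ("alttld.example", "A", "192.0.2.9")],
    "alttld.example":   [("google.com.", "NS", "ns.other.example"), ("ns.other.example", "A", "192.0.2.8")],
    "ns.other.example": [("www.google.com.", "A", "198.51.100.99")],
}

def in_zone(qname: str, owner: str) -> bool:
    """True if qname is owner itself or lies beneath it on a label boundary."""
    return qname == owner or qname.endswith("." + owner)

def resolve(qname: str, qtype: str, world: Servers, roots: List[str],
            local_policy: Optional[Dict[str, str]] = None) -> Tuple[Optional[str], List[str]]:
    """Walk root -> TLD -> authoritative; return (value or None, servers consulted).
    local_policy models the resolver operator answering locally (e.g. blackholing
    a domain) before any authority is asked, as the post describes."""
    if local_policy and qname in local_policy:
        return local_policy[qname], ["local-policy"]
    server, path = roots[0], []
    while server is not None:
        path.append(server)
        records = world.get(server, [])
        answers = [v for n, t, v in records if n == qname and t == qtype]
        if answers:
            return answers[0], path
        # No answer here: follow the most specific delegation (longest owner) it knows.
        delegations = [(n, v) for n, t, v in records if t == "NS" and in_zone(qname, n)]
        if not delegations:
            return None, path  # nobody on this chain claims authority: NXDOMAIN-like
        _, ns_name = max(delegations, key=lambda d: len(d[0]))
        # Glue: the delegating server must also give the delegated server's address.
        glue = [v for n, t, v in records if n == ns_name and t == "A"]
        server = ns_name if glue else None  # no glue, no way to reach it: dead end
    return None, path
```

Running the same query against `ICANN_WORLD` and `ALT_WORLD` returns different addresses for www.google.com., which is the whole point: authority is nothing more than whichever root hints the resolver was configured with.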

All these things are possible and have been done in forked-off projects like AlterNIC or OpenNIC (material for another blog post). Practically speaking, you've never heard of AlterNIC and have never used it and never will. It's dead. And so DNS remains centralized in practice. DNS servers around the world overwhelmingly maintain the default root server configuration, and clients of ISP DNS servers use those by default. The .com TLD remains king despite numerous new TLDs, and the world only recognizes one authority for .com. The system is not democratic and there's no recourse for states to be truly sovereign on the Internet. The current ICANN regime has the whole world under its spell and it's perhaps too much for anyone to try and fight.