tl;dr: If you go to docs.ens.domains, your DNS query was served by the Ethereum blockchain! It’s DNS, hosted on Ethereum, and you can use it for any DNS domain.
Today we’re releasing experimental support for hosting DNS domains on the Ethereum blockchain. This builds on previous work on ENS, the Ethereum Name Service, adding a DNS gateway and support for storing DNS zones inside ENS.
For those who want to try it out, a brief howto on hosting your own domain on the blockchain is here. This post aims to explain, not how to set it up, but how the system works at a technical level — gluing two different naming systems together.
First, a bit of background. DNS, as you may already know, operates on the basis of ‘zones’. A zone represents a division of authority, and a nameserver is responsible for returning authoritative answers to queries in one or more zones that it hosts, while providing references to other nameservers that host zones further down the hierarchy.
For instance, when you resolve ‘docs.ens.domains’, your resolver first consults one of the DNS root servers, who respond to the effect that they don’t know the answer, but here’s someone who might — and listing the nameservers for ‘.domains’. Your resolver then asks them the same question, and they respond with a referral to the nameservers for ‘ens.domains’. Finally, your resolver asks those nameservers, and they respond with an authoritative answer: ‘docs.ens.domains CNAME readthedocs.io’.
ENS operates in a somewhat different fashion. Unlike DNS, it has a central database — the ENS registry — mapping from domain names to resolvers. In addition, each domain has an owner, who can update the resolver address, and create and delegate subdomains. To look up information on a domain, callers first consult the registry to get the resolver address, then query that resolver to get the answer to their question. Just like DNS, it permits diversity of implementations for resolvers, and delegation of authority within the name hierarchy, but unlike DNS, it has no concept of ‘zones’.
The naive way to store DNS data on the blockchain would be to deploy a single ENS resolver for the existing DNS hierarchy, and expect resolvers pointed to by this registry to support returning zone information for their domains. A gateway could then look up the ENS registry for the domain being queried for, fetch the zone data, and satisfy any queries from that.
This works, but has a critical problem: who do you allow to update the registry? You only want the owner of a domain to be able to update their DNS entries, but there’s no obvious way to prove ownership of a DNS domain on the blockchain — especially since you can’t use the usual route for checking name ownership, requiring someone to set a specific DNS entry!
Instead, we take a slightly different approach. We allow anyone to deploy their own ENS registry and resolver, and host whatever set of domains they like on it. Then, they include the address of their ENS registry in the DNS nameserver record for their domain. Since everyone has their own registry, we no longer need to be concerned about proving you have the right to update a name — nobody will ever consult your registry unless it’s referenced by the existing DNS infrastructure.
For instance, suppose you deployed an ENS registry for your domain, ‘myawesomedomain.com’ at the address 0x1234ABCD, and configured it appropriately. To finish the process, you would go to your registrar, and tell it to set the nameservers for your myawesomedomain.com to ‘1234ABCD.ns1.ens.domains’.
Now, when someone wants to resolve ‘www.myawesomedomain.com’, the following steps happen:
If you’d like to see how all of this is implemented in practice, the — still very much a work in progress — code is available on GitHub.
First off, this isn’t automatically more censorship resistant than regular DNS servers. The zone itself becomes very difficult to censor, but for your users to find that, they still have to get referred to it via NS records in the parent zone, so it’s still vulnerable to being taken down or blocked in that manner. Moving the DNS root onto Ethereum would solve this by making every lookup backed by the blockchain, but obviously that’s not something I can hack up for a tech demo. Doing so would also raise issues around DNS zone enumeration: many people don’t want arbitrary strangers to be able to list all their DNS records, and the present solution would make that possible.
Likewise, it’s not automatically more secure; you still have to trust that referral from the parent zone, and if you’re using a public gateway (instead of running your own DNS gateway), you have to trust that it’s responding accurately. DNSSEC can be used here just as on regular DNS to secure things better. Again, a system with the root in Ethereum would solve this problem and obviate the need for DNSSEC entirely!
What this is is a really convenient way to distribute nameserver data to nameservers in a fashion that they know that insofar as they can trust their own DNS resolution, they know they can trust the validity of the data they’re fetching, and that it was written by someone authorized to do so. And it permits this in a fashion that means anyone can utilize the public DNS gateways without having to directly interact with or configure them. It’s also a neat tech demo of ENS.