NameCoin is a pretty interesting solution as well.
But let's question for a moment whether this is actually an engineering problem. The DNS system is pretty bad; I'm sure that a few of us can come up with a better system in an afternoon. However, these competitors have failed to take hold.
It's probably mostly a social or political issue. One of the things that I think is important is to start making internet architecture issues the subject of conversation at the dinner table, at town hall meetings, and just in everyday life. We need to ignite a social consciousness around the internet and its ways. We need strong, determined will to do better.
DNS is already decentralized. Running your own is not hard. There are a lot of misguided choices in infrastructure, though, driven by PR and marketing of various CDN and DNS providers. They really want to convince everyone that relying on a single company and single AS is more reliable, than rolling your own solution.
That DNS is decentralized does not really mean anything when you consider how easy it is to uncover where a site is hosted, and understand which points you need to hit to take a site down. Whilst we can do interesting things at the network level to mitigate (think Cloudflare, anycast, mirroring, etc), the services sitting behind DNS are still exposed like a sitting duck.
I mean if we really wanted to DDOS Cloudflare, we just exhaustively gather all the raw APEX/Naked IPs of their edge nodes then stress them, but I imagine Cloudflare doesn't advertise their list of IPs and they're closely guarded, so attackers are left in the dark. But such an attack is plausible.
What we do need are antifragile protocols like BitTorrent/IPFS/Bitcoin which infact reward swarm behavior, instead of punish it.
DNS is decentralized, There are 8 root name servers globally distributed and operated by different entities. Whatever you think the problem is there is no amount of "decentralizing" that could be done to address the issues you have seen today.
Well, the attacks right now aim at only one infrastructure provider. If all their customers had a randomly picked second provider set up as well the attackers would have to attack those providers as well. Although it would be interesting to see what scale the current attacks have compared to the theoretically possible, and how well the wider DNS system could cope.
I wonder if there would be a way to allow for multiple NS records for a given domain, but still maintain the idea of ownership over that domain by a single party. Like right now I need to have a single registrar put an entry for my NS records into their DNS database, but if the registrar goes down no one will find my NS records. However if someone else was allowed to host my NS records how could I update them and still prove that they all only point to my name servers.
My own domain is hosted on two completely separate providers, with my own DNS server acting as a hidden master, with DNSSEC signing to minimize the possibility of shenanigans. I can have any number of replicas on any number of networks.
The issue comes when you have to depend on a single service. When you're using traffic management from NS1 or content delivery from CloudFlare, then you have no choice but to use a single DNS provider. Unless they have some special service for whoever pays enough.
How exactly did you set up this fail over scheme? You run your own instance of bind. And I'm amusing your listing your domains NS records as your own, and another parties (e.g. cloudflare, etc)?
I’m not running BIND. I got tired of that program. Right now I’m using PowerDNS. Quite a bit overkill, but that server is extremely lightly loaded.
I’m not using CloudFlare, either. That’s the point. If I use CloudFlare CDN, then I depend on CloudFlare’s DNS servers.
The way it works is that DNS servers often have a master/slave relationship. The master sends all the records to the slave once in a while. What you’re supposed to do is list your own server and another server as two separate NS records, and then any client can contact either server for any record. What I’m doing is a hidden master setup. Neither NS record refers to the master, but both point to separate slaves.
There are some downsides. You must assume that any record is public, not private. DNSSEC white lies[0] (and black lies[1]) are not available. And it’s more difficult to use a CDN. But I’m not running a web site right now, so that doesn’t matter to me.
I know it doesn't compete with DNS directly, but the addressing in IPFS[1] is a game changer, and the sooner it ships as a recognized protocol in browsers, the better.
Browsers still support dated protocols like FTP[2], which shows you how much browsers need to catch up.
Readit News
NameCoin is a pretty interesting solution as well.
But let's question for a moment whether this is actually an engineering problem. The DNS system is pretty bad; I'm sure that a few of us can come up with a better system in an afternoon. However, these competitors have failed to take hold.
It's probably mostly a social or political issue. One of the things that I think is important is to start making internet architecture issues the subject of conversation at the dinner table, at town hall meetings, and just in everyday life. We need to ignite a social consciousness around the internet and its ways. We need strong, determined will to do better.
I mean if we really wanted to DDOS Cloudflare, we just exhaustively gather all the raw APEX/Naked IPs of their edge nodes then stress them, but I imagine Cloudflare doesn't advertise their list of IPs and they're closely guarded, so attackers are left in the dark. But such an attack is plausible.
What we do need are antifragile protocols like BitTorrent/IPFS/Bitcoin which infact reward swarm behavior, instead of punish it.
The issue comes when you have to depend on a single service. When you're using traffic management from NS1 or content delivery from CloudFlare, then you have no choice but to use a single DNS provider. Unless they have some special service for whoever pays enough.
I’m not using CloudFlare, either. That’s the point. If I use CloudFlare CDN, then I depend on CloudFlare’s DNS servers.
The way it works is that DNS servers often have a master/slave relationship. The master sends all the records to the slave once in a while. What you’re supposed to do is list your own server and another server as two separate NS records, and then any client can contact either server for any record. What I’m doing is a hidden master setup. Neither NS record refers to the master, but both point to separate slaves.
There are some downsides. You must assume that any record is public, not private. DNSSEC white lies[0] (and black lies[1]) are not available. And it’s more difficult to use a CDN. But I’m not running a web site right now, so that doesn’t matter to me.
[0] https://blog.cloudflare.com/dnssec-complexities-and-consider...
[1] https://blog.cloudflare.com/black-lies/
Browsers still support dated protocols like FTP[2], which shows you how much browsers need to catch up.
[1] https://blog.acolyer.org/2015/10/05/ipfs-content-addressed-v...
[2] https://en.wikipedia.org/wiki/Ftp#Web_browser_support
I wrap Route53 via git at https://dns-api.com/ and I'm in the process of supporting other back-ends to help automate this process.