This is a more accurate description IMO. However DNS does not have to be that way. Before DNS there used to be file sharing of all the data via a single file in the simple "HOSTS file" format. Then there was a feature in DNS for sharing all the data of each nameserver, in a "zone file" format. With network bandwidth as it is today, sharing of data in bulk could be quite useful to make DNS more peer-to-peer-like. People still share data, e.g., block lists. But, practically speaking, everyone running a nameserver connected to the public internet disables axfr. Also, in my view peer-to-peer supernodes do not monitor or forward all data, they only maintain address information of the peers (rendezvous as you say). DNS, as it is implemented on the public internet, is rife with passive monitoring as all data flows through centralised points in the tree. Leaves, at the network's edge, are expected to be "dumb", needing to make hundreds of single requests for the same information, 365 days per year, even when the majority of it is relatively static. Every query and response packet contains a seemingly useless "Query" field that never varies from "1". There's no pipelining (when using TCP) or packets containing more than one query. From what I understand there was interest in so-called "P2P DNS" in reaction to various incidents of censorship via the centralised points in the tree. If the leaves were truly connected as "peers", and sharing the database data directly "peer to peer", then we might have better protections against censorship. Incidentally, "DNSSEC", as advertised, appears to anticipate centralisation and usage as a CA-like system where peers at the network edge are not only dumb but incapable of verifying messages themselves without involvement of third parties. In contrast, encrypting DNS packets requires no third party assistance. It can be done by peers all by themselves. A client can encrypt queries and a nameserver can encrypt replies.
Well suited to peer-to-peer style usage of DNS. Bulk DNS data can be rsync'd between peers over SSH, or perhaps mrsync'd among groups of peers. There is "DNS" as implemented so far and then there is "what's possible" using DNS. Peer to peer sharing of the data is hardly far-fetched. But it does not yet seem to have caught on outside of small groups doing passive monitoring, blocking and other manipulation.
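Added example, not part of the comment above: a minimal Python encoder/decoder for the RFC 1035 DNS header and question section, plus a parser for a constructed response. It makes the "Query" field concrete: it is the 16-bit QDCOUNT header field, which is 1 in every query a real resolver sends even though the wire format can encode any count (`build_query` takes a list of names to show this; RFC 9619 now formally limits QDCOUNT to 0 or 1 for ordinary queries). The name example.com, the transaction ID 0x1234 and the RFC 5737 documentation address 192.0.2.1 are illustrative assumptions, and `SAMPLE_RESPONSE` is constructed inline rather than captured from a server.

```python
import struct

# Added example (not code from the original comment): a minimal RFC 1035
# encoder/decoder for the DNS header and question section, plus a parser for
# a constructed A-record response. Names and addresses are illustrative.

QTYPE_A = 1
QCLASS_IN = 1
HEADER_LEN = 12


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero octet."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue  # the root name "." has no labels
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_name(msg, offset):
    """Decode a name at offset, following 0xC0 compression pointers.

    Returns (name, offset_after_name). When a pointer was followed, the
    returned offset is the position just after the first pointer.
    """
    labels = []
    end = None
    seen = set()
    while True:
        if offset in seen:
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-octet pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_header(msg):
    """Unpack the fixed 12-octet header; QDCOUNT is the 'Query' count field."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than DNS header")
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {
        "id": txn_id,
        "qr": flags >> 15,            # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,       # recursion desired
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_query(txn_id, names, qtype=QTYPE_A, rd=True):
    """Build a standard query; QDCOUNT is simply len(names).

    Real resolvers send one name per message, so QDCOUNT is 1 on the wire,
    even though the header field itself can carry any 16-bit count.
    """
    flags = 0x0100 if rd else 0x0000  # QR=0, OPCODE=0 (QUERY), RD bit
    header = struct.pack("!HHHHHH", txn_id, flags, len(names), 0, 0, 0)
    body = b"".join(encode_name(n) + struct.pack("!HH", qtype, QCLASS_IN)
                    for n in names)
    return header + body


def parse_message(msg):
    """Parse header, question section and answer section into a dict."""
    hdr = parse_header(msg)
    offset = HEADER_LEN
    questions = []
    for _ in range(hdr["qdcount"]):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(hdr["ancount"]):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # render IPv4 dotted quad
        answers.append((name, rtype, rclass, ttl, rdata))
    return {"header": hdr, "questions": questions, "answers": answers}


# Constructed sample response (not captured from a real server), answering the
# query for example.com with the RFC 5737 documentation address 192.0.2.1.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)       # QR=1, RD, RA, NOERROR
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c"                                            # pointer to the name at offset 12
    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query(0x1234, ["example.com"])
    print(len(q), "byte query, QDCOUNT =", parse_header(q)["qdcount"])
    print(parse_message(SAMPLE_RESPONSE)["answers"])
```

The parser deliberately tracks visited offsets in `decode_name`, since a malicious response can contain a compression pointer that points at itself and would otherwise loop forever.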