CryptoDNS--Should We Worry?
When the Internet was still ARPANET, hostnames were converted to numerical addresses using a hosts.txt file stored locally on each computer. This system evolved into today's hierarchical domain name system (DNS). Namecoin is a new--and old--alternative to DNS: it relies on a locally stored file, like the hosts.txt file, but the file is a blockchain, similar to that used in Bitcoin financial transactions. This cryptoDNS offers anonymity, security, and resistance to censorship--features that make it attractive to privacy advocates and criminals alike.
Modern DNS: Centralized and Distributed
DNS was developed as a way to manage the growing number of hostnames for computers connected to the early ARPANET. Initially, connected computers were identified by numeric addresses, now known as IP addresses, which were quickly replaced by mnemonic hostnames. Hostnames were more easily remembered, and they improved reliability by allowing network-aware programs to ignore a computer's changeable numeric address in favor of a stable mnemonic. Network communication was achieved by means of a hosts.txt file, which was located on each computer and mapped a computer's numeric address to the associated hostname.
As ARPANET grew and scalability became an issue, the local hosts.txt file was replaced with a hierarchical domain concept that replaced "hostname" with "hostname.domain." Simply put, when a computer looks up the address for, say, kb.cert.org, it first asks the .org top-level-domain server for the IP address of the cert.org domain, and then it asks the cert.org server for the IP address of the site kb.cert.org. Modern DNS is both centralized and distributed: top-level domains are centrally managed by ICANN/IANA, and DNS servers are distributed the world over. Domain names are issued by registrars, who collect and publish information about the domain owner. This system provides a measure of accountability: ICANN/IANA or registrars can act on reports of abuse, often in collaboration with law enforcement.
Holding abusers accountable is a game of cat and mouse. For example, botnets can hide the domains for phishing and malware delivery sites behind a rapidly rotating collection of compromised hosts. If a host's IP address gets blocked by network defenders, there are still other addresses associated with the domain in the rotation. One way to counteract botnets and other malware is to introduce a sinkhole server, like the one that trapped the WannaCry ransomware. A sinkhole is a DNS server that has been configured to return a non-routable IP address for certain domains. The higher up in the DNS hierarchy a sinkhole server is placed, the more clients it will serve and the more effectively it will stop malicious traffic. A sinkhole server in a top-level domain can completely take down a large botnet, as in the case of Avalanche.
CryptoDNS: Blockchain Replaces Hosts.txt
Namecoin is a cryptoDNS that replaces the ARPANET hosts.txt concept with a version of the Bitcoin blockchain. The top-level domain is .bit, which is not recognized by ICANN/IANA and thus decentralized, and domains are anonymously registered into the Namecoin blockchain rather than publicly with registrars. Similar to the way Bitcoin works with financial transactions, Namecoin uses a distributed peer-to-peer system to validate the DNS information in its blockchain, and a complete account of all domains that were registered and modified is available. When an application needs to convert a domain to an IP address, it queries the blockchain, similar to the way the first computers used the hosts.txt file.
In practice, dot-bit domains are resolved using either a web proxy, a browser plugin, public DNS, or a local DNS server. The first three methods are easiest, but the traffic passes through a third party, making it less private and less secure. Running a local DNS server realizes the full potential of cryptoDNS:
- Anonymity is as good as the domain owner's operational security.
- The domain is resistant to censorship: it can't be sinkholed, and if a website is taken down, the domain owner can ultimately make the site viewable worldwide again in 40 minutes.
- It is immune to man-in-the-middle attacks because the DNS traffic is local, and domain hijacking is impossible because changes require the owner-managed cryptographic key.
These features make cryptoDNS very attractive to privacy advocates. Of course, these same features also make cryptoDNS attractive to criminals.
For example, Namecoin domains have been leveraged in the Chthonic, Smoke Loader, Backdoor.Teamviewer, Necurs, Shifu, and TinyNuke malware campaigns. None of these campaigns took full advantage of cryptoDNS: they all relied on a public DNS provider to translate a dot-bit domain into the IP address for a command-and-control server. Blockchain anonymity means that identifying these criminals depends on finding holes in their operational security, such as from the domain registration with the public DNS provider or sloppy updates to the blockchain itself. Censoring their domains requires the cooperation of the DNS server's owner, and only a small minority of the public DNS providers that resolve crypto-domains enforce blacklisting. These malware campaigns are not bullet proof, but they are bullet resistant.
The Future of CryptoDNS
Future iterations of Namecoin will resolve domains without downloading and processing the blockchain, improve anonymity by implementing Zerocoin, and provide better privacy by encrypting the domain owner's data. These improvements will make dot-bit DNS more attractive to criminals. Malware is already using compromised machines to mine Bitcoin, so it's plausible to run a local DNS server on a compromised host to take full advantage of cryptoDNS. The catch is that the attacker must change the DNS settings on the compromised server--activity that defenders should notice. Then again, malware makes changes to compromised machines all the time, and these changes go unnoticed. CryptoDNS might yet provide attackers with bullet-proof resolution of IP addresses.
Get updates on our latest work.
Sign up to have the latest post sent to your inbox weekly.
Subscribe Get our RSS feedGet updates on our latest work.
Each week, our researchers write about the latest in software engineering, cybersecurity and artificial intelligence. Sign up to get the latest post sent to your inbox the day it's published.
Subscribe Get our RSS feed