Abstract
The Domain Name System (DNS) provides the critical service of mapping canonical names to IP addresses. Recognizing this, a number of parties have increasingly attempted to perform “domain seizures” on targets by having them delisted from DNS. Such operations often occur without providing due process to the owners of these domains, a practice made potentially worse by recent legislative proposals. We address this problem by creating OnionDNS, an anonymous top-level domain and resolution service for the Internet. Our solution relies on the establishment of a hidden service running DNS within Tor and uses a variety of mechanisms to ensure a high-performance architecture with strong integrity guarantees for resolved records. We then present our anonymous domain registrar and detail the protocol for securely transferring the service to another party. Finally, we also conduct both performance and legal analyses to further demonstrate the robustness of this approach. In so doing, we show that the delisting of domains from DNS can be mitigated in an efficient and secure manner.
Similar content being viewed by others
Notes
Our solution neither requires nor requests endorsement or support from ICANN.
OS support for end-to-end DNSSEC validation is growing and many public resolvers, such as Google and Comcast, currently perform DNSSEC validation.
This type of privacy service is common among domain registrars, where a customer may be charged a service fee to obscure the domain’s WHOIS information.
References
112th Congress of the United States of America. H.R. 3261—Stop Online Piracy (SOPA) Act. http://thomas.loc.gov/cgi-bin/query/z?c112:H.R.3261: (2011)
112th Congress of the United States of America. Senate Bill 986—Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PIPA). http://thomas.loc.gov/cgi-bin/query/z?c112:S.968: (2011)
Alexa. Top 1,000,000 Sites. http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
Anderson, R., et al.: The eternity service. In: Pragocrypt96, pp. 242–252 (1996)
Androulaki, E., Karame, G., Roeschlin, M., Scherer, T., Capkun, S.: Evaluating user privacy in bitcoin. IACR Cryptol. ePrint Arch. 2012, 596 (2012)
Anonymous: The collateral damage of internet censorship by DNS injection. ACM SIGCOMM Comput. Commun. Rev. 42(3), 21–27 (2012)
Asia Pacific Network Information Centre Labs. Measuring DNSSEC performance. http://labs.apnic.net/?p=341 (2013)
Awerbuch, B., Scheideler, C.: Group spreading: a protocol for provably secure distributed name service. Autom. Lang. Program. 3142, 187–210 (2004)
Babaioff, M., Dobzinski, S., Oren, S., Zohar, A.: On bitcoin and red balloons. In: Proceedings of the 13th ACM Conference on Electronic Commerce, pp. 56–73. ACM (2012)
Bambauer, D.E.: Orwell’s armchair. Univ. Chic. Law Rev. 79(3), 863–944 (2012)
Biryukov, A., Pustogarov, I., Weinmann, R.-P.: Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization, IEEE (2013)
Bogetoft, P., Christensen, D.L., Damgård, I., Geisler, M., Jakobsen, T., Krøigaard, M., Nielsen, J.D.,Nielsen, J.B., Nielsen, K., Pagter, J., et al.: Secure multiparty computation goes live. In: Financial Cryptography and Data Security, pp. 325–343. Springer, Berlin (2009)
Boyle, J.: Foucault in cyberspace: surveillance, sovereignty, and hardwired censors. Univ. Cincinnati Law Rev. 66, 177 (1997)
Carter, H., Mood, B., Traynor, P., Butler, K.: Secure outsourced garbled circuit evaluation for mobile devices. In: Proceedings of the USENIX Security Symposium (2013)
Chaitovitz, A., Hampton, C., Rosenbaum, K., Salem, A., Stoll, T., Tramposch, A.: Responding to online piracy: mapping the legal and policy boundaries. Comm. Law Conspec. 20(1), 1–40 (2012)
Cheriton, D.R., Mann, T.P.: Decentralizing a global naming service for improved performance and fault tolerance. ACM Trans. Comput. Syst. 7(2), 147–183 (1989)
Clarke, I., Sandberg, O., Wiley, B., Hong, T.: Freenet: a distributed anonymous information storage and retrieval system. In: Designing Privacy Enhancing Technologies, pp. 46–66. Springer, Berlin (2001)
Cox, R., Muthitacharoen, A., Morris, R.: Serving DNS using a peer-to-peer lookup service. Peer-to-Peer Syst. 2429,155–165 (2002)
Cranor, L.F., LaMacchia, B.A.: Spam!. Commun. ACM 41(8), 74–83 (1998)
D. E. 3rd.Transport Layer Security (TLS) Extensions: Extension Definitions. RFC 6066 (Proposed Standard) (2011)
Dingledine, R.: Obfsproxy: the next step in the censorship arms race. Tor Project official blog (2012)
Dingledine, R., Freedman, M., Molnar, D.: The free haven project: distributed anonymous storage service. In: Designing Privacy Enhancing Technologies, pp. 67–95. Springer, Berlin (2001)
Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. Technical report, DTIC Document (2004)
Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Advances in Cryptology, pp. 139–147. Springer, Berlin (1993)
Eastlake, D.E., et al.: Domain Name System Security Extensions, IETF (1999)
Electronic Frontier Foundation. Anti-Counterfeiting Trade Agreement (ACTA). http://www.eff.org/issues/acta (2012)
Feamster, N., Balazinska, M., Harfst, G., Balakrishnan, H., Karger, D.: Infranet: circumventing web censorship and surveillance. In: Proceedings of the 11th USENIX Security Symposium, pp. 247–262. San Francisco, CA (2002)
Fischer, B.R.: OnionCat: a Tor-based anonymous VPN. In: Proceedings of the 25th Chaos Communication Congress (2008)
Froomkin, A.M.: Wrong turn in cyberspace: using ICANN to route around the APA and the constitution. Duke Law J. 50(1), 17–186 (2000)
Henkin, L.: Restatement of the Law, Third: The Foreign Relations Law of the United States. American Law Institute-American Bar Association (ALI-ABA) (1987)
Internet Systems Consortium. http://www.isc.org/downloads/bind/
Johnson, A., Wacek, C., Jansen, R., Sherr, M., Syverson, P.: Users get routed: traffic correlation on Tor by realistic adversaries. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2013)
Juels, A., Brainard, J.G.: Client puzzles: a cryptographic countermeasure against connection depletion attacks. NDSS 99, 151–165 (1999)
Kamara, S., Mohassel, P., Riva, B.: Salus: a system for server-aided secure function evaluation. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2012)
Karame, G., Androulaki, E., Capkun, S.: Two bitcoins at the price of one? Double-spending attacks on fast payments in bitcoin. IACR Cryptol. ePrint Arch. 2012, 248 (2012)
Kolkman, O., Gieben, M.: RFC 4161 DNSSEC Operational Practices (2006)
Kopel, K.: Operation seizing our sites: how the federal government is taking domain names without prior notice. Berkeley Technol. Law J. 28, 859–900 (2013)
Laurie, B., Clayton, R.: “Proof-of-Work” proves not to work; version 0.2. In: Workshop on Economics and Information, Security (2004)
Lee, T.B.: ICE Admits Year-long Seizure of Music Blog was a Mistake. http://arstechnica.com/tech-policy/2011/12/ice-admits-months-long-seizure-of-music-blog-was-a-mistake/ (2011)
Mann, F.A.: The Doctrine of International Jurisdiction Revisited After Twenty Years (1984)
Mestdagh, C.D.V., Rijgersberg, R.W.: Rethinking accountability in cyberspace: a new perspective on ICANN. Int. Rev. Law Comput. Technol. 21(1), 27–38 (2007)
Microsoft.Dnssec performance considerations.http://technet.microsoft.com/en-us/library/dn593667(v=ws.11).aspx (2014)
Microsoft Corporation. Microsoft Corporation v. Dominique Alexander Piatti; Jone Does1-22.2011. Virginia Eastern District Court
Microsoft Corporation. Microsoft Corporation v. Peng Yong et. al. 2012. Virginia Eastern District Court
Microsoft Corporation.Microsoft v. John Does 1-39. 2012. New York Eastern District Court
Miers, I., Garman, C., Green, M., Rubin, A.D: Zerocoin: anonymous distributed E-cash from bitcoin. In: IEEE Symposium on Security and Privacy (2013)
Mittal, P., Khurshid, A., Juen, J., Caesar, M., Borisov, N.: Stealthy traffic analysis of low-latency anonymous communication using throughput fingerprinting. In: Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM, pp. 215–226 (2011)
Mody, S.S.: National cyberspace regulation: unbundling the concept of jurisdiction. Stan. J. Int. 37, 365 (2001)
Namecoin was stillborn, I had to switch off life-support. http://bitcointalk.org/index.php?topic=310954 (archived at http://www.webcitation.org/6KXauX8uC)
Namecoin, http://namecoin.info/ (2015)
Nadji, Y., Antonakakis, M., Perdisci, R., Dagon, D., Lee, W.: Beheading hydras: performing effective botnet takedowns. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2013)
Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system. Consulted 1, 2012 (2008)
Naraine, R.: Massive DDoS attack hit DNS root servers. http://www.internetnews.com/dev-news/article.php/1486981 (2002)
Order, puerto 80 projects, s.l.u. v united states. http://www.eff.org/files/rojadirectaorder.pdf (2011)
Overlier, L., Syverson, P.: Locating hidden servers. In: 2006 IEEE Symposium on Security and Privacy, p. 15. IEEE (2006)
Panzarino, M.: Syrian Electronic Army Apparently Hacks DNS Records Of Twitter, NYT Through Registrar Melbourne IT. http://techcrunch.com/2013/08/27/syrian-electronic-army-apparently-hacks-dns-records-of-twitter-new-york-times-through-registrar-melboune-it/ (2013)
Pappas, V., Massey, D., Terzis, A., Zhang, L.: A comparative study of the dns design with DHT-based alternatives. In: Proceedings of the IEEE INFOCOM 2006, 25th IEEE International Conference on Computer Communications, pp. 1–13 (2006)
Park, K., Pai, V., Peterson, L., Wang, Z.: CoDNS: Improving DNS Performance and Reliability via Cooperative Lookups. In: OSDI, pp. 199–214 (2004)
Piscitello, D.: Anatomy of a DNS DDoS Amplification Attack. http://www.watchguard.com/infocenter/editorial/41649.asp (2011)
Poole, L., Pai, V.: ConfiDNS: leveraging scale and history to improve DNS security. In: Proceedings of the WORLDS (2006)
Ramasubramanian, V., Sirer, E.: The design and implementation of a next generation name service for the internet. ACM SIGCOMM Comput. Commun. Rev. 331, 331–342 (2004)
Scaife, N., Carter, H., Traynor, P.: OnionDNS: a seizure-resistant top-level domain. In: Proceedings of the IEEE Conference on Communications and Network Security (CNS) (2015)
Song, Y., Koyanagi, K.: Study on a hybrid P2P based DNS. In: 2011 IEEE International Conference on Computer Science and Automation Engineering, pp. 152–155 (2011)
The List Of Sites Challenging Domain Seizures. http://www.techdirt.com/articles/20110612/21573514664/list-sites-challenging-domain-seizures.shtml
Testimony of John Morton, Director, U.S. Immigration and Customs Enforcement, Before the U.S. House of Representatives Committee on the Judiciary, Subcommittee on Intellectual Property, Competition and the Internet on “Promoting Investment and Protecting Commerce Online: Legitimate Sites v. Parasites, Part II”. http://www.dhs.gov/news/2011/04/05/testimony-john-morton-director-us-immigration-and-customs-enforcement-promoting (2011)
TorrentFreak.U.S. Government Shuts Down 84,000 Websites, ‘By Mistake’. http://torrentfreak.com/u-s-government-shuts-down-84000-websites-by-mistake-110216/
U.S. Copyright Office. Circumvention of copyright protection systems. http://copyright.gov/title17/92chap12.html (2015)
van Rijswijk-Deij, R., Sperotto, A., Pras, A.: Making the case for elliptic curves in DNSSEC. SIGCOMM Comput. Commun. Rev. 45(5), 13–19 (2015)
Waldman, M., Mazieres, D.: Tangler: a censorship-resistant publishing system based on document entanglements. In: Proceedings of the 8th ACM conference on computer and communications security, pp. 126–135. ACM (2001)
Waldman, M., Rubin, A.D., Cranor, L.F.: Publius: a robust, tamper-evident, censorship-resistant, web publishing system. In: 9th USENIX Security Symposium, pp. 59–72 (2000)
Wang, Q., Gong, X., Nguyen, G.T., Houmansadr, A., Borisov, N.: CensorSpoofer: asymmetric communication using IP spoofing for censorship-resistant web browsing. In: Proceedings of the 2012 ACM conference on Computer and Communications Security, pp. 121–132. ACM (2012)
Wang, X., Reiter, M.K.: Defending against denial-of-service attacks with puzzle auctions. In: Proceedings of the 2003 Symposium on Security and Privacy, 2003, pp. 78–92. IEEE (2003)
Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: improving SSH-style host authentication with multi-path probing. In: USENIX annual technical conference, pp. 321–334. static.usenix.org (2008)
Yadron, D.: Syrian Electronic Army’s Alleged Attacks Expose Soft Spot. http://online.wsj.com/news/articles/SB10001424127887324009304579040900023429122 (2013)
Acknowledgements
The authors would like to thank an anonymous contributor for inspiration and assistance with the development of this system. This work was supported in part by the US National Science Foundation under Grant Number CNS-1464088. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Scaife, N., Carter, H., Lidsky, L. et al. OnionDNS: a seizure-resistant top-level domain. Int. J. Inf. Secur. 17, 645–660 (2018). https://doi.org/10.1007/s10207-017-0391-z
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-017-0391-z