
OnionDNS: a seizure-resistant top-level domain

  • Regular Contribution
International Journal of Information Security

Abstract

The Domain Name System (DNS) provides the critical service of mapping canonical names to IP addresses. Recognizing this, a number of parties have increasingly attempted to perform “domain seizures” on targets by having them delisted from DNS. Such operations often occur without providing due process to the owners of these domains, a practice made potentially worse by recent legislative proposals. We address this problem by creating OnionDNS, an anonymous top-level domain and resolution service for the Internet. Our solution relies on the establishment of a hidden service running DNS within Tor and uses a variety of mechanisms to ensure a high-performance architecture with strong integrity guarantees for resolved records. We then present our anonymous domain registrar and detail the protocol for securely transferring the service to another party. Finally, we also conduct both performance and legal analyses to further demonstrate the robustness of this approach. In so doing, we show that the delisting of domains from DNS can be mitigated in an efficient and secure manner.



Notes

  1. Our solution neither requires nor requests endorsement or support from ICANN.

  2. OS support for end-to-end DNSSEC validation is growing, and many public resolvers, such as those operated by Google and Comcast, currently perform DNSSEC validation. Because this top-level domain is not delegated from the ICANN root, its records cannot be validated through the root's chain of trust; a validating resolver or stub must instead hold the zone's public key as a locally configured trust anchor.

  3. This type of privacy service is common among domain registrars, where a customer may be charged a service fee to obscure the domain’s WHOIS information.
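As an added worked example (it is not code from the paper or from the OnionDNS implementation), the following Go program shows the record-integrity mechanism that the abstract and note 2 rely on: an A RRset for a name under a hypothetical, undelegated top-level domain `tld.` is signed DNSSEC-style (RFC 4034 canonical form and signed data, Ed25519 as DNSSEC algorithm 15 per RFC 8080) and then validated against the zone's DNSKEY held as a local trust anchor, which is the only chain of trust available when the TLD does not hang off the ICANN root. The zone name, owner name, addresses, timestamps and the `Demo` function are constructed for this example and are not taken from the paper; the validator goes slightly beyond the basic check by also rejecting a tampered RRset and an expired signature, and it does not handle wildcard expansion or NSEC denial of existence.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
	"sort"
	"strings"
)

// A RRtype, IN class, KSK/SEP DNSKEY flags, and the Ed25519 DNSSEC algorithm number (RFC 8080).
const typeA, classIN, kskFlags, algEd25519 = uint16(1), uint16(1), uint16(257), uint8(15)

func be16(v uint16) []byte { b := make([]byte, 2); binary.BigEndian.PutUint16(b, v); return b }
func be32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

func labels(name string) []string {
	if name = strings.TrimSuffix(name, "."); name == "" {
		return nil
	}
	return strings.Split(name, ".")
}

// wireName encodes a name in canonical lowercase wire format (RFC 4034 section 6.2).
func wireName(name string) []byte {
	var out []byte
	for _, l := range labels(name) {
		out = append(append(out, byte(len(l))), strings.ToLower(l)...)
	}
	return append(out, 0)
}

// keyTag is the RFC 4034 Appendix B checksum over DNSKEY RDATA.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint((i+1)&1)) // even offsets are the high byte
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// RRSIGMeta holds the RRSIG RDATA fields that precede the signature itself.
type RRSIGMeta struct {
	TypeCovered, KeyTag            uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	Signer                         string
}

// signedData is what an RRSIG covers (RFC 4034 s3.1.8.1): RRSIG RDATA minus signature, then each RR in canonical form sorted by RDATA.
func signedData(m RRSIGMeta, owner string, addrs []net.IP) []byte {
	data := append(be16(m.TypeCovered), m.Algorithm, m.Labels)
	for _, v := range []uint32{m.OrigTTL, m.Expiration, m.Inception} {
		data = append(data, be32(v)...)
	}
	data = append(append(data, be16(m.KeyTag)...), wireName(m.Signer)...)
	rdatas := make([][]byte, 0, len(addrs))
	for _, ip := range addrs {
		rdatas = append(rdatas, []byte(ip.To4()))
	}
	sort.Slice(rdatas, func(i, j int) bool { return bytes.Compare(rdatas[i], rdatas[j]) < 0 })
	for _, rd := range rdatas {
		data = append(append(data, wireName(owner)...), be16(typeA)...)
		data = append(append(data, be16(classIN)...), be32(m.OrigTTL)...)
		data = append(append(data, be16(uint16(len(rd)))...), rd...)
	}
	return data
}

// validateRRset checks an A RRset and its RRSIG against a local trust anchor (DNSKEY RDATA); wildcard expansion is rejected, not handled.
func validateRRset(anchor []byte, now uint32, m RRSIGMeta, sig []byte, owner string, addrs []net.IP) bool {
	if len(anchor) != 4+ed25519.PublicKeySize || anchor[2] != 3 || anchor[3] != algEd25519 ||
		m.Algorithm != algEd25519 || m.TypeCovered != typeA || m.KeyTag != keyTag(anchor) ||
		now < m.Inception || now > m.Expiration || m.Labels != uint8(len(labels(owner))) {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(anchor[4:]), signedData(m, owner, addrs), sig)
}

// Demo signs a constructed RRset under the hypothetical TLD "tld." and reports whether the genuine, tampered and expired cases validate.
func Demo() (genuineOK, tamperedOK, expiredOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// DNSKEY RDATA (flags, protocol 3, algorithm, key): what a validating stub would hold as its anchor.
	anchor := append(append(be16(kskFlags), 3, algEd25519), pub...)
	owner := "www.example.tld." // constructed owner name, not one taken from the paper
	addrs := []net.IP{net.ParseIP("192.0.2.10"), net.ParseIP("192.0.2.5")}
	m := RRSIGMeta{TypeCovered: typeA, KeyTag: keyTag(anchor), Algorithm: algEd25519, Signer: "tld.",
		Labels: uint8(len(labels(owner))), OrigTTL: 300, Inception: 1700000000, Expiration: 1700003600}
	sig := ed25519.Sign(priv, signedData(m, owner, addrs))
	genuineOK = validateRRset(anchor, 1700001000, m, sig, owner, addrs)
	tamperedOK = validateRRset(anchor, 1700001000, m, sig, owner, []net.IP{net.ParseIP("198.51.100.1"), addrs[1]})
	expiredOK = validateRRset(anchor, 1700010000, m, sig, owner, addrs)
	return
}

func main() { fmt.Println(Demo()) }
```

The point to take from the validator is that the key tag, algorithm and validity window are checked before the signature, and that the trust anchor is supplied by configuration rather than fetched: a resolver that forwards queries for the TLD into Tor still has to be told, out of band, which DNSKEY to trust.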

Acknowledgements

The authors would like to thank an anonymous contributor for inspiration and assistance with the development of this system. This work was supported in part by the US National Science Foundation under Grant Number CNS-1464088. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF.

Author information

Correspondence to Nolen Scaife.

Cite this article

Scaife, N., Carter, H., Lidsky, L. et al. OnionDNS: a seizure-resistant top-level domain. Int. J. Inf. Secur. 17, 645–660 (2018). https://doi.org/10.1007/s10207-017-0391-z
