How does Dappy avoid DNS hacks

Raphaël — Fabco
4 min read · Nov 22, 2019

Dappy is a decentralized distribution network for files and web applications. Its goal is to be an open platform through which people or companies can distribute files or link a name to some private server. Dappy does not use the DNS system nor certificate authorities; it does the same job, but the service is performed by a decentralized network instead of centralized services. One of the problems the DNS has, and one of the reasons we developed Dappy, is the exposure to DNS hacking and phishing that any website has today; Dappy aims to greatly reduce that risk. In this article we will focus on the nature of DNS hacks, and on how the Dappy system avoids them.

DNS hacks are any kind of malicious operation whose goal is to prevent a DNS server from doing its work properly. A DNS server (let’s say the one responsible for *.fr* domain names) is queried by all sorts of agents (browsers, operating systems, etc.). Most of the requests are DNS lookup requests: the agents simply want to know the IP address that corresponds to a given domain name (like *pizza.fr*). A hacker might want to redirect the clients to his server instead of the server of the legitimate owner of *pizza.fr*. For serious businesses or organizations, this sort of hack results in enormous losses, and often in damage to the brand image too.

We will not go into the technical principles of how DNS resolution works and how hackers do their tricks. The main point to keep in mind is that an operating system, or a web browser, points to a given DNS server (Cloudflare’s is at 1.1.1.1, for example). This server is the entry point, the ultimate source of truth for the agents who rely on it: every DNS lookup may be addressed to this server, it propagates the request to the right servers, and then replies to the client when the final IP is known.

In order to understand how the Dappy system makes it impossible (or at least very much more difficult) for hackers to hack the name system, we must introduce the Dappy name system. Dappy includes a name system on the blockchain: all the work that companies do today for domain name purchase, renewal and reselling is handled by a decentralized smart contract platform. Of course a name, if available, may be booked by anyone, thus becoming a property guaranteed by cryptography.

In the domain name system, a given server (or service) is responsible for an extension. *.fr* domain names, for example, are handled by the AFNIC (see this IANA whois page). In Dappy there is also a network of agents that are independent of one another, but, on the contrary, there is no split of the responsibility. This is the key part: every member of the Dappy network is co-authoritative for name resolution. The blockchain being a replicated database, each server should share the same state and so respond with exactly the same thing to the same query. The clients, instead of relying on a given server for name resolution (remember our example above), rely on many agents independent of one another.

The clients of the Dappy system don’t do single lookup requests; they do multi-requests. Instead of asking a centralized server they ask a network of computers, and this is what makes the Dappy paradigm decentralized and robust. A hacker who wants to fool the clients would have to make a whole network unable to perform its work, which is very much more complicated than taking down or fooling a single DNS server. The Dappy browser includes a consensus layer, allowing it not to trust any given service, and so this name system does not have a single point of failure.

Let’s say a client wants to access the resource *pizza*. The Dappy browser will send a lookup request to every single network member (let’s say 20 members). The strictest configuration would be to consider the lookup operation as failed if any single response differs from the others (100% accuracy). But we do want some room for unusual behavior, so let’s say an accuracy of 80% is a good setting. Every time a client wants to load a website, all the Dappy network members will be queried, and at least 80% of them have to give the same answer for the lookup to be successful, and for the client to go on browsing the web. (Is it still the web, though?)

The numbers don’t matter; they are an implementation/design issue. What matters is the general paradigm, which differs very much from the DNS, which is built around a centralized and regulatory state of mind (one that, by the way, has obvious advantages over a decentralized system in some cases). Dappy integrates and anticipates the possibility of failure (whether from network issues, hacks, malicious behaviour, etc.) of a portion of the network; this is why it has to be decentralized. Dappy clients will never query a single server on the internet to get some data from the blockchain (in our case the name-IP relation); they will always query multiple servers. The Dappy system just relies on a decentralized network of computers being generally available and honest. The only work the members have is to be transparent about the state of a blockchain platform they do not even control.
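To make the multi-request lookup and the 80% accuracy setting from the two paragraphs above concrete, here is an added example of the quorum logic written for this article. It is not Dappy’s own code: the member functions, the IP addresses and the member counts are all constructed for the demonstration, and a real client would of course send the requests over the network in parallel rather than call local functions.

```javascript
// Added example (not Dappy's code): a quorum-based name lookup across N
// independent members. An answer is accepted only when at least `accuracy`
// (a ratio, e.g. 0.8 for the 80% setting) of ALL queried members agree on it.

// Tally one response per queried member. A response is either the IP the
// member answered with, or null when that member failed or timed out.
function tally(responses, accuracy) {
  const counts = new Map();
  for (const r of responses) {
    if (r === null || r === undefined) continue; // failed member: no vote
    counts.set(r, (counts.get(r) || 0) + 1);
  }
  let best = null;
  let bestCount = 0;
  for (const [answer, count] of counts) {
    if (count > bestCount) {
      best = answer;
      bestCount = count;
    }
  }
  // The denominator is the number of members queried, not the number that
  // answered, so unreachable or silent members count against the quorum.
  const share = responses.length === 0 ? 0 : bestCount / responses.length;
  return { answer: share >= accuracy ? best : null, share, counts };
}

// Query every member. A member is modelled as a function name -> ip that
// may throw (network error, timeout); a throw is recorded as a null vote.
function resolveName(name, members, accuracy = 0.8) {
  const responses = members.map((lookup) => {
    try {
      return lookup(name);
    } catch (_err) {
      return null;
    }
  });
  return tally(responses, accuracy);
}

// Constructed sample network (documentation IP ranges, not real hosts).
const HONEST_IP = '203.0.113.10';
const OTHER_IP = '198.51.100.7';

// Build a member list with `honest` members returning HONEST_IP,
// `diverging` members returning a different IP, and `down` members failing.
function makeMembers(honest, diverging, down) {
  const members = [];
  for (let i = 0; i < honest; i++) members.push(() => HONEST_IP);
  for (let i = 0; i < diverging; i++) members.push(() => OTHER_IP);
  for (let i = 0; i < down; i++) {
    members.push(() => {
      throw new Error('timeout');
    });
  }
  return members;
}

// 20 members, 17 agree, 2 diverge, 1 is down: 17/20 = 85% >= 80%, accepted.
const ok = resolveName('pizza', makeMembers(17, 2, 1));
console.log('accepted:', ok.answer, 'share:', ok.share);

// 20 members, 15 agree, 3 diverge, 2 down: 15/20 = 75% < 80%, rejected.
const rejected = resolveName('pizza', makeMembers(15, 3, 2));
console.log('rejected:', rejected.answer, 'share:', rejected.share);
```

One design choice worth noting: the share is computed over the members that were queried, not over the members that answered. If the two down members in the second case were simply dropped from the count, 15 of 18 answers (83%) would pass the 80% bar, so an attacker who can silence a few honest members would need fewer diverging ones to get an answer accepted. Counting silence against the quorum keeps the bar where the article puts it.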

Dappy mainly proposes two different kinds of applications: dapps (decentralized applications) and IP applications. This article, and the name system we described, only considered IP applications. Dapps are another kind of application and will be the topic of a dedicated article in the future.

This article is already long enough; there will of course be other articles giving details about the questions that may arise.

Raphaël

Join us on Discord https://discord.gg/8Cu5UFV
