Replying to ⚡️🌱🌙

One of the biggest weaknesses of nostr is its reliance on local DNS servers, typically residing at 8.8.8.8 or 8.8.4.4 as set up by ISPs.

Essentially this gives every government a single point of failure within its jurisdiction with which to take nostr relays offline, if they desired.

However, the Authoritative DNS servers that serve the DNS root zone are visible on the network and their addresses are in the public domain. They are configured in the DNS root zone as 13 named authorities, as follows.

a.root-servers.net  198.41.0.4, 2001:503:ba3e::2:30  (Verisign, Inc.)
b.root-servers.net  199.9.14.201, 2001:500:200::b  (University of Southern California, Information Sciences Institute)
c.root-servers.net  192.33.4.12, 2001:500:2::c  (Cogent Communications)
d.root-servers.net  199.7.91.13, 2001:500:2d::d  (University of Maryland)
e.root-servers.net  192.203.230.10, 2001:500:a8::e  (NASA, Ames Research Center)
f.root-servers.net  192.5.5.241, 2001:500:2f::f  (Internet Systems Consortium, Inc.)
g.root-servers.net  192.112.36.4, 2001:500:12::d0d  (US Department of Defense, NIC)
h.root-servers.net  198.97.190.53, 2001:500:1::53  (US Army Research Lab)
i.root-servers.net  192.36.148.17, 2001:7fe::53  (Netnod)
j.root-servers.net  192.58.128.30, 2001:503:c27::2:30  (Verisign, Inc.)
k.root-servers.net  193.0.14.129, 2001:7fd::1  (RIPE NCC)
l.root-servers.net  199.7.83.42, 2001:500:9f::42  (ICANN)
m.root-servers.net  202.12.27.33, 2001:dc3::35  (WIDE Project)

It is possible to bypass the local DNS server / recursor and go straight to the DNS root in order to get the IP addresses for relays. This would make nostr even more censorship resistant, but would slow things down. Maybe this could be an anti-censor mode that clients could attempt if they detect all relays are unreachable or if some kind of DNS error is returned?

Also… Anycast should be implemented for reads instead of unicasting. This could massively improve performance by reducing network traffic and relay load when it comes to reads. Relay proxies as proposed by Cameri would allow anycast reads and would vastly reduce the bandwidth requirements of nostr and dramatically reduce the load on each relay.

Unicasting and data duplication should be maintained for writes, with anycast proxies serving reads.

Anycast proxy relays could potentially allow a client to access a vastly greater number of relays and also improve the access surface making nostr more resilient to DDOS.
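As an added illustration of the "go straight to the DNS root" idea in the post above (this is example code, not something from the original post or any nostr client), a minimal iterative resolver: it sends non-recursive UDP queries directly to a root server address from the list, follows each NS referral using the glue addresses supplied with it, and stops when it holds the relay's A records. The root IP comes from the list above; the name `relay.example` and the embedded referral bytes are constructed purely so the parsing logic can be checked offline.

```python
import socket, struct

SAMPLE_REFERRAL = bytes.fromhex(  # constructed (not a real capture): root referral for relay.example A
    "1234 8000 0001 0000 0001 0001"                   # header: QR=1, 1 question, 1 authority, 1 additional
    "05 72656c6179 07 6578616d706c65 00 0001 0001"    # question: relay.example A IN
    "c012 0002 0001 00000e10 0005 02 6e73 c012"       # authority: example NS ns.example (c012 -> "example")
    "02 6e73 c012 0001 0001 00000e10 0004 c0000235")  # additional: ns.example A 192.0.2.53 (glue)

def build_query(name, qtype=1, txid=0x1234):  # flags 0 => RD bit clear: we follow referrals ourselves
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)

def read_name(msg, off):  # decode a possibly compressed name; return (name, offset after it)
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                  # compression pointer into the message
            end = end or off + 2
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return ".".join(labels), (end or off + 1)

def parse_response(msg):  # -> [(section, name, type, rdata)] over answer/authority/additional
    _, _, qd, *counts = struct.unpack(">HHHHHH", msg[:12])
    off, recs = 12, []
    for _ in range(qd): off = read_name(msg, off)[1] + 4            # skip the echoed question
    for section, count in zip(("answer", "authority", "additional"), counts):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            if rtype == 1: rdata = socket.inet_ntoa(rdata)            # A: dotted quad
            elif rtype in (2, 5): rdata = read_name(msg, off + 10)[0]  # NS / CNAME: a (compressed) name
            recs.append((section, name, rtype, rdata))
            off += 10 + rdlen
    return recs

def next_servers(recs):  # final A records if present, else glue addresses of the NS set referred to
    addrs = [r for s, _, t, r in recs if s == "answer" and t == 1]
    ns = {r.lower() for s, _, t, r in recs if s == "authority" and t == 2}
    glue = [r for s, n, t, r in recs if s == "additional" and t == 1 and n.lower() in ns]
    return ("answer", addrs) if addrs else ("referral", glue)

def resolve_from_root(name, servers=("198.41.0.4",)):  # start at a.root-servers.net from the list above
    for _ in range(8):                                             # referral depth limit
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(3)
            s.sendto(build_query(name), (servers[0], 53))          # straight to the authority, no recursor
            kind, servers = next_servers(parse_response(s.recv(4096)))
        if kind == "answer" or not servers:                        # done, or a referral without glue
            return servers or None
```

resolve_from_root needs UDP/53 reachability to the roots, which some networks block, and it chases no CNAMEs, does no TCP fallback or retries, and performs no DNSSEC validation, so a spoofed or injected reply on the path would still be accepted.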

8.8.8.8 and 8.8.4.4 are Google’s public DNS servers, although some ISPs now hand those out rather than running their own DNS. People can run their own DNS server that will do recursive lookups against the root DNS servers, or if they are using a VPN then use their VPN provider’s servers.

Anycast relays would be great, but to do this completely independently without being tied to a specific hosting provider gets very costly, as you need your own IP address space, routers, IP transit services supporting BGP etc. The issue is going to be how to make that viable to operate.


Discussion

Yes I know they are the Google servers. Google are subpoenaed for those logs so often it’s easier for them to just co-locate government assets.

I think it’s OK to use normal DNS service, except in certain countries during times of information clamp down. This is obviously when free information might be most valuable so it makes sense to have resilience against the kinds of oppression that we all have seen before.

For me the big challenge with the Anycast isn’t the technical aspects, it’s how to do it without single entity ownership?

I think we would need multiple sets of anycast relays, run by different organisations or groups based in different jurisdictions. Then if one gets shut down or is forced to remove content, the others can continue to operate.

Also, I’m not sure if you’ve seen this already but I’ve been experimenting with a geographically diverse relay using geo DNS to redirect to the closest server with failover if a server fails. It provides some of the benefits of anycast but not all. I’m considering how this could be made less reliant on a single GeoDNS provider. Details of what I have set up are here:

https://www.austrich.net/austrich-relay/

Haven’t seen that yet. Amazing.

Some reading for me.

exactly - ISPs and BGP can be torn down by law enforcement anywhere - that dependent tech solution won't work

jumping in here because i agree with what i'm seeing, it's highly intelligent and succinct, and yeah.

i've been toying on and off for a number of years with getting my own ripe designation, but the whole process seems just like way too much spotlight, all things considered.

:)

a part of me wonders if something like

servers off the web, can somehow play with servers on the web, but only communicate with the servers off the web in an encrypted thing with a wholly new protocol and translate it to standard syn ack ack ack stuff, but while only partly inventing the wheel, and maintaining a robust functionality.

not a hardware programmer, but the rough idea is the actual infra servers for content would be somehow blind to things ( i just realized how silly this all sounds but i'm in deep with my tired comment so just running with it...)

but those protected servers would still interact with tcp / ip / udp, but perhaps encrypt the packets till they got to the hardware level, and somehow not need to be brought into ram or swap, and were just transmitted...

that way the only actual traceable or hackable bits would technically not exist for most users, and i'll stop there because i shouldn't be trying to think about topology before bed while already quite knackered..

cheers :D

Basically abstract Anycast and bury it in VPN?