One of the biggest weaknesses of nostr is its reliance on local DNS servers typically residing at 8.8.8.8 or 8.8.4.4 as setup by ISP’s.
Essentially this gives every governments a single point failure within their jurisdiction with which to take nostr offline relays offline. If they desired.
However, the Authoritative DNS servers that serve the DNS root zone are visible on the network and their addresses are in the public domain. They are configured in the DNS root zone as 13 named authorities, as follows.
a.root-servers.net
198.41.0.4, 2001:503:ba3e::2:30
Verisign, Inc.
b.root-servers.net
199.9.14.201, 2001:500:200::b
University of Southern California,
Information Sciences Institute
c.root-servers.net
192.33.4.12, 2001:500:2::c
Cogent Communications
d.root-servers.net
199.7.91.13, 2001:500:2d::d
University of Maryland
e.root-servers.net
192.203.230.10, 2001:500:a8::e
NASA (Ames Research Center)
f.root-servers.net
192.5.5.241, 2001:500:2f::f
Internet Systems Consortium, Inc.
g.root-servers.net
192.112.36.4, 2001:500:12::d0d
US Department of Defense (NIC)
h.root-servers.net
198.97.190.53, 2001:500:1::53
US Army (Research Lab)
i.root-servers.net
192.36.148.17, 2001:7fe::53
Netnod
j.root-servers.net
192.58.128.30, 2001:503:c27::2:30
Verisign, Inc.
k.root-servers.net
193.0.14.129, 2001:7fd::1
RIPE NCC
l.root-servers.net
199.7.83.42, 2001:500:9f::42
ICANN
m.root-servers.net
202.12.27.33, 2001:dc3::35
WIDE Project
It is possible to bypass the local dns server / recurser and go straight to DNS root in order to get the IP addresses for relays. This would make nostr even more censorship resistant, but would slow things down. Maybe this could be an anti-censor mode that clients could attempt if clients detect all relays are unreachable or if some kind of DNS error is returned?
Also… Anycast should be implemented for reads instead of unicasting. This could massively improve performance by reducing network traffic and relay load when it comes to reads. Relay proxies as proposed by Cameri would allow anycast reads and would vastly reduce the bandwidth requirements of nostr and dramatically reduce the load on each relay.
Unicasting and data duplication should be maintained for writes, with anycast proxies serving reads.
Anycast proxy relays could potentially allow a client to access a vastly greater number of relays and also improve the access surface making nostr more resilient to DDOS.
Stu / ⚡️🌱🌙
npub1w4…zprhz
2023-02-16 05:23:52
Author Public Key
npub1w4swqedal6gcw23ndd93tkkdy3zj2l6zjdjvzrhu8rnw0k8lc8lswzprhzPublished at
2023-02-16 05:23:52Event JSON
{
"id": "904da955d828290825a8397054d6fd8844117b8d4bb0f75e2e59210a7beba7b1",
"pubkey": "7560e065bdfe91872a336b4b15dacd2445257f429364c10efc38e6e7d8ffc1ff",
"created_at": 1676525032,
"kind": 1,
"tags": [],
"content": "One of the biggest weaknesses of nostr is its reliance on local DNS servers typically residing at 8.8.8.8 or 8.8.4.4 as setup by ISP’s.\n\nEssentially this gives every governments a single point failure within their jurisdiction with which to take nostr offline relays offline. If they desired.\n\nHowever, the Authoritative DNS servers that serve the DNS root zone are visible on the network and their addresses are in the public domain. They are configured in the DNS root zone as 13 named authorities, as follows.\n\na.root-servers.net\n198.41.0.4, 2001:503:ba3e::2:30\nVerisign, Inc.\n\nb.root-servers.net\n199.9.14.201, 2001:500:200::b\nUniversity of Southern California,\nInformation Sciences Institute\n\nc.root-servers.net\n192.33.4.12, 2001:500:2::c\nCogent Communications\n\nd.root-servers.net\n199.7.91.13, 2001:500:2d::d\nUniversity of Maryland\n\ne.root-servers.net\n192.203.230.10, 2001:500:a8::e\nNASA (Ames Research Center)\n\nf.root-servers.net\n192.5.5.241, 2001:500:2f::f\nInternet Systems Consortium, Inc.\n\ng.root-servers.net\n192.112.36.4, 2001:500:12::d0d\nUS Department of Defense (NIC)\n\nh.root-servers.net\n198.97.190.53, 2001:500:1::53\nUS Army (Research Lab)\n\ni.root-servers.net\n192.36.148.17, 2001:7fe::53\nNetnod\n\nj.root-servers.net\n192.58.128.30, 2001:503:c27::2:30\nVerisign, Inc.\n\nk.root-servers.net\n193.0.14.129, 2001:7fd::1\nRIPE NCC\n\nl.root-servers.net\n199.7.83.42, 2001:500:9f::42\nICANN\n\nm.root-servers.net\n202.12.27.33, 2001:dc3::35\nWIDE Project\n\nIt is possible to bypass the local dns server / recurser and go straight to DNS root in order to get the IP addresses for relays. This would make nostr even more censorship resistant, but would slow things down. Maybe this could be an anti-censor mode that clients could attempt if clients detect all relays are unreachable or if some kind of DNS error is returned?\n\nAlso… Anycast should be implemented for reads instead of unicasting. This could massively improve performance by reducing network traffic and relay load when it comes to reads. Relay proxies as proposed by Cameri would allow anycast reads and would vastly reduce the bandwidth requirements of nostr and dramatically reduce the load on each relay. \n\nUnicasting and data duplication should be maintained for writes, with anycast proxies serving reads.\n\nAnycast proxy relays could potentially allow a client to access a vastly greater number of relays and also improve the access surface making nostr more resilient to DDOS.",
"sig": "a6dc371d11badb81aee74e2e818f03afe1e669ae30aced010d43c1f4b54e99b95f275203665302808ff53c6e213e2739f32a88cae7c8e0a244fcfda53dfa2acd"
}