
Namecoin Decentralized DNS Research

Chris Baker

The holidays open up a block of time to catch up on "I meant to read that" bookmarks, RSS feeds, and all the favorited and forgotten tweets. I made it through 50 before a NormanShark blog post kicked off a research project.

The analysts found a malware sample which was using .bit domains in its communications infrastructure, but .bit ... what is that? .bit is a TLD operating outside of ICANN. Some would say they are TLD squatting, but I leave that opinion up to the reader.

To catch up on .bit and TLDs being used outside of ICANN's approval, the "Special-Use Domain Names of Peer-to-Peer Systems" memo is a good reference. The memo covers "six peer-to-peer domains that (given their decentralized design) do not require a central authority to register names: '.gnu', '.zkey', '.onion', '.exit', '.i2p', and '.bit'." One could say they are sticking it to the man, where in this case the man is ICANN.

The .bit TLD is the decentralized peer-to-peer namespace for Namecoin. To access domains in this space you need to configure your OS to use a DNS server which is hosting the .bit zone. You can also pass your requests through a proxy, etc.

Having read a bit about what Namecoin is and .bit, I started to wonder: how can I create the .bit zone file? What interfaces are available for querying the state of domains in the namespace? The only way to know is to get your hands dirty, so I spun up an Ubuntu 13.10 small instance in Amazon US East.

I would have gone for something a bit more beefy, but it being on my personal credit card, I wanted to keep a spot price below $0.04 / hr. #Scrooge. I've read many an article about the cost efficiency of mining currencies in AWS; the amount of work a small instance can do isn't going to be generating Namecoin anytime soon (CPU mining is so out).

For now we will hold off on delving into the details of the proof of work computation and focus solely on the Namecoin DNS data.

So here's how it all went down:

  1. Install dependencies
  2. Git clone https://github.com/namecoin/namecoin.git
  3. Populate the config file
  4. Start the Namecoin daemon

Once the daemon is started, it will create a local copy of the block chain or update an existing one. The daemon also has an interface for querying the Namecoin block chain.

But what is a block chain? "A block chain is a transaction database shared by all nodes participating in a system based on the Bitcoin protocol. A full copy of a currency's block chain contains every transaction ever executed."

In the case of Namecoin, it includes all the domain registrations, record additions, modifications, etc. Therefore, the Namecoin block chain provides a transactional history for the Namecoin namespace! You can use this block chain explorer site to take a look. Each block has an ID and is made up of transactions and name operations (adding domains, records, etc.). The block chain is the history of blocks.

As my local copy of the block chain updated, I went back to thinking about the easiest way to explore the .bit zone. I started looking into scripting an interaction with the namecoind block chain (Berkeley DB currently, but a migration to LevelDB is in the works to keep pace with Bitcoin), but then stumbled across a project on GitHub where someone had already done most of the work.

It was a collection of PHP scripts which interface with a local instance of namecoind and generate a BIND zone file. To remove the hard part and get right to some data, I used these scripts to generate the zone file. One thing to keep in mind is that I haven't taken a look through the NamecoinToBind code, so the high-level analysis is based on a sample generated by the NamecoinToBind scripts.
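To show the kind of conversion such scripts perform, here is an added example; it is not the NamecoinToBind code and not part of the original post. The entry shape (modelled on namecoind's name_scan output), the `d/` value keys (`ip`, `ip6`, `ns`, `alias`, `translate`, `map`) and all sample data are assumptions. Because registrants control every value on the block chain, each field is validated before it can become a line in a zone file.

```python
import ipaddress
import json
import re

# Constructed entries shaped like namecoind name_scan output (assumed); values are registrant-controlled.
SAMPLE_NAMES = [
    {"name": "d/example", "value": '{"ip": ["192.0.2.10"], "ip6": "2001:db8::10", "map": {"*": {"ip": "192.0.2.10"}}}'},
    {"name": "d/delegated", "value": '{"ns": ["ns1.example.net"]}'},
    {"name": "d/moved", "value": '{"translate": "example.bit."}'},
    {"name": "d/inject", "value": '{"ip": "192.0.2.30\\n$INCLUDE /etc/passwd"}'},
]
# Assumed mapping from d/ value keys to DNS record types.
KEY_TO_RTYPE = {"ip": "A", "ip6": "AAAA", "ns": "NS", "alias": "CNAME", "translate": "DNAME"}
ADDR = {"A": ipaddress.IPv4Address, "AAAA": ipaddress.IPv6Address}
HOST_RE = re.compile(r"(?:[a-z0-9_-]{1,63}\.)*[a-z0-9_-]{1,63}\.?", re.I)
LABEL_RE = re.compile(r"\*|[a-z0-9_-]{1,63}", re.I)

def clean_rdata(rtype, item):
    """Return zone-safe rdata, or None when the ledger value is invalid for rtype."""
    try:
        if rtype in ADDR:
            return str(ADDR[rtype](item)) if isinstance(item, str) else None
        return item.rstrip(".") + "." if HOST_RE.fullmatch(item) else None
    except (TypeError, ValueError):   # non-string value or unparsable address
        return None

def records_for(owner, value):
    """Yield (owner, rtype, rdata), recursing into "map" for sub-labels such as "*"."""
    if not isinstance(value, dict):
        return
    for key, rtype in KEY_TO_RTYPE.items():
        data = value.get(key)
        for item in data if isinstance(data, list) else [data]:
            if rdata := clean_rdata(rtype, item):
                yield owner, rtype, rdata
    submap = value.get("map")
    for sub, subval in submap.items() if isinstance(submap, dict) else ():
        if LABEL_RE.fullmatch(sub):
            yield from records_for(f"{sub}.{owner}", subval)

def build_zone(entries):  # yields "owner IN TYPE rdata" lines
    for entry in entries:
        ns, _, label = entry["name"].partition("/")
        try:
            value = json.loads(entry["value"])
        except ValueError:
            continue                  # value is not JSON at all
        if ns == "d" and label != "*" and LABEL_RE.fullmatch(label):
            yield from (f"{o} IN {t} {r}" for o, t, r in records_for(label, value))
```

The `d/inject` entry produces no record: its embedded newline and `$INCLUDE` directive fail address parsing instead of reaching the zone file, and a name such as `d/*` is refused so that a single registrant cannot publish a wildcard for the whole zone.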

Based on the IPs used in A records, what is the geographic distribution of the .bit name space?

  • 260 Distinct Autonomous Systems are represented
  • 427 Netblocks
  • 532 IP addresses
  • 14317 DNS Records of Interest ( A / AAAA records )

Are there certain IPs or Netblocks which have a dominating presence? You betcha!

  • Count IP Address used in the A Record
  • 1008
  • 4570
  • 4980

When looking at the records related to and, they both appear to have registered a large collection of popular words and digits, as well as two and three letter combinations.

Another pattern they have in common is that a wildcard is registered for each zone as well. If I had to guess, these represent some of the early adopters of the system who are taking advantage of the namespace gold rush. Another interesting pattern that pops up is that a number of domains have been registered which match the pattern below.

xn--IN A

What is this weird pattern, you might ask? Punycode! Punycode converts the UTF-8 charset to ASCII, since domain names can only contain ASCII characters. So it looks like both of these groups have the same strategy of also buying up popular Punycode domain names… very clever. (RFC for Punycode) falls into the same bucket in the sense that the domains registered fit a similar pattern of domains from 2–12 characters.

Another interesting insight might be a breakdown of the countries by distinct AS involved in the namespace.

What would be interesting to know from a DNS Operations perspective? Count of record types?

  • 23 AAAA
  • 49 CNAME
  • 188 DNAME
  • 10889 NS
  • 14290 A

This leads to an interesting comparison of A vs. AAAA record usage ( v4 vs. v6 ).

Only 23 AAAA records… 5 of them are associated with the same FQDN, so really ... 18 distinct IPv6 addresses.

Number of Wildcard records?

  • Count WildCard Record Type
  • 6412 A
  • 7 CNAME
  • 4 AAAA

Then (selfishly), are there any relationships between Dyn and the current Namecoin domains? Of course!

  • erix IN NS erix.dyndns.org.
  • vvoid IN NS vvoid.dyndns.org.
  • beeemm IN NS beeemm.dyndns-home.com.
  • sentuny IN NS
  • fstopflash IN NS fstopflash.dyndns.org.
  • jeremychan IN NS jeremychan.dyndns.info.
  • jeremychan IN NS jeremychan1.dyndns.info.
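The tallies in this post (record types, wildcards, dominant A-record addresses, Punycode names, NS records pointing at Dyn domains) can be recomputed from any zone file in the `owner IN TYPE rdata` layout. The following is an added example, not code from the original post or from NamecoinToBind; the zone excerpt is constructed with documentation address ranges, and the watched suffixes are the Dyn domains listed above.

```python
from collections import Counter

# Constructed zone excerpt in the "owner IN TYPE rdata" layout used in this post;
# the addresses are documentation ranges, not values from the original data set.
SAMPLE_ZONE = """\
; constructed sample
shop IN A 192.0.2.10
*.shop IN A 192.0.2.10
xn--mnchen-3ya IN A 192.0.2.10
*.xn--mnchen-3ya IN A 192.0.2.10
wiki IN A 198.51.100.7
wiki IN AAAA 2001:db8::7
home IN NS home.dyndns.org.
old IN DNAME new.bit.
www.wiki IN CNAME wiki.bit.
"""

def parse_zone(text):
    """Return (owner, rtype, rdata) for single-field records; skip everything else."""
    records = []
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split()      # drop trailing comments
        if len(parts) == 4 and parts[1].upper() == "IN":
            records.append((parts[0].lower(), parts[2].upper(), parts[3].lower()))
    return records

def decode_punycode(owner):
    """Decode xn-- labels of an owner name; undecodable labels are left as they are."""
    out = []
    for label in owner.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass
        out.append(label)
    return ".".join(out)

def summarize(records, watched=(".dyndns.org.", ".dyndns.info.", ".dyndns-home.com.")):
    """Compute the per-zone tallies: types, wildcards, top A addresses, IDNs, watched NS."""
    return {
        "types": Counter(t for _, t, _ in records),
        "wildcards": Counter(t for o, t, _ in records if o.startswith("*.")),
        "top_ips": Counter(d for _, t, d in records if t == "A").most_common(3),
        "idn": sorted({decode_punycode(o.removeprefix("*.")) for o, _, _ in records if "xn--" in o}),
        "watched_ns": [(o, d) for o, t, d in records if t == "NS" and d.endswith(watched)],
    }
```

The watched suffixes start with a dot so that a look-alike such as `notdyndns.org.` does not match.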

By Chris Baker, System Guru at Dyn

Related topics: Cybersecurity, DNS, ICANN, Malware, Top-Level Domains

