Control in DNS

FistFull OfAss
6 min read · Apr 30, 2021


When you type a URL into your address bar and hit enter, it just works. Your site is pulled up on your screen in a couple of seconds, usually with no problem at all. ICANN's DNS resolution has been the tried and true method making this happen seamlessly for years. It works with your browser first asking a recursive resolver to find the IP address of the website you typed in. The recursive resolver then asks a series of name servers, in order: a root name server, the TLD name server, and finally the authoritative name server for the SLD (the second-level domain). Once those queries are answered and the recursive resolver has the IP address, it hands the address back to the browser, which opens a connection to the web server at that address. (A more detailed explanation of DNS resolution can be found here.) Again, it works, but with the huge trade off of ICANN being the central authority that powers this process and has its fingers in every step along the way.

The only places where ICANN doesn't have its fingers and you have some control are the browser and the recursive resolver. Although the recursive resolver isn't under ICANN's authority, by default it's run by your ISP. There are alternatives from companies like Google or Cloudflare, but these still put your privacy at risk: whichever resolver you use sees every name you look up and can log it. Resolvers have been a source of data collection in the past, and it wouldn't be surprising if they were used for it again.

Where ICANN does have power is in the name servers. The root zone is served by 13 root server identities run by 12 organizations, including ICANN itself, Verisign (a multi-billion dollar DNS and internet infrastructure company), the US Department of Defense and the US Army Research Laboratory. These operators run their servers independently and coordinate through the Root Server System Advisory Committee (RSSAC), an advisory body within ICANN. ICANN's real leverage is over what the root servers serve: the contents of the root zone, the list of TLDs and their name servers, are managed through the IANA functions that ICANN (through its affiliate PTI) performs, and every root server publishes that zone as given.

The way ICANN controls the other name servers is more in the background. TLD name servers are run by whoever holds the TLD, but which TLDs exist is decided by ICANN. ICANN is the arbiter of what is a TLD and what's not: if a TLD hasn't been delegated into its root zone, it won't resolve through its system of DNS resolution. Acquiring a TLD from ICANN isn't a walk in the park either; you have to be willing to drop a cool $185,000 just for the application fee (the price in the 2012 new gTLD round). With only 1,514 TLDs in 35 years, ICANN can be quite picky, and there's no guarantee that any old application will get through. The ones that do have large amounts of money and influence pushing them forward the whole way.

SLDs are what people are usually used to working with. You get one from a registrar like GoDaddy; all registrars must be accredited by ICANN before they can sell SLDs, and the registry that runs the TLD keeps the record of who holds each one. This is the level where censorship hits the most: because you're just renting the SLD, the registrar (or the registry above it) can suspend or take away your domain for any reason it sees fit.

There's another layer of trust past ICANN: certificate authorities. They exist to vouch that the site on your screen is the site named in the address bar and to let you set up an encrypted connection to it. In essence it's a chain of trust in which a CA signs off on the website's public key after checking, usually through a DNS or HTTP challenge that itself depends on DNS, that whoever requested the certificate controls the domain. Very reliable, except that just a couple of months ago we saw multiple DeFi front ends subjected to DNS hijacking. An attacker who controls a site's DNS records can pass that same domain check and obtain a perfectly valid certificate, so users were redirected to pages asking for their private keys while the browser still showed that this was the right site. Using DNS right now is layer upon layer of trust, with ICANN at the head controlling what's allowed in its DNS system.

On the other side of this stack of trust there's Handshake, a decentralized root zone, naming system, and certificate authority. Resolving names through Handshake goes through a similar series of queries as ICANN's DNS, with a few key differences. Instead of a third-party recursive resolver you have an HSD node, which has a recursive resolver built in. When your browser sends it a query, the node checks whether the name's TLD lives on the Handshake blockchain. If it does, the node reads the TLD's name server records from the chain, queries that TLD name server and then the SLD name server, and returns the IP address to the browser. If the TLD isn't on Handshake but is one of ICANN's, the node falls back to ICANN's root zone and finishes resolving through the existing system. The best thing about the HSD node is that running one is in the user's hands: anybody can run one on their local network and configure it how they like. For the less tech savvy there are also public Handshake resolvers, including privacy-focused ones.

The TLDs that live on the Handshake blockchain are accessible to anybody with an internet connection. Getting one can be as simple as bidding on a name in Bob Wallet, buying one on ShakeDex, or making an offer on Namebase. A TLD is under the authority of whoever holds its private key, and they decide how it's used, whether for something like a personal project or for renting out SLDs for passive income.

SLDs are rented out by TLD holders through any platform that accepts Handshake names. The most popular TLD for renting SLDs right now is c/, and names under it are available from registrars like EnCirca. If you're renting an SLD from somebody, you're under the authority of whoever holds that TLD. The beauty of this is that TLDs aren't all under the umbrella of one big organization; every TLD is its own bubble. Say you're renting an SLD and the TLD holder starts censoring sites it doesn't like for whatever reason: you can simply rent another SLD under a different TLD, and as long as it isn't held by the same person you won't be affected by their rules. If you're tired of renting entirely, you can own your own TLD and either run a bare TLD website (e.g. hnssearch/) or create SLDs under your TLD.

Instead of a trusted centralized certificate authority like in ICANN's DNS system, Handshake uses DANE to make sure you have an encrypted connection to the right website. In short, the site operator generates their own certificate and publishes a hash of it in a TLSA record in DNS, under a name that the Handshake root vouches for through the blockchain. When you connect, the site presents its certificate in the TLS handshake; your client hashes it and compares that hash with the one in the DNS record, and if they match you've got your encrypted connection with the correct website.
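The comparison described above, written out as an added example (this is not code from the Handshake project or from hsd). It builds the TLSA record a site operator would publish and runs the client-side check against the certificate presented in the TLS handshake. It assumes usage 3 (DANE-EE, which pins the end-entity certificate itself) with the SHA-256-of-SPKI form, the combination typically used for Handshake sites; the certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, since a real client gets them from its TLS library, and the host name example.c is hypothetical.

```python
import hashlib
import hmac

# TLSA rdata (RFC 6698): certificate usage (1 byte), selector (1), matching type (1), data.
USAGE_DANE_EE = 3        # pin the end-entity certificate itself; no CA involved
SELECTOR_FULL_CERT = 0   # hash/compare the whole DER-encoded certificate
SELECTOR_SPKI = 1        # hash/compare only the DER SubjectPublicKeyInfo (survives re-issue)
MATCH_EXACT = 0          # data is the selected bytes themselves
MATCH_SHA256 = 1
MATCH_SHA512 = 2

# Constructed stand-ins, not real DER. A real client takes the certificate from the TLS
# handshake and extracts SubjectPublicKeyInfo from it with its X.509 library.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-site-certificate-bytes"
SAMPLE_SPKI_DER = b"\x30\x59constructed-site-subjectpublickeyinfo"
ROGUE_CERT_DER = b"\x30\x82\x01\x00constructed-attacker-certificate"
ROGUE_SPKI_DER = b"\x30\x59constructed-attacker-key"


def tlsa_owner_name(host, port=443, proto="tcp"):
    """Name the client queries for the TLSA record, e.g. _443._tcp.example.c."""
    return f"_{port}._{proto}.{host.rstrip('.')}"


def _select_and_digest(selector, mtype, cert_der, spki_der):
    """Pick the bytes the record covers and reduce them as the matching type says."""
    if selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        raise ValueError("unknown TLSA selector")
    if mtype == MATCH_EXACT:
        return selected
    if mtype == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown TLSA matching type")


def make_tlsa_record(cert_der, spki_der, selector=SELECTOR_SPKI, mtype=MATCH_SHA256):
    """Site operator side: the DANE-EE record to publish for this certificate."""
    return USAGE_DANE_EE, selector, mtype, _select_and_digest(selector, mtype, cert_der, spki_der)


def parse_tlsa_presentation(text):
    """Parse 'usage selector mtype hexdata' as printed by dig or written in a zone file."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))  # dig may break long hex into several fields
    return usage, selector, mtype, data


def parse_tlsa_wire(rdata):
    """Parse the binary rdata exactly as it is carried in the DNS answer."""
    if len(rdata) < 4:
        raise ValueError("TLSA rdata too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


def dane_ee_matches(record, cert_der, spki_der):
    """Client side: does the certificate the server presented match this TLSA record?"""
    usage, selector, mtype, data = record
    if usage != USAGE_DANE_EE:
        return False  # DANE-TA (usage 2) needs chain building; fail closed here
    try:
        expected = _select_and_digest(selector, mtype, cert_der, spki_der)
    except ValueError:
        return False  # unknown selector or matching type: fail closed
    return hmac.compare_digest(expected, data)  # length-safe, constant-time compare


def verify_with_rrset(records, cert_der, spki_der):
    """A TLSA RRset may hold several records (key rollover); any DANE-EE match is enough."""
    return any(dane_ee_matches(r, cert_der, spki_der) for r in records)


if __name__ == "__main__":
    published = make_tlsa_record(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(tlsa_owner_name("example.c"), "TLSA", *published[:3], published[3].hex())
    print("genuine cert accepted:", dane_ee_matches(published, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("attacker cert accepted:", dane_ee_matches(published, ROGUE_CERT_DER, ROGUE_SPKI_DER))
```

The check is only as strong as the answer it runs on: if the TLSA record arrives over unauthenticated DNS, whoever can hijack the name can also publish a matching record for their own certificate. The record therefore has to come through a validating resolver whose trust anchor is the Handshake root, which is the HSD node's job, before the comparison above means anything.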

We know that the current DNS system works fine right now and gets the job done, but why would we settle, knowing that mass censorship, DNS hijacking, and attacks on our privacy are real and growing threats? In crypto there's a saying that decentralization doesn't matter until it does, so why settle for a DNS system that just works when we have something better now?

Take back control and join us anon🤝