No authority. Only Nostr.
NoDNS #soveng
https://cmbethpcg000e5el0ehhk5933-blossom.eggstr.com/b9da7c63b9b72d05accb764d49626cdbc329d31ed0a8bf63b238a4549e7007fc.mp4
Replies (73)
kind 11111 - love it
📺 Here's the long version of this!
https://blossom.primal.net/50dbafbf1aa6c6807de97fb140a2e4246f0878c7c51a48950144fe6e1981e130.mp4
This is amazing bro!
I don't want to be the jerk that looks at the magician and says "How did you do that?"
But like... How did you do that?
So if I understand correctly, the DNS record is served to clients outside of the LAN by a Nostr relay. Then they are able to access your local DNS server securely and then not have to route Nostr traffic through the DNS racket?
The big thing here though is the initial request for the DNS A record is still using DNS initially, right?
In this scenario the webserver has an npub identity and self-announces its IP address + self-signed cert.
My machine does indeed connect to public relays to get his record event.
Yes, the browser does indeed use DNS like it does normally, except it passes through my nostr-compatible local DNS first.
An open source dev always reveals his tricks ;)
I don't see an issue except if the DNS racket were not serving websocket server packets because they were afraid we were getting around their cabal. But then again, that would stop all Nostr notes, which seems...unlikely.
Great work, very clever workaround.
Workarounds like this are nice because they integrate so well with existing systems. Just the fact that this works system-wide opens up many doors.
Actually, I was thinking too small. Could this then in effect be used to serve the initial DNS A Record?
DNS bootstrap-> No-DNS cert validation
No-DNS bootstrap-> other No-DNS cert valid self hosted DNS servers?
Does that work? I might have confused myself.
👀
The power of nostr is NOT in social media.
nostr:nevent1qqspc3kxtdk8kh6f7auamcwl6ykfkq2dnjxrgtgqnpdm5hvrj00yu4cpz9mhxue69uhkummnw3ezuamfdejj7q3qhw6amg8p24ne08c9gdq8hhpqx0t0pwanpae9z25crn7m9uy7yarsxpqqqqqqz678wkd
Whoa, I was just talking about this today! Just a few hours ago! Nostr moves fast
nostr:nevent1qqs2yvw75wng4wmfxtafm6xgpydscemce6zxsvfgglur23fkzyedmecpzemhxue69uhhwmm59ehx7um5wgh8qctjw3uj7q3qcgd35mxmy37vhkfcmjckk9dylguz6q8l67cj6h9m45tj5rx569cqxpqqqqqqztp3vxp
better already, but #NDN #NamedDataNetworking ditch all the servers, domains and crap. softwares and true self sovereign p2p stuff only. we all already have got internet access on all sides, why need corpo net datacentres clouds and shit? be the network be the datastore equal amongst equals
Great job man! Someone had to build this! Amazing
Neat
is this gonna help me build another webstore without permission from anyone? i think i like this
i like where this is going
So cool! Miss you guys!
I don't have a lot of experience with nostr, but I see you do https:// VeryLongNPUBString dot nostr and I have a question (which may make no sense, but my nostr knowledge is limited): can the very long string that nobody will remember be replaced by a nip-05?
Also, I guess this could be combined with a redirect to serve an onion address, right?
I think you're missing 1 thing, zooko's triangle's solution
👀
This is absolutely awesome, great work. The automatic installation of certificates in the system's trust store is nice. So if you disable the automatic cert install (auto_install: false), nodns-server will be able to resolve the record (using the 111111 events) but the cert won't be trusted so the browser will complain and you'd have to manually trust it?
DNS is really old protocol not built for security
Correct, but albeit inherently a bit more quirky and will always, even in the best possible scenario, have issues in the margin, the same WoT paradigm we sort of lean on with everything in Nostr, could apply here as well.
Now obviously the seemingly straightforward no quirks no problems in the margin DNS, google dot is always google dot com, is the point of it all.
But....given that we are already in a world with a bazillion TLD's you could argue that its already.com quirky.lol as.net fuck.ai , and.eu i.nl am.uk not.org sure.int nobody.edu has.mil ever.jetzt fallen.nu for.luxe go0gle.com
So the question is, how likely is it that google.nostr will actually bring you to google, or the other way around, how likely is a well known name subverted.
I'm not taking a position here, to be clear, but at least it is interesting to ponder, don't you think bakeme, if you are in fact, THE REAL BAKEME!?🧐
The question indeed makes very little sense, but the problem becomes how on earth I am going to explain that to you.
So let's say we have trains, and trains are cool for all kinds of reasons, but they are permissioned/centralized. So someone comes up with the idea of the car so it's not permissioned/centralized. And your question would be:
I see your vehicle requires users to steer and navigate themselves, so can't you put the car on rails?
I.e. nip-05 is DNS, you suggest to use DNS to solve the drawback of the DNS-less system.
Hope this helps.
See, I had no idea how nip-05 worked. This answer was great, thank you!
Amazing!
Cool stuff! Love the npub.nostr URI design 👌
very cool
But does it fully solve this problem? RIP DK
https://www.youtube.com/watch?v=B-v_wJIJUI4
What special settings are needed at the Linux or Windows OS level, or in the Firefox browser for example?
i will dig more to test later
Probably, since you'll check on your machine the signature of the npub you wanna reach. It doesn't matter HOW the info got to you anymore.
Which is why the internet is so broken, all these kind of exploits exist by the grace of 'trust me bro' networking.
Great video btw, thanks for sharing!
Nice! Yes i think Nostr is the way to go on a lot of these networking challenges. We can clear out a lot of technical debt built up over the last 20 years.
The only permissioned part still existing within this system would be IP addresses themselves. But apart from that you can totally do it
Good comparison indeed.
Getting human-readable domains like you're suggesting is not the goal of this project. Something like that could live on top of this solution though.
Correct. In the current state of the code automatically inserting the certificate is still VERY risky because I haven't implemented certificate security checks yet.
If the checks are not in place, any [npub].nostr could publish a self-signed certificate with *.google.com and your system would trust it, allowing a MITM attack.
Just be aware of this when testing. It's very experimental.
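The kind of check described in the reply above, as an added example (it is not code from the no-dns repository): before a self-announced certificate is placed in a trust store, confirm that it cannot sign other certificates and that every subjectAltName stays under the announcing [npub].nostr. The function names and the sample npub are hypothetical, and the sample certificates are constructed in the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// checkAnnouncedCert accepts only a non-CA certificate whose names all lie under <npub>.nostr.
func checkAnnouncedCert(der []byte, npub string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if cert.IsCA || cert.KeyUsage&x509.KeyUsageCertSign != 0 {
		return fmt.Errorf("certificate is allowed to sign other certificates")
	}
	if len(cert.DNSNames) == 0 || len(cert.IPAddresses)+len(cert.URIs) > 0 {
		return fmt.Errorf("expected DNS names only in subjectAltName")
	}
	own := strings.ToLower(npub) + ".nostr"
	for _, n := range cert.DNSNames {
		n = strings.ToLower(strings.TrimSuffix(n, "."))
		if n != own && !strings.HasSuffix(n, "."+own) {
			return fmt.Errorf("name %q is outside %s", n, own)
		}
	}
	return nil
}

// selfSigned builds a constructed sample certificate for the given SANs.
func selfSigned(names []string, isCA bool) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: names, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

func main() { // the npub below is a constructed placeholder, not a real key
	fmt.Println(checkAnnouncedCert(selfSigned([]string{"*.google.com"}, false), "npub1constructedexample"))
}
```

A certificate that passes this check still has to arrive in an event signed by that npub; the check only limits what names a valid announcement can claim.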
i'm stuck here
cd nodns-cli && make build
go build -ldflags "-X main.version=d06792e -s -w" -o build/nodns .
/bin/sh: 1: go: not found
make: *** [Makefile:53: build] Error 127
We can have our internet and we no more need permission 🚀
nostr:nevent1qvzqqqqqqypzpwa4mkswz4t8j70s2s6q00wzqv7k7zamxrmj2y4fs88aktcfuf68qy88wumn8ghj7mn0wvhxcmmv9uq3zamnwvaz7tmwdaehgu3wwa5kuef0qqspc3kxtdk8kh6f7auamcwl6ykfkq2dnjxrgtgqnpdm5hvrj00yu4c8yj20m
Host your website and be found by everyone - no buying domains anymore!
One of the puzzle pieces in making our entire network stack permissionless being explored at #SEC-05 .
More to come, stay tuned and LFG 🚀
nostr:nevent1qvzqqqqqqypzpwa4mkswz4t8j70s2s6q00wzqv7k7zamxrmj2y4fs88aktcfuf68qy88wumn8ghj7mn0wvhxcmmv9uq3zamnwvaz7tmwdaehgu3wwa5kuef0qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qpqr3rvvkmv0d05namemhsal5fvnvq5m8yvxskspxzmhfwc8y77fetsydy6ll nostr:nevent1qvzqqqqqqypzpwa4mkswz4t8j70s2s6q00wzqv7k7zamxrmj2y4fs88aktcfuf68qy88wumn8ghj7mn0wvhxcmmv9uq3zamnwvaz7tmwdaehgu3wwa5kuef0qqspc3kxtdk8kh6f7auamcwl6ykfkq2dnjxrgtgqnpdm5hvrj00yu4c8yj20m
Can't wait to see more.
A stroke of genius, subtitled in Spanish
nostr:nevent1qqspc3kxtdk8kh6f7auamcwl6ykfkq2dnjxrgtgqnpdm5hvrj00yu4czyzamthdqu92k09ulq4p5q77uyqeadu9mkv8hy5f2nqw0mvhsncn5wqcyqqqqqqg8v774n
https://blossom.primal.net/ee18ea61b819f7ecc24d7e59f27ec0d4f2013fb9544304ef4a967aa34655a289.mp4
Can the dns server be run remotely on a raspi akin to pi-hole, or even be a part of pi-hole? So that all devices on a lan would resolve npub.nostr?
Can this tech bypass deep packet inspection by ISP?
Hey nostr:nprofile1qy88wumn8ghj7mn0wvhxcmmv9uq3zamnwvaz7tmwdaehgu3wwa5kuef0qqsthdwa5rs42euhnuz5xsrmmssr84hshwes7uj392vpeldj7z0zw3cu38d6t, this is very cool. I don't understand something, when your local DNS connects to the nostr relay, it's using DNS to do it, no?
i'm an idiot, ofc i had to install go, doh
but i published my npub nostr:npub1ykal2phgzf6ljmql6l8khmf0ekf6ny0582r89m00j9vjt8qezhjqqpa3dl
with ip 192.168.201.174
dig {@localhost:5354}nostr:npub1ykal2phgzf6ljmql6l8khmf0ekf6ny0582r89m00j9vjt8qezhjqqpa3dl.nostr
no-dns server runs on port 5354
all well but the answer that came back
;; QUESTION SECTION:
;npub1ykal2phgzf6ljmql6l8khmf0ekf6ny0582r89m00j9vjt8qezhjqqpa3dl.nostr. IN A
;; Query time: 7 msec
;; SERVER: 192.168.201.70#53(192.168.201.70) (UDP)
;; WHEN: Fri Sep 26 14:32:33 CEST 2025
;; MSG SIZE rcvd: 87
came back with diff ip huh ?
ok i got it now and it works perfectly
dig @localhost -p 5354 npub1ykal2phgzf6ljmql6l8khmf0ekf6ny0582r89m00j9vjt8qezhjqqpa3dl.nostr
npub1ykal2phgzf6ljmql6l8khmf0ekf6ny0582r89m00j9vjt8qezhjqqpa3dl.nostr. 3600 IN A 192.168.201.174
are there some sites that use a nostr domain name to test?
or a standard browser with the option to enable nostr lookups
holy shit. this is great
This is amazing 🤯
nostr:nevent1qvzqqqqqqypzpwa4mkswz4t8j70s2s6q00wzqv7k7zamxrmj2y4fs88aktcfuf68qy88wumn8ghj7mn0wvhxcmmv9uq3zamnwvaz7tmwdaehgu3wwa5kuef0qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qpqr3rvvkmv0d05namemhsal5fvnvq5m8yvxskspxzmhfwc8y77fetsydy6ll I'm not so sure. Dan Kaminsky only stop gapped the problem, didn't resolve it. If you're still running DNS, are you sure ? is still in my head :p
challenge the folks at sov eng for me, cuz i can't be there will ya?
where to learn more?
5 hours really
can you post the npub23.nostr for testing aka a website which is only available thru no-dns
This is fantastic, but trying to wrap my head around this so I can use it.
Does the end user with the browser not have to make any changes at all?
Or do they have to change their DNS settings in order for this to work?
Hello, I love this initiative. I have been working in the shadows on something that might interest you, it perfectly complements DNS over NOSTR, but my time is [zero] right now.
Can I send you a DM after Oct 15?
Regards!
NODNS BIP353 BOLT12
#soveng
https://blossom.primal.net/0ccb1f31b9e46f15133b99a10797588faac5688ce79dd72742a0c54da2dbac24.mov
a domain name without ICANN-DNS is way more valuable than sending sats around
This still needs updating though, the latest version is in the no-dns repo
hm, nodns needs to sit on top of a conventional resolver like Bind and hand over name resolution when it can't. a more human readable version for a Nostr domain would be handy
This solution can't solve the human readable part. It chooses security and decentralization over human-readable.
I believe the human readable names to be a social problem to solve. They could perfectly well resolve to an npub's no-dns records. Meaning bob.nostr might resolve to one npub for me and a different one for you based on our differing social graph.
hm, that doesn't work, the name must be worldwide unique like an npub
I disagree
For uniqueness you either need to agree on a centralized authority like ICANN.
OR
Achieve global consensus by adding it to the Bitcoin blockchain. But to me, that seems expensive and unattainable for most people in the future.
I don't like either of the former solutions. I think accepting that there is no globally unique owner of [short name].nostr and building for that is more realistic. You can give a name weight by putting PoW towards it or by social consensus, which is how the world has operated since forever and it works quite well... If I say 'London', you probably know what I'm talking about and which coordinates it belongs to, despite there being multiple Londons out there
🤣
Cc: AWS & customers
nostr:nevent1qqspc3kxtdk8kh6f7auamcwl6ykfkq2dnjxrgtgqnpdm5hvrj00yu4czyzamthdqu92k09ulq4p5q77uyqeadu9mkv8hy5f2nqw0mvhsncn5wqcyqqqqqqg8v774n
Mints could use NoDNS to become unruggable. It requires very little config on the Mint's side and clients can choose whether they use NoDNS or legacy DNS.
nostr:nevent1qvzqqqqqqypzpwa4mkswz4t8j70s2s6q00wzqv7k7zamxrmj2y4fs88aktcfuf68qy88wumn8ghj7mn0wvhxcmmv9uq3zamnwvaz7tmwdaehgu3wwa5kuef0qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qpqr3rvvkmv0d05namemhsal5fvnvq5m8yvxskspxzmhfwc8y77fetsydy6ll