No-DNS

A decentralized Addressing system built on the Nostr protocol, enabling censorship-resistant domain resolution and automated SSL certificate distribution.

Overview

No-DNS allows anyone with a Nostr key pair to publish Addressing (DNS) records and SSL certificates directly to the Nostr network, creating a decentralized alternative to traditional DNS infrastructure. The system consists of three main components:

1. Protocol Specification - Nostr event formats for DNS records and certificates

2. nodns-cli - Command-line tool for managing records and certificates

3. nodns-server - DNS server that resolves .nostr domains and manages certificates

🚀 Quick Start

1. Build and Install

# Build CLI
cd nodns-cli && make build
cd ..

# Build Server  
cd nodns-server && make build
cd ..

# Run CLI interactively
./nodns-cli/build/nodns

# Add DNS records (within CLI)
auth generate
records add A @ 192.168.1.1
records publish

# Run DNS server
sudo ./nodns-server/build/nodns-server

2. Test Resolution

dig @localhost npub1abc...123.nostr

Protocol Specification

The No-DNS protocol defines two main event types for decentralized DNS:

Addressing (DNS) Record Events (Kind 11111)

• Purpose: Publish DNS records (A, AAAA, CNAME, TXT, MX, etc.)

• Format: Fixed-position tags with strict formatting requirements

• Addressing: One event per npub contains all DNS records for that domain

• Verification: Events include signature and timestamp for authenticity

Example Event:

{
  "kind": 11111,
  "content": "",
  "tags": [
    ["record", "A", "@", "", "", "192.168.1.1", "", "", "", "", "3600"]
  ],
  "created_at": 1705123456,
  "pubkey": "...",
  "sig": "..."
}

Certificate Events (Kind 30003)

• Purpose: Distribute SSL/TLS certificates for domains

• Format: PEM-encoded certificates in content field

• Addressing: Addressable events per TLD (e.g., "nostr", "net")

• Validation: Automatic certificate validation and expiry tracking

Example Event:

{
  "kind": 30003,
  "content": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
  "tags": [
    ["d", "nostr"],
    ["expiry", "1735689600"]
  ],
  "created_at": 1705123456,
  "pubkey": "...",
  "sig": "..."
}

Domain Format

Domains use the npub format: npub1abc...123..nostr

Spec Documentation: spec/

nodns-cli

Command-line tool for managing Nostr-based DNS records and SSL certificates.

Features

🔐 Authentication

• Generate new Nostr key pairs

• Import existing keys (hex or bech32 nsec)

• Future: Amber and NIP-46 Bunker support

📋 Addressing Records Management

• Easy helpers for common record types (A, CNAME, TXT)

• Full support for all DNS record types (MX, SRV, SOA, CAA, DNSKEY)

• Local editing with publish-when-ready workflow

• Automatic validation of record data

🔐 Certificate Management

• Import certificates from files or paste PEM data

• Generate self-signed certificates for any TLD

• Multi-TLD support (.nostr, .net, .com, etc.)

• Certificate validation and expiry tracking

• Automatic publishing with addressable events

Interactive CLI

Simply run the CLI without arguments for an interactive experience:

./nodns-cli/build/nodns

The CLI will guide you through:

• Authentication setup

• Adding and managing DNS records

• Certificate management

• Publishing to Nostr relays

Quick Commands

# Authentication
nodns auth generate              # Generate new key pair
nodns auth login <nsec>          # Login with existing key

# DNS Records
nodns records add A @ 1.2.3.4           # Add A record
nodns records add CNAME www example.com # Add CNAME record
nodns records list                       # List all records
nodns records publish                    # Publish to Nostr

# Certificates  
nodns certs import cert.pem              # Import certificate
nodns certs generate nostr               # Generate self-signed cert
nodns certs publish nostr                # Publish certificate

Full Documentation: nodns-cli/README.md

nodns-server

DNS server implementation that resolves .nostr domains by fetching DNS records from Nostr relays.

Features

🌐 DNS Resolution

• Resolves .nostr domains using Nostr events

• Supports all standard DNS record types

• Returns signature verification in TXT records

• Forwards non-.nostr queries to upstream DNS

🔐 Certificate Management

• Automatically fetches SSL certificates from Nostr events

• Installs certificates to system trust store (macOS, Linux, Windows)

• Signature verification before certificate installation

• Configurable certificate policies and security controls

✅ Cryptographic Verification

• Verifies Nostr event signatures before processing

• Includes signature and timestamp in DNS responses

• Rejects invalid or tampered events

• Provides cryptographic proof of DNS record authenticity

Build and Run

cd nodns-server
make build
sudo ./build/nodns-server

Configuration

# config.yaml
port: 53
relays:
  - "wss://relay.damus.io"
  - "wss://nos.lol"
forward_dns:
  - "1.1.1.1"
  - "8.8.8.8"

certificates:
  auto_install: false        # SECURITY: Never enable without understanding risks
  prompt_user: true          # Always prompt before certificate installation  
  required_tlds: ["nostr"]   # Only install certs for specific TLDs
  disable_dangerous: true    # Disable certificate features entirely (recommended)

⚠️ Security Warning

CRITICAL: The certificate auto-installation feature can modify your system's certificate trust store. This is extremely dangerous and can compromise system security. Only use in isolated testing environments.

Recommended for production: Set disable_dangerous: true to disable all certificate features.

Full Documentation: nodns-server/README.md

Architecture

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   nodns-cli     │    │  Nostr Network  │    │  nodns-server   │
│                 │    │                 │    │                 │
│ • Manage DNS    │◄──►│ • DNS Records   │◄──►│ • Resolve .nostr│
│ • Manage Certs  │    │   (Kind 11111)  │    │ • Install Certs │
│ • Publish       │    │ • Certificates  │    │ • Verify Sigs   │
│                 │    │   (Kind 30003)  │    │                 │
└─────────────────┘    └─────────────────┘    └─────────────────┘
         │                       │                       │
         └───────────────────────┼───────────────────────┘
                                 │
                    ┌─────────────────┐
                    │   DNS Client    │
                    │                 │
                    │ • dig *.nostr   │
                    │ • Browser       │
                    │ • Applications  │
                    └─────────────────┘

Use Cases

🌍 Decentralized Websites

Host websites on .nostr domains without traditional DNS infrastructure:

# Publish your website
nodns records add A @ 192.168.1.100
nodns certs import mysite.pem  
nodns publish

🚀 Censorship Resistance

DNS records stored on Nostr are distributed across multiple relays, making censorship difficult:

• No single point of failure

• Multiple relay redundancy

• Cryptographic verification prevents tampering

🔐 Self-Sovereign Identity

Your Nostr key pair controls your domain - no registrars or authorities:

• Own your domain forever

• Transfer domains by sharing keys

• No renewal fees or expiration

🧪 Development & Testing

Perfect for local development and testing:

# Local development setup
nodns records add A api 127.0.0.1
nodns records add A web 127.0.0.1  
nodns-server &
curl http://api.nostr/

Example Workflow

Here's a complete example of setting up a .nostr domain:

# 1. Build the tools
cd nodns-cli && make build && cd ..
cd nodns-server && make build && cd ..

# 2. Generate identity
./nodns-cli/build/nodns auth generate
# Outputs: npub1abc...123

# 3. Add DNS records
./nodns-cli/build/nodns records add A @ 192.168.1.100      # Root domain
./nodns-cli/build/nodns records add A www 192.168.1.100    # www subdomain  
./nodns-cli/build/nodns records add TXT @ "v=spf1 -all"    # SPF record
./nodns-cli/build/nodns records list                        # Review records

# 4. Generate and add SSL certificate
./nodns-cli/build/nodns certs generate nostr                # Self-signed cert
# OR
./nodns-cli/build/nodns certs import mycert.pem             # Import existing cert

# 5. Publish everything to Nostr
./nodns-cli/build/nodns records publish                     # Publish DNS records
./nodns-cli/build/nodns certs publish nostr                 # Publish certificate

# 6. Start DNS server and test
sudo ./nodns-server/build/nodns-server &
dig @localhost npub1abc...123.nostr                     # Direct resolution
curl https://npub1abc...123.nostr/                      # HTTPS with certificate

Security Considerations

DNS Security

• Signature Verification: All DNS events are cryptographically verified

• Timestamp Validation: Fresh timestamps prevent replay attacks

• Relay Redundancy: Multiple relays prevent single points of failure

Certificate Security

• ⚠️ HIGH RISK: Auto-certificate installation can compromise system security

• Recommendation: Use disable_dangerous: true in production

• Best Practice: Manual certificate verification and installation

• Audit Trail: All certificate operations are logged

General Security

• Private Key Management: Keep your nsec secure - it controls your domain

• Relay Trust: Choose reputable relays for publishing records

• Regular Updates: Keep No-DNS software updated for security patches

License

GPL v2 License - see LICENSE for details.

Support

• Documentation: docs/

• Discussions: GitWorkshop

• Nostr: Follow project updates at npub1... (coming soon)

⚡ Powered by Nostr - Building the decentralized internet, one domain at a time.