Module 6 · Lesson 3

Blockchain and Decentralized DNS

Handshake, ENS, and Unstoppable Domains. The real problem they're solving, the real problems they introduce, and an honest look at current adoption.

I want to be straight with you about this lesson. Blockchain-based DNS has been promised as a revolutionary alternative to the existing system for the better part of a decade. The pitch is coherent. The problem it identifies is real. The implementations have not delivered on the scale the proponents claimed, and some of the problems they introduce are worse than the ones they solve.

That doesn't make the technology irrelevant. It means you should understand it on its actual merits, not through vendor or evangelist framing.

The genuine problem: censorship resistance

The existing DNS system is hierarchical and centralized at the top. ICANN controls the root zone. ICANN's policies, which are influenced heavily by the US government and major commercial interests, determine what TLDs exist and under what conditions domains can be registered, transferred, or seized.

Domain seizures happen. Law enforcement agencies have seized domains through coordination with registrars and registries. This is legal and sometimes appropriate (fraud, CSAM, sanctions violations). But the same mechanism can be and has been used to take down legitimate sites: political opposition in some jurisdictions, whistleblowing infrastructure, journalists' sites.

If you're building infrastructure that needs to be resistant to that kind of takedown, the traditional DNS system offers you no technical protection. The name can be seized. The zone can be deleted.

That's the real problem blockchain DNS is trying to solve. It's a narrow but genuine use case.

The main projects

Handshake (HNS) takes the most radical approach. It replaces ICANN's root zone entirely. Instead of a centralized root managed by ICANN, Handshake uses a proof-of-work blockchain to manage ownership of top-level names. You bid for TLDs using HNS tokens. Once you own a TLD on the Handshake chain, you control it. No registrar can take it.

The tradeoff: to resolve Handshake names, you need a Handshake-capable resolver. Standard recursive resolvers have no idea how to look up .badass or .satoshi or whatever Handshake TLD you've acquired. There's no path to ICANN delegating those names, because the whole point is that ICANN is bypassed.

Ethereum Name Service (ENS) takes a different approach. It operates on the Ethereum blockchain and maps .eth names to Ethereum addresses (and optionally to content hashes, IP addresses, and other records). It's primarily designed for the crypto ecosystem: alice.eth resolves to Alice's Ethereum wallet address.

ENS isn't really a DNS replacement. It's an identity layer for Ethereum that borrowed DNS naming conventions. Using it to serve a website requires additional tooling (IPFS content hosting, a browser with ENS support or the MetaMask extension, etc.).

Unstoppable Domains sells blockchain domain names on multiple chains (Polygon, Ethereum). Their pitch is censorship-resistant websites. Like ENS, resolution requires either a browser extension or a compatible resolver. They've added some DNS record support so that their domains can resolve to regular IP addresses in supporting contexts.

The problems introduced

Resolver adoption. This is the fundamental issue. DNS works because every device connected to the internet uses compatible resolvers. Handshake names don't resolve in standard resolvers. To reach a Handshake site, you need to configure your system to use a Handshake-aware recursive resolver (like HDNS.io or NextDNS with Handshake support), or run your own.

For the censorship-resistance use case, "the user has to install a browser extension or change their resolver settings" is a real barrier. The people most at risk from censorship, specifically users in authoritarian environments, are often the least able to modify their system settings without attracting attention.

Key management. Blockchain ownership is secured by private keys. Lose the private key, lose the domain. No recovery path. No "forgot my password" flow. No UDRP dispute resolution if someone else gets the key through fraud or theft. The decentralization that makes seizure-resistance possible is the same property that makes legitimate recovery impossible.

Traditional domain registrars, for all their flaws, do have identity verification and recovery processes. Those processes can be abused, but they also protect legitimate owners.

Performance. Resolving a blockchain domain requires querying the chain (or a chain-querying service). The initial resolution is slower than traditional DNS. Caching helps, but TTLs on blockchain domains don't work the same way; you're querying a state in a blockchain, not a zone file with defined TTLs.

Namespace conflicts. Handshake acquired all the names that weren't yet ICANN TLDs at launch. But ICANN keeps adding TLDs. The Handshake blockchain and the ICANN root zone have overlapping namespaces with no coordination mechanism. If ICANN were to delegate .mail as a TLD, and someone already owns .mail on Handshake, you have a collision with no resolution mechanism.
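The resolver-adoption and namespace-conflict problems above can be measured on your own network. The sketch below is an added example, not code from the lesson or from any of the projects it describes. It classifies queried names by the resolution path they need and shows how the lesson's hypothetical ICANN delegation of .mail turns a Handshake-only name into a collision. The TLD sets, the log format and the function names are all assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample data (assumptions, not real root-zone or chain snapshots).
ICANN_TLDS = {"com", "org", "net"}
HNS_TLDS = {"badass", "satoshi", "mail"}  # names claimed on the Handshake chain

def tld_of(qname: str) -> str:
    """Rightmost label, lowercased, ignoring the trailing root dot."""
    return qname.rstrip(".").lower().rsplit(".", 1)[-1]

def classify(qname, icann=ICANN_TLDS, hns=HNS_TLDS):
    """Return the resolution path a name needs, as the lesson describes them."""
    tld = tld_of(qname)
    if tld in icann and tld in hns:
        return "collision"   # both roots claim it: the answer depends on the resolver
    if tld in icann:
        return "icann"       # any standard recursive resolver can answer
    if tld == "eth":
        return "ens"         # needs ENS-aware tooling, not plain DNS
    if tld in hns:
        return "handshake"   # needs a Handshake-aware resolver
    return "unknown"         # claimed in neither namespace

def audit(log_lines, icann=ICANN_TLDS, hns=HNS_TLDS):
    """Count queries per resolution path from '<client> <qname>' log lines."""
    counts = Counter()
    for line in log_lines:
        _client, qname = line.split()
        counts[classify(qname, icann, hns)] += 1
    return counts

# Constructed resolver log: "<client-ip> <query-name>"
SAMPLE_LOG = [
    "192.0.2.10 www.example.com.",
    "192.0.2.11 alice.eth",
    "192.0.2.11 blog.satoshi",
    "192.0.2.12 smtp.mail",
    "192.0.2.13 printer.local-typo",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
    # Same log after the hypothetical ICANN delegation of .mail from the lesson.
    print(audit(SAMPLE_LOG, icann=ICANN_TLDS | {"mail"}))
```

Everything outside the "icann" bucket is a query that a standard recursive resolver either cannot answer or may answer differently from an alternate-root resolver.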

The adoption numbers. As of early 2026, the daily resolution volume for Handshake and ENS domains through public infrastructure is orders of magnitude smaller than traditional DNS. ENS has significant transaction volume on Ethereum, but most of it is speculation and identity use, not actually serving web traffic. Handshake has passionate advocates and some genuine use cases, but it hasn't broken through to general internet use.

When does this actually make sense?

Decentralized DNS makes sense when all of the following are true:

  1. You have a genuine need for censorship resistance that outweighs the usability tradeoffs
  2. Your audience is willing and able to configure non-standard resolvers or use supporting tools
  3. You're operating in an environment where traditional registrar/ICANN protection mechanisms actively work against you (not just theoretically)
  4. You accept that key management is your problem and there's no safety net

That's a narrow set of conditions. For a dissident blog, a whistleblowing platform, or infrastructure for a community operating under a repressive regime, those conditions might all be met. For a regular business, a developer's personal site, or any application where you want broad public access, they aren't.

The technology isn't snake oil. The problem is real. But "blockchain will replace DNS" has been wrong for eight years, and the adoption curve suggests it's likely to remain wrong. What you might see instead is a gradual, narrow deployment for specific high-stakes use cases, alongside continued dominance of traditional DNS for everything else.

Key takeaways

  • The core problem blockchain DNS addresses (censorship resistance at the naming layer) is real
  • None of the current implementations are accessible to general users without extra setup
  • Key management in blockchain DNS has no recovery path; that's a feature and a bug
  • Namespace conflicts between Handshake and ICANN are unresolved by design
  • Current adoption is a fraction of what advocates projected; the use case remains narrow
