How Blockchain Domains Work: ENS, Unstoppable Domains, and Web3 Naming
Every domain you type into a browser is resolved through the Domain Name System (DNS) — a hierarchical, centralized infrastructure governed by ICANN and rooted in 13 root server clusters. But a parallel naming system has emerged on public blockchains. Blockchain domains like vitalik.eth and names ending in .crypto, .nft, or .wallet replace the entire DNS hierarchy with smart contracts on Ethereum and Polygon. They are not entries in any registrar's database — they are NFTs (non-fungible tokens) owned by cryptographic private keys, resolvable by anyone who can read the blockchain.
This article explains how blockchain domains work from first principles: the smart contract architecture behind ENS and Unstoppable Domains, how resolution differs from traditional DNS, how browsers handle them, and the tradeoffs they introduce in security, censorship resistance, and interoperability with the existing internet.
Traditional DNS vs. Blockchain Domains
To understand blockchain domains, you first need to understand what they are replacing. In traditional DNS, resolving a name like google.com involves a chain of queries through a strict hierarchy: a recursive resolver asks a root server, which delegates to the .com TLD server, which delegates to Google's authoritative nameservers, which finally return an IP address. Each level is controlled by a different organization, and the entire system is coordinated by ICANN. Registrars like Namecheap or GoDaddy sell you the right to use a name for a period — but they can also suspend it, transfer it, or comply with court orders to seize it.
Blockchain domains discard this hierarchy entirely. There are no root servers, no TLD operators, no registrars in the ICANN sense. Instead, a smart contract on a public blockchain maintains a mapping from names to records. Ownership is determined by which Ethereum address holds the NFT representing that name. Resolution is performed by calling a function on the smart contract — anyone running an Ethereum node, or querying a public RPC endpoint, can resolve any blockchain domain without asking permission from any authority.
The two major blockchain domain systems are the Ethereum Name Service (ENS) and Unstoppable Domains. They share the same basic idea — names as NFTs resolved via smart contracts — but differ significantly in architecture, pricing, and TLD support.
ENS: Ethereum Name Service
ENS is the older and more widely adopted system, launched in May 2017. It provides .eth domains and, through its DNS integration features, can also work with traditional DNS names. ENS is a set of smart contracts deployed on the Ethereum mainnet, governed by the ENS DAO (Decentralized Autonomous Organization).
The ENS Contract Architecture
ENS consists of two core contract types:
- The Registry — A single contract that stores every registered ENS name. For each name, it records three things: the owner (an Ethereum address that can modify the name's settings), the resolver (the address of another contract that holds the name's records), and a TTL (time-to-live, a caching hint). The registry is the root of the ENS system — it is the equivalent of the DNS root zone, except it is a smart contract anyone can read.
- Resolvers — Separate contracts that store the actual records for a name: Ethereum addresses, other cryptocurrency addresses, IPFS content hashes, text records (email, URL, avatar, description), and ABI definitions. The owner of a name can point it to any resolver contract. ENS provides a default "public resolver" that most names use, but custom resolvers can implement arbitrary logic — including off-chain lookups via CCIP-Read (EIP-3668), which allows a resolver to redirect the client to an off-chain data source and verify the response on-chain.
The Namehash Algorithm
ENS does not store names as plain strings. Instead, it uses namehash, a recursive hashing algorithm that converts any domain name into a fixed-length 32-byte identifier (a bytes32 node). Namehash is defined in EIP-137 and works as follows:
- The name is split into labels. For vitalik.eth, the labels are ["vitalik", "eth"].
- Each label is normalized (lowercased, Unicode NFC) and hashed with keccak256 (Ethereum's hash function) to produce a labelhash.
- Starting from a zeroed 32-byte value (the hash of the empty name, representing the ENS root) and working from the rightmost label (the TLD) to the leftmost, the algorithm iteratively computes: node = keccak256(parentNode + labelhash).
For vitalik.eth, the computation is:
namehash("") = 0x0000...0000 (32 zero bytes)
namehash("eth") = keccak256(namehash("") + keccak256("eth"))
namehash("vitalik.eth") = keccak256(namehash("eth") + keccak256("vitalik"))
This design has an important property: namehash is one-way. Given a namehash, you cannot recover the original name. This means the ENS registry does not store or reveal all registered names — you can only look up a name if you already know it. This provides a degree of privacy (the full set of registered names is not enumerable from the contract alone, although registration events on the blockchain do reveal them).
Registration: Commit-Reveal
Registering a .eth name uses a two-step commit-reveal process designed to prevent front-running. Front-running is a problem specific to public blockchains: when you submit a transaction to register a name, miners and bots can see your pending transaction in the mempool and submit their own registration first (paying a higher gas fee to get priority). The commit-reveal scheme defeats this:
- Commit — You submit a hash of your desired name combined with a secret salt. This transaction is recorded on-chain but reveals nothing about which name you want to register. You must wait at least one minute after the commit is confirmed.
- Reveal — You submit a second transaction that reveals the name and the salt. The contract verifies that this matches your earlier commit and that the name is available. If so, the name is registered to your address.
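The commit-reveal flow above, modeled as an added example that is not part of the original article and is not ENS contract code. SHA-256 stands in for keccak256, and the class name, the simulated clock and the binding of the owner into the commitment are assumptions of this model.

```python
import hashlib

MIN_COMMIT_AGE = 60  # seconds, the article's "at least one minute"

def make_commitment(name: str, owner: str, secret: bytes) -> bytes:
    """Hash of name, owner and secret. SHA-256 stands in for the contract's
    keccak256; binding the owner is an assumption of this model."""
    h = hashlib.sha256()
    for part in (name.encode(), owner.encode(), secret):
        h.update(len(part).to_bytes(4, "big") + part)  # length prefix avoids ambiguity
    return h.digest()

class ToyRegistrar:
    """Hypothetical in-memory registrar; 'now' is a simulated clock in seconds."""
    def __init__(self):
        self.commitments = {}  # commitment hash -> time it was recorded
        self.owners = {}       # name -> owner

    def commit(self, commitment: bytes, now: int) -> None:
        self.commitments.setdefault(commitment, now)

    def register(self, name: str, owner: str, secret: bytes, now: int) -> str:
        c = make_commitment(name, owner, secret)
        if c not in self.commitments:
            return "rejected: no matching commitment"
        if now - self.commitments[c] < MIN_COMMIT_AGE:
            return "rejected: commitment too new"
        if name in self.owners:
            return "rejected: name taken"
        del self.commitments[c]
        self.owners[name] = owner
        return "registered"

def simulate() -> list:
    reg, secret = ToyRegistrar(), bytes.fromhex("5eed" * 16)  # constructed secret
    results = []
    # t=0: Alice's commit is public, but it is only a 32-byte hash.
    reg.commit(make_commitment("example", "alice", secret), now=0)
    # t=70: Alice's reveal is pending; a bot copies name and secret and is mined first.
    results.append(reg.register("example", "bot", secret, now=70))
    # The bot commits for itself and retries at once, still ahead of Alice.
    reg.commit(make_commitment("example", "bot", secret), now=70)
    results.append(reg.register("example", "bot", secret, now=70))
    # Alice's reveal executes; the bot's commitment matures only after the name is gone.
    results.append(reg.register("example", "alice", secret, now=71))
    results.append(reg.register("example", "bot", secret, now=130))
    return results

if __name__ == "__main__":
    for line in simulate():
        print(line)
```

The waiting period is what makes the copied reveal useless: by the time a commitment made after seeing the reveal is old enough, the original registration has already been mined.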
Registration requires paying a fee denominated in ETH (priced in USD via Chainlink oracle). Shorter names cost more: five-character-and-longer names are $5/year, four-character names are $160/year, and three-character names are $640/year. Names must be renewed annually — if you do not renew, the name enters a grace period and eventually becomes available for re-registration. This is a key difference from Unstoppable Domains, which charges a one-time fee with no renewals.
Subdomains and Wildcard Resolution
Any ENS name owner can create subdomains — for example, the owner of example.eth can create pay.example.eth or blog.example.eth. Subdomains are separate entries in the registry, and the parent name owner can assign them to different Ethereum addresses.
ENS also supports wildcard resolution (ENSIP-10), where a resolver can handle queries for any subdomain of a name dynamically. This enables use cases like issuing subdomains to all members of a DAO without creating individual registry entries — the resolver contract computes the response on-the-fly.
Text Records and Content Hashes
ENS names can store far more than an Ethereum address. The public resolver supports:
- Cryptocurrency addresses — Ethereum, Bitcoin, Litecoin, Dogecoin, and any coin type defined in SLIP-0044
- Content hashes — IPFS CIDs, Swarm hashes, or Arweave transaction IDs pointing to decentralized web content
- Text records — arbitrary key-value pairs: email, url, com.twitter, com.github, avatar, description, and any custom key
- ABI definitions — for smart contracts, the ABI (Application Binary Interface) can be stored on the name
You can see these records in action: look up vitalik.eth to see the Ethereum address, avatar, and other records associated with Ethereum's co-founder.
Unstoppable Domains
Unstoppable Domains (UD) is a competing blockchain domain system launched in 2018. While ENS focuses on the single .eth TLD, Unstoppable Domains sells names across many TLDs: .crypto, .nft, .wallet, .x, .blockchain, .bitcoin, .dao, .888, and .zil.
Key Differences from ENS
- No renewal fees — Unstoppable Domains charges a one-time registration fee. Once you buy a name, you own it permanently with no annual renewals. This is their primary marketing differentiator from ENS.
- Polygon-based — While Unstoppable Domains originally minted on Ethereum, new registrations are now on Polygon (a Layer 2 chain), which has much lower gas fees. Existing Ethereum-based domains can be bridged to Polygon.
- Centralized registration — Unlike ENS, where registration happens directly via smart contracts and any frontend can interact with them, Unstoppable Domains uses a centralized website for purchases. The domains are still NFTs on-chain once minted, but the initial registration is mediated by the company.
- Resolution architecture — UD uses its own smart contract registry (UNSRegistry on Polygon and Ethereum) with a different resolution mechanism. Instead of the namehash + registry + resolver pattern, UD stores records directly on the NFT token, identified by a tokenId derived from a namehash-like algorithm.
UD Resolution
Resolving an Unstoppable Domain involves:
- Computing the tokenId by namehashing the domain (similar to ENS's namehash but with a different implementation that includes the TLD in the computation)
- Calling the UNSRegistry contract to check if the token exists and who owns it
- Reading records directly from the registry contract's storage — there is no separate resolver contract
UD supports similar record types to ENS: cryptocurrency addresses (keyed by coin type, e.g., crypto.ETH.address, crypto.BTC.address), IPFS content hashes, and DNS-compatible records.
How Blockchain Domain Resolution Works
Understanding the resolution process requires contrasting it with how traditional DNS works. In DNS, a recursive resolver performs a series of network queries against remote servers that are reachable via BGP-routed IP addresses. Each step in the hierarchy is a separate UDP or TCP query over the network.
Blockchain domain resolution is fundamentally different. The entire namespace — every registered name, every record — exists as state on a public blockchain. Resolution is a read-only smart contract call (an eth_call in Ethereum's JSON-RPC API) that does not require a transaction, does not cost gas, and returns instantly from any Ethereum node or RPC provider.
The resolution steps for an ENS name like vitalik.eth are:
- Normalize and hash — The client normalizes the name (lowercasing, Unicode normalization via UTS-46) and computes the namehash.
- Query the registry — The client calls resolver(bytes32 node) on the ENS Registry contract (deployed at 0x00000000000C2E074eC69A0dFb2997BA6C7d2e1e on Ethereum mainnet). This returns the address of the resolver contract assigned to that name.
- Query the resolver — The client calls the appropriate function on the resolver: addr(bytes32 node) for the Ethereum address, text(bytes32 node, string key) for text records, contenthash(bytes32 node) for content hashes, etc.
- Return the result — The resolver returns the record data. The client can make multiple calls to retrieve different record types.
Because these are read-only calls, they cost no gas. Any Ethereum node — whether you run your own or use a public RPC provider like Infura or Alchemy — can answer them. There is no need to run special "ENS server" software. The blockchain itself is the server.
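The namehash computation and the registry and resolver queries described above, as an added example that is not from the original article or the ENS project: it implements Keccak-256 and EIP-137 namehash in pure Python and builds the eth_call request body without sending it. The function names and the lowercase-plus-NFC normalization (a simplification of full UTS-46 processing) are assumptions of this example.

```python
import unicodedata

REGISTRY = "0x00000000000C2E074eC69A0dFb2997BA6C7d2e1e"  # address quoted in the article
RATE = 136  # Keccak-256 rate in bytes (1088 bits)

def _rol64(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & 0xFFFFFFFFFFFFFFFF

def _keccak_f1600(state):
    """Keccak-f[1600] permutation on a 200-byte state (25 little-endian lanes)."""
    A = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
          for y in range(5)] for x in range(5)]
    r = 1
    for _ in range(24):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]  # theta
        D = [C[(x + 4) % 5] ^ _rol64(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, A[1][0]  # rho and pi
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x][y] = A[x][y], _rol64(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):  # chi
            T = [A[x][y] for x in range(5)]
            for x in range(5):
                A[x][y] = T[x] ^ (~T[(x + 1) % 5] & T[(x + 2) % 5])
        for j in range(7):  # iota
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                A[0][0] ^= 1 << ((1 << j) - 1)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = A[x][y].to_bytes(8, "little")
    return out

def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 as used by Ethereum (pad byte 0x01, not SHA-3's 0x06)."""
    padded = bytearray(data) + b"\x01" + bytes(-(len(data) + 1) % RATE)
    padded[-1] ^= 0x80
    state = bytearray(200)
    for off in range(0, len(padded), RATE):
        for i in range(RATE):
            state[i] ^= padded[off + i]
        state = _keccak_f1600(state)
    return bytes(state[:32])

def namehash(name: str, normalize: bool = True) -> bytes:
    """EIP-137 namehash; labels are folded in from the rightmost (TLD) inward."""
    if normalize:  # simplified stand-in for full UTS-46 processing (assumption)
        name = unicodedata.normalize("NFC", name).lower()
    node = bytes(32)
    labels = name.split(".") if name else []
    for label in reversed(labels):
        node = keccak256(node + keccak256(label.encode("utf-8")))
    return node

def single_node_call(to: str, signature: str, node: bytes) -> dict:
    """JSON-RPC eth_call body for a function that takes one bytes32 argument."""
    selector = keccak256(signature.encode("ascii"))[:4]
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": to, "data": "0x" + (selector + node).hex()}, "latest"]}

def decode_address(result_hex: str):
    """Low 20 bytes of one ABI word; an all-zero word means nothing is set."""
    word = bytes.fromhex(result_hex[2:])
    if len(word) != 32 or any(word[:12]):
        raise ValueError("not a single ABI-encoded address")
    return None if not any(word) else "0x" + word[12:].hex()

if __name__ == "__main__":
    node = namehash("vitalik.eth")
    print(single_node_call(REGISTRY, "resolver(bytes32)", node))
    print(namehash("Vitalik.eth", normalize=False) == node)  # unnormalized input hits another node
```

The same builder serves addr(bytes32) and contenthash(bytes32) against the resolver address decoded from the first call; text(bytes32, string key) takes a dynamic argument and needs full ABI encoding, which this example does not cover.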
Browser Integration and the Gateway Problem
Here is the fundamental challenge with blockchain domains: browsers do not resolve them natively. When you type vitalik.eth into Chrome, Firefox, or Safari, the browser sends a DNS query for vitalik.eth to your configured DNS resolver. That resolver asks the root servers, which have no record of .eth because ICANN has never delegated the .eth TLD in the DNS root zone. The query fails with NXDOMAIN — domain not found.
This is not a technical limitation of DNS; it is a governance one. ICANN controls which TLDs exist in the root zone. .eth is not in that zone, so no DNS resolver on the planet will resolve it through the standard DNS hierarchy. The same applies to .crypto, .nft, .wallet, and all other Unstoppable Domains TLDs.
Several workarounds exist:
- Brave Browser — Brave has built-in support for both ENS and Unstoppable Domains. When you type a .eth or .crypto name, Brave resolves it via an integrated Ethereum client (or configured RPC endpoint) and, if a content hash is found, loads the content via an IPFS gateway.
- Opera Browser — Opera supports Unstoppable Domains natively, resolving them and loading associated IPFS or traditional web content.
- MetaMask Extension — The MetaMask browser extension intercepts .eth URLs and resolves them, though support varies by browser.
- DNS Gateways — Services like eth.limo act as bridges between the DNS and ENS worlds. Appending .limo to any .eth name (e.g., vitalik.eth.limo) routes the request through a gateway that performs the ENS resolution, fetches the IPFS content, and serves it over standard HTTPS. Your browser resolves eth.limo through normal DNS — it has valid TLD delegation, TLS certificates, and everything a standard website needs.
- DoH Gateways — Some services provide DNS-over-HTTPS resolvers that handle ENS names. When configured as your DoH resolver, they intercept queries for .eth domains, resolve them on-chain, and return the result as if it were a standard DNS response.
The gateway approach introduces a tradeoff: it makes blockchain domains accessible from any browser, but it reintroduces centralized intermediaries. If eth.limo goes down, or is blocked, or decides to censor certain names, users relying on that gateway lose access. The decentralization of the blockchain domain itself is preserved — anyone can run their own gateway — but most users rely on a handful of third-party gateways in practice.
DNSSEC vs. Blockchain: Two Models of Trust
Traditional DNS has its own answer to the question "how do I know this DNS response is authentic?" — DNSSEC. DNSSEC adds cryptographic signatures to DNS records, creating a chain of trust from the DNS root key (managed by ICANN and Verisign) through the TLD to the individual domain. Each level signs the public keys of the level below it. A resolver validating DNSSEC checks this chain all the way up to the root to confirm that an answer has not been tampered with.
Blockchain domains use an entirely different trust model. There is no chain of signatures from a root authority. Instead, the Ethereum consensus mechanism itself is the trust anchor. When you resolve an ENS name by calling the registry contract, the answer you get is as trustworthy as the Ethereum blockchain is — which is to say, it is secured by the combined stake of all Ethereum validators (currently over 30 million ETH, worth tens of billions of dollars). Altering a name's records would require either the owner's private key or a successful attack on Ethereum consensus — a 51% attack requiring control of the majority of staked ETH.
This is a fundamentally different security model:
- DNSSEC relies on a hierarchy of certificate authorities and zone operators, each of which is a potential point of compromise. If a TLD operator's signing key is compromised, all domains under that TLD are at risk.
- Blockchain domains rely on cryptographic ownership (private keys) and network consensus. There is no hierarchy to compromise. But if you lose your private key, you lose your domain permanently — there is no "registrar support" to call.
Censorship Resistance and Its Tradeoffs
One of the most cited properties of blockchain domains is censorship resistance. In the traditional domain system, domains can be seized, suspended, or transferred by authorities:
- ICANN can revoke a registrar's accreditation
- Registrars can suspend domains under their terms of service
- Courts can order domain seizures (the US government has seized hundreds of domains through ICE and the DOJ)
- The UDRP (Uniform Domain-Name Dispute Resolution Policy) allows trademark holders to take domains through arbitration
- Country-code TLD operators can delist domains under national law
Blockchain domains are immune to all of these mechanisms. A .eth domain is controlled solely by the private key that owns the NFT. No registrar can revoke it. No court can order its transfer (they can order the owner to transfer it, but enforcement requires the owner's compliance or their private key). The ENS contracts are immutable — even the ENS DAO cannot seize individual names.
This cuts both ways. The same property that protects legitimate speech also protects phishing sites, trademark infringement, and illegal content. There is no WHOIS lookup for blockchain domains (ownership is pseudonymous — an Ethereum address, not a verified identity). There is no abuse contact, no UDRP, no takedown mechanism. Trademark holders have no administrative recourse against someone squatting on their brand name as a .eth domain.
Content Addressing with IPFS
Blockchain domains are frequently paired with IPFS (InterPlanetary File System), a decentralized storage network that uses content addressing instead of location addressing. This combination represents a fully decentralized alternative to the traditional web stack.
In the traditional web, you access content by its location: a URL like https://example.com/page.html tells your browser to connect to the server at example.com (resolved via DNS, routed via BGP) and request the file at /page.html. If that server goes down, the content is gone.
IPFS uses content identifiers (CIDs) — cryptographic hashes of the content itself. A CID like bafybeiemxf5abjwj... uniquely identifies a piece of content regardless of where it is stored. Anyone who has a copy of that content can serve it, and the hash guarantees integrity — if someone alters the content, the CID changes. Content does not live at a location; it exists wherever someone has pinned (stored and is serving) a copy of it.
When an ENS name has a content hash record pointing to an IPFS CID, the workflow for loading a decentralized website is:
- Resolve the ENS name to get the content hash (an IPFS CID stored on-chain)
- Fetch the content from the IPFS network using that CID
- The content is verified by its hash — any node serving it can be trusted because the CID guarantees integrity
This creates a web page that has no traditional server, no IP address, no DNS records, and no TLS certificate. The name is on Ethereum, the content is on IPFS, and the trust comes from cryptography rather than certificate authorities. The tradeoff is performance and availability — IPFS content must be pinned by at least one node, and IPFS retrieval is typically slower than fetching from a CDN.
Blockchain Domains and the Traditional Internet
It is important to understand that blockchain domains exist entirely outside the ICANN/DNS hierarchy. They do not have NS records in any DNS zone. They do not have A or AAAA records in the root zone. No root server knows about them. No registrar in the ICANN-accredited sense manages them. They are not part of the infrastructure that BGP routes traffic for — they are application-layer constructs on the Ethereum network, which itself rides on conventional internet infrastructure.
This is a subtle but critical point: blockchain domains depend on the traditional internet to function. Ethereum nodes communicate over TCP/IP. They need IP addresses, BGP routing, and physical network connectivity. Ethereum nodes connect to each other using the same infrastructure you can observe in a BGP looking glass. If the internet's routing layer fails — if BGP hijacks prevent you from reaching Ethereum nodes — you cannot resolve blockchain domains either.
Blockchain domains also interact with traditional infrastructure in several ways:
- ENS DNS integration — ENS supports importing DNS names. If you own example.com in traditional DNS and can set a specific TXT record, you can claim it in ENS and use the ENS resolver for blockchain-related records while keeping normal DNS resolution for traditional records.
- Traditional hosting — A blockchain domain can store a traditional IP address or URL in its records. Not all blockchain domain websites use IPFS — some point to conventional servers.
- Email — Some ENS users set up email forwarding through their domain, though this requires bridging to traditional SMTP infrastructure.
Limitations and Risks
Blockchain domains offer genuine properties that traditional domains cannot — censorship resistance, cryptographic ownership, permissionless registration. But they come with significant limitations that are worth understanding clearly:
- Not in the ICANN root zone — No mainstream browser resolves them without extensions, gateways, or special configurations. This is the single biggest barrier to adoption. For the vast majority of internet users, a .eth domain simply does not work.
- TLD collisions — Some Unstoppable Domains TLDs like .wallet and .x could potentially be delegated by ICANN in the future as regular gTLDs (in fact, .x is in the process of being delegated). If this happens, there would be two competing resolution systems for the same TLD — DNS would resolve it one way, blockchain another. This creates confusion and potential security issues.
- Gas fees — Registering or updating ENS records on Ethereum mainnet requires paying gas fees, which can range from a few dollars to hundreds of dollars during network congestion. Unstoppable Domains mitigates this by using Polygon, where gas costs are negligible.
- Phishing and abuse — Without WHOIS, abuse contacts, or administrative takedown mechanisms, blockchain domains are attractive for phishing. A domain like paypa1.eth or go0gle.crypto cannot be removed through the usual channels. Browser vendors and wallet developers must implement their own phishing protection.
- Key management — If you lose the private key that controls your blockchain domain, you lose the domain permanently. There is no "forgot password" flow, no identity verification process, no registrar support line. This is the flip side of trustless ownership — you are your own registrar, with all the responsibility that entails.
- Smart contract risk — The ENS contracts have been audited extensively, but smart contracts can have bugs. A critical vulnerability in the ENS registry could potentially affect all .eth names. The ENS DAO has upgrade mechanisms, but exercising them requires governance votes and introduces its own trust assumptions.
- No WHOIS or transparency — Traditional domains have WHOIS records that, even with privacy protection, provide a point of contact for abuse reports and legal processes. Blockchain domains are owned by pseudonymous Ethereum addresses. While the blockchain is transparent (all transactions are public), linking an Ethereum address to a real-world identity is not straightforward.
- Resolution speed — Traditional DNS resolution typically completes in under 100 milliseconds, with aggressive caching at multiple levels. Blockchain domain resolution requires an RPC call to an Ethereum node, which adds latency — typically 200-500ms for a well-connected RPC provider, more if the provider is overloaded. Caching helps, but the source-of-truth lookup is inherently slower than DNS.
The Bigger Picture: Naming on the Internet
Blockchain domains represent a genuinely different philosophy of internet naming. Traditional DNS is a delegated trust system — you trust ICANN to manage the root, Verisign to operate .com, your registrar to manage your domain, and DNS resolvers to give you honest answers. At each level, there is an authority with the power to intervene, for better or worse.
Blockchain domains are a trustless ownership system — you trust mathematics (cryptographic signatures) and consensus (the Ethereum network) instead of organizations. No single authority can intervene. The tradeoff is that no single authority can help, either.
Neither system is strictly superior. Traditional DNS has nearly universal support, established dispute resolution, mature tooling, and decades of operational experience. Blockchain domains have censorship resistance, cryptographic ownership proofs, and programmability via smart contracts. They serve different needs, and understanding both systems — along with the BGP routing layer that underlies all internet communication — gives you a complete picture of how names and addresses work on the internet.
See It in Action
The god.ad looking glass supports blockchain domain lookups. You can enter any .eth name to see its on-chain records — Ethereum address, avatar, text records, and content hashes — resolved directly from the Ethereum blockchain. Try it:
- vitalik.eth — Ethereum co-founder Vitalik Buterin's ENS name
- nick.eth — ENS lead developer Nick Johnson
- 1.1.1.1 — Compare with a traditional DNS lookup: Cloudflare (AS13335) serves this via conventional BGP routing
Blockchain domains and traditional DNS represent two fundamentally different approaches to the same problem — mapping human-readable names to machine-usable addresses. Exploring both through the looking glass shows you how they connect to, and diverge from, the routing infrastructure that holds the internet together.