ENS Domains: Your Decentralized Digital Identity Explained

A comprehensive technical guide to the Ethereum Name Service (ENS). How ENS works, the resolver architecture, .eth domains as identity primitives, adoption metrics, and the implications for decentralized identity.

The DNS system that routes every web request on the planet is controlled by a single nonprofit in Los Angeles. ICANN, the Internet Corporation for Assigned Names and Numbers, operates under a contract with the United States Department of Commerce. Every domain name, every TLD, every resolution chain ultimately traces back to thirteen root server clusters managed by organizations predominantly based in NATO countries. The Ethereum Name Service exists because this architecture is incompatible with a decentralized internet.

ENS is not merely a blockchain-based domain registrar. It is a programmable identity layer that maps human-readable names to cryptographic addresses, content hashes, metadata records, and arbitrary key-value pairs. With over 2.8 million .eth registrations and a resolver architecture that can point to any data type, ENS has become the de facto identity primitive of the decentralized web.

How ENS Works: Architecture From the Ground Up

ENS operates on three layers: the registry, resolvers, and registrar controllers. Understanding each layer is essential to grasping why ENS is architecturally distinct from DNS.

The ENS Registry

The ENS registry is a single smart contract on Ethereum mainnet that stores three pieces of information for every registered name: the owner address, the resolver address, and the TTL (time-to-live) for caching. The registry itself holds no resolution data. It only knows who owns a name and which resolver contract should be queried for records.

This separation is deliberate. By decoupling ownership from resolution, ENS allows any name to point to any resolver implementation. A .eth domain can resolve to an Ethereum address today and be reconfigured to resolve to a decentralized website, a Zcash address, or a zero-knowledge proof verification endpoint tomorrow, all without changing the registry entry.

Resolvers

Resolvers are smart contracts that respond to queries about a name. The standard public resolver supports multiple record types:

Ethereum address (addr): The primary address associated with the name
Content hash: An IPFS, Swarm, or Arweave hash pointing to decentralized web content
Text records: Arbitrary key-value pairs (email, URL, avatar, description, social handles)
ABI: The contract ABI for smart contract addresses
Multi-chain addresses: Addresses on other blockchains (Bitcoin, Litecoin, Solana)

Text records are where ENS becomes an identity system rather than merely a naming system. A .eth name with populated text records functions as a decentralized profile: no server, no database, no company controlling the data. The records live on-chain (or on L2 with CCIP-Read for gas efficiency) and are readable by any application.

Registrar Controllers

The .eth registrar is a smart contract that manages name registration and renewal. Names of five characters or longer cost approximately $5/year in ETH. Three and four-character names carry premium pricing. The registrar implements a commit-reveal scheme to prevent frontrunning: a user first submits a hash of their desired name and a secret, waits at least one minute, then reveals the name and completes registration.

This anti-frontrunning mechanism is noteworthy because it solves a real problem that traditional domain registrars never bothered to address. In the DNS world, domain registrars have been caught registering domains that users searched for, a practice called domain tasting. ENS makes this mathematically impossible.

ENS as an Identity Layer

The transformation of ENS from a naming system to an identity layer happened organically. As applications integrated ENS, they began reading not just the address record but the full profile: avatar, social links, description, and custom records. The result is a portable, self-sovereign identity that works across thousands of applications without any centralized profile service.

Consider the data architecture. A traditional social identity (Twitter, LinkedIn, Facebook) stores your profile in a proprietary database, controls who can read it, controls what fields exist, and can modify or delete it unilaterally. An ENS identity stores your profile in smart contract state on a public blockchain. You control it with your private key. Any application can read it. No application can modify it without your signature. No company can delete it.

This has direct implications for self-sovereign identity systems. ENS provides the human-readable layer that SSI frameworks have struggled to deliver. A decentralized identifier like did:ethr:0x1234...abcd is cryptographically precise but unusable for human communication. alice.eth is both human-readable and cryptographically resolvable, bridging the gap between DID infrastructure and practical identity.

The CCIP-Read Revolution

Gas costs on Ethereum mainnet made on-chain ENS records expensive to update. A single text record update could cost $10-50 during high-gas periods. CCIP-Read (Cross-Chain Interoperability Protocol, EIP-3668) solved this by enabling off-chain resolution with on-chain verification.

With CCIP-Read, a resolver can store records on Layer 2 networks, off-chain databases, or any external data source. When queried, the resolver returns a callback URL. The client fetches the data from the off-chain source, then verifies its authenticity against an on-chain proof. The user experience is identical to on-chain resolution, but the cost of updating records drops to near zero.

This is architecturally significant for privacy. CCIP-Read enables ENS names to resolve through privacy-preserving infrastructure. Records could be stored on encrypted off-chain systems, resolved through zero-persistence architecture, or served from edge workers that leave no access logs. The resolution data is verified cryptographically, not trusted implicitly.

ENS Labs reports that CCIP-Read adoption has reduced average gas costs for ENS operations by over 90% since its introduction, enabling sub-$0.50 profile updates through L2 resolvers on Optimism and Base.

ENS Subdomains and Organizational Identity

ENS supports unlimited subdomains (e.g., team.company.eth, alice.company.eth). Subdomain control can be delegated, allowing organizations to issue identity credentials under their namespace without centralized infrastructure.

The pattern is powerful: a DAO registers project.eth, then issues subdomains to contributors. Each subdomain is a verifiable credential that proves membership without revealing personal information. The subdomain holder controls their own records, but the parent domain owner can revoke the subdomain if membership is terminated. This creates a decentralized credentialing system with hierarchical authority, a pattern that mirrors the X.509 certificate authority system but without the certificate authorities.

For Stealth Cloud, ENS subdomains present both opportunity and caution. They enable verifiable organizational identity, but they also create a public association between a subdomain holder and a parent organization. Privacy-conscious implementations must consider whether this association is acceptable for their threat model.

Adoption Numbers

ENS growth metrics reflect genuine infrastructure adoption rather than speculative activity:

2.8 million+ .eth names registered as of Q1 2026, with approximately 640,000 unique owners.
Over 850 applications integrate ENS resolution, including major wallets (MetaMask, Rainbow, Coinbase Wallet), DeFi protocols (Uniswap, Aave), and social platforms (Farcaster, Lens Protocol).
ENS name resolution averages 3.2 million queries per day across integrated applications, demonstrating active usage rather than dormant registrations.
CCIP-Read enabled names have grown to represent approximately 35% of actively resolved names, indicating rapid adoption of gas-efficient resolution.

The owner-to-registration ratio is telling. With 640,000 unique owners for 2.8 million names, the average owner holds approximately 4.4 names. This suggests a mix of personal identity use (single names) and speculative or organizational use (multiple names), a distribution pattern consistent with the early DNS era.

ENS and Privacy: The Tension

ENS creates an inherent tension with privacy. By design, ENS records are public. When you set alice.eth to resolve to 0x1234...abcd, anyone can query this mapping. If that Ethereum address has on-chain transaction history, the link between the human-readable name and the financial history is public and permanent.

This is the opposite of what privacy infrastructure demands. Zero-KYC authentication requires that identity assertions reveal the minimum necessary information. An ENS name linked to an active Ethereum address reveals a maximum amount of information.

Several approaches address this tension:

Dedicated authentication addresses. Use a freshly generated address with no on-chain history solely for ENS identity and SIWE authentication. Keep financial activity on separate, unlinked addresses.

Privacy-preserving text records. Populate ENS text records with information you intend to be public (avatar, social links) while keeping sensitive data off-chain and encrypted.

Wildcard resolution with CCIP-Read. Instead of registering individual subdomains on-chain, use wildcard resolution to generate names dynamically. This reduces on-chain fingerprinting and enables more granular access control.

No ENS at all. For maximum privacy, authenticate with a raw Ethereum address that has no ENS resolution, no on-chain history, and no public metadata. This is the approach recommended for GhostPass authentication: the wallet address is used solely as a cryptographic identity, not as a public profile.

ENS Governance and the DAO

ENS is governed by the ENS DAO, which controls the treasury (approximately $1.4 billion at peak valuation) and sets protocol parameters. The $ENS token grants voting rights on proposals affecting the protocol.

The governance model is relevant to identity infrastructure because it determines who controls the rules of the naming system. In DNS, ICANN’s board makes unilateral decisions about TLD policies, dispute resolution, and pricing. In ENS, these decisions are made through on-chain governance votes. The difference is not that DAO governance is superior (it has its own pathologies, including voter apathy and whale dominance), but that it is transparent and auditable.

One governance decision with direct privacy implications: the ENS DAO voted to implement a name wrapper contract that enables permissioned subdomains with expiry dates and access restrictions. This capability enables time-limited, revocable credentials issued under ENS names, a building block for soulbound tokens and verifiable credential systems.

ENS Beyond Ethereum

ENS is expanding beyond the Ethereum ecosystem. ENSv2, currently in development, introduces a cross-chain architecture where the registry and resolver infrastructure can operate on multiple chains simultaneously. This addresses both scalability (lower gas costs) and interoperability (names resolvable from any chain).

The cross-chain expansion also opens ENS to privacy chains. A .eth name could theoretically resolve to a shielded address on Zcash or Secret Network, enabling private transactions behind a human-readable identity. The privacy implications are nuanced: the name itself is public, but the assets and transactions behind it could be shielded.

DNS integration is already live. ENS supports DNSSEC-verified .com, .org, .xyz, and other DNS TLDs, meaning you can import your existing DNS domain into ENS and manage both Web2 and Web3 resolution from a single system. This bridging function positions ENS not as a replacement for DNS but as a superset: everything DNS can do, plus programmable resolution, multi-chain addressing, and self-sovereign record management.

The Naming Problem in Decentralized Identity

Names are the unsolved problem of decentralized identity. Every identity system needs human-readable identifiers, but human-readable names inherently require a namespace, and namespaces require governance. This is Zooko’s Triangle: a naming system can be secure, decentralized, and human-readable, but achieving all three simultaneously is extraordinarily difficult.

ENS solves Zooko’s Triangle through economic mechanism design rather than pure cryptography. Names are human-readable by definition (.eth names). They are secure through Ethereum’s consensus mechanism. They are decentralized through smart contract governance and on-chain ownership. The compromise is cost: registering and maintaining a name requires paying gas fees and annual renewal costs, which filters the namespace through an economic rather than cryptographic mechanism.

For Stealth Cloud’s architecture, this represents a pragmatic tradeoff. ENS provides a discoverable identity layer for users who want public profiles and verifiable credentials. For users who prioritize anonymity over discoverability, raw wallet authentication via SIWE bypasses the naming layer entirely. Both approaches coexist within the same authentication framework.

The Stealth Cloud Perspective

ENS is the most mature decentralized identity primitive available today, and we integrate it where it serves the user. But identity and privacy exist in tension: a name is useful precisely because it is public, and privacy requires that some things remain hidden. At Stealth Cloud, we let users choose their position on that spectrum, from fully public ENS profiles to fully anonymous wallet addresses with zero-persistence sessions.