Before diving into this article, check out our previous posts for an overview of Agents, Agentic AI, and Threat Modeling.
What If AI Agents Had a Phonebook?
Imagine there are tons of AI agents
— little digital workers —
and they want to talk to each other.
But there's a problem...
They don’t know who’s real, who’s fake, or where to find each other! 😵
So how do we fix this?
🤖 The Problem: Lost and Confused AI Agents
We’re entering a world where AI agents (think bots, tools, smart assistants) need to:
Talk to each other.
Work together.
Handle sensitive data.
But here's the big problem:
They don’t know who to trust.
They can’t tell fake from real.
And bad things happen when trust is broken…
🧨 A Real Attack: How AI Got Tricked on GitHub
Let's start with a real incident disclosed by Invariant Labs in May 2025 (see Citations):
🎭 An attacker opened an issue in a developer's public GitHub repository.
📝 The issue looked like an ordinary request, but it contained hidden instructions (a prompt injection).
🤖 The developer's AI agent, connected to GitHub through the GitHub MCP server, read the issue while handling routine tasks... and followed the instructions.
🔓 It read data from the developer's private repositories.
📤 Then it published that data in a pull request on the public repository.
No malware.
No viruses.
No hacking tool.
No system was broken into.
Just an AI agent blindly trusting instructions from a source it had never verified.
That's terrifying.
🧠 What Is MCP?
MCP stands for Model Context Protocol. It's an open standard (introduced by Anthropic) for plugging AI applications into external tools and data sources, for example:
Chat assistants.
Model APIs.
External tool servers, such as the GitHub MCP server from the incident above.
Each MCP tool server publishes what its tools do: their names and descriptions, the JSON Schema of the inputs they accept, and how to call them.
But MCP on its own doesn't verify who is behind a tool or an agent, whether it's trustworthy, or whether the content it returns can be trusted.
That’s where ANS comes in.
🚀 Enter ANS: The Agent Name Service
ANS is DNS for AI agents, with identity and trust checks built in.
Example agent name:
mcp://sentimentBot.textAnalysis.ExampleCorp.v1.0.secure
From this one name, you know:
🔌 Which protocol it speaks (mcp)
🤖 What it's called (sentimentBot)
🧠 What it does (textAnalysis)
🏢 Who made it (ExampleCorp)
🔢 What version it is (v1.0)
✅ Which extra qualifier it claims (secure)
A name by itself is only a claim, though. It becomes trustworthy when ANS binds it to a certificate.
And ANS does the trust check for you. It verifies:
Has this agent been approved?
Is its certificate valid?
Is it who it claims to be?
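As an added example (not code from this post or from the OWASP ANS project), here is a Go parser for names of the form shown above, followed by the version comparison and capability lookup a resolver needs. The grammar it enforces, `protocol://agentID.capability.provider.vMAJOR[.MINOR[.PATCH]][.extension]`, the set of accepted protocols and the case-insensitive label matching are assumptions modelled on the single example in the text, not the specification verbatim. The security point is that a registry must validate a name strictly before it ever resolves it: a naive split on "." is confused by the dots inside the version, and loose matching would accept names padded with path or whitespace characters.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ANSName holds the parts of a name such as
// mcp://sentimentBot.textAnalysis.ExampleCorp.v1.0.secure
type ANSName struct {
	Protocol   string
	AgentID    string
	Capability string
	Provider   string
	Version    []int  // numeric parts of "v1.0", i.e. [1 0]
	Extension  string // optional qualifier ("secure" above), "" if absent
}

// Assumed grammar, modelled on the example in the post (not the spec verbatim):
//   protocol://agentID.capability.provider.vMAJOR[.MINOR[.PATCH]][.extension]
// Labels are limited to [A-Za-z0-9_-], so a name cannot smuggle in spaces,
// slashes or extra separators that a naive split on "." would mis-handle.
var namePattern = regexp.MustCompile(
	`^([a-z][a-z0-9]*)://` + // protocol
		`([A-Za-z0-9_-]+)\.` + // agent id
		`([A-Za-z0-9_-]+)\.` + // capability
		`([A-Za-z0-9_-]+)\.` + // provider
		`v(\d+(?:\.\d+){0,2})` + // version: 1, 1.0 or 1.0.3
		`(?:\.([A-Za-z][A-Za-z0-9_-]*))?$`) // optional extension

// Protocols this registry has adapters for (an assumed set).
var knownProtocols = map[string]bool{"mcp": true, "a2a": true, "acp": true}

// ParseANSName validates a name against the grammar and splits it; anything
// outside the grammar is rejected rather than parsed on a best-effort basis.
func ParseANSName(s string) (*ANSName, error) {
	m := namePattern.FindStringSubmatch(s)
	if m == nil {
		return nil, fmt.Errorf("malformed ANS name %q", s)
	}
	if !knownProtocols[m[1]] {
		return nil, fmt.Errorf("unsupported protocol %q in %q", m[1], s)
	}
	n := &ANSName{Protocol: m[1], AgentID: m[2], Capability: m[3], Provider: m[4], Extension: m[6]}
	for _, part := range strings.Split(m[5], ".") {
		v, err := strconv.Atoi(part) // also rejects absurdly long digit runs
		if err != nil {
			return nil, fmt.Errorf("bad version component %q in %q", part, s)
		}
		n.Version = append(n.Version, v)
	}
	return n, nil
}

// CompareVersion orders versions numerically (so 1.10 > 1.2); a missing
// component counts as 0, so 1.0 == 1.0.0. Returns -1, 0 or 1.
func CompareVersion(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Satisfies answers a lookup such as "who does textAnalysis for ExampleCorp
// over mcp, at version 1.0 or newer?". Labels are compared case-insensitively,
// an assumption borrowed from DNS.
func (n *ANSName) Satisfies(protocol, capability, provider string, minVersion []int) bool {
	return n.Protocol == protocol &&
		strings.EqualFold(n.Capability, capability) &&
		strings.EqualFold(n.Provider, provider) &&
		CompareVersion(n.Version, minVersion) >= 0
}

func main() {
	n, err := ParseANSName("mcp://sentimentBot.textAnalysis.ExampleCorp.v1.0.secure")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", *n)
	fmt.Println(n.Satisfies("mcp", "textanalysis", "examplecorp", []int{1, 0}))
}
```

Running it parses the example name into its six parts and reports that it satisfies a lookup for textAnalysis from ExampleCorp at version 1.0 or newer. Names with a path suffix, an unknown protocol, a missing `v` or a fourth version component are rejected outright; rejecting early keeps such strings out of the registry and out of any certificate issued later.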
🔌 Protocol Adapter Layer: The Secret Sauce
Different AI ecosystems speak different languages:
Google uses A2A
Anthropic uses MCP
IBM uses ACP
Adapters:
🧾 Read protocol-specific agent info (like capabilities, endpoints)
🔄 Convert it to a shared format
✅ Validate it before it goes in the registry
Adapters are plug-ins, so new protocols can be added easily.
And they must be:
Written in memory-safe languages (e.g., Rust, Go)
Fully tested
Aligned with each protocol's own security requirements
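The adapter layer in code, as an added example rather than anything from this post or the OWASP project. Two adapters translate protocol-specific descriptors into one registry record, and a shared validator gates every record before registration, which is also the point made earlier about MCP publishing each tool's input schema: the MCP adapter refuses tools whose `inputSchema` is not a JSON Schema object. The MCP input is a constructed wrapper around a `tools/list` result (the `tools` entries follow MCP's name/description/inputSchema shape; the `server` block carrying the endpoint is our own addition), the A2A input uses field names modelled on the A2A Agent Card (`name`, `url`, `skills[].id`), and the sample descriptors are constructed, so treat those field names and the https-only endpoint rule as assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
)

// AgentRecord is the shared, protocol-neutral shape the registry stores.
type AgentRecord struct {
	Protocol, Name, Endpoint string
	Capabilities             []string
}

// Adapter is the plug-in contract: one function per protocol.
type Adapter func(raw []byte) (*AgentRecord, error)

// Adapters known to this example registry; a new protocol is one more entry.
var Adapters = map[string]Adapter{"mcp": TranslateMCP, "a2a": TranslateA2A}

// TranslateMCP reads a constructed wrapper around an MCP tools/list result:
// "tools" follows the MCP shape (name, description, inputSchema), while the
// "server" block is our own addition so the registry learns the endpoint.
func TranslateMCP(raw []byte) (*AgentRecord, error) {
	var d struct {
		Server struct{ Name, URL string } // encoding/json matches keys case-insensitively
		Tools  []struct {
			Name        string
			InputSchema json.RawMessage
		}
	}
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, fmt.Errorf("mcp: %w", err)
	}
	rec := &AgentRecord{Protocol: "mcp", Name: d.Server.Name, Endpoint: d.Server.URL}
	for _, t := range d.Tools {
		// An MCP inputSchema is a JSON Schema object; reject anything else
		// before it reaches the registry and the agents that will trust it.
		var schema struct{ Type string }
		if err := json.Unmarshal(t.InputSchema, &schema); err != nil || schema.Type != "object" {
			return nil, fmt.Errorf("mcp: tool %q lacks an object inputSchema", t.Name)
		}
		rec.Capabilities = append(rec.Capabilities, t.Name)
	}
	return rec, nil
}

// TranslateA2A reads an agent card with field names modelled on the A2A
// Agent Card (name, url, skills[].id); treat those names as an assumption.
func TranslateA2A(raw []byte) (*AgentRecord, error) {
	var c struct {
		Name, URL string
		Skills    []struct{ ID string }
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("a2a: %w", err)
	}
	rec := &AgentRecord{Protocol: "a2a", Name: c.Name, Endpoint: c.URL}
	for _, s := range c.Skills {
		rec.Capabilities = append(rec.Capabilities, s.ID)
	}
	return rec, nil
}

var labelRE = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// Validate is the shared gate every translated record passes before it is
// stored: an https endpoint and safe name/capability labels.
func Validate(r *AgentRecord) error {
	if u, err := url.Parse(r.Endpoint); err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("endpoint %q must be an https URL", r.Endpoint)
	}
	for _, label := range append([]string{r.Name}, r.Capabilities...) {
		if !labelRE.MatchString(label) {
			return fmt.Errorf("bad name or capability label %q", label)
		}
	}
	return nil
}

// Register routes a raw descriptor through the adapter for its protocol and
// then the shared validator; unknown protocols are refused outright.
func Register(protocol string, raw []byte) (*AgentRecord, error) {
	translate, ok := Adapters[protocol]
	if !ok {
		return nil, fmt.Errorf("no adapter for protocol %q", protocol)
	}
	rec, err := translate(raw)
	if err != nil {
		return nil, err
	}
	if err := Validate(rec); err != nil {
		return nil, err
	}
	return rec, nil
}

// Constructed sample descriptors (not captured from real services).
const SampleMCP = `{"server":{"name":"sentimentBot","url":"https://mcp.examplecorp.example/"},"tools":[{"name":"analyze_sentiment","description":"Score text","inputSchema":{"type":"object","properties":{"text":{"type":"string"}},"required":["text"]}}]}`
const SampleA2A = `{"name":"translatorBot","url":"https://a2a.examplecorp.example/","skills":[{"id":"translate","name":"Translate"}]}`
```

`Register("mcp", []byte(SampleMCP))` returns a record with one capability, analyze_sentiment, and `Register("a2a", []byte(SampleA2A))` one with translate. A tool whose inputSchema is a bare string, a card whose url is plain http, a name containing shell metacharacters, or a descriptor for a protocol with no adapter is rejected before anything reaches the registry.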
🧱 From Registration to Resolution
1. Agent signs up
"Hi! I’m a sentiment analyzer made by ExampleCorp."
✔️ The Registration Authority vets the request and the CA issues a certificate binding the name to the agent's public key
2. Other agent wants help
"Who does sentiment analysis?"
🔍 ANS searches and finds the right, verified agent
3. They connect securely
🔐 The requesting agent checks the certificate chain, the name binding, and the signed record before it talks to the other agent
Done! Secure, trusted agent-to-agent interaction.
🔐 Security Architecture: Built-In Defense
ANS borrows proven building blocks from internet security:
PKI (Public Key Infrastructure): every agent has a key pair and a certificate that binds its ANS name to its public key.
RA/CA: a Registration Authority vets each applicant before a Certificate Authority issues its certificate, so only vetted agents get registered.
Signed messages: registration and resolution messages are signed, so every message can be verified and tampering detected.
Revocation: if an agent is compromised, its certificate is revoked and it stops resolving.
Just as HTTPS lets your browser confirm it's talking to the real site, ANS lets an agent confirm it's talking to the agent it intended.
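The three steps of the previous section and the PKI pieces listed here, worked through in Go as an added example (not code from this post or from the OWASP ANS project). It uses only the standard library: a root CA issues an Ed25519 certificate that binds the ANS name to the agent's key as a URI SAN (step 1), the agent signs its endpoint record, and a resolving agent verifies the chain, the name binding, revocation status and the signature before connecting (step 3). The in-memory revocation list, the 24-hour validity, the `name + "\n" + endpoint` signing format and the omitted ownership vetting are simplifications and assumptions, not ANS specifics.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Record is what resolution returns: name, endpoint, certificate and the agent's signature over name+endpoint.
type Record struct {
	Name, Endpoint string
	Cert           *x509.Certificate // carried as DER bytes on the wire in practice
	Signature      []byte
}

// CA plays the RA/CA role: it issues name-binding certificates and keeps a revocation list (in memory here; real deployments use a CRL or OCSP).
type CA struct {
	key     ed25519.PrivateKey
	Cert    *x509.Certificate
	serial  int64
	revoked map[string]bool
}

// issue signs tmpl with key (self-signed when parent == tmpl) and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ANS Root CA (example)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &CA{key: priv, Cert: cert, serial: 1, revoked: map[string]bool{}}, nil
}

// GenerateAgentKey makes the agent's own key pair; the private half never leaves the agent.
func GenerateAgentKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

// Register (step 1): the agent presents its ANS name and public key and receives a certificate
// with the name as a URI SAN. Vetting that the provider really owns the name is the RA's job, out of scope here.
func (ca *CA) Register(name string, pub ed25519.PublicKey) (*x509.Certificate, error) {
	u, err := url.Parse(name)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return nil, fmt.Errorf("malformed ANS name %q", name)
	}
	ca.serial++
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: u.Host}, URIs: []*url.URL{u},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca.Cert, pub, ca.key)
}

// Revoke: the agent was compromised, so its certificate must stop being trusted.
func (ca *CA) Revoke(cert *x509.Certificate) { ca.revoked[cert.SerialNumber.String()] = true }

// SignRecord: the agent signs its own record, so neither the registry nor a network attacker can swap the endpoint unnoticed.
func SignRecord(priv ed25519.PrivateKey, name, endpoint string, cert *x509.Certificate) Record {
	return Record{Name: name, Endpoint: endpoint, Cert: cert, Signature: ed25519.Sign(priv, []byte(name+"\n"+endpoint))}
}

// Verify (step 3): the resolving agent checks the chain to the ANS root, the name binding, revocation and the record signature.
func Verify(ca *CA, rec Record) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := rec.Cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if len(rec.Cert.URIs) != 1 || rec.Cert.URIs[0].String() != rec.Name {
		return fmt.Errorf("certificate is not bound to %q", rec.Name)
	}
	if ca.revoked[rec.Cert.SerialNumber.String()] {
		return fmt.Errorf("certificate %v is revoked", rec.Cert.SerialNumber)
	}
	pub, ok := rec.Cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, []byte(rec.Name+"\n"+rec.Endpoint), rec.Signature) {
		return fmt.Errorf("record signature invalid")
	}
	return nil
}
```

The call sequence is NewCA, GenerateAgentKey, Register, SignRecord, Verify. A record whose endpoint was altered fails on the signature, a record presented under a different ANS name fails on the URI SAN binding, a certificate issued by some other CA fails chain validation, and a revoked certificate fails even though its signature and chain are still mathematically valid, which is exactly why revocation has to be checked separately.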
🧨 Threat Modeling: What Could Go Wrong (and How ANS Stops It)
🌍 Why ANS Is a Big Deal
🔒 Reduces the risk of incidents like the GitHub one: an agent can check who it is dealing with before acting (it is one layer; agents still need defenses against prompt injection in the content they read).
🧠 Helps agents verify each other’s skills and identity.
🌐 Works across all major AI protocols.
📦 Supports future app stores, agent marketplaces, and autonomous ecosystems.
Think of it as DNS + digital ID + trust network — for AI.
Citations
Huang, K., Habler, I., Narajala, V. S., & Sheriff, A. (2025, May). Agent Name Service (ANS) for Secure AI Agent Discovery, Version 1.0. OWASP GenAI Security Project. (Full document available as PDF.)
Invariant Labs. (2025, May). MCP GitHub Vulnerability: Exploiting AI Trust. Retrieved from https://invariantlabs.ai/blog/mcp-github-vulnerability