Have you ever experienced issues accessing a website due to a disruption in the internet’s core protocols? One cause of such disruptions is an attack on the Domain Name System (DNS), which translates domain names into numerical IP addresses.
In the European Union (EU), most businesses rely on public DNS resolvers operated by entities outside the EU. Unfortunately, this leaves them vulnerable to cyberattacks and geopolitical incidents. Recognizing this critical vulnerability, the European Commission has come up with the DNS4EU initiative – a public DNS resolver service established within the European Alliance for Industrial Data, Edge and Cloud. DNS4EU aims to provide a safer alternative for global internet access, ensuring the security and protection of Europe’s digital infrastructure. Aligned with the European cybersecurity strategy from 19 February 2020, this groundbreaking initiative adheres to the latest security, data protection and privacy standards.
DNS4EU is currently under development by a consortium of companies led by the Czech cybersecurity firm Whalebone. Today, a special guest is helping us shed light on this project: Robert Šefr, the co-founder and CTO of the company. As a cybersecurity visionary, he brings a wealth of IT and security experience from his previous work at McAfee VAD Comguard, where he climbed the ranks to become the Comguard CTO.
Robert will share his invaluable insights on the significance of DNS4EU and its pivotal role in shaping Europe’s digital infrastructure. This conversation promises to be both inspiring and eye-opening, giving us a glimpse into the future of European cybersecurity. Don’t miss out on an exciting opportunity to learn more about the innovative DNS4EU and join us as we explore this fascinating project with Robert.
1. What are the reasons behind the EU’s project to create a European DNS resolver? What are the main issues that DNS4EU aims to address?
DNS4EU arises from the recognition that a significant number of public resolvers dominating the current market are operated by non-European entities. The European Commission now supports European companies and organizations in developing an alternative service.
A DNS resolver is a service that translates domain names into numerical IP addresses so that users can access websites on the internet.
DNS4EU demonstrates the EU’s dedication to enhancing digital security and privacy. It acts as a strong defense against external and internal risks, all while safeguarding the digital strength of the European Union. Creating a strong and privacy-conscious DNS resolution service in Europe allows European citizens, businesses and organizations to use the internet with trust. This ensures their information remains secure and their online activities stay resilient despite evolving cybersecurity risks.
DNS4EU will not be developed internally by the European Commission. Instead, the critical task has been delegated to a consortium of CERTs, academic institutions and the private sector. The commercialization of the service is encouraged by the European Commission since it is also expected that it remains sustainable without operational costs from the EU.
2. What are the specific objectives and aims of DNS4EU?
The primary objective of DNS4EU is to safeguard the digital sovereignty of the EU by offering a private, safe and independent solution that empowers the region to maintain control over its online activities and protect its sensitive data from external influences.
DNS4EU has several objectives and aims that can be categorized into four distinct areas, which are as follows:
-> Create EU’s digital sovereignty
DNS4EU is committed to enhancing the EU’s digital sovereignty through multiple strategic approaches:
- A European consortium will manage the service that will be based on European technologies ensuring sovereignty at multiple levels.
- DNS4EU will be built on European technologies, reinforcing the EU’s independence and self-reliance in the digital realm. This emphasis on European technologies contributes to preserving sovereignty within multiple layers of the DNS infrastructure.
- DNS4EU guarantees that all user data remains securely stored within the EU space, preventing unauthorized access and safeguarding the EU’s data sovereignty.
-> Onboard 100 million users
The ambitious objective of onboarding 100 million users onto the internet underscores the need to go beyond relying solely on a public resolver. This goal is far beyond what public resolvers can achieve as it would require manual configuration by end-users, thus necessitating the delivery of DNS4EU via different methods. Fortunately, the project’s goal of commercial sustainability can be attained through collaboration with ISPs and telcos. These collaborations can provide customers with a safe and EU-compliant solution, expanding DNS4EU’s reach and propelling it toward its objective.
-> Enhance privacy
A key objective of DNS4EU is to prioritize and enhance the privacy of EU citizens by guaranteeing the utmost security and protection of their data. This commitment includes strict compliance with GDPR regulations and other privacy-related initiatives, ensuring that all data handling remains exclusively within the secure confines of the EU digital realm. By maintaining this level of privacy, DNS4EU aims to cultivate greater trust among EU citizens, empowering them to confidently engage in online activities while safeguarding their sensitive information.
-> Improve security
Traditional global services and security products often prove inadequate in identifying and mitigating local, state-specific online threats. In contrast, DNS4EU’s dedicated focus on member states within the EU will offer exceptional protection to its citizens. DNS4EU can better identify, prevent and respond to state-specific online threats to safeguard the EU digital environment by providing a comprehensive and localized approach to online security.
3. What level of privacy and security can users expect from DNS4EU and what measures are in place to prevent any potential tracking or monitoring of users’ online behavior?
Ensuring the utmost security is our primary focus in the DNS4EU project. By implementing robust security measures, we aim to provide a DNS resolution service that proactively detects and thwarts potential threats like malware, phishing attacks and unauthorized access. Our aim is to develop a service that demonstrates resilience against DDoS attacks, ensuring the fulfillment of our commitments towards privacy and integrity. While DDoS attacks pose a unique challenge to DNS services, we are implementing a comprehensive approach that includes proper scaling, performance optimizations, service-level DoS countermeasures and data center protection. These measures work to maximize service availability, striving for uptime as close to 100% as possible.
At the backend level, our primary focus is to ensure a thorough understanding of the data flow while minimizing the exchange of information between individual services. We prioritize the utilization of encryption wherever feasible to enhance security. Our services also undergo regular assessments to identify and address known vulnerabilities or misconfigurations. In addition, we proactively investigate potential supply chain vulnerabilities and regularly conduct external penetration tests to fortify our security measures and assess the system’s resilience against possible attacks.
4. What are the main functionalities of DNS4EU that benefit governments?
Besides offering protection for thousands of organizations on the DNS level, DNS4EU also includes a solution tailored for governments and public institutions such as hospitals, schools, municipalities, banks and justice institutions with no need for installation, maintenance or user knowledge. This is an entirely different use case from just a public resolver.
We have the perfect solution on a national level, which deals with security threats such as phishing, ransomware and other security risks. The government sector focuses on multi-tenancy, allowing a central government to easily access all the logs and incident details and populate central lists of blocked or allowed domains. The architectural approach that enables the government to achieve the following is also critical – smaller institutions may redirect their DNS traffic at the perimeter from the ISP to DNS4EU. Larger institutions may, however, run their own instance of resolver within their network to gain more control and visibility. Both options are available and can be combined.
5. What is the role of telcos and ISPs in ensuring the success of the DNS4EU?
To ensure widespread access to the DNS4EU resolution across the EU, we consider telcos and ISPs essential partners.
DNS4EU for telcos
- On-premise DNS resolvers
- Lower latency than public resolvers
- DNS standards support and compliance
- Optional protective features
- Telco grade resolver incl. API, monitoring, logging, troubleshooting and integration features
Regulatory requirements are applied on the DNS traffic throughout European member states at increasingly frequent intervals and the burden of fulfilling them lies on telcos. We help keep various blocklists up to date and adequately applied and explain to the end-user why access was blocked using appropriate language, branding and context. Besides simple blocklists, many countries are introducing or considering pushing telcos to offer optional filtering for adult content and we can take this burden on ourselves and support telcos in fulfilling the requirements.
Telcos also often hesitate to introduce encrypted DNS protocols. We are ready to help them with the standard support from various networks. Experts nowadays discuss DNS over QUIC, yet many telcos still need to introduce DNS over TLS or DNS over HTTPS. We can help also with the protocol registration into the applications or operating systems and managing the certificate lifecycle.
6. Is DNS4EU going to filter some kind of content?
The public service will act following the preferences of end users. If they desire an unfiltered DNS, it will be available and the resolver will strictly follow the DNS standard without detours or blocklists. However, we want to primarily communicate the IP address with the security filtering included, as this security layer should be a part of everyone’s digital life. No regulatory blocklist will be implemented, as such lists do not impact DNS services; instead, they pertain to internet service providers. The offering for telcos and ISPs will indeed include support for regional blocklists. That is legislation that telcos cannot avoid and which they have to introduce through any DNS technology of their choice, whether DNS4EU or other. As far as we know, no blocklists would recall any political, religious or similar censorship across the EU.