SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

SWITCH Public DNS Resolver


SWITCH operates recursive name servers for its constituency, the Swiss research and education network. Over the last year we have continually added support for transport encryption protocols on our recursive name servers such as DNS over TLS (DoT) and more recently DNS over HTTPS (DoH).

In contrast to default unencrypted DNS which runs over UDP/TCP Port 53 , both of these standards (DoT, DoH) use encrypted protocols which provide privacy for DNS queries between the client (application) and the recursive name server. This eliminates opportunities for eavesdropping and on-path tampering with DNS queries on the network.

Our motivation for enabling encrypted DNS protocols on our recursive name servers have been that some client applications (mostly Android 9) probe for DoT support and use it if available by default. Over the last year, other widely used applications have added support for encrypted DNS protocols. Most notably the web browser Mozilla Firefox which supports DoH but has not turned it on by default.

Opportunistic encryption of DNS queries and responses as it is used by Android 9 by default is one use case of DoT. However, some users want to pin a specific recursive name server regardless in which network they are or also to authenticate the name server. To support this use case, we have opened our recursive name servers over encrypted transport protocols to the Internet. You will find more information about the SWITCH Public DNS service and how to use it on this website:

https://www.switch.ch/security/info/public-dns/

Resolver capabilities

SWITCH Public DNS is currently beta. It’s called beta because we have not made any plans for the future. Our recursive name servers support:

  • DNSSEC validation which protects from forged or manipulated DNS data
  • SWITCH DNS Firewall which blocks access to infected or malicious websites

On a more technical side, our recursive name servers also increase privacy through the use of the following DNS standards:

  • Aggressive Use of DNSSEC-Validated Cache (RFC 8198)
    This allows resolvers to use NSEC/NSEC3 resource records to synthesize negative answers from the information they have in the cache. Thus, less DNS queries are sent to authoritative name servers for domain names which do not exist.
  • DNS Query Name Minimisation to Improve Privacy (RFC 7816)
    A DNS resolver no longer sends the full original query name to non-authoritative name servers above the hierarchy of the delegated zone.

Our recursive name servers are currently located in data centers in Zurich and Lausanne and provide low latency from within Switzerland. The recursive name servers also don’t support “Client Subnet in DNS Queries (RFC 7871)” on purpose which has privacy shortcomings but may improve performance for users far away from our recursive name servers. In short, we recommend to use SWITCH Public DNS to Swiss users.

Finally, we would like to point out that we believe running your own recursive name server closest to your clients is the recommended choice. For example, most clients within our network repeatedly ask the same questions. Low latency from within your LAN combined with a high cache hit rate means that application performance is superior. DNS is also commonly used as a control plane to the Internet. Using a technology called RPZ (DNS Firewall) you can effectively protect your clients before a connection is established to a malicious host. However, sometimes you cannot run your own resolver and for this purpose , we offer a local alternative to the popular US-based cloud DNS resolvers.

Comments are closed.