SWITCH Security-Blog

SWITCH-CERT IT-Security Blog


SWITCH Public DNS Resolver

SWITCH operates recursive name servers for its constituency, the Swiss research and education network. Over the last year we have continually added support for transport encryption protocols on our recursive name servers such as DNS over TLS (DoT) and more recently DNS over HTTPS (DoH).

In contrast to default unencrypted DNS which runs over UDP/TCP Port 53 , both of these standards (DoT, DoH) use encrypted protocols which provide privacy for DNS queries between the client (application) and the recursive name server. This eliminates opportunities for eavesdropping and on-path tampering with DNS queries on the network.

Our motivation for enabling encrypted DNS protocols on our recursive name servers have been that some client applications (mostly Android 9) probe for DoT support and use it if available by default. Over the last year, other widely used applications have added support for encrypted DNS protocols. Most notably the web browser Mozilla Firefox which supports DoH but has not turned it on by default.

Opportunistic encryption of DNS queries and responses as it is used by Android 9 by default is one use case of DoT. However, some users want to pin a specific recursive name server regardless in which network they are or also to authenticate the name server. To support this use case, we have opened our recursive name servers over encrypted transport protocols to the Internet. You will find more information about the SWITCH Public DNS service and how to use it on this website:

https://www.switch.ch/security/info/public-dns/

Continue reading