A European DNS resolver, soon a reality?


The European Union may soon have its own DNS (Domain Name System) resolver. The “DNS4EU” initiative aims to create a “European DNS resolution services infrastructure serving EU-based Internet users who need privacy-friendly and secure DNS resolution to access online resources”.

To select an operator for this future service, the European Commission published a call for proposals in January, the deadline for which has been extended to 20 April. The chosen provider will be revealed in the second half of 2022. The DNS4EU initiative was first mentioned by the EU in 2020, with the announcement of the European cybersecurity strategy. The acceleration of the project comes at a time when Europe is taking steps to increase its digital sovereignty and reduce its dependence on foreign players. France has again emphasized this objective within the framework of its European presidency, placing sovereignty and digital regulation among its main priorities.

Why a European public resolver?

Why does the European Commission want to build its own resolver, rather than just changing its policy or rules? Such a change in policy would probably be too complicated, since the Internet has no borders. Even if the EC aimed to apply rules to Europe, it would end up targeting all DNS services in the world. Furthermore, if it tried to apply the rules to every company based in the European Union, they would not apply to the world’s largest commercial players such as Google and Cloudflare, or even Quad9, based in Switzerland.

By requiring a list of security and privacy features, the EU aims to protect users of the future resolver. In this respect, DNS4EU distinguishes itself from commercial parties and Internet Service Providers. Take for example Google’s public DNS service, which by its own account does little to protect users and presents itself as a neutral channel.

This is different from commercial DNS resolvers, which are often aimed at large enterprises and do a lot to protect users from malware and phishing sites. Public resolvers often steer clear of such filtering. Internet service providers have the same attitude when it comes to DNS resolvers that they use or manage themselves. Although they are commercial companies, they also like to think of themselves as providing some kind of utility function that guarantees the neutral transmission of information. It’s a way to protect themselves against legal action.

Also, while people can choose to use Google’s DNS resolver, Google still has the ability to do what it wants with it. Google doesn’t offer it for free out of the goodness of its heart; it offers this service in order to obtain data. Internet service providers could therefore benefit from a new public DNS service that they could rely on.

What are the requirements for the new resolver, and who could meet them?

In the coming weeks, it should be known which companies are eligible to build the resolver. It is unlikely to be a small start-up with big ambitions. At the same time, the amount Europe is willing to set aside for the project is rather small. According to the call for proposals, only a single sum of 14 million euros is available to build the project.

The EC has drawn up a list of requirements for the project:

Sovereignty and privacy

Digital sovereignty, a well-known subject in the French technological landscape, is integrated into the EU plan. All DNS resolution data and metadata must be processed in the EU. However, the call for proposals makes no mention of the nationality of the potential supplier, which means that while the data centers involved in the processing of this data must be in Europe, the headquarters of the chosen company can be anywhere in the world.

Of course, the DNS4EU resolver must comply with the GDPR. Where applicable, it must also comply with the national data protection and privacy rules of the various countries. In France, these include the Data Protection Act.

Infrastructure

To meet the requirements for wide geographical coverage, high reliability and low latency, the provider would need a significant number of servers, in order to compete with a service like Google or Cloudflare in terms of performance and capacity. Of course, the servers should only cover Europe. Nevertheless, the project will require servers for France, for Benelux, for Scandinavia, for Spain… This is mainly due to latency; a user in Norway using a server in Spain will quickly suffer from a slow connection. Stability and redundancy are also important. By securing them, it will be possible to take the servers offline for maintenance without causing a service interruption. Therefore, only a company that already has an extensive DNS infrastructure can meet this need.

A DNS resolver needs several other techniques that require a lot of maintenance. For example, the provider must have a good Anycast infrastructure, so that users can always use the same IP address. The ability to scale horizontally is also essential.

Cybersecurity

The EC emphasized the need for the chosen infrastructure to meet all the latest security and privacy standards. For example, it must support HTTPS, DNSSEC and DNS encryption protocols such as DNS over TLS (DoT) and DNS over HTTPS (DoH). The project must also be fully compliant with IPv6, the most recent version of the Internet Protocol.

The project must also provide industry-leading protection against malware, phishing, and other threats. To do this, the vendor will need to analyze its own threat intelligence as well as information from trusted partners such as computer emergency response teams (CERTs). These groups of experts analyze threats, alert the public to new threats, and coordinate responses to cyberattacks.

For example, the French government’s CERT, CERT-FR, regularly publishes alerts on vulnerabilities, threats, security incidents, indicators of compromise and protection recommendations. The future DNS4EU operator will collaborate with government and private CERTs, which will send it DNS records of malware command and control servers. This will allow the provider to block malware at the DNS level, a beneficial measure for users.
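
As an added illustration (not code from DNS4EU or the call for proposals), the following Python shows what blocking at the DNS level amounts to on the resolver side: a feed of reported domains is normalized into a blocklist, each incoming query name is checked against it on label boundaries, and a match is answered with NXDOMAIN instead of being resolved. The feed entries, the function names and the choice of NXDOMAIN as the block response are assumptions made for the example.

```python
import struct

# Constructed sample feed: domains a CERT might report (reserved .example names).
CONSTRUCTED_FEED = ["c2-panel.example", "Bad-Updates.Example."]

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are canonical."""
    return name.rstrip(".").lower()

def build_blocklist(feed):
    return {normalize(d) for d in feed if d.strip()}

def is_blocked(qname, blocklist):
    """Block a listed domain and all its subdomains, matching whole labels only."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def parse_qname(msg):
    """Return (name, offset after name) for the question of a wire-format query."""
    pos, labels = 12, []                      # the DNS header is 12 bytes
    while True:
        if pos >= len(msg):
            raise ValueError("truncated query")
        length = msg[pos]
        if length == 0:
            return ".".join(labels), pos + 1
        if length > 63:                       # not a plain label (e.g. a pointer)
            raise ValueError("unexpected label type")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def answer_policy(query, blocklist):
    """Return an NXDOMAIN response for a blocked name, or None to resolve normally."""
    qname, end = parse_qname(query)
    if len(query) < end + 4:                  # QTYPE and QCLASS must follow the name
        raise ValueError("truncated question")
    if not is_blocked(qname, blocklist):
        return None
    txid, flags = struct.unpack("!HH", query[:4])
    # QR=1, opcode and RD copied from the query, RA=1, RCODE=3 (NXDOMAIN)
    resp_flags = 0x8000 | (flags & 0x7900) | 0x0080 | 3
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + query[12:end + 4]         # echo the single question

def make_query(name, txid=0x1234):
    """Build an A/IN query with RD set (constructed input for the example)."""
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + q + b"\x00\x00\x01\x00\x01"
```

Matching on label boundaries is what keeps `notc2-panel.example` from being blocked just because it ends with the same characters as a listed domain.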

Content filters

One of the criteria of the EU call for proposals is the need to filter URLs that link to illegal content. But there is a big gray area around what content is considered “legal” or “illegal”. Of course, when it comes to command-and-control servers, it’s clear that everyone has a stake in having these sites blocked, with the exception of some security researchers. But beyond that, the subject quickly enters this ambiguous zone.

What if someone posts a manual on how to make a bomb online? What about inflammatory texts? Pornography? Gambling content? Because of this, it is important that the use of any resolver be voluntary, as currently foreseen in the plan. Also, strong definitions of what such a filter means are needed, so that the policy is clear in advance.

Indeed, the optional character of the resolver is the key to the initiative. But it remains to be seen how widely the future European resolver will be used. Stéphane Bortzmeyer, computer scientist at Afnic, wonders about the adoption by users of the future DNS4EU resolver in an interview with the German media Heise. He points out that many users still use their own DNS resolver or that of their ISP, and stresses the relative security of more decentralized and local resolvers.

The long-standing reflections on digital subjects within the European institutions are in the process of materializing into initiatives. While the legislation on digital markets (DMA) is evolving rapidly, it seems that the European Union seeks to assert, for its constituents, a vision of the digital economy and data privacy (GDPR) which differs from that which had prevailed until then. The DNS4EU initiative is part of this desire to provide those who want it with an essential service that corresponds to this vision, while providing the EU with a tool to strengthen its digital sovereignty and cybersecurity.




