EU plans for its own DNS resolver: Critics fear a fragmented network


No Internet without a DNS resolver – the importance of this critical infrastructure can be boiled down to this rule of thumb. But conventional resolvers are also choke points at which the operator can in principle read which users are heading for which destinations on the Internet, and thus a hole in the user’s privacy.

Internet applications such as browsers do not use domain names such as ct.de to reach their destinations, but rather their IP addresses (e.g. 193.99.144.80). The mappings between domains and addresses are stored in the worldwide Domain Name System (DNS); resolvers look the addresses up there and return them to the user’s devices (DNS resolution). Because DNS resolution is largely unencrypted, DNS queries and responses are popular prey for spies, state security officials, and advertisers.

Now the EU wants to offer users an alternative with built-in privacy protection and is launching a tender for companies or consortia that will set up and operate the infrastructure.

The technology of DNS resolution has been in a state of upheaval for several years. While computers sent their DNS queries almost exclusively to resolvers run by Internet providers at the beginning of the Internet era, users can now choose from many resolver operators. US corporations such as Google and Cloudflare stand out with very fast global resolver infrastructures.

The EU now wants to counter this with its own resolvers. The infrastructure is to be called DNS4EU and is to resolve DNS requests from users in accordance with EU data protection laws and EU filter rules. The EU Commission released the funds for the financing on January 12th and thus started the call for tenders.

The interest in it is considerable. This became apparent in a discussion at the end of January organized by the European IP address management company RIPE. The illustrious group includes TLD registries and telecommunications companies, and perhaps organizations like RIPE itself will throw their hats into the ring.

Among other things, ten members of the European umbrella organization of national domain registries CENTR (Council of European National Top Level Domain Registries) have formed a consortium to submit a bid for the construction and operation of the infrastructure. CENTR members include, for example, Denic (operator of the .de domain) and sister organizations such as nic.at and cznic.

Ex-British telecoms expert and consultant Andrew Campling reported some interest from network operators. He is in the process of bringing together a consortium, Campling said. “Telco attitudes towards DNS4EU are mixed,” he revealed. However, there are network operators who are “in principle” interested.

For all interested parties, it is time to get going, because the EU has set a tight deadline for offers. Potential bidders have less than two months. The time pressure is even greater in member states that require approval by the local regulator. A Swedish bid, for example, must be reported to the telecom regulator by February 6, said Patrik Fältström, CEO of Netnod.

For Fältström, there is also the question of where such an offer will lead. According to the Commission’s tender text, the DNS responses of such a resolver must be filtered on the basis of EU laws and court decisions of the member countries, i.e. they provide an excerpt from the worldwide Internet. For the Swede, that would be a step towards network fragmentation. Paradoxically, however, the EU in particular complains about the fragmentation. “We don’t do it, even if there is money for it now,” he said.

Michele Neylon, managing director of Irish registrar Blacknight, finds it worrying that the use of EU resolvers could be made mandatory in the future, for example against the background of stricter security requirements. Neylon warned that the temptation for such a mandate could grow if the DNS4EU resolvers were not popular enough.

Vittorio Bertola, Head of Policy & Innovation at Open-Xchange, called such a scenario unrealistic. After all, the EU is not an authoritarian regime. Bertola is among the group of professionals who welcome a European alternative to the US giants’ offerings. He called the reliability an advantage, analogous to the satellite navigation project Galileo. However, Bertola complained that due to the lack of data protection guarantees from US corporations, it was practically impossible to use US services in a manner compatible with data protection.

Afnic developer Stéphane Bortzmeyer contradicted Bertola: “Unlike the GPS navigation service, there are alternatives,” he said in criticism of the project. Bortzmeyer pointed out that many users still use the DNS resolvers of their internet providers or even their own resolvers. It is bitter irony that DNS4EU sees itself as a measure against increasing centralization, while at the same time becoming a new central service. More decentralized, local resolvers, including resolvers in your own home or company infrastructure, are much better and safer.

He also thinks it makes sense to support the DNS encryption methods that emerged a few years ago. The new methods include DNS-over-TLS (DoT), DNS-over-HTTPS (DoH) and Oblivious DoH (see the c’t article Anonymous information – How ODoH and DNSCrypt protect your privacy).

But because DoH, which is favored by browser vendors, puts the choice of resolver in the hands of applications (e.g. the Internet browsers Mozilla Firefox and Google Chrome), a central DNS4EU resolver service is necessary as a counterweight. This is the only way to slow down the flow of DNS data to Google or Cloudflare, said Ralf Weber, Principal Architect at Akamai.

“There are many reasons not to bid,” said Hans Petter Holen, Managing Director of the RIPE NCC, “and there are a few reasons to participate.” The long list of concerns includes the fact that the EU Commission’s tender text requires DNS responses to be filtered based on URLs. According to experts, this is impossible in the context of a pure DNS service. Holen also believes that the RIPE NCC should consider supporting its own members in setting up and operating decentralized resolvers.
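The two technical points made above, that a resolver sees every queried name in clear text and that a pure DNS service cannot filter by URL, can be made concrete with a small script. The following is an added example written for this article, not code from the article, from DNS4EU or from any of the organizations named. It builds a DNS query for ct.de in RFC 1035 wire format, parses it back to show exactly which fields a resolver operator gets to see, wraps the same message in the RFC 8484 DoH GET form (encrypted on the wire, but identical once it reaches the resolver), and then applies a constructed, hypothetical URL-based rule list (placeholder `.invalid` names) to show why a rule that names a path can only be enforced by over-blocking the whole host or not at all.

```python
import base64
import struct
from urllib.parse import urlsplit

# Constructed sample data for this example (not from the article):
# the domain named in the text, and a hypothetical URL-based rule list
# using reserved .invalid names as placeholders.
SAMPLE_NAME = "ct.de"
URL_RULES = [
    "https://blocked.invalid/",                 # rule covers the whole host
    "https://example.invalid/forbidden-page",   # rule names one page only
]


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive A query in RFC 1035 wire format."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_query(msg: bytes) -> dict:
    """Decode the question section: this is everything a resolver learns from a query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": txid, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def doh_get_path(msg: bytes) -> str:
    """RFC 8484 GET form: the identical wire message, base64url without padding."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).decode("ascii").rstrip("=")


def doh_decode(path: str) -> bytes:
    """Inverse of doh_get_path, as a DoH server does before resolving."""
    enc = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))


def filter_decision(qname: str, url_rules) -> tuple:
    """
    Apply URL-based rules to the only thing the resolver has: the queried name.
    Scheme, path and query string never appear in a DNS message, so a
    path-specific rule cannot be enforced here without blocking the whole host.
    """
    qname = qname.lower().rstrip(".")
    for rule in url_rules:
        parts = urlsplit(rule)
        if parts.hostname != qname:
            continue
        if parts.path in ("", "/") and not parts.query:
            return "block", f"rule covers the whole host {parts.hostname}"
        return "undecidable", (f"rule targets {parts.path!r} only; DNS cannot tell that "
                               f"page apart from the rest of {parts.hostname}")
    return "pass", "no rule for this host"


if __name__ == "__main__":
    q = build_query(SAMPLE_NAME)
    print("wire query:", q.hex())
    print("resolver sees:", parse_query(q))
    print("same message inside HTTPS:", doh_get_path(q))
    for host in (SAMPLE_NAME, "blocked.invalid", "example.invalid"):
        print(host, "->", filter_decision(host, URL_RULES))
```

Running the script shows the parsed question (`qname` ct.de, type A, class IN) and that the DoH path carries the very same bytes, which is why encryption moves trust to the resolver operator rather than removing it. The third rule evaluation returns `undecidable`: a DNS-level filter that must honour a page-specific rule has no way to distinguish that page from anything else on the same host.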

Some attendees of the RIPE event oppose the idea of the RIPE NCC itself applying to set up and operate the DNS4EU resolvers, because it would then possibly be competing against its own members. The umbrella organization CENTR is in a similar situation: it is advising ten members who are considering bids, revealed CENTR Managing Director Peter van Roste.

Each of the interested parties will have to answer an interesting question for themselves, namely how the operation of the EU resolver is to be financed once the start-up financing of 14 million has been used up. After all, exploiting user data for advertising purposes is not possible. And should the EU or member states demand granular filter regimes, that could be expensive. End users will not pay for DNS resolution in the future either, at most for child protection or malware filters.


(dz)
