EU wants own DNS resolver with network blocksJanuary 20, 2022
The countries and citizens of the EU are to get their own DNS resolver service, which will also implement DNS filters and network blocking.
With its own European recursive DNS resolver, the EU wants to overcome precisely this problem and is launching the DNS4EU project for this purpose. The goal is a service that offers “very high reliability and protection against global and EU-specific cybersecurity threats (e.g. phishing in EU languages)”.
The project is thus also part of the EU’s “cybersecurity strategy.” DNS4EU is located at the European Health and Digital Executive Agency (HaDEA).
Many users to be reachedI
n a call for proposals, the HaDEA has published a more detailed description of what the service is ultimately intended to do. Institutions, organizations, companies and private users are named as possible users, and a high usage rate is planned.
To ensure that this really succeeds, simple help materials and explanations are to be provided on how the DNS service can be set up in routers and operating systems, for example. On the other hand, discussions are to be held with browser manufacturers or ISPs so that the service can be discovered more easily by potential users.
Modern security, but also filtering techniquesThe planned service is to offer all the possibilities and capabilities that commercial providers have also delivered up to now. This includes security techniques such as DoH and DoT or DNSSEC. The service will be designed to be redundant and as fail-safe as possible. In addition, the service should of course be fully compliant with the GDPR and not collect any user data.The offerings apparently also include preventing phishing and malware attacks at the DNS level, for example, based on information from individual CERTs.
Ultimately, however, this also requires filtering techniques in the resolver itself.These filtering techniques, which can be quite useful, should also enable a filtering service for parents via user opt-in, for example, in order to implement child and youth protection. In addition to this, however, there should also be “legally compliant filtering” within the framework of the legal requirements.
As a requirement for potential operators, it says: “Filtering of URLs leading to illegal content, based on legal requirements applicable in the EU or in national jurisdictions (e.g. based on court decisions), in full compliance with EU regulations.”The technical implementation of these network blocks, which can be easily circumvented, and thus their rather poor effectiveness have been the subject of criticism for years. However, this criticism is also of a substantive nature, since it is intended to prevent copyright infringements, for example, for which the means of DNS blocking is described as too harsh.No large DNS providers in the EUSo far, there are hardly any really large and public DNS resolvers that would be able to handle the queries of the approximately 450 million EU citizens.
The only public DNS resolvers often mentioned here are those of the U.S. corporations Google and Cloudflare or the IBM-backed Quad9, which is now based in Switzerland.The initiative of the EU Commission should now change this. However, the cooperation with the European ISPs or registries is still completely unclear. It seems possible that large registries, such as those for the top-level domain .eu, or the country code registries will support the project with their infrastructure. A similar program already exists in Canada.