EU is building its own DNS service. What’s in it for the everyday user?
The EU has long been at the forefront of protecting people’s privacy and security online. The bloc’s General Data Protection Regulation (GDPR) is widely regarded as the gold standard for data protection. Since it came into force in 2018, the law has been repeatedly and successfully used to punish persistent privacy violators in Big Tech. Among those who’ve felt the burn are Meta, Apple, Microsoft, and Google, tech giants that largely enjoy a free ride in other parts of the world.
As for online security, the EU has been pushing for the development of a public European DNS resolver with built-in filtering capabilities. The stated aim of the project is to strengthen the EU’s “digital sovereignty,” but also to protect public institutions, companies, and individual users based in the EU from phishing attacks and malware.
The project, called DNS4EU, was first outlined by the European Commission in December 2021. Now, a year later, it is finally taking shape. In December, a consortium of 13 public and private companies from ten European countries won the grant to build a public DNS resolution service tailored for the EU. The consortium is led by the Czech software company Whalebone. According to Whalebone CEO Richard Malovič, the project will be implemented in phases, but the public and network operators will get early access to “a limited first version” of the service already this year. The roll-out will take a total of three years, during which the consortium plans to get 100 million people on board — an ambitious target set by the EU.
Before we get into the details of the plan and what it will mean for the average user, let us refresh your memory on what DNS and DNS resolution are all about.
DNS resolution — part and parcel of Internet infrastructure
DNS stands for “Domain Name System” and is often referred to as the “address book of the Internet.” Just like your phone’s address book, which saves you from having to learn your contacts’ numbers by heart, DNS spares you the trouble of memorizing IP addresses of each and every single website you want to visit.
The thing is, computers have no clue what you mean by wikipedia.org or google.com because they speak exclusively in numbers. This is where DNS resolvers come to the rescue. They translate or, well, ‘resolve’ the names of the websites into something that browsers can understand, i.e. IP addresses. So, when you type ‘google.com’ into the address bar, your browser sends a DNS query to a DNS resolver, which for most people is their Internet Service Provider’s (ISP’s) DNS server. This server returns the IP address of the requested domain to the browser: for ‘google.com’ this is 22.214.171.124.
This is how DNS makes online browsing user-friendly. The vast majority of people never change the default DNS server provided to them by their ISP. However, this may not be the best course of action.
There are several reasons why you might want to change your DNS settings: if you want a faster internet connection; if you’re worried that your ISP is tracking you through DNS and is selling your data; if you want extra protection against phishing and malware sites; if you want to take advantage of features such as parental controls and adblock that your ISP’s DNS server might not offer.
As more people become concerned about their online privacy and security, the demand for free and easy-to-configure tools to protect against bad actors is growing. This, in turn, is driving the growth of public DNS resolvers. And it is a trend that EU policymakers hope to capitalize on with their support for a public DNS4EU.
What is the reason behind DNS4EU?
One of the stated goals behind the creation of the new DNS service is to make the EU’s digital infrastructure less dependent on foreign service providers, namely US-based tech companies, and thus more diversified.
The “consolidation of DNS resolutions in the hands of few resolvers” is a security risk because it makes the resolution process vulnerable “in case of significant events affecting one major provider,” the EU Commission argues.
Indeed, while the vast majority of users (including EU users) don’t change the DNS servers provided by their ISPs, those who do switch to alternatives tend to favor those run by US companies. As of January 2022, about 12.2% of EU residents used public resolvers managed by California-headquartered companies: these include Google Public DNS (9.4%), Cloudflare (1.9%), and Cisco OpenDNS (0.8%). Queries to non-public resolvers within the EU accounted for merely 0.2% of total queries, while those sent to non-public resolvers outside the EU made up 0.9%.
The question of digital sovereignty and whether it’s achievable in today’s interdependent world is complex and may not be of much interest to the individual user. But there is another reason why the EU wants its own DNS — to enforce its strong data protection and privacy rules. And this can have a positive impact on the lives of ordinary people.
Thus, in order to qualify for the grant, a would-be provider of DNS for the EU had to meet a number of privacy and security requirements:
- Guarantee that DNS resolution data and meta-data are processed in Europe in full compliance with EU rules
- Ensure that personal data is not monetized
- Provide premium services for enhanced security, such as ad-hoc filtering
- Offer opt-in parental control filtering services
- Offer state-of-the-art protection against cybersecurity threats by blocking malware, phishing, and other threats
- Support the latest security standards such as HTTPS, DNSSEC, DoH, DoT, and IPv6.
Whalebone’s CTO Robert Šefr also said that DNS4EU would support DNS-over-QUIC (DoQ), a proposed and very promising standard for processing DNS queries, in the future.
Meanwhile, many AdGuard products, including AdGuard DNS, already fully support the DoQ standard.
So, what will DNS4EU look like?
According to Whalebone CEO Richard Malovič, the project will consist of four main components.
The first, and most important, is a publicly accessible cloud resolver with multiple IP addresses and in-built content filtering. DNS resolvers and nodes will be “very strongly distributed” throughout Europe to achieve low latency. Malovič: “You can be sure your data won’t be passed to the other countries out of the European Union and that somebody will be able to profile you and start serving you advertisements.”
The second component is an on-premise resolver, which will be provided to mobile network operators and internet service providers. This on-premise resolver will have the same IP addresses as the public cloud resolver.
The third component will be a platform for sharing intelligence about local threats within the EU. According to Whalebone, the DNS data that could be used for security research would be anonymized and not used for any other purpose.
The fourth component of DNS4EU will be a premium service built on top of open public resolvers. It should make the project profitable in the long run.
As far as content filtering goes, DNS4EU will be bound by local laws, which some may see as a disadvantage. So, if a court in a certain EU country blocks a certain website, then users in that country won’t be able to access it.
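How a filtering resolver of the kind described above can decide on a query, as an added sketch that is not DNS4EU's or AdGuard's code: it assumes blocked names are answered with NXDOMAIN (the article does not say how DNS4EU will answer), and the blocklist entries and helper names are hypothetical.

```python
import struct

def read_qname(query: bytes) -> tuple[str, int]:
    """Return the lower-cased question name and the offset just past it."""
    pos, labels = 12, []
    try:
        while query[pos] != 0:
            length = query[pos]
            if length > 63:          # compression pointers are not expected here
                raise ValueError("compressed or malformed QNAME")
            labels.append(query[pos + 1:pos + 1 + length].decode("ascii").lower())
            pos += 1 + length
    except IndexError:
        raise ValueError("truncated query") from None
    return ".".join(labels), pos + 1

def is_blocked(name: str, blocklist: set[str]) -> bool:
    """Match the name or any parent domain on label boundaries only."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def filter_query(query: bytes, blocklist: set[str]):
    """Return an NXDOMAIN reply for blocked names, or None to resolve normally."""
    name, qend = read_qname(query)
    if not is_blocked(name, blocklist):
        return None
    txid, flags = struct.unpack("!HH", query[:4])
    # Assumption: block with RCODE 3. QR=1, RD copied from the query, RA=1.
    reply_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 3
    header = struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0)
    return header + query[12:qend + 4]       # echo the question unchanged

def make_query(name: str, txid: int) -> bytes:
    """Constructed A/IN query used as sample input."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

BLOCKLIST = {"phish.example", "malware.test"}   # constructed entries
```

Matching on whole labels means `login.phish.example` is blocked while `notphish.example` is not, and lower-casing before the lookup keeps mixed-case queries from slipping past the list.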
Since DNS4EU is presently funded by the EU (according to the EU Commission, it decided to step in due to the “lack of business case”), this raises the question of whether the EU attaches any strings to its implementation.
Will DNS4EU be mandatory to use and who will control it?
Those who have doubts about using a government-backed service can breathe a sigh of relief. For now, at least, the EU has no plans to impose DNS4EU on regular people, although it may recommend it to public and governmental organizations for better Internet security.
Moreover, the Whalebone-led consortium says that the EU won’t have a say in how the service is run. “Any user of DNS for the EU uses the resolver freely, so there’s no enforcement. No governmental body, no EU body has any control over what is configured on the DNS for the EU, it’s solely under the consortium’s responsibility,” Whalebone CTO Robert Šefr said.
Asked whether local law enforcement would be able to lay its hands on an individual person’s DNS queries, i.e., see their browsing history, Šefr assured that would not be the case. “No logs linking to particular persons’ IP addresses will be stored, so even if we got such a request we won’t be able to fulfill it,” he stated.
On the beaten track
But the solution itself is not revolutionary in the sense that users of privacy-minded public resolvers have long been reaping its benefits. While DNS4EU is only in its early stages and has yet to materialize, there are non-US-based resolvers that are available already, and AdGuard DNS is one of them. We have walked down the road that DNS4EU is only embarking on, accumulating experience and expertise along the way. We first launched AdGuard DNS as a public beta in 2016, and officially released it in 2018. Our public DNS service is absolutely free, supports all modern DNS encryption protocols, blocks ads and malicious websites, and has no restrictions on the number of devices.