Switch DNS Firewall

The Switch DNS Firewall provides you with an easy-to-implement first layer of protection. The service is based on the established and widely used DNS RPZ technology and can be deployed on most modern DNS resolvers. Switch offers you a combination of threat protection: our own DNS RPZ zones with relevant and up-to-date threat data focused on Europe, and the SURBL DNS RPZ zones for additional protection. With more than 9 years of experience as an RPZ provider / integrator and several million protected end-users, Switch is your competent partner in all DNS firewall matters.


Blocking access to infected sites can prevent further infections.


Systems that have already been infected can be detected by Switch. Customers are promptly notified of any such infections via security notifications.


When accessing a malicious domain name, users are redirected to a secure landing page. This not only improves IT security – it also makes users more aware of hazards lurking on the internet.


The following graphics show the functionality of DNS RPZ and the Switch DNS Firewall:

Specialised in threat intelligence, detection and incident response

We analyse and classify relevant data to provide customers with an exceptional list of current threats. Customers thus benefit from the wide-ranging experience and expertise of Switch, gained through its many years of work in the area of security. Services include, in particular:

  • identifying threats specific to Switzerland and Europe based on our own monitoring and malware analysis
  • analysing malicious domain names through operation of the registry for .ch and .li TLDs
  • correlating and supplementing our own threat intelligence with information from a variety of national and international threat data feeds
  • close collaboration with well-known national and international partners

Switch DNS Firewall modules

The following modules can be freely combined:

  • RPZ Feed: The malicious domain names are collected and sent to the organisation’s DNS system. In addition to the Switch RPZ zones, zones from other reputable third-party providers can be obtained via Switch. 
  • Switch landing page: A system to which malicious requests are redirected and that notifies the end user of a blocked access attempt.
  • Notification of infected systems: Customers are promptly informed of possibly infected systems via security notifications. The notifications are based on the DNS RPZ log data sent by the organisation to Switch.

All systems have a redundant configuration distributed between several locations. Using an anycast implementation, the nearest advertised location is chosen to maximize access speed.
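To illustrate how the RPZ feed, landing page and notification modules fit together, the following added example (not Switch code or data) models QNAME-trigger matching in simplified form. The zone records, the landing host `landing.example.net` and the client queries are constructed assumptions; an RPZ-capable resolver performs this matching internally.

```python
from collections import Counter

# Constructed policy-zone records (not Switch data). Owner names are relative
# to the policy zone; landing.example.net is a hypothetical landing-page host.
SAMPLE_ZONE = """\
bad.example.com      CNAME landing.example.net.
*.bad.example.com    CNAME landing.example.net.
ok.bad.example.com   CNAME rpz-passthru.
phish.example.org    CNAME .
"""

# Constructed (client address, queried name) pairs standing in for resolver logs.
SAMPLE_QUERIES = [
    ("192.0.2.10", "bad.example.com."), ("192.0.2.10", "cdn.bad.example.com."),
    ("192.0.2.22", "ok.bad.example.com."), ("192.0.2.22", "www.example.net."),
    ("192.0.2.31", "phish.example.org."),
]

def parse_zone(text):
    """Map each QNAME trigger (owner name) to its CNAME target."""
    rules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1].upper() == "CNAME":
            rules[fields[0].lower()] = fields[2].lower()
    return rules

def action_for(target):
    """Translate an RPZ CNAME target into the policy action it encodes."""
    special = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}
    return special.get(target, "REDIRECT " + target)

def evaluate(rules, qname):
    """Return the policy action for qname, or None if no trigger matches."""
    name = qname.lower().rstrip(".")
    if name in rules:                      # an exact trigger wins over wildcards
        return action_for(rules[name])
    labels = name.split(".")
    for i in range(1, len(labels)):        # closest enclosing wildcard first
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return action_for(rules[wildcard])
    return None

def rewritten_clients(rules, queries):
    """Count rewritten queries per client: the input for infection notifications."""
    return dict(Counter(c for c, q in queries
                        if evaluate(rules, q) not in (None, "PASSTHRU")))
```

Clients with rewritten queries are the ones a notification would name, while the pass-through entry shows how a single allow-listed name overrides a wildcard block.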

Technical requirements

Integrating the DNS Firewall service is easy: DNS RPZ must be enabled on the resolver, which then allows you to subscribe to the desired DNS RPZ feeds. This requires DNS service software that supports RPZ or a DNS appliance on which DNS RPZ can be activated.

Switch offers its customers wide-ranging expertise in the connection and integration of RPZ technology.

DNS server software that supports DNS RPZ:

  • BIND
  • PowerDNS Recursor
  • Knot Resolver

DNS appliances that support DNS RPZ:

  • Infoblox
  • BlueCat
  • EfficientIP
  • Nokia VitalQIP


«The Switch DNS Firewall is a smart and straightforward solution that provides an effective complement to security solutions already in place at our organisation. The landing page clearly explains the reason for a blocked access to the user, which alleviates confusion. We’ve used it since July 2017 here at EPFL and are completely satisfied with it.» 

Patrick Saladino
Head of Operational IT Security, École polytechnique fédérale de Lausanne, 16,000 users

«CERN has been using the Switch DNS Firewall since Q4 2015 for pro-actively preventing our user community from accessing malicious domain names and phishing websites. Using the Switch DNS Firewall, unfortunate users are redirected to an internal webpage informing them about the risks of browsing the WWW. So far, we have had a great experience with it, also thanks to the quick response of Switch to our queries and input, and observed no false positives nor major issues.»

Stefan Lüders
Computer Security Officer, CERN, The European Organisation for Nuclear Research, 3,000 users

«The University of Bern has been using the Switch DNS Firewall from Switch since 2015. It is very easy to integrate into an existing environment. It is low-maintenance and very effective at preventing phishing and malware. As soon as a university user tries to access a malicious website, the Switch DNS Firewall returns an alternative response in the form of a secure landing page with an explanation of the potential threat posed by the page the user was trying to access. Switch's DNS RPZ feed is extremely helpful and focuses on threats to Swiss organisations.»

Thushjandan Ponnudurai
Network Security Engineer, University of Bern, 21,000 users

«Jisc has worked and collaborated closely with Switch for over 5 years, helping shape and support Jisc’s Janet Network Resolver Service, a protective DNS service which supports over 300 Higher and Further Education organisations in the UK, representing over 2.7 million users. Switch's DNS Firewall data feeds have proved an effective tool in trying to prevent common attack vectors such as phishing and ransomware aimed at the UK education community. We look forward to continuing our close partnership with Switch in tackling a common threat.» 

Andrew Davis
Jisc, Infrastructure and Critical Services Manager (Cyber security)


Michael Fuchs

Senior Information & Cyber Security Consultant


Matthias Seitz

Product Manager