SWITCH Public DNS

Public DNS resolver (beta) for the Swiss Internet community

The SWITCH Public DNS service (beta) is accessible using transport encryption protocols. Our servers are located in data centers in Zurich and Lausanne and provide low latency from within Switzerland.

In addition to an encrypted communication channel, the DNS resolver service provides the following security features:

  • DNSSEC validation protects against forged or manipulated DNS data from upstream servers
  • SWITCH DNS Firewall blocks access to infected or malicious websites

Servers

Host name:

  • dns.switch.ch

IP addresses:

  • 130.59.31.248
  • 130.59.31.251
  • 2001:620:0:ff::2
  • 2001:620:0:ff::3

Supported protocols:

  • DNS over TLS (DoT) on port 853/TCP
  • DNS over HTTPS (DoH) on port 443/TCP

Motivation

More and more client applications add support for encrypted DNS protocols. For example, Android 9 (Pie) has built-in support and automatically upgrades to DoT if a network's DNS server supports it. Web browsers such as Mozilla Firefox have added DoH support, although it is not enabled by default. We want to give our users the ability to use our DNS servers when located outside the SWITCH network. Encrypted DNS protocols such as DoT or DoH provide privacy between the client application and the SWITCH DNS resolver, which eliminates opportunities for eavesdropping on and on-path tampering with DNS queries. For a list of supporting client software, see the list maintained by the DNS Privacy Project.


Android 9 (Pie) has built-in support for DNS over TLS. To always use the SWITCH Public DNS follow these steps:

  1. Go to Settings > Network & internet > Advanced > Private DNS
  2. Select the Private DNS provider hostname option and enter:
    dns.switch.ch
  3. Click on SAVE

[Screenshot: Android 9 Private DNS (DNS over TLS) setting]

You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/

Firefox version 62 or newer has DoH support, but Firefox does not yet use DoH by default. To enable DoH with SWITCH Public DNS follow these steps:

  1. Go to Preferences... > General > Networking Settings > Settings...
  2. Enable the Enable DNS over HTTPS check box and enter the custom provider URL:
    https://dns.switch.ch/dns-query
  3. Click on OK to save the settings

[Screenshot: Firefox DoH setting]


You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/

Stubby is a stub resolver that can be installed on Linux, macOS or Windows and supports DNS over TLS. Once installed, it can be configured to use various resolvers; many well-known public resolvers that support DNS over TLS are already listed in the default configuration file.

As an example, the config file below shows how to set the SWITCH resolvers (see the upstream_recursive_servers section). Depending on the mode used, not all of the fields are necessary. In the recommended strict mode, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED is required together with at least one authentication method, either tls_auth_name or tls_pubkey_pinset. In opportunistic mode, Stubby may fall back to clear-text transports. See the Stubby documentation for further details.


resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
# SWITCH DNS resolver 1
 - address_data: 2001:620:0:ff::2
   tls_auth_name: "dns.switch.ch"
   tls_pubkey_pinset:
     - digest: "sha256"
       value: F3/9haKeYdE7BlG69kj25H/dJT4yw7TgN6lxKwmliWw=
# SWITCH DNS resolver 2
 - address_data: 2001:620:0:ff::3
   tls_auth_name: "dns.switch.ch"
   tls_pubkey_pinset:
     - digest: "sha256"
       value: F3/9haKeYdE7BlG69kj25H/dJT4yw7TgN6lxKwmliWw=

You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/
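As an added illustration of the strict authentication described in the Stubby section (this is example code, not code from SWITCH or the Stubby project), the following Python 3 stub client sends a DNS query over TLS to one of the SWITCH addresses listed above, verifying the certificate chain and the name dns.switch.ch and never falling back to clear text. It uses only the standard library; build_query and parse_response work offline on wire-format messages, while query_dot needs network access.

```python
import secrets, socket, ssl, struct

DOT_HOSTNAME = "dns.switch.ch"            # TLS authentication name (from the page)
DOT_ADDRESS = "130.59.31.248"             # one of the listed SWITCH resolver addresses
QTYPE = {"A": 1, "AAAA": 28}

def build_query(name, qtype="A", txid=None):
    """DNS wire-format query (RFC 1035): header with RD set plus one question."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)

def skip_name(msg, off):
    """Advance past a domain name; a compression pointer (0xC0..) ends it in 2 bytes."""
    while (length := msg[off]) & 0xC0 != 0xC0:
        off += 1 + length
        if length == 0:
            return off
    return off + 2

def parse_response(msg, txid):
    """Return (rcode, [A/AAAA addresses]); reject a response carrying the wrong ID."""
    rid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if rid != txid:
        raise ValueError("transaction ID mismatch: not an answer to our query")
    off, addrs = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                       # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in (1, 28):                                # A or AAAA record
            addrs.append(socket.inet_ntop(socket.AF_INET if rtype == 1 else socket.AF_INET6, rdata))
    return flags & 0x0F, addrs

def query_dot(name, qtype="A", addr=DOT_ADDRESS):
    """Strict DoT (RFC 7858): CA- and hostname-verified TLS on 853/TCP, no clear-text fallback."""
    ctx = ssl.create_default_context()                      # system CA store + hostname check
    query = build_query(name, qtype)
    with socket.create_connection((addr, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=DOT_HOSTNAME) as tls:
        tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
        (rlen,) = struct.unpack("!H", tls.recv(2))
        resp = b""
        while len(resp) < rlen:
            resp += tls.recv(rlen - len(resp))
    return parse_response(resp, struct.unpack("!H", query[:2])[0])
```

A TLS handshake against a server whose certificate does not match dns.switch.ch raises ssl.SSLCertVerificationError instead of returning an answer, which is the behaviour strict mode is meant to guarantee.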

These terms of service apply only to users of the SWITCH Public DNS service who are not already customers of SWITCH.

Who May Use the Service

SWITCH Public DNS is a free (beta) service for any user, but it must not be used in managed environments by business organisations. Business organisations interested in using the service should contact us first.

Ending These Terms

You may end your legal agreement with SWITCH at any time by discontinuing your use of the service.

SWITCH may block your access to the service if your usage disrupts or damages the service or other systems.

SWITCH reserves the right to end this beta service at any time.


Version: 17th August 2018

This privacy policy describes the policies and procedures for the SWITCH Public DNS service, which provides DNS resolution for stub resolvers (often called clients). SWITCH Public DNS uses the SWITCH DNS Firewall service, which temporarily blocks DNS resolution of malicious websites (e.g. websites distributing malicious code or phishing websites).

Information Collection and Use

SWITCH does not collect any DNS query data sent to SWITCH Public DNS by clients. However, we may temporarily collect such data during operational service investigations; if so, this data is deleted within 24 hours.

SWITCH stores resolver upstream responses from authoritative name servers for 24 hours. The following aggregated response data is stored indefinitely:

  • Query Name, e.g. www.example.com
  • Query Type, e.g. AAAA
  • Query Answer Data, e.g. 2001:DB8::1
  • First Seen Timestamp
  • Last Seen Timestamp
  • Number of Hits

SWITCH stores some performance-related metrics (statistics) indefinitely in order to help enhance the overall performance of the service.

SWITCH DNS Firewall

DNS query names which are blocked by the SWITCH DNS Firewall are logged as part of the SWITCH DNS Firewall service with the following information:

  • Timestamp
  • Source IP Address
  • Source Port
  • Query Name

This information is used to notify the security contacts of our customers in case of known infections (e.g. communication to command and control servers).

Data Sharing

The SWITCH Public DNS service generates aggregated data from authoritative name server responses (see Information Collection and Use). We may allow partners or academic researchers to access this data.


Version: 17th August 2018