The SWITCH Public DNS service (beta) is accessible using transport encryption protocols. Our servers are located in data centers in Zurich and Lausanne and provide low latency from within Switzerland.
In addition to an encrypted communication channel using DNS over TLS (DoT), the DNS resolver service provides the following security features:
- DNSSEC validation protects from forged or manipulated DNS data from upstream servers
- SWITCH DNS Firewall blocks access to infected or malicious websites
| Host name | IP address | Supported protocol |
|---|---|---|
| | | DoT on port 853/TCP |
More and more applications add support for DNS over TLS (DoT). For example, Android 9 (Pie) has built-in support and automatically upgrades to DNS over TLS if a network's DNS server supports it. We want to give our users the ability to use our DNS servers when located outside the SWITCH network. DNS over TLS adds encryption and provides privacy between the client system and the SWITCH DNS resolver, which eliminates opportunities for eavesdropping and on-path tampering with DNS queries. For a list of client software supporting DNS over TLS, see the list maintained by the DNS Privacy Project.
Android 9 (Pie) has built-in support for DNS over TLS. To always use the SWITCH Public DNS follow these steps:
- Go to Settings → Network & internet → Advanced → Private DNS
- Select the Private DNS provider hostname option and enter:
- Click on SAVE
You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/
Stubby is a stub resolver that can be installed on Linux, Mac OS or Windows and supports DNS over TLS. Once installed, it can be configured to use various resolvers. Many known public resolvers that support DNS over TLS are already listed in the default configuration file.
As an example, the config file below shows how to set the SWITCH resolvers (see the upstream_recursive_servers section). Depending on the mode used, not all of the fields are necessary. The recommended strict mode requires tls_authentication: GETDNS_AUTHENTICATION_REQUIRED together with at least one authentication method, either tls_auth_name or tls_pubkey_pinset. In opportunistic mode, Stubby may fall back to clear-text transports. See the Stubby documentation for further details.
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
  # SWITCH DNS resolver 1
  - address_data: 2001:620:0:ff::2
    tls_auth_name: "dns.switch.ch"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: F3/9haKeYdE7BlG69kj25H/dJT4yw7TgN6lxKwmliWw=
  # SWITCH DNS resolver 2
  - address_data: 2001:620:0:ff::3
    tls_auth_name: "dns.switch.ch"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: F3/9haKeYdE7BlG69kj25H/dJT4yw7TgN6lxKwmliWw=
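As an added example (not SWITCH's or Stubby's code), the following Python script performs the checks that the strict-mode settings above ask of Stubby: a TLS session on port 853 whose certificate is verified against the tls_auth_name, followed by a comparison of the server's SPKI pin against the tls_pubkey_pinset, with no clear-text fallback. The auth name and pin are copied from the configuration above (the pin may have rotated since); only dot_resolve needs network access, the helper functions run offline.

```python
import base64, hashlib, os, socket, ssl

SWITCH_AUTH_NAME = "dns.switch.ch"                      # tls_auth_name from the Stubby config above
SWITCH_PINSET = {"F3/9haKeYdE7BlG69kj25H/dJT4yw7TgN6lxKwmliWw="}   # tls_pubkey_pinset, may have rotated

def dns_query(name, qtype=28, txid=None):
    """DNS query (RD set, class IN) with the 2-byte length prefix used over TCP and TLS."""
    txid = int.from_bytes(os.urandom(2), "big") if txid is None else txid
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    msg = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    msg += labels + b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"
    return len(msg).to_bytes(2, "big") + msg

def _tlv(buf, pos):  # one DER tag and length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate to the SubjectPublicKeyInfo TLV (RFC 5280 field order)."""
    _, pos, _ = _tlv(cert_der, 0)                       # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)                     # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    pos = end if tag == 0xA0 else pos                   # skip optional [0] EXPLICIT version
    for _ in range(5):                                  # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)
    return cert_der[pos:end]

def spki_pin(spki_der):
    """base64(SHA-256(SPKI DER)), the value format of Stubby's tls_pubkey_pinset."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def dot_resolve(address, auth_name, pinset, name, qtype=28, timeout=5):
    """Strict-mode DoT on port 853: chain and hostname are checked against auth_name, then the leaf
    SPKI pin must be in pinset. Returns (rcode, answer count); any failure raises, never falls back."""
    ctx = ssl.create_default_context()                  # verifies chain and server_hostname
    with socket.create_connection((address, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            pin = spki_pin(extract_spki(tls.getpeercert(binary_form=True)))
            if pin not in pinset:
                raise ssl.SSLCertVerificationError(f"SPKI pin {pin} not in configured pinset")
            tls.sendall(dns_query(name, qtype))
            with tls.makefile("rb") as f:                # buffered read assembles short TLS reads
                resp = f.read(int.from_bytes(f.read(2), "big"))
            if len(resp) < 12:
                raise ConnectionError("truncated DNS response")
            return resp[3] & 0x0F, int.from_bytes(resp[6:8], "big")
```

A call such as dot_resolve("2001:620:0:ff::2", SWITCH_AUTH_NAME, SWITCH_PINSET, "test.ph.rpz.switch.ch") queries the DNS Firewall test name through the first resolver listed above; a certificate name mismatch or an unknown pin raises instead of silently downgrading.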
These terms of service apply only to users of the SWITCH Public DNS service who are not already customers of SWITCH.
Who May Use the Service
SWITCH Public DNS is a free (beta) service for any user but must not be used in managed environments by business organisations. Business organisations interested in using the service should contact us first.
Ending These Terms
You may end your legal agreement with SWITCH at any time by discontinuing your use of the service.
SWITCH may block your access to the service if your usage disrupts or damages the service or other systems.
SWITCH reserves the right to end this beta service at any time.
Version: 17th August 2018
Information Collection and Use
SWITCH does not collect any DNS query data that is sent to the SWITCH Public DNS from clients. However, we may temporarily collect such data during operational service investigations. If so, this data will be deleted within 24 hours.
SWITCH stores resolver upstream responses from authoritative name servers for 24 hours. The following aggregated response data is indefinitely stored:
- Query Name, e.g. www.example.com
- Query Type, e.g. AAAA
- Query Answer Data, e.g. 2001:DB8::1
- First Seen Timestamp
- Last Seen Timestamp
- Number of Hits
SWITCH stores some performance related metrics (statistics) indefinitely in order to assist in enhancing the overall performance of the service.
SWITCH DNS Firewall
DNS query names which are blocked by the SWITCH DNS Firewall are logged as part of the SWITCH DNS Firewall service with the following information:
- Source IP Address
- Source Port
- Query Name
This information is used to notify the security contacts of our customers in case of known infections (e.g. communication to command and control servers).
The SWITCH Public DNS service generates aggregated data from authoritative name server responses (See Information Collection and Use). We may allow partners or academic researchers to access this data.
Version: 17th August 2018