SWITCH Public DNS

Public DNS resolver (beta) for the Swiss Internet community

The SWITCH Public DNS service is accessible using transport encryption protocols. Our servers are located in data centers in Zurich and Lausanne and provide low latency from within Switzerland.

In addition to an encrypted communication channel, the DNS resolver service provides, by default, the following security features:

  • DNSSEC validation protects from forged or manipulated DNS data from upstream servers
  • DNS Query Name Minimisation to improve privacy
  • SWITCH DNS Firewall blocks access to infected or malicious websites and redirects users to a landing page

The DNS resolver service also blocks domain names listed in the block list mandated by the Swiss gaming law "Geldspielgesetz (BGS)".

Servers

Host name (DoT):

  • dns.switch.ch

URL (DoH):

  • https://dns.switch.ch/dns-query

IP addresses:

  • 130.59.31.248
  • 130.59.31.251
  • 2001:620:0:ff::2
  • 2001:620:0:ff::3

Supported protocols:

  • DNS over TLS (DoT) as defined in RFC 7858 on port 853/TCP
  • DNS over HTTPS (DoH) as defined in RFC 8484 on port 443/TCP
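To see what the listed endpoints and the default security features amount to on the wire, here is an added example (not SWITCH's code) of a minimal client that queries the service over both DoH (RFC 8484 POST with application/dns-message) and DoT (RFC 7858, length-prefixed messages over TLS on 853), using only the Python standard library. It sets the EDNS0 DO bit so the AD flag in the reply shows whether the resolver validated the answer with DNSSEC, and for DoT it connects to one of the listed IP addresses while authenticating the server as dns.switch.ch, the same address_data/tls_auth_name pairing a strict-mode stub resolver uses. The final lookup of test.ph.rpz.switch.ch shows what the DNS Firewall returns for its test name. The constants are taken from this page; the query encoding and response parsing are my own and handle only A/AAAA answers.

```python
"""Minimal DoH and DoT client for SWITCH Public DNS (Python standard library only).
Added example; endpoint values are taken from the SWITCH Public DNS page."""
import socket
import ssl
import struct
import urllib.request

DOH_URL = "https://dns.switch.ch/dns-query"   # DoH URL listed on the page
DOT_HOST = "dns.switch.ch"                    # DoT authentication name listed on the page
DOT_ADDR = "130.59.31.248"                    # one of the IPv4 addresses listed on the page
DOT_PORT = 853                                # DoT port (RFC 7858)
FIREWALL_TEST_NAME = "test.ph.rpz.switch.ch"  # DNS Firewall test landing page name

QTYPES = {"A": 1, "AAAA": 28}


def build_query(name, qtype="A", txid=0):
    """DNS query in wire format: RD set, one question, plus an EDNS0 OPT record carrying
    the DO bit so a validating resolver reports DNSSEC status in the AD flag of its reply.
    txid 0 is the RFC 8484 recommendation for DoH (it keeps responses cacheable)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags RD=1, QD=1, AR=1 (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", QTYPES[qtype], 1)  # QTYPE, QCLASS IN
    # OPT RR: root owner name, type 41, UDP payload 4096, ext-rcode 0, version 0, DO=1, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                            # the name ends after the first pointer
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Return header flags of interest and the A/AAAA answers as (name, type, ttl, value)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
              "tc": bool(flags & 0x0200), "answers": []}
    off = 12
    for _ in range(qd):                                  # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28 and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()                          # other types left undecoded
        result["answers"].append((name, rtype, ttl, value))
    return result


def query_doh(name, qtype="A"):
    """RFC 8484 POST; urllib verifies the server certificate against the URL host."""
    req = urllib.request.Request(DOH_URL, data=build_query(name, qtype), method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(resp.read())


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before a full message arrived")
        buf += chunk
    return buf


def query_dot(name, qtype="A"):
    """RFC 7858: TLS to the listed address, authenticated as DOT_HOST (strict mode), with
    the DNS message framed by a two-byte length prefix in each direction."""
    msg = build_query(name, qtype, txid=0x1234)
    ctx = ssl.create_default_context()                   # chain + hostname verification on
    with socket.create_connection((DOT_ADDR, DOT_PORT), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=DOT_HOST) as tls:
            tls.sendall(struct.pack("!H", len(msg)) + msg)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))


if __name__ == "__main__":
    for fn in (query_doh, query_dot):
        r = fn("www.switch.ch", "AAAA")
        print(f"{fn.__name__}: rcode={r['rcode']} AD={r['ad']} answers={r['answers']}")
    print("DNS Firewall test name:", query_doh(FIREWALL_TEST_NAME)["answers"])
```

A validated answer from a DNSSEC-signed zone comes back with AD set; an unsigned zone answers with AD clear but rcode 0, and a forged or broken chain would surface as SERVFAIL (rcode 2) rather than data, which is the behaviour the "DNSSEC validation" bullet above promises.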

Motivation

More and more client applications are adding support for encrypted DNS protocols. For example, Android has built-in support and automatically upgrades to DoT if a network's DNS server supports it. Web browsers such as Mozilla Firefox or Chrome have added DoH support. We want to give our users the ability to use our DNS servers when they are located outside the SWITCH network. Encrypted DNS protocols such as DoT or DoH provide privacy between the client application and the SWITCH DNS resolver, which eliminates opportunities for eavesdropping on and on-path tampering with DNS queries. For a list of supporting client software, see the list maintained by the DNS Privacy Project.

Android

Android 9 (Pie) or newer has built-in support for DNS over TLS. To always use the SWITCH Public DNS, follow these steps:

  1. Go to Settings > Network & internet > Advanced > Private DNS
  2. Select the Private DNS provider hostname option and enter:
    dns.switch.ch
  3. Click on SAVE

[Screenshot: Android 9 Private DNS setting]

You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/.

Chrome

Chrome version 83 or newer has a DoH settings page (called "secure DNS" in Chrome). Chrome has enabled "secure DNS" (DoH) by default and tries to use DoH with your current service provider if supported. To use DoH with SWITCH Public DNS, follow these steps:

  1. Go to Preferences... > Privacy and security > Security
  2. Enable Use secure DNS, select the "Customised" provider option and enter:
    https://dns.switch.ch/dns-query

[Screenshot: Chrome secure DNS settings]

You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/.

Firefox

Firefox version 62 or newer has DoH support. Firefox does not yet use DoH by default in Switzerland. To enable DoH with SWITCH Public DNS, follow these steps:

  1. Go to Preferences... > General > Network Settings > Settings...
  2. Enable the Enable DNS over HTTPS check box and enter the custom provider URL:
    https://dns.switch.ch/dns-query
  3. Click on OK to save the settings

[Screenshot: Firefox DoH setting]

You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/.

Stubby

Stubby is a stub resolver that can be installed on Linux, macOS or Windows and supports DNS over TLS. Once installed, it can be configured to use various resolvers. Many well-known public resolvers that support DNS over TLS are already listed in the default configuration file.

As an example, the configuration file below shows how to set the SWITCH resolvers (see the upstream_recursive_servers section). Depending on the mode in use, not all of the fields are necessary. In the recommended strict mode, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED is required together with at least one authentication method, either tls_auth_name or tls_pubkey_pinset. In opportunistic mode, Stubby may fall back to clear-text transports. See the Stubby documentation for further details.


resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
  # SWITCH DNS resolver 1
  - address_data: 2001:620:0:ff::2
    tls_auth_name: "dns.switch.ch"
    # SPKI pinset is subject to change. Uncomment the section below at your own risk.
    #tls_pubkey_pinset:
    #  - digest: "sha256"
    #    value: R37EKqw/OVP4EnjG3LaJlG3TBzT6WGAVPqq0Agj+6sQ=
  # SWITCH DNS resolver 2
  - address_data: 2001:620:0:ff::3
    tls_auth_name: "dns.switch.ch"
    # SPKI pinset is subject to change. Uncomment the section below at your own risk.
    #tls_pubkey_pinset:
    #  - digest: "sha256"
    #    value: R37EKqw/OVP4EnjG3LaJlG3TBzT6WGAVPqq0Agj+6sQ=
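Because the configuration warns that the SPKI pinset is subject to change, the sensible step before uncommenting tls_pubkey_pinset is to recompute the pin from the certificate the resolver currently presents and compare it with the value in your config. The following is an added example (not part of Stubby's or SWITCH's configuration) that does this with the Python standard library alone: it walks the DER structure of an X.509 certificate to the SubjectPublicKeyInfo and emits the base64 SHA-256 over it, which is the digest/value form the tls_pubkey_pinset entry above expects. `sample_certificate` is a constructed, deliberately invalid certificate skeleton with an Ed25519-shaped key, present only so the parser can be exercised offline; `fetch_pin` connects to dns.switch.ch on 853 and returns the live pin. The pin value shown on this page is not reproduced or asserted here.

```python
"""Recompute a Stubby-style SPKI pin (base64 of SHA-256 over the DER SubjectPublicKeyInfo)
from a DER-encoded X.509 certificate. Added example; not SWITCH's or Stubby's code."""
import base64
import hashlib
import socket
import ssl


def encode_tlv(tag, value):
    """Minimal DER encoder (short and long length forms); used to build the sample certificate."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + value


def _tlv(der, off):
    """Decode the tag and length at der[off]; return (tag, value_start, value_end)."""
    tag = der[off]
    length = der[off + 1]
    off += 2
    if length & 0x80:                        # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[off:off + n], "big")
        off += n
    return tag, off, off + length


def extract_spki(cert_der):
    """Walk Certificate -> TBSCertificate and return the SubjectPublicKeyInfo element,
    its own tag and length included, following the RFC 5280 field order."""
    tag, off, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, off, _ = _tlv(cert_der, off)        # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed TBSCertificate")
    tag, _, end = _tlv(cert_der, off)
    if tag == 0xA0:                          # version [0] EXPLICIT is optional; skip it when present
        off = end
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, off = _tlv(cert_der, off)
    tag, _, end = _tlv(cert_der, off)        # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed SubjectPublicKeyInfo")
    return cert_der[off:end]


def spki_pin(cert_der):
    """The pin format used in tls_pubkey_pinset: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def fetch_pin(host="dns.switch.ch", port=853):
    """Connect with chain and hostname verification, then pin the leaf certificate's key."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return spki_pin(tls.getpeercert(binary_form=True))


def sample_certificate(key_bytes=b"\x01" * 32, subject=b"", with_version=True):
    """Constructed certificate skeleton: Ed25519-shaped SPKI, empty name fields, dummy
    signature. Not a valid certificate; it exists only to exercise extract_spki offline."""
    ed25519_alg = encode_tlv(0x30, b"\x06\x03\x2b\x65\x70")      # AlgorithmIdentifier 1.3.101.112
    spki = encode_tlv(0x30, ed25519_alg + encode_tlv(0x03, b"\x00" + key_bytes))
    version = encode_tlv(0xA0, b"\x02\x01\x02") if with_version else b""
    tbs = encode_tlv(0x30, version + encode_tlv(0x02, b"\x01") + ed25519_alg
                     + encode_tlv(0x30, b"") + encode_tlv(0x30, b"")
                     + encode_tlv(0x30, subject) + spki)
    return encode_tlv(0x30, tbs + ed25519_alg + encode_tlv(0x03, b"\x00" * 65))


if __name__ == "__main__":
    print("sample pin:", spki_pin(sample_certificate()))
    print("live pin for dns.switch.ch:", fetch_pin())
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets a pin survive routine certificate renewals that keep the same key; a key rollover on the resolver changes the pin, which is why the config treats the value as subject to change and why tls_auth_name should remain configured alongside any pinset.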

You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/.

Terms of Service

These terms of service apply only to users of the SWITCH Public DNS service who are not SWITCH network users.

Who May Use the Service

SWITCH Public DNS is a free (beta) service for any user. Business organisations interested in using the service should contact us first.

Ending These Terms

You may end your legal agreement with SWITCH at any time by discontinuing your use of the service.

SWITCH may block your access to the service if your usage disrupts or damages the service or other systems.

SWITCH reserves the right to end this public service for non-SWITCH network users at any time.

Jurisdiction

The legal venue for all disputes arising in connection with these terms is Zurich.

Version: 6th April 2020

Privacy Policy

This privacy policy describes the policies and procedures for the SWITCH Public DNS service, which provides DNS resolution for stub resolvers (often called clients), when used by non-SWITCH network users. SWITCH Public DNS uses the SWITCH DNS Firewall service, with which we temporarily block DNS resolution of malicious websites (e.g. websites distributing malicious code or phishing websites).

Information Collection and Use

SWITCH does not collect any DNS query data that is sent to the SWITCH Public DNS from clients. However, we may temporarily collect such data during operational service investigations. If so, this data will be deleted within 24 hours.

SWITCH stores resolver upstream responses from authoritative name servers for 24 hours. The following aggregated response data is indefinitely stored:

  • Query Name, e.g. www.example.com
  • Query Type, e.g. AAAA
  • Query Answer Data, e.g. 2001:DB8::1
  • First Seen Timestamp
  • Last Seen Timestamp
  • Number of Hits

SWITCH stores some performance related metrics (statistics) indefinitely in order to assist in enhancing the overall performance of the service.

SWITCH DNS Firewall

For non-SWITCH network users, SWITCH does not collect nor share any DNS query data pertaining to domain names that were blocked by the SWITCH DNS Firewall.

Swiss gambling law "BGS (Geldspielgesetz)"

SWITCH is required to block domain names listed in the block list by the Swiss gambling law. For non-SWITCH network users, SWITCH does not collect nor share any DNS query data pertaining to domain names that were blocked on that basis.

Data Sharing

The SWITCH Public DNS service generates aggregated data from authoritative name server responses (See Information Collection and Use). We may allow partners or academic researchers to access this data.


Version: 22nd April 2020