Digital sovereignty: EU launches its own DNS service with practical functions

The EU now offers its own DNS resolution service (Resolver) and wants to help its citizens to become less dependent on offers from large US companies such as Cloudflare and Google. The service is called DNS4EU and pre-filters internet addresses at the user's request: In addition to phishing and fraud sites, it blocks websites and advertising that are harmful to minors.

A DNS resolver is one of the almost invisible basic services for stable Internet access: it works in the background, usually at the provider, and ensures that Internet addresses such as www.heise.de are translated into IP addresses such as 2a02:2e0:3fe:1001:7777:772e:2:85. However, in many countries – including Germany –, blocking orders by lobby associations or youth protection authorities are often implemented at DNS level. For this reason and for reasons of speed, users often make do with alternative providers such as Google, which not only uses one of the most beautiful IP addresses with the resolver 8.8.8.8, but also answers over a trillion queries a day. Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) also operate open resolvers. The problem is that many of these servers are located in the USA, which is why the Quad9 consortium has already moved its headquarters to Zurich.

With DNS4EU, the EU now wants to create its own alternative to providers outside the EU and is launching an offer for citizens. They can select a DNS resolver (and enter it as a DNS server in the router, for example) that meets their needs. There are four different variants to start with, which can also be combined:

1. Unfiltered DNS responses for users who, for example, maintain their own filter lists or do not wish to do so,
2. a block list for fraudulent and dangerous websites such as malware and phishing,
3. filtering optimized for the protection of minors, which blocks out content that is harmful to minors, glorifies violence and other undesirable content, and
4. an ad blocker at DNS level

The service is available with resolver addresses in IPv4 and IPv6 as well as via DoH (DNS over HTTPS) or DoT (DNS over TLS). The addresses can be found on the project website (which ironically uses CloudFlare as a proxy and dDoS protection) sorted by filter purpose. To improve reliability, DNS4EU provides a second IP address for DNS queries in both IPv4 and IPv6.

According to its own information, DNS4EU uses public lists such as the Bon-Apetit list of pornographic domains and the Goodbyeads advertising blocklist for the filter lists. If a domain is blocked by mistake or is missing from a list, the provider provides a reporting form.

The operators emphasize that the DNS4U resolvers do not carry out "legal filtering" and are not intended as a censorship vehicle. In fact, a random sample of some of the domains on the "CUII list" showed that none of the listed addresses are censored by the resolvers – the addresses are resolved in the same way as with the Google name server, for example. DNS4EU also resolves domains blocked by some providers, such as the porn portal YouPorn, to IP addresses – unless the user has activated a parental control filter.

The project is backed by various domain registrars and DNS companies, including deSEC from Berlin. When the EU funding expires at the end of 2025, DNS4EU is to be "commercialized", i.e. transferred to operation by a profit-oriented company. However, this commercialization has already begun: The spin-off "Whalebone" is intended to help companies and government institutions to detect threats and prevent attacks using DNS.

(cku)