SWITCH Public DNS

Public DNS resolver (beta) for the Swiss Internet community

The SWITCH Public DNS service is accessible using transport encryption protocols. Our servers are located in data centers in Zurich and Lausanne and provide low latency from within Switzerland.

In addition to an encrypted communication channel, the DNS resolver service provides, by default, the following security features:

  • DNSSEC validation protects from forged or manipulated DNS data from upstream servers
  • DNS Query Name Minimisation to improve privacy
  • SWITCH DNS Firewall blocks access to infected or malicious websites and redirects users to a landing page

The DNS resolver service also blocks the domain names on the block list mandated by the Swiss gambling law "Geldspielgesetz (BGS)".

Servers

Host name (DoT):

  • dns.switch.ch

URL (DoH):

  • https://dns.switch.ch/dns-query

IP addresses:

  • 130.59.31.248
  • 130.59.31.251
  • 2001:620:0:ff::2
  • 2001:620:0:ff::3

Supported protocols:

  • DNS over TLS (DoT) as defined in RFC 7858 on port 853/TCP
  • DNS over HTTPS (DoH) as defined in RFC 8484 on port 443/TCP
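As an added example (not SWITCH's own code), the DoH exchange the server details above describe, in Python: it builds a wire-format query for the https://dns.switch.ch/dns-query endpoint in the RFC 8484 GET form with the DNSSEC DO bit set, and parses a response to check the AD flag, which a validating resolver sets only when the answer verified. The only network-specific value is the page's own URL; the sample response is constructed here, not captured from the service.

```python
import base64
import struct
DOH_URL = "https://dns.switch.ch/dns-query"  # DoH endpoint named on the page

def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed DNS labels (RFC 1035)."""
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, qtype: int = 1, want_dnssec: bool = True) -> bytes:
    """Wire-format query: ID 0 (RFC 8484 4.1, keeps GET URLs cacheable), RD set, OPT record with DO bit."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # id, flags, qd, an, ns, ar (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, UDP payload 4096, ext-rcode 0, EDNS v0, flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000 if want_dnssec else 0, 0)
    return header + question + opt

def doh_get_url(query: bytes, base_url: str = DOH_URL) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the wire query with '=' padding removed>."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def parse_response(msg: bytes) -> dict:
    """Return RCODE, the AD flag (set only if the resolver validated DNSSEC) and A/AAAA answers."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    def skip_name(off: int) -> int:
        while True:
            length = msg[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:  # compression pointer terminates the name
                return off + 2
            off += length + 1
    off = 12
    for _ in range(qdcount):
        off = skip_name(off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1:  # A record
            answers.append(".".join(str(b) for b in rdata))
        elif rtype == 28:  # AAAA record
            answers.append(":".join(f"{rdata[i] << 8 | rdata[i + 1]:x}" for i in range(0, 16, 2)))
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}

# Constructed sample response (not a real capture): flags QR|RD|RA|AD, one A record 192.0.2.1
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
                   + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Fetching the URL over HTTPS with an `Accept: application/dns-message` header (or POSTing the raw query with that `Content-Type`) returns the wire-format answer that parse_response decodes. The same bytes, prefixed with a two-byte length, form the DoT request on port 853/TCP.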

Motivation

More and more client applications add support for encrypted DNS protocols. For example, Android has built-in support and automatically upgrades to DoT if a network's DNS server supports it. Web browsers such as Mozilla Firefox or Chrome have added DoH support. We want to give our users the ability to use our DNS servers when located outside the SWITCH network. Encrypted DNS protocols such as DoT or DoH provide privacy between the client application and the SWITCH DNS resolver, which eliminates opportunities for eavesdropping on and on-path tampering with DNS queries. For a list of supporting client software, see the list maintained by the DNS Privacy Project.

Android 9 (Pie) or newer has built-in support for DNS over TLS. To always use the SWITCH Public DNS follow these steps:

  1. Go to Settings → Network & internet → Advanced → Private DNS
  2. Select the Private DNS provider hostname option and enter:
    dns.switch.ch
  3. Click on SAVE

You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/

Chrome version 83 or newer has a DoH settings page (called "secure DNS" in Chrome). Chrome has enabled "secure DNS" (DoH) by default and tries to use DoH with your current service provider if supported. To use DoH with SWITCH Public DNS follow these steps:

  1. Go to Preferences... → Privacy and security → Security
  2. Enable "Use secure DNS", select "With Customised" and enter the provider URL: https://dns.switch.ch/dns-query

You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/

Firefox version 62 or newer has DoH support. Firefox does not yet use DoH by default in Switzerland. To enable DoH support with SWITCH Public DNS follow these steps:

  1. Go to Preferences... → General → Network Settings → Settings...
  2. Enable the "Enable DNS over HTTPS" check box and enter the custom provider URL:
    https://dns.switch.ch/dns-query
  3. Click on OK to save the setting

You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/

Microsoft Edge version 86 or newer has a DoH settings page (called "secure DNS" in Edge). Edge has enabled "secure DNS" (DoH) by default and tries to use DoH with your current service provider if supported. To use DoH with SWITCH Public DNS follow these steps:

  1. Go to Settings → Privacy, Search, and Services → Security
  2. Enable "Use secure DNS to specify how to lookup the network address for websites" and select the check box "Choose a service provider" and enter the URL:
    https://dns.switch.ch/dns-query

You can verify that you use the SWITCH Public DNS if you can reach the DNS Firewall test landing page http://test.ph.rpz.switch.ch/

These terms of service apply only to users of the SWITCH Public DNS service who are not SWITCH network users.

Who May Use the Service

SWITCH Public DNS is a free (beta) service for any user. Business organisations interested in using the service should contact us first.

Ending These Terms

You may end your legal agreement with SWITCH at any time by discontinuing your use of the service.

SWITCH may block your access to the service if your usage disrupts or damages the service or other systems.

SWITCH reserves the right to end this public service for non-SWITCH network users at any time.

Jurisdiction

The legal venue for all disputes arising in connection with these terms is Zurich.

Version: 6th April 2020

This privacy policy describes the policies and procedures for the SWITCH Public DNS service, which provides DNS resolution for stub resolvers (often called clients), when used by non-SWITCH network users. SWITCH Public DNS uses the SWITCH DNS Firewall service, which temporarily blocks DNS resolution for malicious websites (e.g. websites distributing malicious code or phishing websites).

Information Collection and Use

SWITCH does not collect any DNS query data that is sent to the SWITCH Public DNS from clients. However, we may temporarily collect such data during operational service investigations. If so, this data will be deleted within 24 hours.

SWITCH stores resolver upstream responses from authoritative name servers for 24 hours. The following aggregated response data is indefinitely stored:

  • Query Name, e.g. www.example.com
  • Query Type, e.g. AAAA
  • Query Answer Data, e.g. 2001:DB8::1
  • First Seen Timestamp
  • Last Seen Timestamp
  • Number of Hits

SWITCH stores some performance related metrics (statistics) indefinitely in order to assist in enhancing the overall performance of the service.

SWITCH DNS Firewall

For non-SWITCH network users, SWITCH neither collects nor shares any DNS query data pertaining to domain names that were blocked by the DNS Firewall.

Swiss gambling law "BGS (Geldspielgesetz)"

SWITCH is required to block the domain names on the block list mandated by the Swiss gambling law. For non-SWITCH network users, SWITCH neither collects nor shares any DNS query data pertaining to domain names that were blocked on that basis.

Data Sharing

The SWITCH Public DNS service generates aggregated data from authoritative name server responses (See Information Collection and Use). We may allow partners or academic researchers to access this data.

Version: 22nd April 2020