Equipping backbone networks with high-performance and secure DNS resolution infrastructures - Works

This topic will support the deployment of a recursive European DNS resolver service infrastructure (hereafter DNS4EU) serving socio-economic drivers, public, corporate and residential internet end-users in the EU, and offering very high reliability and protection against global cybersecurity threats and those specific to the EU (e.g. phishing in EU languages). This is a key policy action announced in the 2020 “Joint Communication: The EU’s Cybersecurity Strategy for the Digital Decade”. Such a critical service infrastructure is currently not available at European level with the level of performance, resilience, security and privacy envisaged, and the market will not invest in it alone given the lack of a business case (DNS resolution is normally provided for free). As stated the EU’s Cybersecurity Strategy, citizens and organisations in the EU increasingly rely on a few public DNS resolvers operated by non-EU entities. The deployment of DNS4EU aims to address such consolidation of DNS resolution in the hands of few companies, which renders the resolution process itself vulnerable in case of significant events affecting one major provider. Moreover the lack of significant EU investment in the field hampers the development of infrastructures that favour the detection and filtering of local cyber-threats that nonetheless could have significant socio-economic impacts. In addition, the processing of DNS data can have an impact on privacy and data protection rights.

DNS4EU shall offer a high level of resilience, global and EU-specific cybersecurity protection, data protection and privacy according to EU rules, ensure that DNS resolution data are processed in Europe and personal data are not monetised. It shall adhere to the latest internet security and privacy standards. It shall be widely discoverable and easy to configure by end-users on their equipment and software.

The service infrastructure shall offer additional optional services such as free parental control, as well as paid premium services for enhanced performance or security for corporate users.

The proposal for this topic shall meet the following requirements at the level of users and services:

1. Customer base: Support the deployment of a recursive European DNS resolver service infrastructure serving EU-based internet users in need of privacy-respecting and secure DNS resolution to access resources on the internet. These users encompass socio-economic drivers, actors operating data and cloud infrastructures across the EU, public and private corporate users, and residential internet end-users in the EU. The proposal shall aim at a high adoption rate by addressing multiple customer bases (e.g. residential, education, governments, and vertical sectors).

2. Availability and service level: Provide wide geographic coverage in the EU, and ensure high reliability and uptime, as well as low latency of DNS resolution through among others a large distributed footprint (Points of Presence) and redundancy.

3. Accessibility: Ensure broad accessibility from user equipment, such as home routers and user devices, as well as from user software, such as major operating systems and browsers. DNS4EU shall be easy to configure by non-experts thanks to clear user guides and other support material available, including in audio-visual format, via a dedicated website under a clearly branded URL. The website shall contain all the relevant technical, legal and transparency-related information (e.g. protection of privacy, technical use of data) of the service.

4. Discoverability: The service shall be widely discoverable by major browsers, operating systems or user equipment. To this end it will be important to engage with industry groups (e.g. web browsers, ISPs), with the DNS standardisation community (e.g. DNS over HTTPS (DoH)) and other stakeholders.

5. Premium and wholesale services: Provide opt-in paid premium services for enhanced security (e.g. ad hoc filtering, monitoring, 24x7 support), tailored to specific sectorial needs (e.g. cloud, finance, health, transport), as well as wholesale resolution services for other digital service providers, including ISPs and cloud service providers.

6. Residential services: Offer to residential internet end-users strictly opt-in and fully transparent parental control filtering services. Other possible URL filtering services could also be offered in a strictly opt-in and fully transparent way. Such optional filtering shall be fully in line with national and EU rules (see below).

The proposal for the service infrastructure shall comply with the following security and privacy requirements and standards:

7. Security: State-of-the-art protection against cybersecurity threats by blocking malware, phishing and other threats based on reliable and up to date global threat feeds and own threat feeds developed on the basis of own threat detection and analysis as well as information exchange with trusted partners (e.g. CERTs), addressing in particular local threats (e.g. based on EU-languages). The corresponding threat detection and analysis infrastructure should be an integral part of the DNS4EU service infrastructure and provide a very high level of protection in the EU.

8. Data processing: Data processing shall be established through transparent and published policy and rules, in full compliance with EU rules (see below). DNS resolution data and meta-data shall be processed in the EU. There shall be no monetisation of personal data. Potential use of aggregated data (e.g. for cybersecurity analysis) shall be specified and made transparent.

9. Internet Standards: The service infrastructure shall conform to the latest security and privacy-enhancing standards (e.g. HTTPS, DNSSEC), including DNS encryption (e.g. DNS over TLS (DoT) and DoH) and be fully IPv6 compliant.

10. Best practices: Notwithstanding other requirements of this call or applicable law, the service infrastructure should be designed in line with industry best practices and guidelines for the provision of secure and privacy-preserving DNS resolution

The proposal for the service infrastructure shall comply with EU regulation and applicable national regulations of its Member States, in particular:

11. Data protection and privacy: Compliant with GDPR and national rules, where applicable.

12. Lawful filtering: Filtering of URLs leading to illegal content based on legal requirements applicable in the EU or in national jurisdictions (e.g. based on court orders), in full compliance with EU rules.

The proposal for the service infrastructure shall ensure a forward looking approach regarding technological innovation:

13. Technology/Innovation: The selected consortium will be expected to test and deploy innovative technologies, including the latest DNS security and privacy-enhancing technologies and technologies for the development and improvement of cybersecurity threat feeds, in collaboration with third-party innovators.

Priority will be given to proposals addressing the following aspects:

14. Governance/Federated structure: A federated and expandable service infrastructure with a diverse membership is preferred in order to maximise the footprint and customer base of DNS4EU across the EU, reduce costs through shared resources and ensure the long-term sustainability of DNS4EU.

The applicants may apply for grants for works, including studies. The grants are for:

• project costs (e.g. studies, works and equipment) related to the development, construction and deployment of cross-border and national DNS resolution infrastructure at physical and functional levels for the foreseen system lifetime;
• other equipment, goods, works and services necessary to support the infrastructure services.

Costs for operating the infrastructure during its lifetime will be excluded under the call.

Proposals funded under this topic may include synergetic (ancillary) elements relating to another sector of the CEF programme, i.e. energy and transport, if these synergetic elements allow to significantly improve the socio-economic, climate or environmental benefits of the action. CEF co-funding may be provided as long as the cost of these synergetic elements does not exceed 20% of the total eligible costs of the action.

Please consult the Call document for more information on the scope, including digital security requirements.

The deployment and wide use of DNS4EU will have the following key benefits:

1. Offer a high-end alternative to existing dominant non-EU public resolvers, leading to a more resilient, more secure and diversified DNS resolution offering for EU internet users.
2. Autonomy of DNS resolving, diminishing the dependency on major public resolvers established outside the EU, and reducing vulnerability to outages of these resolvers.
3. Complete safeguards for EU internet users that their data and privacy are protected and handled according to EU rules.
4. Increased protection against malicious activities based on both global and local (EU) threat feeds and intelligence.
5. Testing and deploying innovative technologies to enhance internet access security and privacy.