New Resolver Policy Proposed to Improve Internet DNS Privacy

A new industry initiative – the ‘European DNS Resolver Policy‘ – has been established that aims to foster better standards for privacy and transparency across resolver services for the internet’s Domain Name System (DNS), such as those run by UK or European broadband ISPs and third-party services (e.g. Google Public DNS).

The existing Domain Name System (DNS) works to convert Internet Protocol (IP) addresses into a human-readable form (e.g. 123.56.32.1 to examplezfakedomain.co.uk) and back again. Most of the time your ISP runs the DNS servers, but advanced end-users can also tweak their own devices (e.g. routers) and software to use third-party DNS solutions like OpenDNS or Google’s Public DNS (i.e. taking some control away from your ISP).

The problem is that a lot of DNS resolvers do not recognise key privacy legislation, such as GDPR (this was adopted into UK law a few years ago) and ePrivacy. Part of the reason for that is because some of the most common DNS resolvers are more designed for the non-European markets, where their authors often reside.

Many of the tasks on our computers make use of the DNS, albeit potentially allowing the companies that operate such systems to track the activities of users without their knowledge and block or manipulate requests in unwanted ways (e.g. inserting adverts and custom search results). Attempts have been made to improve the security of the regular DNS process before, such as by adopting encryption via DNS-over-HTTPS (DoH), but there’s still room for improvement.

The new European DNS Resolver Policy, which has been written – with industry support – by public consultancy firm 419 Consulting, seeks to tackle this by laying out clear standards for the operators’ of such systems, and setting expectations regarding the collection, use and retention of personal data (i.e. this will also be made transparent to end-users). It also outlines how companies can state whether they protect users from malicious content and provide parents with tools to manage the activities of their children.

Andrew Campling, Policy Author and Director of 419 Consulting, said:

We’ve worked with a wide range of organisations across Europe and North America to develop this new policy document. It sets out clear expectations of behaviour for companies as well as specifying what information should be made available to users.

The European Resolver Policy encourages the operators of a critical part of the Internet infrastructure to commit to higher levels of privacy and security. The adoption of the resolver policy by operators will give reassurance to users that their privacy is protected and their personal data is not being monetised without their knowledge.”

A key distinction, we’re told, of the new policy is that it makes direct reference to the European Union’s General Data Protection Regulation (GDPR) as well as to national legislation. The policy is designed to apply to both standard and encrypted DNS, including the recently introduced DoH protocol, plus DoT and even emerging protocols, such as DNS-over-QUIC (DoQ).

The announcement states that the new policy has been “formulated by experts from across the technology and telecoms sectors,” although sadly it doesn’t name any of those today (other than the author). On top of that no DNS resolvers have currently introduced support for the policy, but we’re told that details of the first adopters (some of which will be well known organisations) are expected to be announced toward the end of April 2021.

Finally, in terms of enforcement, if a company that has previously adopted the resolver policy is subsequently found to be non-compliant then it will be given an opportunity to address the shortcomings. If action is not taken promptly then the company will simply be removed from the list of compliant organisations, with a note added to indicate the reason for their removal.

At present, it’s still early days for the EDNSRP, but we look forward to seeing how it evolves and what organisations lend their support to it over the next few months.