The SWITCH DNS Firewall service reduces IT operating risk by preventing infections and identifying systems that are already infected, with a minimum of effort. It protects every company device that resolves names through the company's DNS service, such as laptops, servers and mobile phones; devices that send their queries to other resolvers are outside its reach.

The added value of using SWITCH DNS Firewall

Domain Name System Response Policy Zones (DNS RPZ) let a recursive DNS server override the answers it would normally return for specific names: when a query matches an entry in the policy zone, the resolver returns a policy-defined response (for example NXDOMAIN, or a CNAME pointing at a landing page) instead of the real one. This stops users from reaching malicious domains and can redirect them to a safe site. The three main features of the DNS Firewall are:

  • Infections of internal computers are prevented by blocking access to malicious and infected sites.
  • SWITCH detects computers that are already infected; customers are rapidly informed about suspicious and infected computers via security reports sent to them by email.
  • Malicious queries are redirected to a safe landing page that informs users of the potential risk.

The following graphics show the functionality of DNS RPZ and the SWITCH DNS Firewall.
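How an RPZ-capable resolver turns a policy zone like the one SWITCH distributes into rewritten answers, shown as an added Python model. This is not SWITCH's code and not a real resolver: the zone content, its origin rpz.example and the landing-page host landing.example.net are constructed placeholders, while the meaning of the CNAME targets ".", "*." and "rpz-passthru." follows the standard RPZ conventions.

```python
"""Model of how an RPZ-capable resolver applies a response policy zone.

Added example, not SWITCH's code and not a real resolver. The zone below is
constructed: its origin (rpz.example) and the landing-page host
(landing.example.net) are assumed placeholders, not the real SWITCH names.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed RPZ zone in the zone-file syntax a resolver receives by zone
# transfer. Owner names without a trailing dot are relative to $ORIGIN, so the
# record "malware.example.com" lives at malware.example.com.rpz.example and is a
# QNAME trigger for queries to malware.example.com. The CNAME target encodes the
# policy action (standard RPZ conventions):
#   <host>          rewrite the answer to CNAME <host>   (landing page)
#   .               answer NXDOMAIN
#   *.              answer NODATA (empty answer)
#   rpz-passthru.   resolve normally (local exception / whitelist)
RPZ_ZONE = """\
$ORIGIN rpz.example.
@                        SOA   ns.example. hostmaster.example. 1 3600 600 86400 60
@                        NS    ns.example.
; ---- constructed QNAME triggers ----
malware.example.com      CNAME landing.example.net.   ; infected site -> landing page
*.malware.example.com    CNAME landing.example.net.   ; ...and every subdomain of it
cc.badactor.test         CNAME .                      ; C2 domain -> NXDOMAIN
tracker.badactor.test    CNAME *.                     ; -> NODATA
allowed.example.com      CNAME rpz-passthru.          ; exception: resolve normally
"""

SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


@dataclass(frozen=True)
class Decision:
    action: str               # PASSTHRU, NXDOMAIN, NODATA or CNAME
    target: Optional[str]     # landing-page name when action == "CNAME"
    trigger: Optional[str]    # RPZ owner name that fired, None if nothing matched


def parse_rpz(zone_text: str) -> Dict[str, str]:
    """Return {qname_trigger: cname_target} from RPZ zone-file text.

    Only QNAME triggers (plain owner names and *.wildcards) carrying CNAME policy
    records are modelled; the apex SOA/NS records and comments are skipped.
    """
    rules: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line or line.startswith(("$", "@")):
            continue
        owner, rtype, target = line.split(None, 2)
        if rtype.upper() != "CNAME":
            continue
        rules[owner.lower()] = target.strip()
    return rules


def apply_policy(rules: Dict[str, str], qname: str) -> Decision:
    """Decide how the resolver answers `qname` under `rules`.

    An exact QNAME trigger beats wildcards; among wildcards the closest (longest)
    enclosing name wins, mirroring RPZ's longest-match rule for QNAME triggers.
    """
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for trigger in candidates:
        if trigger in rules:
            target = rules[trigger]
            action = SPECIAL_TARGETS.get(target, "CNAME")
            return Decision(action, target if action == "CNAME" else None, trigger)
    return Decision("PASSTHRU", None, None)          # no policy: normal resolution


RULES = parse_rpz(RPZ_ZONE)

if __name__ == "__main__":
    for q in ("malware.example.com", "dl.cdn.malware.example.com", "cc.badactor.test",
              "tracker.badactor.test", "allowed.example.com", "www.switch.ch"):
        d = apply_policy(RULES, q)
        print(f"{q:28} -> {d.action:9} {d.target or '':22} trigger={d.trigger}")
```

The passthru entry is the part worth noting operationally: an organisation that needs to reach a name the feed blocks adds its own higher-priority RPZ with a `rpz-passthru.` record rather than editing the zone it receives, which is overwritten at the next transfer.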

Your benefits: SWITCH-CERT threat intelligence

Thanks to a unique combination of up-to-date and relevant data compiled by SWITCH-CERT from its national and international work, you receive an unparalleled, Swiss-focused threat list.
It draws on the broad security know-how SWITCH-CERT has built up over many years, specifically in the following areas:

  • Analysis of current malware;
  • Analysis of malicious domains through operation of the registry for the .ch and .li TLDs; and
  • Analysis and qualification of national and international data feeds.


Service levels

SWITCH DNS Firewall is available in three different service levels:

  • RPZ zone transfer: The malicious domain names are bundled into a response policy zone and transferred to the organisation's DNS resolvers in RPZ format.
  • RPZ zone transfer with notification of potentially infected computers: The organisation’s security contacts receive email reports containing the details of infected computers. These reports are based on DNS Firewall log data supplied by the organisation.
  • RPZ zone transfer, notification and landing pages: Malicious queries are redirected to a safe landing page that informs the users of the potential risk. This landing page is customisable by the organisation.
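The detection step behind the second service level (and the "identifying already infected systems" feature described earlier) is an analysis of the resolver's RPZ hit logs: every rewritten answer names the client that asked for a blocked domain. The following added Python example, which is not SWITCH's code, groups such hits per host into the kind of summary an email report would carry. The log lines are constructed in the shape of BIND 9's "rpz" log category; other resolvers and appliances log differently, so the regular expression is an assumption for this format only.

```python
"""Turn resolver RPZ hit logs into a per-host infection report.

Added example, not SWITCH's code. The log lines are constructed in the shape of
BIND 9's "rpz" log category (timestamp, client address, query name, trigger
type, policy action, matching rule); field order and formatting of other
resolvers and appliances differ, so the regex is an assumption for this format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed sample: 10.20.4.17 hits three different blocked domains,
# 10.20.9.88 repeatedly hits one C2 domain (a beaconing pattern), 10.20.7.2
# only matches a PASSTHRU exception, and the last line is an ordinary query log
# entry that is not an RPZ hit at all.
SAMPLE_LOG = """\
14-Mar-2024 08:01:12.004 client @0x7f1a2c0d1c60 10.20.4.17#53211 (malware.example.com): rpz QNAME CNAME rewrite malware.example.com via malware.example.com.rpz.example
14-Mar-2024 08:01:12.390 client @0x7f1a2c0d1c60 10.20.4.17#53214 (dl.cdn.malware.example.com): rpz QNAME CNAME rewrite dl.cdn.malware.example.com via *.malware.example.com.rpz.example
14-Mar-2024 08:03:45.110 client @0x7f1a2c0d2e80 10.20.4.17#53290 (cc.badactor.test): rpz QNAME NXDOMAIN rewrite cc.badactor.test via cc.badactor.test.rpz.example
14-Mar-2024 08:10:02.781 client @0x7f1a2c0d2e80 10.20.7.2#40110 (allowed.example.com): rpz QNAME PASSTHRU rewrite allowed.example.com via allowed.example.com.rpz.example
14-Mar-2024 09:15:33.002 client @0x7f1a2c0d1c60 10.20.9.88#60555 (cc.badactor.test): rpz QNAME NXDOMAIN rewrite cc.badactor.test via cc.badactor.test.rpz.example
14-Mar-2024 09:15:34.009 client @0x7f1a2c0d1c60 10.20.9.88#60556 (cc.badactor.test): rpz QNAME NXDOMAIN rewrite cc.badactor.test via cc.badactor.test.rpz.example
14-Mar-2024 09:15:35.000 client @0x7f1a2c0d1c60 10.20.9.88#60557 (www.switch.ch): query: www.switch.ch IN A + (10.20.0.53)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"client(?: @0x[0-9a-f]+)? (?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>\w+) (?P<policy>[\w-]+) "
    r"rewrite (?P<name>\S+) via (?P<rule>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: datetime
    client: str      # resolver client address = the potentially infected host
    qname: str
    trigger: str     # QNAME, IP, NSDNAME, NSIP or CLIENT-IP
    policy: str      # CNAME, NXDOMAIN, NODATA, PASSTHRU, DROP, ...
    rule: str        # owner name in the RPZ that matched


def parse_rpz_log(lines: Iterable[str]) -> Tuple[List[Hit], int]:
    """Parse RPZ hit lines; return (hits, number of lines that were not hits)."""
    hits, skipped = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        hits.append(Hit(ts, m["client"], m["qname"].lower(), m["trigger"], m["policy"], m["rule"]))
    return hits, skipped


def summarize(hits: Iterable[Hit]) -> Dict[str, dict]:
    """Group blocking hits per client host.

    PASSTHRU hits are local exceptions the operator chose to allow, so they say
    nothing about infection and are left out of the report.
    """
    per_client: Dict[str, dict] = {}
    for h in hits:
        if h.policy == "PASSTHRU":
            continue
        e = per_client.setdefault(h.client, {"first": h.ts, "last": h.ts, "domains": defaultdict(int)})
        e["domains"][h.qname] += 1
        e["first"], e["last"] = min(e["first"], h.ts), max(e["last"], h.ts)
    return per_client


def report_lines(per_client: Dict[str, dict]) -> List[str]:
    """Render the summary as report lines, most suspicious host first
    (most distinct blocked domains, then most hits)."""
    out = []
    order = sorted(per_client.items(),
                   key=lambda kv: (-len(kv[1]["domains"]), -sum(kv[1]["domains"].values())))
    for client, e in order:
        total = sum(e["domains"].values())
        out.append(f"{client}: {total} blocked queries to {len(e['domains'])} domain(s), "
                   f"{e['first']:%Y-%m-%d %H:%M} to {e['last']:%Y-%m-%d %H:%M}")
        for d, n in sorted(e["domains"].items(), key=lambda kv: -kv[1]):
            out.append(f"    {d}  x{n}")
    return out


if __name__ == "__main__":
    hits, skipped = parse_rpz_log(SAMPLE_LOG.splitlines())
    print("\n".join(report_lines(summarize(hits))))
    print(f"({skipped} non-RPZ line(s) ignored)")
```

The client address is only meaningful if the logged resolver is the one the endpoints talk to directly; behind a forwarding resolver or NAT every hit appears to come from the forwarder, which is why the reports depend on log data supplied by the organisation rather than on what SWITCH can see itself.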


Technical requirements

Integrating the SWITCH DNS Firewall service into a company's infrastructure is simple and quick. All that is required is recursive DNS server software that supports RPZ, or a DNS appliance on which DNS RPZ can be activated; the policy zone is then pulled in by zone transfer like any other secondary zone.

DNS server software

  • BIND
  • PowerDNS Recursor
  • Knot Resolver

DNS appliances

  • Infoblox
  • BlueCat
  • EfficientIP
  • Nokia VitalQIP


User Experience Testimonials

«CERN has been using SWITCH's DNS Firewall since Q4 2015 for proactively preventing our user community from accessing malicious domains and phishing websites. Using the SWITCH DNS Firewall, unfortunate users are redirected to an internal web page informing them about the risks of browsing the WWW. So far, we have had a great experience with it, also thanks to the quick response of SWITCH to our queries and input, and have observed no false positives or major issues.»
– Stefan Lüders, Head of Computer Security, CERN

«We have been using SWITCH DNS Firewall at HSR since the start of July 2015. We use the Response Policy Zones managed by SWITCH, with hits analysed by SWITCH as well. This has led to a significant improvement in malware prevention and detection with a relatively small amount of effort. Even though we are logging quite a lot of hits, the level of acceptance among our users is very high. Generally speaking, DNS Firewall has become an efficient cornerstone of IT security at HSR.»
– Roman Rüegg, IT Security Officer, Hochschule für Technik Rapperswil


Contact the SWITCH Security Experts for a free evaluation of the DNS Firewall service