Committed to a secure DNS in Switzerland

The Domain Name System (DNS) is a fundamental part of the internet: it lets users reach services on the internet by domain name. For this reason, .ch is a critical infrastructure in Switzerland, one that SWITCH protects with particular stringency.

Text: Michael Hausding, published on 05.07.2021

For internet users, it’s essential that web and email services be available at all times. Two vital DNS components are required for this: first, the authoritative DNS, in which the internet addresses belonging to a domain name are published; and second, the recursive resolver, which resolves all domain names on the internet and makes them usable for users. These two parts are not operated by a central authority, but organised in a hierarchical and distributed system.

Authoritative name server

Since 2002, SWITCH has been entrusted by OFCOM with the operation of the authoritative part of the .ch top-level domain (TLD). This part assigns an authoritative name server, usually operated by a hosting provider, to each .ch domain name. It’s estimated that over 10 million such servers exist worldwide, responsible for a total of 366 million domain names. Just over two million of these domain names can be reached under .ch.

SWITCH’s missions in the authoritative area of DNS include the secure and stable operation of the infrastructure for registering .ch domain names, the operation of the global recursive name servers for .ch, and combating cybercrime on .ch domain names.

DNS Security Extensions (DNSSEC)

The DNS was designed 30 years ago with no particular focus on security. Only later were standards developed to ensure its integrity and confidentiality. One important standard that aims to ensure the correctness of DNS responses is DNSSEC. SWITCH introduced DNSSEC for .ch in 2010. However, as DNSSEC is still only used for 8% of all .ch domain names today, OFCOM has tasked SWITCH with implementing a DNS resilience programme that aims to protect 60% of all .ch domain names with DNSSEC by the end of 2026 and promote additional security standards.

Combating cybercrime

Cybercrime is a global phenomenon and a serious threat. Unfortunately, .ch domain names are not immune from the menace of cybercrime. SWITCH combats abuse of .ch websites on behalf of OFCOM. For more than a decade, SWITCH has been informing holders of .ch domain names when their websites are misused by hackers for phishing or malware, and helping them to remedy the damage. In recent years, it has also become apparent that a large number of .ch domain names are registered exclusively for abuse. Potential holders can still register a .ch domain name without undergoing identity verification. However, a new rule means that if the registry suspects a fraudulent registration, it has the option of deferred delegation: the domain name is only activated once the holder’s identity has been verified.

Recursive name servers

For the DNS to function reliably as a system, it requires not just authoritative name servers but also recursive resolvers. These perform the task of searching for information that is distributed worldwide across the authoritative name servers and providing users with the internet address for a domain name. In the past, these recursive resolvers were mostly operated by ISPs or within company networks.

The increasing demands placed on recursive resolvers, such as the security standards DNSSEC, DoH, DoT and QNAME minimisation, as well as the filtering of phishing and malware attacks, make them more time-consuming and complex to operate. That’s why there is a global trend towards resolvers operated by large, globally active cloud providers, mostly based in the USA, instead of by ISPs. As a result, SWITCH now also has the mission of promoting secure and reliable resolvers in Switzerland. It does so in part through the Quad9 Foundation, which relocated to Switzerland at the start of this year with the help of SWITCH. Quad9 is a data protection-compliant alternative to US-based cloud resolvers. In addition, SWITCH promotes the equally important distributed operation of resolvers at Swiss ISPs through the transfer of expertise regarding the free availability of the CH zone and through a DNSHeads meetup.
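To make concrete what one of the standards listed above, QNAME minimisation (RFC 9156), changes for the privacy of resolver traffic, here is an added, simplified Python model of a recursive resolver's query plan. It is not code from the article or from SWITCH or Quad9; the delegation map is constructed sample data, and the model ignores caching and the NS-type trick real resolvers use for the intermediate queries.

```python
from typing import Dict, List, Set, Tuple

# Constructed delegation map (zone apex -> zones it delegates). Sample data only,
# not the real .ch delegations.
DELEGATIONS: Dict[str, Set[str]] = {
    ".": {"ch."},
    "ch.": {"example.ch."},
    "example.ch.": set(),
}


def labels(name: str) -> List[str]:
    """Split an absolute name into labels: 'www.example.ch.' -> ['www', 'example', 'ch']."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def ancestors(qname: str) -> List[str]:
    """Names from the root down to qname: ['.', 'ch.', 'example.ch.', ...]."""
    ls = labels(qname)
    return ["."] + [".".join(ls[i:]) + "." for i in range(len(ls) - 1, -1, -1)]


def resolve_plan(qname: str, minimise: bool) -> List[Tuple[str, str]]:
    """Return the (zone asked, name sent) pairs a cold-cache resolver would issue."""
    names = ancestors(qname)
    plan: List[Tuple[str, str]] = []
    zone = "."
    for target in names[1:]:
        # Without minimisation every zone on the path sees the full query name.
        # With minimisation a zone only sees one label more than its own apex.
        ask = target if minimise else qname
        plan.append((zone, ask))
        if target in DELEGATIONS.get(zone, set()):
            zone = target  # referral: continue at the child zone
        elif not minimise:
            break  # no referral: this zone answers the full query
    if not plan or plan[-1][0] != zone:
        plan.append((zone, qname))  # final query at the authoritative zone
    return plan


def labels_seen_by(zone: str, qname: str) -> Tuple[int, int]:
    """Longest name (in labels) the given zone learns, with vs. without minimisation."""
    def longest(plan: List[Tuple[str, str]]) -> int:
        return max((len(labels(ask)) for z, ask in plan if z == zone), default=0)
    return longest(resolve_plan(qname, True)), longest(resolve_plan(qname, False))


if __name__ == "__main__":
    for minimise in (True, False):
        print("minimised" if minimise else "classic", resolve_plan("www.mail.example.ch.", minimise))
    print("labels the root sees (min, classic):", labels_seen_by(".", "www.mail.example.ch."))
```

The root and the .ch servers learn only "ch." and "example.ch." respectively in the minimised plan, whereas the classic plan reveals the full host name to every zone on the path.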

The worsening threat situation has increased demands on SWITCH as the guarantor of the security and stability of the internet in Switzerland. Over the past 25 years, the SWITCH Computer Emergency Response Team has grown into a leading independent centre of expertise for information security across the whole of Switzerland, a challenging task that it approaches with the highest level of expertise.

About the author
Michael Hausding

Michael Hausding studied computer science at the Technische Universität Darmstadt and graduated in Management, Technology and Economics at ETH Zurich. He has worked as a security expert in the SWITCH-CERT team since 2008 and is a specialist in DNS and domain abuse.
