EU Launches Privacy-Focused Public DNS Resolver Named DNS4EU

The European Union has officially launched DNS4EU, a secure, privacy-compliant DNS resolution service aimed at citizens, governments, and telecom providers across the bloc.

Developed under the supervision of ENISA and managed by a pan-European consortium led by Czech cybersecurity firm Whalebone, DNS4EU is now operational after nearly three years of planning.

Initially announced in October 2022 as part of the EU's strategy to improve digital autonomy, DNS4EU addresses long-standing concerns over European dependency on foreign-operated DNS resolvers, such as those run by Google or Cloudflare. The initiative is designed to provide not only basic name resolution services but also advanced threat mitigation, ensuring DNS traffic is resolved within EU jurisdiction and in full compliance with GDPR.

The project is coordinated by a consortium comprising nine cybersecurity firms and academic partners from ten EU countries, including CZ.NIC, NASK, HUN-REN, and F-Secure. Whalebone, the operational lead, is a well-established DNS security company headquartered in the Czech Republic with a strong presence in telecom and ISP markets. Support and oversight are provided by national CERTs and the European Commission.

DNS4EU privacy and security

DNS4EU is more than just another recursive resolver. It integrates DNS filtering powered by real-time EU-centric threat intelligence, capable of blocking access to known malicious, phishing, or malware-linked domains. This threat intelligence is maintained by analysts within the EU and distributed across all DNS4EU endpoints without cost to end users or governments. The system includes regional insights, allowing threats discovered in one member state to be automatically blocked across the entire DNS4EU network.

For governments and telcos, DNS4EU offers enterprise-grade services that can relieve internal SOC (Security Operations Center) teams of some of the burden associated with DNS threat monitoring. The platform promises scalable infrastructure and optional integrations for incident response without requiring organizations to maintain their own DNS ecosystems.

On the public front, DNS4EU provides five DNS resolution variants, each tailored for specific needs:

• Protective resolution: Blocks known malicious and fraudulent websites.
• Protective + Child Protection: Adds filtering for explicit, violent, or drug-related content.
• Protective + Ad Blocking: Filters ads in addition to malicious content.
• Protective + Child Protection + Ad Blocking: Combines all three filtering layers.
• Unfiltered resolution: A fast, privacy-preserving resolver with no content filters.

All variants are available over IPv4 and IPv6 and support DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), aligning with modern secure DNS standards. The resolver endpoints are geographically distributed across the EU to optimize performance and resilience.

Despite its voluntary nature, DNS4EU has drawn criticism from digital rights groups concerned about the potential for future censorship. EU officials stress that participation is not mandatory and that the project is designed with transparency and accountability at its core. Legal filtering is explicitly excluded from DNS4EU's public service, and filtering lists for malicious domains and content are drawn from publicly documented threat feeds and third-party categorization engines like Webshrinker.

The service anonymizes IP addresses before any logging and does not collect or retain private user data. Domains mistakenly flagged as malicious can be reported and reviewed via a public submission form, ensuring some level of feedback control.

EU users interested in the service can configure DNS4EU manually by selecting the IP addresses or DoH/DoT URLs provided for their preferred filtering level. System administrators are encouraged to monitor for DNS resolution anomalies and verify fallback mechanisms when testing the filtering variants, especially those involving ad-blocking or child protection.