DNS4EU is a European Union initiative launched on June 9, 2025, offering a public, free, and GDPR-compliant DNS resolver. The project aims to strengthen Europe’s digital sovereignty by providing an alternative to global DNS services operated outside the EU. The service is co-financed by the EU and supported by the European Union Agency for Cybersecurity (ENISA), and it is operated by a consortium of ten organizations from various Member States. DNS4EU’s goal is not only to create an alternative to the market-dominant, often non-European resolvers (e.g., Google Public DNS or Cloudflare), but also to implement “privacy by design” and “privacy by default” principles and to enhance the resilience of critical infrastructure within the EU.

Project Context and Objectives

In recent years, the dominance of a few global DNS operators (e.g., Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1) has been viewed as a concentration and strategic dependency risk. The global DNS outages in 2019 and 2020 demonstrated how major disruptions can affect all of Europe when central resolvers go offline. DNS4EU seeks to mitigate these risks by building a distributed infrastructure entirely within EU territory, in line with the EU Cybersecurity Strategy and the NIS2 Directive. Additionally, it has long been observed that a significant portion of European users’ DNS traffic is processed outside the EU, raising GDPR compliance concerns and vulnerability to political interference and cyber threats. The EU’s digital and new cybersecurity strategies emphasize the need for indigenous, trustworthy infrastructure solutions. DNS4EU aligns with these goals by delivering a service fully hosted in data centers across Member States.

Consortium and Institutional Support

The DNS4EU consortium comprises national domain registries, research units, and technology providers:

• Whalebone (Consortium Lead, Czechia) – DNS security engine.
• CZ.NIC and CTU (Czechia) – infrastructure and research.
• Time.lex (Belgium) – legal aspects and GDPR compliance.
• deSEC (Germany) – open-source DNS solutions.
• HUN-REN (Hungary), ABILAB (Italy), NASK (Poland), DNSC (Romania) – national CERT centers and research laboratories.
• Strategic Partners: F-Secure (Finland) and CESNET (Czechia).

ENISA coordinates security matters and the exchange of additional threat intelligence, enabling rapid response to attacks at the European level. EU funding covers the period 2023–2025, after which the consortium plans to transition to an operationally self-sufficient model through a commercial offering.

Technical Architecture

DNS Engine and Anycast
At the core of the solution is the open-source Knot Resolver 6, widely used in cloud operator infrastructures. DNS4EU nodes are geographically distributed in at least 14 EU Member States and interconnected via anycast routing, ensuring minimal latency and redundancy. Operators leverage European cloud providers (Datapacket, Scaleway) to avoid intermediaries outside the EU.
Encrypted Protocol Support and DNSSEC
All DNS4EU configurations support:

• DNS-over-HTTPS (DoH).
• DNS-over-TLS (DoT).
• DNSSEC signature verification to protect against spoofing and cache poisoning.

The DoH and DoT endpoint addresses are publicly documented, e.g. protective.joindns4.eu/dns-query or unfiltered.joindns4.eu:853
Service Configurations and Addressing
The public DNS4EU resolver offers five variants, each with dedicated IPv4 and IPv6 addresses:

Source: DNS4EU documentation
The public query limit is 1,000 qps per IP; dedicated instances without limits are planned for commercial customers.
Threat Intelligence Pipeline
The security layer is based on the Whalebone engine, which analyzes DNS queries using:

• IOC databases – over 20 million malicious domains, updated ~150,000 times daily.
• ML and DGA detection – algorithmically generated domain detection (entropy models and language models).
• Behavioral analysis – modeling DNS traffic anomalies at the session level.
• Infrastructure correlation – WHOIS, TLS certificates, hosting relationships. When a CERT center reports a new threat, blocking rules are synchronized via a MISP instance, enabling real-time protection across the EU.

Privacy and Anonymization
DNS4EU implements a strict zero-log and IP anonymization policy:

• Client IPs are held in RAM only for the duration of the query (milliseconds).
• Identifiers are anonymized using HMAC-SHA256 with keys rotated every 24 hours at midnight UTC.
• No persistent storage, no user profiling. This approach meets GDPR requirements and “privacy by design” guidelines.

Corporate Integration and Deployment

Typical deployment scenarios include:

• Hybrid DNS: European traffic routed to DNS4EU, global traffic to 1.1.1.1 or 8.8.8.8.
• Critical System Protection: Isolated resolver instances with dedicated filtering.
• SIEM Integration: Anonymized logs forwarded to SIEM platforms (Splunk, Elastic).
• Telecom Operators: ISPs can offer DNS4EU to end customers.

Regulatory Compliance

• GDPR: All query data processed within the EU, no transfers outside the Community.
• Net Neutrality: No content interference, aside from optional anti-malware/adblock/child-protection filtering.
• No Censorship: The service is voluntary and does not impose content restrictions – filtering decisions remain with the user or organization.

The entire DNS4EU operational environment resides under EU jurisdiction, and query logs are deleted after a maximum of 24 hours. Use of data for profiling or third-party sales is prohibited. The service operates under “privacy by design,” as confirmed by a GDPR compliance audit conducted by Time.lex, one of the consortium’s legal partners.

Service Offerings

Individual Users:

• Public, free access to resolvers with filtering options.
• Easy configuration in OSs and browsers, including DoH/DoT URL lists.

Public Sector:

• DNS-as-a-Service solutions for ministries, local governments, healthcare, and educational institutions, with enhanced SLAs and reporting.

Telecom Operators and ISPs:

• White-label integration in operator infrastructure, resolver cluster management via API, delivering services to end customers at minimal operational cost.

Deployment and Operations

• Pilot (Q1 2023) – functional testing in selected countries.
• PoP Expansion (2023–2024) – launch of dozens of Anycast locations.
• Public Launch (June 9, 2025).

Cloud and hosting providers: Scaleway, Datapacket, Hetzner, and local operators.
Monitoring: Prometheus + Grafana systems within the consortium for real-time metric collection, alerting, and SLA analysis.
DNS4EU has been publicly available since June 9, 2025. Any user or organization can configure their clients using:

• Anycast IPv4: 185.24.16.0/24
• Anycast IPv6: 2a04:fe80::/32

Technical documentation and deployment guides are available on the project website: https://www.joindns4.eu.

Future Perspectives and Roadmap

• Knot Resolver 7+: planned support for DNS-over-QUIC (DoQ) per RFC 9000/9001, enabling stream multiplexing and lower latency.
• RPKI/ROA Integration: IP prefix origin validation at query time to reduce BGP hijack risks.
• IoT/5G Support: lightweight edge nodes in mobile operator networks, offering local caching and filtering for large device fleets.

Thus emerges a comprehensive, distributed, and highly secure DNS environment that not only meets EU requirements (NIS2, GDPR) but also offers advanced observability, automation, and threat resilience. DNS4EU is a milestone in Europe’s digital sovereignty strategy. With its Anycast network, advanced security protocols (DNSSEC, DoH, DoT), and grounding in EU privacy regulations, the project provides a robust alternative to global DNS providers. For organizations seeking a private, efficient, and independent DNS solution in Europe, DNS4EU opens new opportunities for protecting and controlling network traffic. Implementing DNS4EU not only reduces technological dependency risk but also strengthens the resilience of Europe’s infrastructure against cyber threats, aligning with the EU’s long-term digital autonomy goals.