Scaleway’s Role in the DNS4EU Initiative: An Infrastructure Perspective
While not officially a member or associate of the DNS4EU project, Scaleway contributes significantly by providing hosting services for its back-end infrastructure. This involvement underscores the company’s role as a key infrastructure provider within the broader European initiative.
The DNS4EU project is funded by the European Union with an approximate budget of 3 million euros. Officially launched on January 1, 2023, the project is scheduled to conclude on December 31, 2025, with the goal of becoming self-sustaining beyond this period.
DNS4EU aligns with the European Union’s cyber strategy for the digital decade, specifically incorporating directives from NIS2, which mandate “the development and use of a secure and European public DNS resolution service.”
The public launch of this service is scheduled for this week. The resolver infrastructure will rely on dedicated hardware provided by the UK-based hosting provider Datapacket and will be deployed across 14 countries: France, Germany, Bulgaria, Croatia, Spain, Greece, Hungary, Ireland, Italy, the Netherlands, Poland, the Czech Republic, Romania, and Sweden.
Beyond the performance promises for European citizens, DNS4EU emphasizes strict compliance guarantees: all data remains within the European Union, ensuring data sovereignty and privacy.
The process of address anonymization uses a modulo operation based on the volume of traffic handled in the past 24 hours. HMAC keys are regenerated daily.
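One possible reading of the anonymization step described above, as an added example that is not DNS4EU's or Whalebone's code: the client address is HMAC'd under a key that is regenerated each day, and the tag is reduced modulo a bucket count derived from the previous 24 hours of traffic. The `queries_per_bucket` rule, the choice of SHA-256, and all sample addresses, dates and volumes are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date


class DailyKey:
    """One random HMAC key per calendar day; the previous key is dropped."""

    def __init__(self):
        self._day, self._key = None, b""

    def get(self, today: date) -> bytes:
        if today != self._day:  # first use or day rollover: regenerate
            self._day, self._key = today, secrets.token_bytes(32)
        return self._key


def modulus_from_volume(queries_24h: int, queries_per_bucket: int = 10_000) -> int:
    """Assumed rule: the bucket count grows with the last 24 h of traffic."""
    return max(1, queries_24h // queries_per_bucket)


def pseudonymize(ip: str, key: bytes, modulus: int) -> int:
    """Map a client address to a bucket in [0, modulus) under the day's key."""
    packed = ipaddress.ip_address(ip).packed  # canonical bytes, IPv4 or IPv6
    tag = hmac.new(key, packed, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % modulus


def demo():
    """Pseudonymize constructed clients on two constructed days."""
    keys = DailyKey()
    modulus = modulus_from_volume(queries_24h=5_000_000)  # constructed volume
    clients = ["192.0.2.10", "192.0.2.11", "2001:db8::10"]  # documentation ranges
    out = {}
    for day in (date(2025, 6, 1), date(2025, 6, 2)):
        key = keys.get(day)  # a fresh key on the second day
        out[day] = [pseudonymize(c, key, modulus) for c in clients]
    return modulus, out
```

Because the old key is discarded at rollover, a bucket value logged on one day cannot be recomputed or linked to the same client on the next, and the modulo step makes several clients share each bucket.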
| Option | IPv4 | IPv6 |
| --- | --- | --- |
| Without filtering | 86.54.11.100 | 2a13:1001::86:54:11:100 |
| Malicious site blocking | 86.54.11.1 | 2a13:1001::86:54:11:1 |
| Malicious site and ad blocking | 86.54.11.13 | 2a13:1001::86:54:11:13 |
| Malicious site blocking and minors’ protection | 86.54.11.12 | 2a13:1001::86:54:11:12 |
| Malicious site and ad blocking with minors’ protection | 86.54.11.111 | 2a13:1001::86:54:11:111 |
The ad-blocking feature relies on various curated lists, such as Goodbyeads and Ads-Tracking. The minors’ protection is based on a set of around ten public data feeds, including sources like Bon-Apetit, combined with detection tools like Webshrinker.
Open Source Technology Underpinning DNS4EU, Also Used by Cloudflare
The core resolver technology in DNS4EU is based on Knot Resolver, an open-source DNS resolver licensed under GPLv3. This software has been under development for over a decade by the Czech National Cyber Security Agency (NSA CZ). Written in C and LuaJIT, Knot Resolver also serves as the foundation for Cloudflare’s 1.1.1.1 DNS service.
However, the DNS4EU project does not use Knot Resolver directly. Instead, it leverages its implementation via Whalebone, a Czech cyber solutions provider. Whalebone is also the project coordinator, bringing together a consortium of eight members:
- CZ.NIC — Czech domain registry and ISP association managing the .cz domain
- The Czech Technical University in Prague
- SZTAKI — The Institute of Computer Science, Hungarian Public Research Institution
- NASK — The Polish Research and Development organization and registry operator for .pl
- Timelex — A Belgian legal consultancy specializing in digital law
- ABI Lab — Italy’s banking and financial sector innovation lab, affiliated with CERTFin
- deSEC — A German NGO advocating for internet security
- The Romanian National Cyber Security Agency (ROCERT)
Additionally, there are three associated members: the Portuguese CERT (ANSSI Portugal), F-Secure from Finland, and CESNET, a Czech academic research network.
The deployment of DNS4EU for general public use is capped at 1,000 queries per second per IP address. With built-in DoS protections, it’s not designed for large-scale traffic management. Consequently, commercial entities are directed towards Whalebone’s paid solutions.
The public sector is also encouraged to contact the Czech provider, even though there is an official connection via the DNS4GOV branding. This initiative aligns with other national DNS efforts seen in Australia, Canada, and the UK, offering deployment options in both cloud and on-premises environments. Telecom operators are also targeted as potential clients and partners, given their dual role as service resellers and customers competing in the DNS services market.
DNS4EU as a Platform for Threat Intelligence Sharing
One of the key objectives of DNS4EU is the collection and dissemination of threat intelligence. The project involves coordination with CERT teams from Hungary, Italy, Luxembourg, Poland, Romania, and the Czech Republic. The technical exchange among these entities is facilitated via the open-source Malware Information Sharing Platform (MISP).
Whalebone oversees the back-end infrastructure, hosted on Scaleway’s Kubernetes environment. The Polish NASK is working on machine learning models to identify newly registered malicious domains. The Prague-based Stratosphere laboratory at the Czech Technical University is developing traffic analysis models targeting malware and command-and-control (C2) communications. CZ.NIC is focused on improving support for Express Data Path (XDP), enhancing performance and security.
DNS4EU is part of a broader set of initiatives launched in 2022 aimed at reinforcing digital sovereignty infrastructure. An example project involves interconnecting network backbones for cloud federation, illustrating the EU’s strategic focus on resilient, autonomous digital infrastructure.