DNS TAPIR

A privacy-preserving operational platform for DNS threat detection and shared situational awareness

DNS query telemetry is increasingly collected into isolated commercial or governmental analysis ecosystems where sensitive operational and privacy-related information may be exposed outside the control of Internet service providers and DNS resolver operators. DNS TAPIR explores an alternative approach: collaborative DNS threat analysis without unnecessary centralisation of sensitive DNS telemetry.

The platform combines:

The DNS TAPIR (DNS Threat and Privacy Internet Research) team consists of leading DNS experts and developers, with many years of combined experience in operating DNS resolvers and in threat analysis.

Cooperation

DNS TAPIR is built around cooperation between Internet service providers, DNS resolver operators, analysts, researchers and operational security communities. Shared situational awareness enables broader visibility into threats that cannot easily be detected from isolated network perspectives alone.

Trust

Operational cooperation requires trust. Trust that privacy-sensitive information is protected. Trust that participants remain in control of their operational environments. Trust that analysis and governance are transparent and designed for the common benefit of the Internet ecosystem.

Transparency

DNS TAPIR is developed as open source software with transparent architecture and operational principles. Transparency enables independent review of analytical methods, privacy-preserving mechanisms and federation models.

Why DNS matters

DNS is one of the earliest observable indicators of malicious activity on the Internet. Threat actors frequently rely on DNS infrastructure for:

At the same time, many organisations struggle to independently maintain advanced DNS-analysis capability due to limited staffing, fragmented operational visibility, and increasing analytical complexity.

DNS TAPIR enables participating organisations to benefit from shared analytical capability, continuous analytical research, broader situational awareness, and privacy-preserving operational collaboration.

Privacy and operational resilience

DNS telemetry may contain both privacy-sensitive and operationally sensitive information. DNS TAPIR is therefore designed around:

This aligns with increasing operational resilience expectations emerging through frameworks such as GDPR and NIS2.

Current status

DNS TAPIR has:

Documentation

Onboarding for Internet Service Providers

This document describes how Internet service providers and other DNS resolver operators can participate in DNS TAPIR during the test phase. The purpose of the onboarding process is to establish operational trust, technical integration, privacy-preserving telemetry exchange, and long-term operational collaboration. DNS TAPIR is designed to support incremental onboarding with...

Getting Started

The DNS TAPIR platform is in an early phase of enrollment. Contact us if you're interested in setting up or using the platform. Tech docs and installation guide: visit our GitHub repo to find out more...

Information management (Swedish)

Summary: The challenge in analysing DNS data is primarily to get access to it at all. From a privacy perspective, individual queries are not particularly worrying, but taken together, the queries that an individual or device (hereafter the querier) makes over time form a detailed description of their activities on the net. This means that...

DNS TAPIR Architecture

The software consists of two major parts:

DNS TAPIR Edge – A service that runs close to a DNS resolver, aggregates logs and forwards data to the cloud service.

DNS TAPIR Core – The cloud service that aggregates, analyses and annotates data, and produces observations. ...

DNS TAPIR Security Brief

Credentials: Each TAPIR Edge node has a unique X.509 client certificate used for mTLS and a unique keypair used for signing events. ...

Information management

Summary: The challenge in analyzing DNS data is mainly that of gaining access to it. From a privacy perspective, singular queries are largely unproblematic, but an individual’s query stream taken over time will give a detailed description of their Internet activities....

DNS TAPIR Core

TAPIR Core is an ISP (carrier) independent data analysis system which receives aggregated, minimised and de-personified DNS data from TAPIR Edge devices. Core analyses this data and indicates possible anomalies as “observations”. Individual ISPs can freely choose how to act upon the observations, if at all....

Videos

Making Recursive DNS More Robust Through Cooperation (Johan Stenstam)

October 22, 2024

Why? (Mikael Kullberg), (SWEDISH)

November 26, 2024

What is DNS TAPIR (Lars-Johan Liman)

October 23, 2023


DNS TAPIR - Introduction (Olle E Johansson), (SWEDISH)

November 26, 2024

DNS TAPIR Security Architecture (Jakob Schlyter), (SWEDISH)

December 6, 2024