DNS TAPIR Onboarding for Internet Service Providers
This document describes how Internet service providers and other DNS resolver operators can participate in DNS TAPIR during the test phase.
The purpose of the onboarding process is to establish:
- operational trust,
- technical integration,
- privacy-preserving telemetry exchange,
- and long-term operational collaboration.
DNS TAPIR is designed to support incremental onboarding with low operational risk and minimal disruption to existing DNS infrastructure.
Participation does not normally require immediate major changes to resolver architecture or replacement of existing DNS-security systems.
Overview
DNS TAPIR is a cooperative operational platform with continuous analytical research focused on DNS-based threat detection and shared situational awareness.
The platform enables participating Internet service providers and DNS resolver operators to contribute privacy-preserving DNS telemetry data and receive improved situational awareness and analytical support in return.
The onboarding model is intentionally designed to:
- minimise operational complexity,
- preserve participant control,
- support GDPR-oriented minimisation principles,
- and allow gradual operational adoption.
Typical Onboarding Process
A typical onboarding process consists of several phases.
Phase 1 — Initial Discussion and Planning
The onboarding process normally begins with technical and operational discussions between the DNS TAPIR team and the participating organisation.
Typical discussion topics include:
- resolver environment overview,
- operational requirements,
- privacy and governance considerations,
- telemetry handling,
- local operational policies,
- and deployment planning.
This phase also identifies relevant stakeholders inside the participating organisation, which may include:
- DNS operations,
- network operations,
- cybersecurity teams,
- privacy or legal functions,
- and operational management.
The DNS TAPIR project holds community meetings every second week and runs a Signal group chat for discussions. Contact us to get invitations.
Phase 2 — Technical Evaluation
During the technical evaluation phase, the participating organisation evaluates how DNS TAPIR fits into its operational environment.
This typically includes:
- review of architecture,
- deployment models,
- data flows,
- telemetry minimisation,
- operational monitoring,
- and integration requirements.
The DNS TAPIR team may provide:
- demonstrations,
- technical workshops,
- architecture walkthroughs,
- and operational guidance.
Phase 3 — DNS TAPIR Edge Platform Deployment
The first technical deployment step is typically installation of the DNS TAPIR Edge platform inside the participating DNS resolver operator environment.
The DNS TAPIR Edge platform performs:
- DNS telemetry collection,
- aggregation of DNS query data,
- privacy-preserving minimisation,
- generation of analytical events,
- and forwarding of minimised telemetry streams and events.
The DNS TAPIR Edge platform is designed to operate independently from the resolver itself and normally does not require modification of existing recursive DNS infrastructure.
To deploy the DNS TAPIR Edge platform, the participating DNS resolver operator needs access to DNS telemetry through the DNSTAP interface supported by the resolver platform. Most deployments run the DNS TAPIR Edge platform in the same virtual machine as the recursive resolver. The platform may also run in a separate virtual machine receiving DNSTAP telemetry over a TCP connection.
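The following is an added illustration of the edge-side aggregation and minimisation step described above; it is not DNS TAPIR Edge code. It assumes dnstap client-response messages have already been reduced to simple records (an assumed field set, not the real dnstap schema), aggregates them in local memory, and emits only per-name counts with a coarse distinct-client bucket, so that client IP addresses never leave the resolver environment. Bucket edges and record layout are assumptions.

```python
"""Illustrative edge-side minimisation of DNS telemetry (added example,
not DNS TAPIR's own implementation).  Record layout, bucket edges and the
sanity check are assumptions chosen for the illustration."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records in the shape a dnstap client-response message
# could be reduced to locally (assumed field set, not the dnstap schema).
SAMPLE_RECORDS = [
    {"client_ip": "192.0.2.10", "qname": "www.example.com.", "qtype": "A", "rcode": "NOERROR"},
    {"client_ip": "192.0.2.11", "qname": "WWW.Example.COM.", "qtype": "A", "rcode": "NOERROR"},
    {"client_ip": "192.0.2.10", "qname": "mail.example.net.", "qtype": "MX", "rcode": "NOERROR"},
    {"client_ip": "192.0.2.12", "qname": "nonexist.example.org.", "qtype": "A", "rcode": "NXDOMAIN"},
    {"client_ip": "192.0.2.12", "qname": "nonexist.example.org.", "qtype": "A", "rcode": "NXDOMAIN"},
    {"client_ip": "2001:db8::5", "qname": "nonexist.example.org.", "qtype": "AAAA", "rcode": "NXDOMAIN"},
]


def normalise_qname(qname: str) -> str:
    """Lower-case and ensure a trailing dot so case variants aggregate together."""
    q = qname.lower()
    return q if q.endswith(".") else q + "."


def aggregate(records):
    """Count queries per (qname, qtype, rcode) and the distinct clients behind
    each key.  Client IPs are only used for the distinct count here and are
    never copied into the forwarded output."""
    counts = defaultdict(int)
    clients = defaultdict(set)
    for r in records:
        key = (normalise_qname(r["qname"]), r["qtype"].upper(), r["rcode"].upper())
        counts[key] += 1
        clients[key].add(ip_address(r["client_ip"]))
    return counts, clients


def bucket_clients(n: int) -> str:
    """Coarsen the distinct-client count (assumed bucket edges) so a forwarded
    record does not reveal an exact subscriber count for a single name."""
    if n <= 1:
        return "1"
    if n <= 5:
        return "2-5"
    if n <= 20:
        return "6-20"
    return ">20"


def minimise(records):
    """Build the records that would be forwarded upstream: aggregated counts
    and a coarse client bucket only, no client addresses."""
    counts, clients = aggregate(records)
    out = []
    for key in sorted(counts):
        qname, qtype, rcode = key
        out.append({
            "qname": qname, "qtype": qtype, "rcode": rcode,
            "queries": counts[key],
            "clients": bucket_clients(len(clients[key])),
        })
    return out


def contains_client_identifiers(minimised) -> bool:
    """Pre-forwarding sanity check: refuse output if any field parses as an
    IP address, which would indicate a minimisation bug."""
    for rec in minimised:
        for value in rec.values():
            try:
                ip_address(str(value))
                return True
            except ValueError:
                continue
    return False


if __name__ == "__main__":
    forwarded = minimise(SAMPLE_RECORDS)
    assert not contains_client_identifiers(forwarded)
    for rec in forwarded:
        print(rec)
```

Running the block on the constructed sample produces four aggregated records; the two case variants of www.example.com collapse into one record with a "2-5" client bucket, and the final check confirms no address survived into the forwarded set.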
Typical deployment environments include:
- virtual machines,
- and existing resolver infrastructure environments.
Supported deployment models may vary depending on:
- resolver software,
- operational architecture,
- and local operational policies.
Registration and Enrollment
Participation in DNS TAPIR begins with an onboarding and enrollment process intended to establish:
- operational trust,
- verified organisational identity,
- secure communication channels,
- and controlled access to DNS TAPIR services.
The onboarding process is intentionally lightweight during the current operational test phase, while still ensuring trusted operational relationships between participants.
Registration
Organisations interested in participating in DNS TAPIR should contact: info@dnstapir.se
The initial registration should include:
- organisation name,
- operational contact person,
- contact information,
- resolver environment overview,
- and intended participation scope.
This allows the DNS TAPIR team to begin planning technical onboarding and operational coordination.
Trusted Communication Channels
Because DNS TAPIR involves operationally sensitive information and infrastructure, participating organisations are expected to establish at least one trusted out-of-band communication channel.
This may include:
- PGP/GPG keys,
- Signal handles,
- or other agreed secure communication mechanisms.
These channels are used for:
- enrollment credentials,
- operational coordination,
- incident communication,
- and trusted onboarding workflows.
Contractual Framework
During the current operational test phase, participating organisations require an agreement with the operational DNS TAPIR service partner.
At the current stage of the project, this role is handled by Internetstiftelsen.
The agreement establishes:
- operational expectations,
- governance principles,
- privacy and handling requirements,
- and participation conditions.
The contractual framework may evolve as DNS TAPIR transitions toward long-term production operation and federation between multiple operational environments.
Enrollment Credentials
After onboarding and contractual processes are completed, enrollment credentials are distributed through trusted out-of-band communication channels.
These credentials are used to:
- authenticate DNS TAPIR Edge platform deployments,
- establish trusted communication,
- and enable participation in operational telemetry exchange.
Credential handling procedures may vary depending on:
- deployment model,
- federation structure,
- and operational requirements.
Current Operational Scope
The current operational test phase focuses primarily on participation by:
- Internet service providers,
- DNS resolver operators,
- operational security partners,
- and selected infrastructure participants.
Some participation models, including limited consumer-oriented integrations, are planned for future phases but are not currently part of the operational deployment model.
Data Handling Principles
DNS TAPIR is designed around privacy-preserving operational collaboration.
Key principles include:
- minimisation before sharing,
- participant-controlled governance,
- controlled federation,
- and operational transparency.
The platform is intentionally designed to avoid unnecessary centralisation of raw DNS telemetry, which includes the IP addresses of end users.
Participating organisations remain in control of:
- local operational policy,
- local deployment,
- and operational enforcement decisions.
Blocking and Policy Integration
The DNS TAPIR Policy Processor (POP) is edge software that supports integration with DNS blocking workflows through policy-driven operational outputs.
This may include:
- RPZ generation,
- operational intelligence feeds,
- or local policy integration.
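As an added illustration of the RPZ generation output listed above (example code, not the Policy Processor's own implementation), the block below turns a list of local policy decisions into an RPZ zone file. The zone name, serial scheme and the decision tuple layout are assumptions; the record syntax itself follows the RPZ convention (CNAME . for NXDOMAIN, CNAME *. for NODATA, CNAME rpz-passthru. for an explicit allow). Each domain from a feed is validated before it becomes an owner name, so a malformed entry cannot inject extra records into the zone.

```python
"""Illustrative RPZ zone generation from local policy decisions (added
example, not DNS TAPIR POP code).  Zone name, serial and decision layout
are assumptions; the RPZ record targets are the standard convention."""
import re

# RPZ action -> CNAME target (standard RPZ convention).
RPZ_ACTIONS = {
    "nxdomain": ".",            # answer NXDOMAIN
    "nodata": "*.",             # answer NODATA
    "passthru": "rpz-passthru.",  # explicit allow, stops further RPZ matching
}

# One hostname label: 1-63 chars, letters/digits/underscore/hyphen,
# no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def normalise_domain(domain: str) -> str:
    """Lower-case, drop the trailing dot and validate every label.  Rejecting
    whitespace or other stray characters here keeps an untrusted feed entry
    from injecting records into the generated zone file."""
    name = domain.strip().lower().rstrip(".")
    labels = name.split(".")
    if not name or len(name) > 253 or any(not LABEL_RE.match(l) for l in labels):
        raise ValueError(f"invalid domain name: {domain!r}")
    return name


def rpz_zone(zone: str, serial: int, decisions, ttl: int = 300) -> str:
    """Render an RPZ zone.  `decisions` is an iterable of
    (domain, action, include_subdomains) tuples (assumed layout).
    Owner names are relative to $ORIGIN, as RPZ triggers normally are."""
    origin = zone.rstrip(".") + "."
    lines = [
        f"$ORIGIN {origin}",
        f"$TTL {ttl}",
        f"@ IN SOA localhost. hostmaster.{origin} {serial} 3600 900 604800 {ttl}",
        "@ IN NS localhost.",
    ]
    seen = set()
    for domain, action, include_subdomains in decisions:
        if action not in RPZ_ACTIONS:
            raise ValueError(f"unknown RPZ action: {action!r}")
        owner = normalise_domain(domain)
        if owner in seen:           # duplicate feed entries yield one trigger
            continue
        seen.add(owner)
        target = RPZ_ACTIONS[action]
        lines.append(f"{owner} IN CNAME {target}")
        if include_subdomains:
            lines.append(f"*.{owner} IN CNAME {target}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed decisions; the domains are documentation names, not real IoCs.
    DECISIONS = [
        ("Malicious.Example.", "nxdomain", True),
        ("tracker.example", "nodata", False),
        ("malicious.example", "nxdomain", True),   # duplicate, deduplicated
        ("partner.example", "passthru", True),
    ]
    print(rpz_zone("rpz.example.local", 2024010101, DECISIONS), end="")
```

The generated file can be loaded as a response-policy zone by the local resolver; the blocking decision itself (which action, whether subdomains are covered) stays with the operator, which is the division of responsibility the text describes.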
The participating Internet service provider or DNS resolver operator always remains responsible for:
- local blocking decisions,
- enforcement policies,
- and operational customer impact management.
DNS TAPIR provides operational intelligence and analytical support — not centralised enforcement.
Existing DNS-Security Services
DNS TAPIR can operate alongside most existing DNS-security environments.
Participation does not require immediate replacement of:
- existing DNS-security providers,
- blocking platforms,
- recursive DNS infrastructure,
- or SOC workflows.
Many participants begin with:
- passive observation,
- operational evaluation,
- and gradual integration into existing operational processes.
Operational Requirements
Typical operational requirements include:
- access to DNS telemetry through DNSTAP,
- compute capacity for the DNS TAPIR Edge platform,
- secure communication channels,
- and operational contact points.
Exact requirements depend on:
- deployment scale,
- telemetry volume,
- analytical scope,
- and local operational requirements.
Governance and Participation
DNS TAPIR is designed as a cooperative operational capability.
Participants contribute to:
- operational collaboration,
- shared situational awareness,
- and continuously evolving analytical capability.
The governance model is based on:
- transparency,
- operational trust,
- participant cooperation,
- and privacy-preserving federation.
Participation should not be viewed as a traditional supplier relationship.
Participants contribute to a shared operational capability intended to strengthen:
- cyber resilience,
- DNS threat detection,
- and operational situational awareness across the ecosystem.
GDPR and NIS2 Considerations
DNS telemetry may contain privacy-sensitive and operationally sensitive information.
DNS TAPIR therefore uses:
- local processing,
- minimisation before sharing,
- controlled federation,
- and participant-controlled governance.
The platform is designed to support operational collaboration while reducing unnecessary exposure of sensitive DNS telemetry.
DNS TAPIR may also support broader operational resilience and situational awareness goals associated with frameworks such as GDPR and NIS2.
Privacy protection in DNS TAPIR is regularly audited by external experts. Publishing all software under an open source licence also provides transparency and makes community audits possible.
Contact
info@dnstapir.se