Written by Stephen Burns, Ruth Promislow, Michael Whitt, Sebastien Gittens and Kees de Ridder
The Canadian Internet Registration Authority (CIRA) launched a domain name system (DNS) service on April 23, 2020. CIRA is the entity responsible for overseeing Canada's .ca country-code top-level domain (ccTLD). CIRA is offering its new DNS service—branded "Canadian Shield"—to assist Canadians with online privacy and security. Canadian Shield is an alternative to the DNS service provided by your internet service provider (ISP).
What is a DNS?
Every time you type a domain name (that is, a uniform resource locator or URL) into your browser, your computer sends your request for that domain name to a DNS. The DNS then sends you the internet protocol (IP) address of the server corresponding to the domain name. Your computer then uses that IP address to access the website.
By way of analogy, IP addresses are like latitude and longitude coordinates, domain names are like municipal addresses, and the DNS is like a map. When you type in a domain name, such as www.cira.ca, your computer asks the DNS for the corresponding IP address, which in this case is 22.214.171.124. Once your computer knows the domain name's IP address, your computer can communicate directly with the website's server.
How Do I Choose My DNS Provider?
By default, your DNS is set by your internet service provider (ISP). You can change your DNS provider by tweaking settings in your router, computer, browser, phone, game console, or any other device that connects to the internet. You can check which DNS you are using by performing a DNS leak test, which you can run from your browser using free online services.
What Data do DNS Providers Collect?
To do its job, the DNS must know your IP address and the domain names you request. DNS providers need this information for only a moment, but may keep logs of such data indefinitely.
How Can a DNS Provider Protect Me?
Keeping limited logs. DNS providers can protect users by limiting the retention of logs of users' IP addresses and the websites they visit. Advertisers, government authorities, and hackers cannot abuse what does not exist. Canadian Shield says that it keeps logs for up to 24 hours, or longer if "malicious or anomalous" behaviour is suspected or detected.
Blocking dangerous content. Another way DNS providers can protect users is by blocking certain domain names and IP addresses. This prevents your computer from ever communicating with the server associated with the blocked IP address. You can configure Canadian Shield to block harmful and adult content.
Validating requests. DNS providers can use Domain Name System Security Extensions (DNSSEC), which reduce the risk of man-in-the-middle attacks, where legitimate DNS requests are redirected to illegitimate websites. DNSSEC does this by adding cryptographic signatures to existing DNS records and validating those signatures to ensure nothing has been changed en route to the user. Canadian Shield says it provides DNSSEC validation.
Encrypting DNS traffic. DNS providers can also encrypt the data between the user's device and the DNS server, by using DNS over HTTPS (DoH) or DNS over TLS (DoT). Canadian Shield supports both DoH and DoT encryption standards.
All of these measures are voluntary on the part of the DNS provider, and may require some configuration by the user.
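The following example is added here to make the preceding explanation concrete; it is not code from CIRA, Akamai or any other party mentioned in this article. Using only the Python standard library, it builds a DNS query for www.cira.ca in wire format, shows how that query would be carried inside a DNS over HTTPS request (the base64url form defined in RFC 8484), and then parses a constructed response. The parsed output shows what a DNS provider necessarily sees in the clear once the transport encryption is removed (the queried name and the answer), and the AD flag that a validating resolver sets when DNSSEC checks succeeded. The answer address 192.0.2.10 is a documentation address chosen for this example, not a real record.

```python
import base64
import struct

AD_FLAG = 0x0020  # "Authentic Data": set by a validating resolver after DNSSEC checks pass

def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txid: int = 0) -> bytes:
    """Build a wire-format A query. RD=1 asks for recursion; AD=1 asks the
    resolver to report DNSSEC validation. RFC 8484 recommends ID 0 for DoH."""
    flags = 0x0100 | AD_FLAG
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

def doh_get_param(query: bytes) -> str:
    """RFC 8484: the wire-format query goes in the 'dns' URL parameter,
    base64url-encoded with padding removed."""
    return base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")

def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers (0xC0 prefix).
    Returns (name, offset just after the name in the original stream)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    result = {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "dnssec_validated": bool(flags & AD_FLAG),
        "questions": [],
        "answers": [],
    }
    offset = 12
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack(">HH", msg[offset:offset + 4])
        offset += 4
        result["questions"].append((name, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        result["answers"].append((name, rtype, ttl, value))
    return result

def build_sample_response(query: bytes, ip: str, validated: bool) -> bytes:
    """Constructed response for the example: echoes the question and adds one
    A record (TTL 300) whose owner name is a pointer back to offset 12."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = 0x8180 | (AD_FLAG if validated else 0)  # QR=1, RD=1, RA=1 (+AD)
    header = struct.pack(">HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_query("www.cira.ca")
    print("DoH GET parameter: ?dns=" + doh_get_param(q))
    print(parse_response(build_sample_response(q, "192.0.2.10", validated=True)))
```

Two points the output makes visible: the resolver sees the plaintext question "www.cira.ca" whether or not DoH or DoT was used, because encryption covers only the path to the resolver; and the AD flag only means the resolver itself validated DNSSEC, so the user is trusting that resolver's word unless the client validates too.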
Do I Need to Take any Further Security Measures?
A DNS provider can only encrypt your DNS traffic, and only in transit. To return the IP address for the domain name you requested, the DNS provider must decrypt your request, so it still sees your IP address and the domain name you asked for. The DNS provider cannot encrypt data exchanged between you and the websites you visit. You and the websites you visit should take further security measures to encrypt such data. For example, users may implement virtual private network (VPN) solutions, and servers can use hypertext transfer protocol secure (HTTPS).
Changing your DNS to a trusted provider does not replace other security measures, such as HTTPS, antivirus, traditional software and hardware firewalls, VPNs, and installing operating system updates as soon as they are released.
You are not the only one who can change your DNS settings. Antivirus software and VPNs can override your DNS settings. Your device can override the DNS settings of your router. Your browser can override the DNS settings of your computer. Under certain conditions, your device may continue to use its default DNS settings rather than, or in addition to, the DNS settings you manually enter. You may be able to change your antivirus or VPN settings to use the DNS provider of your choice. You can check which DNS provider your browser uses by performing a DNS leak test.
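An added example (not from the article or from CIRA) of the kind of local check the paragraph above suggests, for a Linux or macOS machine where the system resolver configuration lives in /etc/resolv.conf. It reads a constructed resolv.conf-style text, lists the configured nameservers, and flags two conditions that commonly mean the expected provider is not actually being used: a loopback address (a local stub resolver such as systemd-resolved, whose real upstream is configured elsewhere), and any nameserver outside the set you intended. The expected addresses are placeholders; substitute the ones published by your chosen provider.

```python
import ipaddress

# Placeholder: replace with the resolver addresses published by your provider.
EXPECTED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}

# Constructed sample: what systemd-resolved typically writes to /etc/resolv.conf.
SAMPLE_RESOLV_CONF = """\
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.53
options edns0 trust-ad
search example.invalid
"""

def parse_nameservers(text: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def audit_resolv_conf(text: str, expected: set) -> dict:
    """Compare configured nameservers against the provider you intended to use."""
    servers = parse_nameservers(text)
    stubs = [s for s in servers if ipaddress.ip_address(s).is_loopback]
    unexpected = [s for s in servers if s not in expected and s not in stubs]
    return {
        "nameservers": servers,
        # A loopback resolver forwards elsewhere; check its own upstream config
        # (for systemd-resolved: `resolvectl status`) to see the real provider.
        "local_stub": stubs,
        "unexpected": unexpected,
        "matches_expected": bool(servers) and not stubs and not unexpected,
    }

if __name__ == "__main__":
    print(audit_resolv_conf(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS))
```

This only inspects the operating system's resolver settings; as the paragraph above notes, a browser, VPN client or antivirus product can bypass those settings entirely, so a DNS leak test run from the browser remains the way to confirm which provider actually answers its queries.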
What is Special About Canadian Shield?
Canadian Shield is in Canada. Canadian Shield's servers are in Canada, and thereby likely avoid regulation by other jurisdictions. By being in Canada, Canadian Shield could be faster for users in Canada compared to DNS providers that are geographically distant.
CIRA is a non-profit. This reduces the motivation to sell your DNS query data to third parties, such as advertisers.
Canadian Shield will be audited. CIRA has committed to a full, annual privacy audit to be conducted by a third party.
Canadian Shield is customizable. Canadian Shield offers three levels of security: private, protected, and family. The private level replaces your default DNS provider with Canadian Shield, which you may deem more trustworthy. The private level does not filter content. The protected level includes the security of the private level, and also blocks websites known or believed by CIRA to be associated with security threats, such as malware and phishing. The family level includes the security of the protected level, and also blocks adult content.
Who Can Use Canadian Shield?
While it could technically be used by any internet-enabled device, Canadian Shield's terms only permit use by individuals and families residing in Canada. CIRA also offers CIRA DNS Firewall, a paid service for organizations.
How Does Canadian Shield Decide What to Block?
To compile its list of dangerous websites, Canadian Shield aggregates threat lists from third parties, both commercial and open source. One of these threat lists comes from the Canadian Centre for Cyber Security, a government entity responsible for protecting the cyber security of the federal government and Canada's critical internet infrastructure. According to CIRA, 100,000 websites are added to the aggregated threat list every day. Users can submit malicious domains or IP addresses, and report false positives, by using Canadian Shield's support page.
How Does Canadian Shield Use My Data?
CIRA may share anonymized aggregate data with the public, such as information about threat types, geolocation, and performance of Canadian Shield (e.g., number of websites blocked, and infrastructure uptime). CIRA may also share certain data with intelligence partners, including the number of times a given domain is blocked.
Who Made Canadian Shield?
CIRA has partnered with several third parties to develop and implement Canadian Shield.
Akamai. Canadian Shield uses technology owned by Akamai, a company with headquarters in the United States and offices throughout the world, including in Ottawa and Toronto. Akamai is responsible for 4% of all global DNS queries, and serves between 15% and 30% of global web traffic.
Mobilize. Canadian Shield will soon offer a mobile phone app, simplifying the process for setting up Canadian Shield on iPhone and Android devices. This app was created in partnership with Mobilize, an American company. It is possible to configure mobile devices to use Canadian Shield without installing this app.
TekSavvy. Canadian Shield will be served by TekSavvy's data centres in Toronto, Montreal, and Vancouver. TekSavvy is a Canadian ISP with headquarters in Chatham, Ontario.
Should I Change My DNS Provider?
If you would like assistance in deciding which online security and privacy measures are right for you and your business, we invite you to contact Bennett Jones' cybersecurity team.