
Mozilla is enabling CIRA Canadian Shield as the default trusted recursive resolver (TRR) for Canadian Firefox users. It is another step forward by the organization as they make DNS encryption the default for the browser under their overall commitment to privacy.  Since CIRA Canadian Shield supports both traditional IPv4 and IPv6 as well as the emerging DNS encryption standards, it was a natural fit.

By default, Firefox uses DNS over HTTPS, more commonly referred to in the community by its acronym, “DoH”. Before we dig into the mechanics, it is important to understand what it is doing.

What is the DNS

Every time you click on a link or type an address into the browser you are using a link that is human-understandable. In order for this address to find its way to a server it needs to be translated into the IP address that a machine understands.

This is called the Domain Name System (DNS) and it is often described as the internet’s phone book. For most Canadians, this lookup originates at a server located at their Internet Service Provider, called a recursive resolver. Many people who work in IT, or who just generally like to play with technology, change this DNS setting, either on their router, operating system or browser. They do it to get more privacy, better performance, or even just because it is fun. This flexibility is one of the amazing things about the DNS - the user has choice.

What is wrong with the DNS that we need these new solutions?

One of the features of the DNS is that all this information is exchanged across the open internet in clear text. The entire (original) point of the internet was that it was free and open, and notions of privacy between two “conversations” did not exist. The internet of old was built on utopian principles, and that utopia has been strained of late. As a result, the IETF created new standards for DNS privacy – including DoH.

What is DoH

DoH is one of two emerging methods (the other being DoT) to encrypt the DNS traffic - which in this case is between your browser and the CIRA DNS resolver (or server). We then resolve the query and send you on your merry way to the website, mail server, online application, or cat video that you were looking for. 

Because this is encrypted, the information (or zone file) that we exchange is not available for interception, inspection, and possibly even editing, the latter of which could send you somewhere you didn’t intend.
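To make the DoH mechanics concrete, here is an added Python example (not CIRA's or Mozilla's code). It builds the DNS wire-format query a DoH client sends, encodes it into the RFC 8484 GET URL form against the Canadian Shield Protected endpoint named later on this page, and decodes a constructed response, including the name-compression pointers real answers use. The example.com query and the 192.0.2.1 answer are constructed sample data, and nothing is sent over the network.

```python
import base64
import struct

# DoH endpoint named on the page (CIRA Canadian Shield Protected, RFC 8484 /dns-query).
DOH_URL = "https://protected.canadianshield.cira.ca/dns-query"

def build_query(name, qtype=1):
    """RFC 1035 wire-format query: header (ID 0 per RFC 8484 s4.1, RD=1, one question) + question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
def doh_get_url(query, endpoint=DOH_URL):
    """RFC 8484 GET form: the raw query, base64url-encoded without padding, in ?dns=."""
    return f"{endpoint}?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
def parse_name(msg, off, hops=0):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer back to an earlier name
            if hops > 16:            # a malformed message could otherwise loop forever
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off, hops = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, hops + 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_answers(msg):
    """Return (rcode, [(name, rtype, ttl, rdata)]) from a wire-format DNS response."""
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    off, answers = 12, []
    for _ in range(qd):                      # skip the echoed question section
        off = parse_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        answers.append((name, rtype, ttl, ".".join(map(str, rdata)) if rtype == 1 else rdata.hex()))
    return flags & 0x000F, answers

# Constructed sample response (not captured from CIRA): example.com A 192.0.2.1, TTL 3600.
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + build_query("example.com")[12:]
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
```

The same wire bytes, posted with `Content-Type: application/dns-message`, form the RFC 8484 POST variant; on the wire an observer sees only TLS to the resolver, not the name being looked up.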

DoH is an excellent addition to the security and privacy landscape and when combined with the other things people do, delivers a net positive. CIRA recommends that you consider using DNS encryption for personal and business use. It is a useful part of an overall privacy and security solution.

Want to read more? We have written quite a bit on this subject but a good primer is our blog on DNS Encryption – Evolution or Revolution

What is Mozilla/Firefox doing with CIRA and DoH?

By default Firefox is using DoH for DNS resolution – it is the first major browser to do this. What is super exciting is that for those who identify (in their settings) that they are located in Canada, Firefox will default to using CIRA Canadian Shield – Private, as its DNS resolver. This service level is simply answering queries privately and with no filtering of any kind (more on this later).

Why CIRA? First off, we easily met the requirements of Mozilla’s strict TRR program through our commitment to security, privacy, and transparency.

CIRA is a nationally-focused supplier and the first of its kind in the world to offer a kind of sovereign DoH resolution, one that is designed to optimize quality and privacy for Canadians but is still available throughout the world for those who travel. We are a non-profit with no interest in your data and, in fact, a stated interest in your privacy and in the open internet. We have the appropriate procedures in place to ensure privacy and have hired an auditor to test those systems. And finally, we offer a very high quality, high-reliability service with nodes located very close to Canadians and very well peered to the various networks that make up the internet in Canada (and that connect to the outside world).

Sound amazing?  We think so and we have heard a lot of rumblings in the world of global internet governance that suggest we will start seeing similar models emerge elsewhere in the world.  However, make no mistake that for DNS nerds, like us, CIRA being first is a reason to be proud to be a Canadian.

What if I want to change resolvers?

Firefox DNS settings are configurable in the browser’s settings, both to fall back to traditional DNS and to change the default DoH provider to whatever the end user prefers. Firefox comes with a number of DoH providers that you can optionally select, or you can add your own custom resolver.

CIRA Canadian Shield in the Firefox nightly build

I thought CIRA Canadian Shield was for filtering out malware, why is Firefox defaulting to private DNS resolution with no filtering?

It is true that the majority of the current CIRA Canadian Shield user base is using the service that filters malware, but a sizable number do choose the private-only option. 

The decision to implement any kind of content filtering – even if that “content” is malware, phishing sites and botnets - is a choice for the individual to make. We wrote in the past on how malware filtering is not censorship, but even with that idea in mind, if you are choosing security then you should know you have done it.

Every choice of firewalls, antivirus software, email filtering, VPNs, etc. is made by the individual, and all of these choices impact each other. Moreover, every cybersecurity service out there leverages unique threat blocking technology. In short, that technology choice is up to the individual and, while we would love to see secure DNS be part of default settings, it is not something we are likely to see anytime soon from any software company.

How can I use the CIRA Canadian Shield Protected or Family versions?

For those users who want to use CIRA Canadian Shield Protected or Family editions changing the default DoH provider is simple. From the same set-up panel in Firefox:

For Protected: select Custom for the provider and enter

https://protected.canadianshield.cira.ca/dns-query

You will take advantage of a threat blocking service with millions of malicious domains in the threat list, one that is adding over 100,000 net new ones per day.

For Family: select Custom for the provider and enter

https://family.canadianshield.cira.ca/dns-query

You get all the benefits of the Protected version plus blocking for pornographic content.

Choose Custom and enter the Protected URL for the CIRA service

For a full set of configuration options please visit

https://www.cira.ca/cybersecurity-services/canadian-shield/configure

I am an enterprise IT manager – does DNS encryption get around my other security?

Mozilla has taken several important steps to help make Firefox safe on the corporate network. You can read how to properly configure and manage DoH in a corporate environment over on their site. In short, DNS over HTTPS looks like it is here to stay, with various browsers and operating systems beginning rollouts – but the initial fears over the impact on corporate networks were a little overblown and can be mitigated by mature IT departments.

Wrapping it up - a great solution for Canadians

CIRA Canadian Shield accessed via its DoH address affords an important piece of the privacy pie for Canadians, and CIRA is excited by this new step in its deployment. Our non-profit mandate to help build a more trusted internet is complemented by this great new development.

Other resources

DNS Filtering is not censorship

DNS over HTTPS – Who do you love

DNS over HTTPs and the Application Layer