If I started this blog by saying “DNS over HTTPS, encryption and IETF RFC 8484,” I would lose three-quarters of my total audience. Heck – I wouldn’t be surprised if I lost half of my technical audience.
If I already lost you just by joking about losing you…please stay. I promise - it will be worth it.
One of the unintended consequences of DNS privacy settings in a web browser is that it also makes it ridiculously easy for anyone to add cybersecurity and DNS privacy in about five seconds. Why is that? Because the browser companies have put DNS encryption into the settings and the DNS is great at filtering out links to malicious content like ransomware.
A (very) brief description of DNS Encryption
What is DNS encryption? The Domain Name System (DNS) is a record of every single domain that you go to. In order for the internet to work, you need to find things, and so you need to consult a public map that is up to date. Since it would be impractical for you to maintain your own handwritten book of IP addresses, you rely on what are called “recursive DNS resolvers”. I am not going to go deeper into how this works, but many Canadians rely on their ISP for this function.
If you really want to get a basic look at how the DNS works, here is a short video we produced years ago that is still good today and is almost hipster in how retro it looks. In short, without the DNS, nothing else works. But let me reiterate - it is a record of every single place that you go to.
DNS encryption was introduced as a way to give consumers an option for privacy. It allows what was previously sent in clear text across the wilds of the internet to be secured. It also makes it easier for consumers to decide with whom to share their DNS information. You always had this choice, but it just wasn’t easy for many to implement. Now you get that choice and better features to go with it. If you would like an honest deep dive on DoH encryption we did a three-part series.
Okay – I want to use DNS privacy - Why CIRA’s service is the best.
First, when you are talking to DNS nerds about the DNS there are strong opinions. Mine is strong, and certainly biased – but for benevolent reasons.
I recommend CIRA Canadian Shield not just because I have to, but also because it provides protection and privacy in a made in Canada package for individuals and families across the country. If you're looking for a business solution, CIRA DNS Firewall offers the same great protection but with added features such as reporting, custom configuration, and advanced support. Of course, CIRA Canadian Shield has the best feature of all - it's free.
If you're concerned about privacy you should know that we have no interest in your data, no need to advertise to you or to sell your data to those who might. Our only interest is to help build a more trusted internet for all Canadians. It is core to our non-profit mandate and one we take seriously. Even if we wanted to keep data, it would cost us a ton of money in physical storage and CPU cycles to do so; money we would rather use to deliver better service today and add more features in the future.
Another great benefit of CIRA Canadian Shield is the option to block malware and phishing attacks. In fact, the data science we use to detect threats combines commercial and public threat feeds, including a Canada-specific feed from the Canadian Center for Cybersecurity, and a unique threat feed from one of the largest internet companies in the world, Akamai. Our unique threat data is critical because if we just blocked what your antivirus software already detects then we aren't really adding anything extra.
Benefits of configuring the browser for DNS privacy/encryption
Now, before we go further let’s be clear on what you get and do not get for this simple browser setting change:
1) You are only protected when browsing (duh). Since many people use browser-based email and productivity applications this is likely sufficient to significantly improve security, even if incomplete. The DNS should be considered an additive layer and using a DNS service that includes cybersecurity does not mean that you can start forgetting all the other good practices.
2) You are not protecting other devices on the network that might potentially host threats that rely on or use the DNS (remember the webcams that DDoSed the internet a few years back). You also won’t help guests or all those other devices on the network like Roku boxes, or other browsers or applications that family members may install that contain malware that uses the DNS. In short, there are plenty of advantages to implementing this security on your home router instead, but it is technically more challenging for many users.
Quick – what is the password for your home router?
Okay, fine, you knew it. You are smarter than I am. You are also smarter than probably 90% of users out there. Don’t believe me? Then here is a great article on user knowledge of their routers.
My router password is written down somewhere, but to be completely honest I don't know where. If I needed to do something to my router I would probably do a hard reset and start fresh. I am too lazy to do that. So there, I said it. As it relates to my home IT practices I am not smart and I am lazy. In other words, I am just like your users. If you are an IT manager with a bunch of work-at-home employees to take care of, then thank goodness you are smart.
Being smart is a double-edged sword. You are also smart enough to know that if you have 100 users then you probably have maybe 30 or so different router and gateway scenarios to contend with. People don’t know how to hard reset their router, let alone that they can type in 192.168.x.x to access it.
Enter the browser as a simple option for DNS Privacy that provides both privacy and security. A simple additional layer for when users are engaged in the riskiest activities (clicking on things).
Three steps that even the most non-technical of people can do
Three steps in the browser and less than 1 minute. If you want pictures, a bit more description and more options then follow the step-by-step instructions on our configuration page. There you can also find a simple button to test whether you have done it correctly.
Edge and Chrome
- Select the menu, then select Settings.
- Select Security.
- Toggle on Use secure DNS and choose Custom. Cut and paste the following into the field: https://protected.canadianshield.cira.ca/dns-query
Firefox
- Select Menu > Options.
- In the General panel, scroll down to Network Settings and click the Settings button.
- In the dialog box that opens, scroll down to Enable DNS over HTTPS. Select custom and cut and paste the following into the field: https://protected.canadianshield.cira.ca/dns-query
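As an added illustration that is not part of the original post, here is what the browser does with the URL you pasted into that field: it encodes a DNS question per RFC 8484 and parses the wire-format answer that comes back. The endpoint is the one from the steps above; the reply is constructed inline (192.0.2.1 is a documentation address), so nothing is sent over the network.

```python
import base64
import struct

# DoH endpoint copied from the post's browser configuration steps.
DOH_URL = "https://protected.canadianshield.cira.ca/dns-query"

def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query (RFC 1035); RFC 8484 suggests txid 0 so GET URLs are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(name):
    """RFC 8484 GET form: the query travels in ?dns= as base64url with '=' padding removed."""
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{DOH_URL}?dns={encoded}"

def _skip_name(msg, off):
    """Advance past a name given as labels or as a 2-byte compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_response(msg):
    """Return (rcode, [IPv4 strings]) from a wire-format reply: walk the question, then the answers."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def constructed_reply(query, ipv4, rcode=0):
    """Constructed stand-in for a live reply: echoes the question and, if rcode is 0, adds one A record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if rcode == 0 else 0, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + (rr if rcode == 0 else b"")
```

A live lookup would fetch doh_get_url("example.com") over HTTPS with an Accept: application/dns-message header and hand the body to parse_response; an rcode of 3 (NXDOMAIN) with no answers is the shape of a reply for a name that does not resolve.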
Apple has announced it is coming soon
If you are running an IT or cybersecurity team with at-home workers, what are you waiting for?
Three simple steps, nothing to support, effective. If you have workers at home, not only will you be helping to protect their home networks, but you will be helping to keep malware off their networks that can impact work devices or employee productivity. It is something they can set up for all the at-home computers in seconds to help protect their whole network. After all, the way in isn't always the final target for threats. If you are looking for something more commercial then the DNS Firewall is still the right solution, but as a simple and effective layer, the DNS is a recommended best practice for households and businesses alike.
Now if only you could stop the home network risk from bad passwords, unsupported devices, uninstalled software updates and, worst of all...teenagers.