The following is a set-up guide for CIRA Canadian Shield for the DNS Encryption with DNS over TLS (DoT) option. See all the set-up guides for Canadian Shield.
Before you proceed...
- If you set-up CIRA Canadian Shield on your router/gateway then the whole network is protected and you will not need to set-up individual devices.
- Before changing your DNS settings write down your existing IP addresses in case you need to go back. Go to the bottom of this page to see if you have configured it correctly.
Once you are done, you can go here to test your configuration.
A summary of DNS resolver addresses can be found here.
CIRA Canadian Shield supports DNS over TLS (or DoT). DoT describes sending encrypted DNS queries over port 853 on the router. It is often a preferred (to DoH) because it uses a dedicated port that can be monitored separately from port 443 whereas with DoH DNS traffic is sent with the rest of the web HTTPs traffic over port 443.
Setting up DoT would be considered advanced for most users. It requires a server or virtual machine and a resolver, and there are many possibilities including Unbound, BIND and others. You will need to enter the respective server locations and urls in the custom settings for most resolver software.
For the IPv6 address options please consult the table above, "Summary of CIRA Canadian Shield DNS resolver addresses"