Skip to main content

Home and general FAQ

  • What is the DNS?

    The DNS standard is as old as the world-wide-web itself (remember when we called it that!) It is a massively redundant hierarchical system of databases that is used to correlate human readable domain names with the IP addresses of the servers where websites and applications live. It is designed to ensure 100% availability for the Internet’s critical infrastructure. It looks like this:

    www.cira.ca --> 52.60.203.65

    Most households don’t think about the DNS and stick with whatever their ISP has pre-configured but there are many options available for those that choose to use a different service to handle their queries.  The CIRA Canadian Shield is one such option.

    If you want to get really deep then please read our resource on how the DNS works or see the full glossary of terms

  • What are malicious domains?

    Malicious domains are websites or URLs that either try to damage your computer or device, spy on end users, attempt to install malware or attempt to steal private data for either resale or to directly steal from you.

  • How do domains (URLs) play a role?

    Hackers will often use a domain that looks similar to a legitimate company or are common typing mistakes for real domains. Links are often sent in communication tools like email and SMS to these fake domains. Additionally, a lot of malicious software uses pseudo-random domain strings to communicate with command and control servers. With CIRA Canadian Shield, access to these malicious domains is blocked at the internet layer.

  • What is malware?

    Remember when we used to just worry about getting a computer virus? Well, much has changed. Malware is a whole family of malicious software that includes the humble virus. Malware is code that gets on your PC or device and can include things like ransomware that locks your data until you pay, keyloggers that watch what you type on a keyboard (including passwords), bitcoin miners that use your computer and electricity to generate money for someone else, and much, much more.

  • What is phishing?

    Phishing is the attempt to obtain private information by tricking the end user into entering data onto a website. Generally, a phishing website tries to look like a legitimate site and will often use a domain name that looks similar to a real company. Usually the first interaction with phishing comes from an email, instant message or other type or electronic communication.

  • What is botnet?

    Technically a botnet is a string of connected computers (hence the term “net”) that coordinate to perform a task; but when put to nefarious use they can be used to launch things like DDoS attacks (which is an attempt to overwhelm resources with a massive number of illegitimate traffic). Many botnets use the DNS to function and in these cases infected machines can be stopped from using PC and network resources.

  • How does CIRA Canadian Shield protect my computers and devices?

    When you use CIRA Canadian Shield, websites that contain malicious software or engage in phishing are blocked at the DNS layer. This means that no connection to the bad websites or web applications get established. Additionally, when you enable it by changing the DNS settings in the router, every device in the household that uses the home network is automatically protected. Alternatively, you can change the settings on individual computers or consoles on the network.

  • Where do you get your threat intelligence?

    CIRA works with Akamai, a global provider of internet technology. They are responsible for over 30% of all traffic in the internet and 4% of all global DNS queries (yes that is billions and billions of queries). Anytime a DNS lookup is performed for the very first time anywhere it is automatically quarantined and inspected. If it is determined to be malicious then it is added globally to the block list. Machine learning and AI is also used to detect patterns in seemingly unrelated DNS lookups to detect and block malicious activity. Many botnets use algorithmically generated domain names to function and many have been reverse engineered so that the malicious domains are automatically on the list. And finally, the service incorporates 3rd party feeds from both commercial cybersecurity vendors and the open source community.

    Notably, while the threat detection is global, the service is only delivered from servers located in Canada and managed by CIRA.

  • What are the three levels (Private, Protected, Family) of CIRA Canadian Shield?

    Different people have different needs and you can decide for yourself what you need.

    The three levels are accessed based on which IP addresses you use to access the DNS resolver.

    Private is an open recursive DNS service. It offers DNS resolution but no cybersecurity or filtering. It is considered private because we do not keep your IP address longer than is needed for managing the service against threats. We do not attempt to relate it to you or location or use it for marketing or resale purposes.

    Protected includes the features of the private option but also adds security. When you attempt to visit a domain that contains malware or engages in phishing then the request gets refused and you are presented with a block page (HTTP) or it won’t resolve (HTTPs).

    Family adds to the cybersecurity in the protected service to include blocking pornographic content. It is not blocking other forms of content that some may consider adult, such as sites about drugs, gambling, or self-harm.

     

  • Does this replace my other security software like antivirus or traditional firewall?

    We do not recommend turning off other layers of security. This security layer exists outside your home network to provide blanket protection when the malware uses a domain name, or the DNS, to either infect the computer or to communicate with command and control servers. Other layers of protection, like a firewall, also protect against packet-level hacks while antivirus software can detect and remove malicious code that may come along with something you or your family legitimately installed (think of a nefarious Minecraft mod). And finally, don't forget to install those operating system updates as soon as they are released.

  • How can I configure Canadian Shield?

    Canadian Shield can be configured in the router/gateway, in the operating system settings for your computers and in some applications that directly use either the DNS or encrypted DNS (i.e. some browsers). It can also be installed on mobile devices through a simple app download.

    Full instructions are available from the service home page.

  • What are the ways I can test to see if I have configured it correctly?

    We certainly don’t want you to try our service by visiting actual malicious sites! We have pre-configured a simple test that is available on the set-up page. This test will work with most browser/operating system combinations but we have found some instances where the simple test will not return the expected result and so have set-up some URLs you can use.

    If you have configured Private, you should check for the following things:

    • DNS resolution is happening correctly, i.e., you are able to browse the web.

    If you have configured Protected, you should check for the following things:

    • DNS resolution is happening correctly, i.e., you are able to browse the web.
    • If you try to click the link: canadianshield-phishing-test.cira.ca, you should be redirected to Phishing Block Page or you will receive an error message if you have done it incorrectly.

    If you have configured Family, you should check for the following things:

    • DNS resolution is happening correctly, i.e., you are able to browse the web.
    • If you try to click the link: canadianshield-phishing-test.cira.ca ,you should be redirected to Phishing Block Page or you will receive an error message if you have done it incorrectly.
    • If you try to click the link: canadianshield-content-test.cira.ca, you should get an inappropriate content block page or you will receive an error message if you have done it incorrectly.
  • What will I see when you block a site?

    For the protected and family services, DNS queries to HTTP sites in the respective block lists will be directed to a block page describing the reason for the block (malware, phishing, or family content filtering). There is no blocking in the open recursive service. 

    Today, attempts to visit HTTPs sites will return an "NXDOMAIN". This means that the site will not resolve and it will return a timed-out response. CIRA is currently developing features that return block pages for both HTTP and HTTPs traffic. While we recognize that this is not ideal, in most cases malware and phishing sites use domains you don't want to resolve anyway. Moreover, if you review the non-resolving domain you will often spot a typo-squat, fake name, or random string of characters to help you identify that the site is malicious – something you may not have noticed when clicking on a link.

  • How do you prevent false positives (i.e. accidentally blocking a legitimate domain)?

    CIRA Canadian Shield leverages a threat feed that is global and used by ISPs around the world and is designed to have a very low false positive rate. The threat feed is used for the CIRA DNS Firewall that currently protects 1.8 million Canadian users and the rate of false positives to legitimate queries is something very close to zero.  Please use our support form if you believe we are blocking a domain in error. 

  • How is CIRA Canadian Shield different from a Virtual Private Network (VPN) and will it work with my VPN?

    The core benefit of CIRA Canadian Shield is that it blocks malware and phishing using the DNS. While it does offer options for DNS encryption it does not encrypt all traffic and so is not a replacement for those looking for a full VPN. 

    The exception is for those looking for a mobile VPN specifically for browser-based traffic over HTTP while on public networks. In this instance, the mobile application has an option, called “Secure WiFi” that is a paid upgrade and will encrypt all non-HTTPs traffic when on public WiFi networks.

    Please note that if you are using a VPN then the CIRA Canadian Shield will not be providing DNS service, including protection, while you are on the VPN.

  • What do I do if my router/gateway doesn’t allow me to change my DNS settings?

    Unfortunately, this is true for some gateways provided by ISPs. In these instances, you should be able to configure CIRA Canadian Shield to work by changing the DNS settings in the operating systems. It will require you to configure each device separately, but for most households this can be effective for their connected computers.

    The second option is to put the gateway into a bridge-only setting and to run your own router for the home network – this method is commonly used by people who prefer to use their own router to that provided by the ISP.

    Finally, you can take advantage of CIRA Canadian Shield by configuring the DNS over HTTPs (DoH) settings in the individual applications that support them. This means that DNS queries from these applications will go over an encrypted path to the CIRA resolver.

  • Is CIRA Canadian Shield compatible with my antivirus software?

    CIRA Canadian Shield provides, what security teams call, “defence-in-depth”. This means that it is an effective layer that improves existing security solutions by providing both a unique defensive layer and unique threat intelligence. We recommend that households use DNS-based cybersecurity.

    The issue of compatibility depends on the features that are available in your antivirus software. Some offer DNS-based security and privacy and these may need to be disabled to take advantage of CIRA Canadian Shield. Consult your user documentation from your A/V vendor.

  • What is DNS over HTTPs (DNS encryption)?

    Traditional DNS typically uses port 53 to send queries to recursive servers in a format that can be read and understood along the path by those with the technical know-how to do so. The DNS can also be used to block access to content or to the internet entirely. DNS over HTTPs (DoH) is a new protocol that uses the HTTPs encryption that the browser uses to encrypt the query and send it over the same path as the browser (port 443). This means that it is indistinguishable from other content in transit to the recursive resolver.

    The resolver still has to decrypt the information to know the query so you are not invisible to them. In essence with DoH a consumer has a way to have more privacy and to choose with whom they decide to bring into their circle of trust as it relates to the DNS.

  • Does CIRA support DNS over TLS (DoT) and DNS over HTTPs (DoH)?

    Yes. Both DNS encryption standards are supported.

  • Does DNS over HTTPs replace DNSSEC?

    The short answer is no. DNS over HTTPs can reduce the risk associated with man in the middle attacks that redirect legitimate DNS queries to a phishing or malware site but it doesn’t do the same authentication across the entire DNS that DNSSEC performs. The same is true of DNS over TLS.

  • Does CIRA Canadian Shield support DNSSEC?

    Yes, CIRA Canadian Shield provides DNSSEC validation.

  • Is CIRA Canadian Shield supported over IPv6?

    Yes. CIRA Canadian Shield works over both IPv4 and IPv6.

  • Can I report a malicious domain?

    If you wish to report a malicious domain, group of domains, or IP addresses then you can do so via our support page. We will review and take appropriate action.

  • How do I report a false positive or a previously infected domain that has been cleaned up?

    Based on our experience running a commercial version of the service, CIRA Canadian Shield has a very low false positive rate having only lodged a handful of requests on over 1.8 million users. Most times, domains that are reported to us as a false positive are found to be hosting malicious content without the knowledge of the domain owner. If you believe that your domain is being blocked incorrectly by CIRA Canadian Shield then please visit our support page to lodge the request for review.

    If your site has been hijacked or misused by hackers and as a result has been placed on block lists (including ours) then you are in a very difficult situation. Once the problem has been rectified on your end you can request a review using our support page. This can involve multiple global vendors and so we cannot provide a time-frame for when the review will be complete.

  • How do I get support?

    CIRA Canadian Shield is a free personal-user service and offers basic email-only support via webform.

    Please visit our support form

  • Why do I get a Reddit blocked warning with the Family service on some non-Reddit sites?

    Reddit is categorized by many content filtering lists, including ours, as hosting pornographic content and so it is on the block list for the Family plan. Reddit is a well known as a very useful site for free speech, but that means it can sometimes include mature content. 

    The problem on non-Reddit sites occurs because Reddit also runs advertising programs and the companies that advertise on there will often host tracking code from Reddit. In otherwords, when legitimate sites host Reddit code, that code is blocked and a pop-up warning appears on the mobile app for Canadian Shield.

    The site you visit will continue to resolve and function as expected.


Mobile App (coming soon!) FAQ

  • What is an unsecure Wi-Fi network?

    An unsecure wireless connection is one you can access without a password. Public networks offered in places like cafes, retail stores and parks are often open and unsecured networks.

  • What phones and OS versions are supported?

    iOS Phones: The application is available for download from the Apple App Store on iOS phones running iOS 10 and higher

    Android Phones: The application is downloadable from the PlayStore on many new mobile phones activated after August 1, 2018 running Android 4.3 or higher

  • How do I turn off notifications?

    Go into your phone settings and select:

    iOS: Settings>Notifications>Secure Wi-Fi>Turn off notifications

    Android: Settings>Notifications>Secure Wi-Fi>Turn off notifications

  • How do I cancel my Premium add-on service?

    To cancel the Full-time Secure Wi-Fi subscription:

    1. (Android) Open the Canadian Shield Secure Wi-Fi app
    2. Touch “Unsubscribe”.

    Note: Premium service will be available until the end of your current billing cycle. You will not be billed after that.

  • How can I tell if the app is working?

    The app is running whenever the following icon is displayed in the notification bar (at the top of your device), while you are connected to a Wi-Fi network:

    • Android - key symbol
    • iOS - VPN symbol

    You also will also notice that where you may have experienced poor or no data service in the past on Wi-Fi, that your data session will continue seamlessly without interruption.

    Please note that each feature can be turned on/off. The VPN will be running all the time for the Canadian Shield application, however, Wi-Fi Bonding and Secure Wi-Fi are premium features and require the user to subscribe. Once subscribed, the user can enable/disable the features by tapping the On/Off option bar.

  • Why am I unable to access the internet on some public Wi-Fi networks?

    This may occur for several reasons:

    • Many public Wi-Fi networks require you to login first before allowing Internet access.  You can do this by opening a browser.  Make sure you have completed the login process.
    • You could have a poor Wi-Fi signal.  Move to an area where the signal strength is stronger.
    • Internet access could be impaired due to high Wi-Fi network congestion caused by too many users.
  • Why does my phone automatically connect to a Wi-Fi network?

    Your phone may be automatically connecting to Wi-Fi networks that use the same name as a network that you have connected to previously (e.g. Starbucks, Cable Wi-Fi, Boingo, etc.).

  • Does Canadian Shield Secure Wi-Fi run all the time?

    If the user subscribes to Premium Services and has Secure Wi-Fi enabled, then yes. Secure Wi-Fi monitors your network activity, so it can automatically detect when you connect to a Wi-Fi network and protect your Wi-Fi sessions when needed.

  • Does the application impact my battery?

    Canadian Shield uses very little battery power itself so your overall battery usage will be approximately the same as before having Canadian Shield Wi-Fi Bonding on your device. However, your device will show Canadian Shield as using more battery than it really does, because it will now assign the battery impact of the traffic performed by your apps to the Canadian Shield app. This is because your network traffic is being handled by Canadian Shield, and the device estimates battery usage based on how much data is sent/received by an app. When Canadian Shield is installed, it will appear to the device’s Operating System that Canadian Shield is responsible for all data usage instead of the actual app that is performing the traffic. In reality, data usage is actually coming from your normal app usage and Canadian Shield is simply optimizing and securing the data from those apps. In other words, the Operating System is simply shifting the blame for data/battery usage from your apps to Canadian Shield, so the battery usage of your apps will appear to go down and when combined with the Canadian Shield battery usage, the overall battery usage on your device will ultimately remain approximately the same as before installing Canadian Shield.

  • Can I continue to use the mobile app when I travel outside of Canada?

    Yes. The app will work on any Wi-Fi network or mobile data network outside of Canada.


Mobile App - Secure WiFi upgrade (coming soon!) FAQ

  • What is Encrypted Wi-Fi?

    The Encrypted Wi-Fi service provides a safer and more efficient way to use both unsecure and password-protected Wi-Fi networks by reducing the risk of your personal and sensitive data being compromised. Now you can email, browse and stream safely on Wi-Fi networks. Encrypted Wi-Fi is the smart and efficient solution not only protecting you, but also optimizing your device’s performance while in protected mode.

  • How Does Encrypted Wi-Fi Work?

    Encrypted Wi-Fi is a service that automatically detects when you access a Wi-Fi network, and when enabled, will encrypt the data you transmit before it leaves your phone to ensure your privacy and protection.

  • Does Wi-Fi encrypt traffic that is already encrypted?

    No, Encrypted Wi-Fi only encrypts unsecured (HTTP) traffic.

  • How do users activate the Encrypted Wi-Fi service?

    Tap “Upgrade to Premium” you will be presented with a subscribe screen. Follow the prompts to complete your upgrade.

  • Does the Encrypted Wi-Fi service slow down my network connection?

    There may be a slight reduction in speed due to the encryption used to protect your data.

  • While I am connected to Wi-Fi, will I still be secure?

    Yes, while on Wi-Fi, as long as the Encrypted Wi-Fi feature is enabled, your traffic will be automatically encrypting your Wi-Fi traffic in the background, providing you the security you’ve come to expect without compromising your personal and sensitive data.

  • What is Wi-Fi Bonding?

    Wi-Fi Bonding is a premium feature that's available in the app. It helps provide an optimal Wi-Fi data experience by automatically and seamlessly leveraging cellular data to boost your data performance wherever you experience slow or no data over Wi-Fi. Now you can browse, enjoy media or look up directions on a map app without interruption as you move between Wi-Fi networks like at home and the cellular network, or transition between Wi-Fi networks. Not only do you get the benefit of an uninterrupted data session, you also still enjoy the security provided by the Secure Wi-Fi feature, so you are without risk of compromising personal and sensitive data.

  • How Does Wi-Fi Bonding work?

    Wi-Fi Bonding runs transparently in the background on your device and detects when your Wi-Fi network is slow or the signal level is too poor for sending data, and it will automatically and simultaneously leverage the cellular channel to augment the Wi-Fi channel so your data session performs at the best possible overall speed, while remaining constant and uninterrupted.

  • Will Canadian Shield Wi-Fi Bonding affect my internet access as well?

    Canadian Shield Wi-Fi Bonding will not change the way your Wi-Fi network operates. However, it will enhance the way your device behaves on Wi-Fi by automatically detecting when there are problems with the Wi-Fi connection. So, if you have a poor Wi-Fi signal or if the Wi-Fi is too congested, it will simultaneously leverage cellular to boost your overall data performance. This also helps with the “driveway problem,” where being at the edge of the Wi-Fi may be unusable and it will make this transition seamless as you continue browsing or try using an application that requires immediate data while in a “dead zone.”