This FAQ is intended to answer technical questions related to the service and not general questions about the program. Book a meeting with us or consult with your local research network or CANARIE for more details on the program specifics.
This program is only available to members that are connected to CANARIE through their provincial or territorial partner in Canada’s National Research and Education Network (NREN). The first step is to determine that you are eligible for the service under this program and then to execute the Organization Cybersecurity Collaboration Agreement (OCCA) with CANARIE. CIRA or your local NREN partner can assist with information about this process if you are unsure.
Existing CIRA DNS Firewall customers, who are eligible for the program, will need to execute the OCCA described above and then CIRA can convert your account status to the program as at the latter of January 1, 2021 or the date that your OCCA was executed.
The Domain Name System (DNS) is a massively distributed hierarchical database that associates human readable domain names with the IP addresses that computers understand. It is like the internet’s phonebook. Domains use “authoritative” resolvers that are the source of truth about the DNS record. A user on the internet uses “recursive” resolvers that know how to look up the truth by visiting the authoritative resolvers. They then typically cache that answer for a period of time before doing another lookup.
CIRA Anycast DNS provides a secondary authoritative DNS resolver for your domain names to make them faster, more resilient, and more resistant to hacker attacks (like DDOS). It is a best practice for reliability to maintain at least two clouds of secondary service for critical domains. Over 300 educational organizations in Canada use CIRA’s authoritative Anycast DNS service.
CIRA DNS Firewall is what is called a “policy-enabled” recursive service. It provides the answers to end users visiting domains in a browser or through an application. The policy part means that it has been configured to block attempted visits to known threats.
In short, CIRA operates services for both the authoritative (CIRA Anycast DNS) and recursive (CIRA DNS Firewall) sides of the DNS.
We have found that most educational organizations in Canada operate their own recursive servers whether through Bind, Active Directory DNS or other software packages. For those wanting to use the CIRA DNS Firewall, DNS administrators typically continue to use the local recursive server but forward queries to CIRA. This allows the local server operate with more resilience. In this case, since CIRA operates two recursive clouds we do not recommend backing up the service with another provider.
This is not an open DNS service and so you need to complete the CANARIE CIP paperwork and sign up with CIRA to have your administrative user and corporate IP addresses added to the service. This is usually accomplished via an initial onboarding meeting to help answer any questions that you may have. However, for those familiar with their DNS and that are interested in getting set-up quickly, by completing the registration form you will get login credentials for portal access. On your end it is normally simply configuring your DNS servers to forward queries and this is documented in the quick start guide and online help. CIRA operates two clouds for redundancy and uses IPv6, IPv6 and DNS-encryption based options.
Yes. For those running some remote locations that may not have a fixed IP address.
There is no limitation on the number of networks or users you can protect under the terms of service. However, all of them must be from the contracting organization.
A long local cache is a potential security risk because the local server would not be immediately aware of a new threat that has been created on an existing domain). This can happen in the event of an existing website being hacked. We typically recommend a short local cache but it is up to the IT administrator managing the network to decide.
CIRA ran an analysis of the performance of the CIRA DNS Firewall servers using a tool called RIPE Atlas. For Canadian queries the CIRA service ranked favorably (within +/- a few milliseconds) with some of the biggest players in the world such as Google and Cloudflare. For networks that are peered to internet exchange points in Canada (like research networks) we should exceed the performance of the vast majority of recursive resolvers.
CIRA gets its primary threat feed from Akamai. Akamai receives an anonymized stream of DNS queries from 100’s of ISPs around the world. Within minutes of a domain being queried globally it is analyzed and added to threat-feed if malicious. The Akamai feed is also preloaded with algorithmically generated domains ( DGAs ) to block malware command and control. The feed also incorporates 37 other public and commercial feeds from major cybersecurity vendors such as Sophos. Finally, we have incorporated the feed from the Canadian Center for Cybersecurity (CCCS) and for higher-education, the feed from CANSSOC.
First and foremost, under the program with research networks, the CIRA solution has no cost to the organization. The CIRA solution has a unique threat feed, is solely located in Canada for better data sovereignty and privacy, and is delivered by a non-profit organization with no commercial interest in our customers’ data. We are also working closely with other Canadian educational and government institutions to continue our mission for a more trusted Canadian Internet
Our incorporation of additional, and uniquely Canadian, feeds further improves the cyber-threat protection versus other options. The basic (free) OpenDNS service is intended for households does not do any kind of malware blocking nor does it allow for content filtering. CISCO Umbrella and the CIRA DNS Firewall offer, what we feel are comparable cybersecurity and content filtering. It is noted that CISCO Umbrella, at time of this program launch, has desktop client software (added cost) that CIRA does not. When considering that most organizations have already made significant investments in endpoint software we believe that, for most uses, the CIRA DNS Firewall is perfectly suited as an added layer of cyber-protection. This is especially true for organizations, like schools that run public network access, land have limited control over the users on the networks.
Organizations that sign up for the service are able to configure their networks via IP address and to manage them from within the portal.
For HTTP traffic, users clicking on malicious link or a link to content that is being filtered receive a block page (HTTP) that can be customized by the organization. For HTTPs traffic the page will not resolve.
CIRA DNS Firewall supports over 60 different content filtering categories that can be manually configured by the organization. Individual URLs can also be blacklisted. Notably, CIRA makes available a child exploitation block feed from Cybertip.ca that can be optionally turned on.
For those that choose to turn on content filtering categories, individual domains can be white listed. This is often used when organizations want to block a certain type of content that is known to be risky from certain networks (i.e. online storage services from administrative networks) but to allow access to only approved services.
Yes, using the black list. This is particularly handy for when an organization is targeted in a spear phishing attempt that may not have been identified on global threat lists because you can immediately add identified threats to the block list. Notably, custom lists can also be bulk uploaded at initial set-up for those who maintain a current list.
Yes, the threat feed can be turned off but individual threats cannot be automatically whitelisted.
CIRA maintains a simple method for reporting potential false positives. The link to this support form is found in the online help in the web portal for the service. Notably, in running the service for over three years we have only seen a tiny handful of false positive reports – an equal number of which turned out to be legitimate threats.