Skip to main content

CIRA DNS Firewall Client is a downloadable application that enables DNS privacy, security and content filtering. The client allows users to benefit from content policy and malware protection defined by network administrators without needing to be on the corporate network or VPN.

When CIRA DNS Firewall Client is active and running, you will see the [VPN] icon on iOS or the KEY icon on Android in the notification tray. The application provides you with the status on the main screen and, on Android, a protected status message will be present in the notification tray of the OS.

On Windows, you will see a green check Notification icon and the text “Your device is protected” in the notification area. Also, the client will show an icon in the system tray.

CIRA DNS Firewall Client scans all DNS requests against known threats and checks for any filtered content. “Requests scanned” is the total number of DNS requests that have been checked by the firewall against the content policies defined by your administrator.

“Items blocked” shows DNS requests which were blocked for being malicious (as defined by threat feeds) or based on web content filtering defined by an administrator. You can see the top domains scanned and blocked on the Client Protect feature screens and select between the last seven days and the last four weeks.

The CIRA DNS firewall client is not a significant drain on battery life. Data traffic generated by the client is based upon internet requests placed by applications on the device  Please note that some operating systems (OS) may incorrectly associate data/network traffic with the client rather than the originating application as it is the application requesting external network activity. However, DNS Firewall only creates a tiny amount of traffic on its own in order to sync content policies from CIRA services. The DNS Firewall Client acts as a proxy for all internet traffic in order to block malicious requests.

Application OS Version

OS Version (Supported/Compatible)

Where is the Application Hosted?

Google Android OS

Android version 5.0 and above

Google Play Store

Google Chromebook OS

Supported Chromebooks

Android version 5.0 and above

Google Play Store

Apple iOS

iPhone, iPad, and iPod Touch require iOS version 10.0 and above

Apple App Store

MS Windows

Windows version 10 and above

Desktop Windows client by Akamai


macOS version 10.15 (Catalina) and above

Apple App Store

The VPN permission is needed to allow the CIRA DNS Firewall application to manage your DNS traffic. Your data is not tunneled into a VPN server like traditional VPN services which encrypts all your traffic and modifies your online identity. Instead, CIRA DNS Firewall routes your DNS and HTTP/HTTPS queries to our DNS resolvers which examines if it needs to be blocked before allowing the query through. This ensures that a user’s local IP is always presented to the website or server the query is hitting. All other network traffic besides DNS and HTTP/HTTPS requests travel between the device and destination directly.

The CIRA DNS Firewall Client performs the following steps to determine if it is off-network. These steps are performed periodically or whenever there is a change in the device network condition.

  • First, the client will try to resolve a query to a pre-configured test host using the default DNS resolver. It will compare the result (DNS response) against a pre-configured list (for example: IP addresses) in its configuration. If the result is on the list, then the client is considered to be on-net for this test.
  • In addition, the client will make a DNS over HTTPS (DoH) query for the configured DoH hostname. If the DoH response contains the HTTP response header “X-Client-Location” with the value of “OnNet”, then the client is considered to be on-net for this test.
  • The client will be considered “on-net” only if the results from both tests are “on-net”. Otherwise, the client is considered to be off-net.

If the DoH query for the DoH hostname fails for all the configured DoH server IP addresses, the client will be provided with the feedback that the device is not protected. It will then retry the process at configured intervals.

Some direct Wi-Fi services, like connecting to a printer or an in-home security camera, may not work when a VPN is active. The application has logic to detect and allow direct Wi-Fi, so please try to connect more than once before temporarily disabling the CIRA DNS Firewall Client service.

  • Some games, especially those that have direct player matches, may not work when a VPN is active.
  • To temporarily disable the CIRA DNS Firewall Client follow the steps below:
    • Open the client application and tap on the menu (three dots upper right) and then tap on Configure.
    • Next tap on the CIRA DNS Firewall Client Protect toggle button, then tap OK on the warning message.
    • You can now connect to the printer, security camera or play the game.
    • To re-enable, open the CIRA DNS Firewall Client and repeat the steps above, toggling the client button to turn it on.
  • iOS Note: The Wi-Fi logo may disappear when the VPN is running, even though you are still connected to Wi-Fi. This is a known occurrence for all VPNs on iOS. To check that you are still on Wi-Fi, tap on your iPhone Settings application and look at the Wi-Fi status.
  • Some websites or applications may fail to load if content policies block partial content. For example: content filtering might block advertising or gaming sites causing a mobile game to not load. Application issues should be reported to your IT administrator.
  • Individual manual installations from activation email sent by an IT administrator
  • Mobile device management tool such as Microsoft Intune or Google Workspace Admin

Yes, but performance may be degraded based on local network performance and because the DNS resolvers the client uses to look up queries are all situated in Canada.

Device Reporting has the ability to search devices by username.  When installing the application on devices manually, you may provide any username and search for it in the reporting.

When installing the application via an MDM software such as InTune, please ensure that you are following the documentation which specifies how to dynamically assign usernames using variables.

When connected to your corporate network, the Windows application will show it is disconnected. CIRA DNS Firewall is protecting your device on the network level because it takes priority over the application level. This is discussed more in detail in the Getting Started Guide under the section “Overlapping Networks and Device Groups”.

When there are new versions of the application in the Google Play Store and Apple Store, the application will be upgraded based on device preferences – either auto updated or manually triggered by users. Click here for Android instructions or here for Apple iOS and macOS devices.  The latest version of Windows installer is available from the DNS Firewall portal. Detailed instruction on installing and upgrading clients can be found within the installation guide.

The latest version of the Getting Started Guide or Detailed Installation Guide can always be found in the DNS Firewall portal’s online help.

You can retrieve these documents by doing the following:

  • Click on the ? icon on the top right which will open a new window
  • Click on the Menu icon on the top left
  • Go to Contents > Supplementary Documents > Supplementary Documents
  • The documents will be under the PDF section

If you would like to be notified of these updates directly, please sign up for DNS Firewall service messages. Service messages are sent via email and posted as banner in the user portal. Please ensure that you have enabled “Service Email” option in your user profile to received future messages.

When a device using a Windows operating system is started, the application needs to first verify if your device is connected to your corporate network. If it is not, then the application will be enabled to protect the device and it will establish connections to the CIRA DNS resolvers. On Windows devices, this process takes a few seconds to be completed whereas it is quicker on other operating systems.

The applications on all operating systems have an option to be disabled based upon options selected at installation. When installing the application via an MDM software such as Microsoft InTune or Google Workspace Admin, you may prevent your users from disabling the application by following the steps in the Detailed Installation Guide.

Please note: allowing users to have the ability to disable the application may be advisable during initial service roll-out. It is possible that users will encounter DNS resolution issues on some networks and allowing end users to disable the feature may be a useful troubleshooting option.

The applications on all operating systems can be uninstalled. Like most common applications, the CIRA DNS Firewall application itself does not have any preventative measures of being uninstalled. To prevent uninstallation, it will need to be enforced on an MDM level depending on the software’s capabilities. For example, InTune cannot prevent a user from uninstalling an application, but it can force the application to be re-installed if it’s missing every time the device is synchronized. It is important to make sure the activation links are kept updated so that re-installation and re-registration are successful. The Windows application is a little different such that only users with Admin permissions can uninstall the application.

When registering a device with the activation link, it also prompts for first and last names. On all platforms, you may provide variables for these fields so that each device will have a unique identifier. These steps are documented in the Detailed Installation Guide’s InTune section.

Please verify the following:

  • Do you have Internet connectivity?
  • Does your organization, WiFi, or browser allow DoH requests? The CIRA DNS Firewall client needs to be able to reach via DoH.
  • Did you try rebooting?
  • Is the client activated with a non-expired activation link? You can try uninstalling and reactivating with a new activation link.

Local domain allow lists were previously used by DNS Firewall Windows client to aid in expedited resolution of local domain names. These lists also acted as a mechanism to ensure internal domain names were not transmitted to your ISP’s DNS resolvers. As of the 2.4 version of the Windows client, these domain lists are no longer needed by DNS Firewall as changes to the DNS resolution flows will prioritize local resolvers ahead of DNS Firewall.