Off-Network Protection
CIRA has upgraded the DNS Firewall Off-Network Protection clients. Devices that use the previous clients no longer appear in the portal, although they will continue to resolve DNS and remain protected until November 30, 2025.
Once your devices are registered with the new applications, they will appear in the device list again and can be managed as before.
On the previous platform, device details such as your username appeared in the HUB dashboard. These details no longer display for the legacy applications, although queries and blocks still do. Once the device is upgraded to the new client, full device information will be shown in the updated reports.
For step-by-step instructions, please refer to the updated Off-Network Protection documentation.
If the upgrade is not completed by November 30, the current Off-Network Protection (ONP) client will automatically deactivate. The device will revert to using the local network DNS, and protection outside the corporate network will stop until the new applications are installed.
Policy updates, user-level controls, activity reporting and the security improvements introduced with the upgraded platform will not apply to devices that continue using the old ONP client.
After November 30, the previous ONP applications cannot be reinstalled. Only the new applications can be used to restore Off-Network Protection.
Android / ChromeOS
https://play.google.com/store/apps/details?id=ca.cira.dnsfirewall
- The application will appear as CIRA DNS Firewall
- Opening an activation link on an Android device will redirect to Google Play
iOS
https://apps.apple.com/ca/app/cira-dns-firewall/id6753696160
- The application will temporarily appear as CIRA DNS Firewall NEW
- Opening an activation link on an iOS device will redirect to the App Store
Windows
- Generate a new activation link in CIRA Hub
- Open the link in your browser
- The updated Windows .msi installer will download automatically
- Uninstall the previous ONP application before installing the new version
macOS
https://apps.apple.com/ca/app/cira-dns-firewall-new/id6753696160?platform=mac
- The application will temporarily appear as CIRA DNS Firewall NEW
- Opening an activation link on a macOS device will redirect to the App Store
The direct link is:
https://www.cirahub.ca/help/sys/en/Default.htm#Supplementary%20Docs/SupplementaryDocs.htm?TocPath=CIRA%20DNS%20Firewall%7CSupplementary%20Documents%7C_____0
To reach this page manually:
- Go to CIRA Hub Resources
- Select CIRA DNS Firewall
- Open Supplementary Documents
- Locate the ONP documents at the bottom of the list
The ONP MDM files are also available on the CIRA Hub Resources page.
The new applications must be aware of your internal domains (for example, example.ca or corp.example.ca) to allow internal DNS servers to resolve them correctly.
Please provide CIRA with a list of your local domains so that they can be added to the local domain bypass list for your organization.
A future release will provide a self-service option to configure this directly in the portal.
The core troubleshooting process remains unchanged.
- Determine whether the issue is an on-network or off-network issue.
- If it is on-network, confirm whether the correct local domains have been added.
- Perform a re-sync.
- Disable and re-enable the application.
- Collect diagnostic logs from the application and send them to CIRA Support so a ticket can be reviewed by engineering.
Networks and profiles
DNS Firewall no longer permits overlapping IP subnets. As part of the platform upgrade, your IP ranges were automatically adjusted so that none of your subnets overlap.
Your total IP coverage remains unchanged. Previously, the portal resolved overlaps by prioritizing the most specific subnet. The new logic separates ranges into non-overlapping blocks.
Example:
If you previously configured 1.1.1.0/24 and 1.1.1.150/32, the /24 network is automatically divided into the following ranges to avoid overlap:
- 1.1.1.0/25
- 1.1.1.128/28
- 1.1.1.144/30
- 1.1.1.148/31
- 1.1.1.151/32
- 1.1.1.152/29
- 1.1.1.160/27
- 1.1.1.192/26
If you need assistance adding new IP ranges or adjusting subnets, please contact CIRA Support.
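The split shown above can be reproduced with Python's standard ipaddress module, which is useful for predicting how your own overlapping ranges were divided. This is an added example, not CIRA's code: the function name split_non_overlapping is hypothetical, it assumes IPv4-only input, and it goes beyond the two-network case by handling any nesting depth, assigning each block to the most specific configured network that covers it.

```python
import ipaddress


def split_non_overlapping(cidrs):
    """Map each disjoint block to the configured network it belongs to.

    Broader networks are carved around the more specific ones, so total
    coverage is unchanged and "most specific wins" is preserved.
    """
    # Most specific (longest prefix) first, so broader ranges are carved later.
    nets = sorted({ipaddress.ip_network(c) for c in cidrs},
                  key=lambda n: n.prefixlen, reverse=True)
    owned = {}    # disjoint block -> configured network it was cut from
    claimed = []  # configured networks already placed (all more specific)
    for net in nets:
        pieces = [net]
        for c in claimed:
            remaining = []
            for p in pieces:
                if p.subnet_of(c):
                    continue  # fully covered by a more specific network
                if c.subnet_of(p):
                    # Cut c out of p; yields the minimal set of CIDR blocks.
                    remaining.extend(p.address_exclude(c))
                else:
                    remaining.append(p)  # CIDR blocks nest or are disjoint
            pieces = remaining
        for p in pieces:
            owned[p] = net
        claimed.append(net)
    return dict(sorted(owned.items()))


if __name__ == "__main__":
    # The two networks from the example above.
    for block, owner in split_non_overlapping(
            ["1.1.1.0/24", "1.1.1.150/32"]).items():
        print(f"{str(block):<16} from {owner}")
```

Blocks whose owner is the original /24 correspond to the list above; the /32 keeps its own entry.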
The Global Domain Override feature has been retired. All domains previously listed in Global Domain Override have been migrated to the URL Filtering Allowlist.
Any domain added to the Allowlist will now be permitted.
These two features have been deprecated. If you require similar scheduling controls, CIRA Support can implement a workaround. Please provide:
- A list of the schedule times
- The categories that must be blocked during the schedule
- The networks where the schedule should apply
Data and reporting
DNS Firewall reporting has been improved to increase accuracy. The changes include:
- DNS-level block counting
Previously, blocks were counted each time the browser retried a blocked website. With the new platform, block events are counted once at the DNS layer, resulting in more accurate and often lower block totals.
- Improved threat feeds
The upgraded platform uses updated and more accurate threat intelligence. This reduces false positives and incorrect categorizations, which may change your block counts.