Skip to main content

Home and general FAQ

The DNS standard is as old as the world-wide-web itself (remember when we called it that!) It is a massively redundant hierarchical system of databases that is used to correlate human readable domain names with the IP addresses of the servers where websites and applications live. It is designed to ensure 100% availability for the Internet’s critical infrastructure. It looks like this:

www.cira.ca –> 52.60.203.65

Most households don’t think about the DNS and stick with whatever their ISP has pre-configured but there are many options available for those that choose to use a different service to handle their queries.  The CIRA Canadian Shield is one such option.

If you want to get really deep then please read our resource on how the DNS works or see the full glossary of terms.

Malicious domains are websites or URLs that either try to damage your computer or device, spy on end users, attempt to install malware or attempt to steal private data for either resale or to directly steal from you.

Hackers will often use a domain that looks similar to a legitimate company or are common typing mistakes for real domains. Links are often sent in communication tools like email and SMS to these fake domains. Additionally, a lot of malicious software uses pseudo-random domain strings to communicate with command and control servers. With CIRA Canadian Shield, access to these malicious domains is blocked at the internet layer.

Remember when we used to just worry about getting a computer virus? Well, much has changed. Malware is a whole family of malicious software that includes the humble virus. Malware is code that gets on your PC or device and can include things like ransomware that locks your data until you pay, keyloggers that watch what you type on a keyboard (including passwords), bitcoin miners that use your computer and electricity to generate money for someone else, and much, much more.

Phishing is the attempt to obtain private information by tricking the end user into entering data onto a website. Generally, a phishing website tries to look like a legitimate site and will often use a domain name that looks similar to a real company. Usually the first interaction with phishing comes from an email, instant message or other type or electronic communication.

Technically a botnet is a string of connected computers (hence the term “net”) that coordinate to perform a task; but when put to nefarious use they can be used to launch things like DDoS attacks (which is an attempt to overwhelm resources with a massive number of illegitimate traffic). Many botnets use the DNS to function and in these cases infected machines can be stopped from using PC and network resources.

When you use CIRA Canadian Shield, websites that contain malicious software or engage in phishing are blocked at the DNS layer. This means that no connection to the bad websites or web applications get established. Additionally, when you enable it by changing the DNS settings in the router, every device in the household that uses the home network is automatically protected. Alternatively, you can change the settings on individual computers or consoles on the network.

CIRA works with Akamai, a global provider of internet technology. They are responsible for over 30% of all traffic in the internet and 4% of all global DNS queries (yes that is billions and billions of queries). Anytime a DNS lookup is performed for the very first time anywhere it is automatically quarantined and inspected. If it is determined to be malicious then it is added globally to the block list. Machine learning and AI is also used to detect patterns in seemingly unrelated DNS lookups to detect and block malicious activity. Many botnets use algorithmically generated domain names to function and many have been reverse engineered so that the malicious domains are automatically on the list. And finally, the service incorporates 3rd party feeds from both commercial cybersecurity vendors and the open source community.

Notably, while the threat detection is global, the service is only delivered from servers located in Canada and managed by CIRA.

Different people have different needs and you can decide for yourself what you need.

The three levels are accessed based on which IP addresses you use to access the DNS resolver.

Private is an open recursive DNS service. It offers DNS resolution but no cybersecurity or filtering. It is considered private because we do not keep your IP address longer than is needed for managing the service against threats. We do not attempt to relate it to you or location or use it for marketing or resale purposes.

Protected includes the features of the private option but also adds security. When you attempt to visit a domain that contains malware or engages in phishing then the request gets refused and you are presented with a block page (HTTP) or it won’t resolve (HTTPs).

Family adds to the cybersecurity in the protected service to include blocking pornographic content. It is not blocking other forms of content that some may consider adult, such as sites about drugs, gambling, or self-harm.

We do not recommend turning off other layers of security. This security layer exists outside your home network to provide blanket protection when the malware uses a domain name, or the DNS, to either infect the computer or to communicate with command and control servers. Other layers of protection, like a firewall, also protect against packet-level hacks while antivirus software can detect and remove malicious code that may come along with something you or your family legitimately installed (think of a nefarious Minecraft mod). And finally, don’t forget to install those operating system updates as soon as they are released.

Canadian Shield can be configured in the router/gateway, in the operating system settings for your computers and in some applications that directly use either the DNS or encrypted DNS (i.e. some browsers). It can also be installed on mobile devices through a simple app download.

Full instructions are available from the service home page.

We certainly don’t want you to try our service by visiting actual malicious sites! We have pre-configured a simple test that is available on the set-up page. This test will work with most browser/operating system combinations but we have found some instances where the simple test will not return the expected result and so have set-up some URLs you can use.

If you have configured Private, you should check for the following things:

  • DNS resolution is happening correctly, i.e., you are able to browse the web.

If you have configured Protected, you should check for the following things:

  • DNS resolution is happening correctly, i.e., you are able to browse the web.
  • If you try to click the link: canadianshield-phishing-test.cira.ca canadianshield-phishing-test.cira.ca, you should be redirected to Phishing Block Page or you will receive an error message if you have done it incorrectly.

If you have configured Family, you should check for the following things:

  • DNS resolution is happening correctly, i.e., you are able to browse the web.
  • If you try to click the link: canadianshield-phishing-test.cira.ca ,you should be redirected to Phishing Block Page or you will receive an error message if you have done it incorrectly.
  • If you try to click the link: canadianshield-content-test.cira.ca, you should get an inappropriate content block page or you will receive an error message if you have done it incorrectly.

For the protected and family services, DNS queries to HTTP sites in the respective block lists will be directed to a block page describing the reason for the block (malware, phishing, or family content filtering). There is no blocking in the open recursive service.

Today, attempts to visit HTTPs sites will return an “NXDOMAIN”. This means that the site will not resolve and it will return a timed-out response. CIRA is currently developing features that return block pages for both HTTP and HTTPs traffic. While we recognize that this is not ideal, in most cases malware and phishing sites use domains you don’t want to resolve anyway. Moreover, if you review the non-resolving domain you will often spot a typo-squat, fake name, or random string of characters to help you identify that the site is malicious – something you may not have noticed when clicking on a link.

CIRA Canadian Shield leverages a threat feed that is global and used by ISPs around the world and is designed to have a very low false positive rate. The threat feed is used for the CIRA DNS Firewall that currently protects 1.8 million Canadian users and the rate of false positives to legitimate queries is something very close to zero.  Please use our support form if you believe we are blocking a domain in error.

The core benefit of CIRA Canadian Shield is that it blocks malware and phishing using the DNS. While it does offer options for DNS encryption it does not encrypt all traffic and so is not a replacement for those looking for a full VPN.

The exception is for those looking for a mobile VPN specifically for browser-based traffic over HTTP while on public networks. In this instance, the mobile application has an option, called “Secure WiFi” that is a paid upgrade and will encrypt all non-HTTPs traffic when on public WiFi networks.

Please note that if you are using a VPN then the CIRA Canadian Shield will not be providing DNS service, including protection, while you are on the VPN.

Unfortunately, this is true for some gateways provided by ISPs. In these instances, you should be able to configure CIRA Canadian Shield to work by changing the DNS settings in the operating systems. It will require you to configure each device separately, but for most households this can be effective for their connected computers.

The second option is to put the gateway into a bridge-only setting and to run your own router for the home network – this method is commonly used by people who prefer to use their own router to that provided by the ISP.

Finally, you can take advantage of CIRA Canadian Shield by configuring the DNS over HTTPs (DoH) settings in the individual applications that support them. This means that DNS queries from these applications will go over an encrypted path to the CIRA resolver.

CIRA Canadian Shield provides, what security teams call, “defence-in-depth”. This means that it is an effective layer that improves existing security solutions by providing both a unique defensive layer and unique threat intelligence. We recommend that households use DNS-based cybersecurity.

The issue of compatibility depends on the features that are available in your antivirus software. Some offer DNS-based security and privacy and these may need to be disabled to take advantage of CIRA Canadian Shield. Consult your user documentation from your A/V vendor.

Traditional DNS typically uses port 53 to send queries to recursive servers in a format that can be read and understood along the path by those with the technical know-how to do so. The DNS can also be used to block access to content or to the internet entirely. DNS over HTTPs (DoH) is a new protocol that uses the HTTPs encryption that the browser uses to encrypt the query and send it over the same path as the browser (port 443). This means that it is indistinguishable from other content in transit to the recursive resolver.

The resolver still has to decrypt the information to know the query so you are not invisible to them. In essence with DoH a consumer has a way to have more privacy and to choose with whom they decide to bring into their circle of trust as it relates to the DNS.

Yes. Both DNS encryption standards are supported.

The short answer is no. DNS over HTTPs can reduce the risk associated with man in the middle attacks that redirect legitimate DNS queries to a phishing or malware site but it doesn’t do the same authentication across the entire DNS that DNSSEC performs. The same is true of DNS over TLS.

Yes, CIRA Canadian Shield provides DNSSEC validation.

Yes. CIRA Canadian Shield works over both IPv4 and IPv6.

If you wish to report a malicious domain, group of domains, or IP addresses then you can do so via our support page. We will review and take appropriate action.

Based on our experience running a commercial version of the service, CIRA Canadian Shield has a very low false positive rate having only lodged a handful of requests on over 1.8 million users. Most times, domains that are reported to us as a false positive are found to be hosting malicious content without the knowledge of the domain owner. If you believe that your domain is being blocked incorrectly by CIRA Canadian Shield then please visit our support page to lodge the request for review.

If your site has been hijacked or misused by hackers and as a result has been placed on block lists (including ours) then you are in a very difficult situation. Once the problem has been rectified on your end you can request a review using our support page. This can involve multiple global vendors and so we cannot provide a time-frame for when the review will be complete.

CIRA Canadian Shield is a free personal-user service and offers basic email-only support via webform.

Please visit our support form.

Reddit is categorized by many content filtering lists, including ours, as hosting pornographic content and so it is on the block list for the Family plan. Reddit is a well known as a very useful site for free speech, but that means it can sometimes include mature content.

The problem on non-Reddit sites occurs because Reddit also runs advertising programs and the companies that advertise on there will often host tracking code from Reddit. In otherwords, when legitimate sites host Reddit code, that code is blocked and a pop-up warning appears on the mobile app for Canadian Shield.

The site you visit will continue to resolve and function as expected.

Read our policy statement on how to report suspected vulnerabilities  policy statement on how to report suspected vulnerabilities for any of CIRA’s services.

Simply put, it is our goal to build trusted internet in Canada by making the DNS privacy and security that CIRA Canadian Shield delivers ubiquitous. Over time we expect to announce more partnerships to help bring this vision to life. Partnerships that include more browsers and operating systems as well as more technology to deliver even better features. Want to partner with us for technology, infrastructure, transit or anything else? Please contact us here: cybersecurity.services (at) cira.ca

Consider the following possible actions as soon as possible because time is of the essence:

  1. Contact the company by which you paid (Paypal, Adyen, Ingenico, etc.) and explain that you have been scammed by an untrustworthy site and ask them to refund the amount you paid.
  2. You may be able to get help and advice from your bank if needed on what to do.
  3. If you paid via credit card – call your bank and ask to start the “chargeback process” as you have been the subject of fraud.
  4. Report the scam to the local authorities via the Canadian anti-fraud center website https://www.antifraudcentre-centreantifraude.ca/index-eng.htm.

Canadian Shield utilizes a neutral third party, Pingdom.com, to monitor and report on the status of Canadian Shield’s services. You can view the live and historical reports here.

Mobile App FAQ

An unsecure wireless connection is one you can access without a password. Public networks offered in places like cafes, retail stores and parks are often open and unsecured networks.

iOS Phones: The application is available for download from the Apple App Store on iOS phones running iOS 10 and higher

Android Phones: The application is downloadable from the PlayStore on many new mobile phones activated after August 1, 2018 running Android 4.3 or higher

Go into your phone settings and select:

iOS: Settings>Notifications>Secure Wi-Fi>Turn off notifications

Android: Settings>Notifications>Secure Wi-Fi>Turn off notifications

To cancel the Full-time Secure Wi-Fi subscription:

  1. (Android) Open the Canadian Shield Secure Wi-Fi app
  2. Touch “Unsubscribe”.

Note: Premium service will be available until the end of your current billing cycle. You will not be billed after that.

The app is running whenever the following icon is displayed in the notification bar (at the top of your device), while you are connected to a Wi-Fi network:

  • Android – key symbol
  • iOS – VPN symbol

You also will also notice that where you may have experienced poor or no data service in the past on Wi-Fi, that your data session will continue seamlessly without interruption.

Please note that each feature can be turned on/off. The VPN will be running all the time for the Canadian Shield application, however, Wi-Fi Bonding and Secure Wi-Fi are premium features and require the user to subscribe. Once subscribed, the user can enable/disable the features by tapping the On/Off option bar.

This may occur for several reasons:

  • Many public Wi-Fi networks require you to login first before allowing Internet access.  You can do this by opening a browser.  Make sure you have completed the login process.
  • You could have a poor Wi-Fi signal.  Move to an area where the signal strength is stronger.
  • Internet access could be impaired due to high Wi-Fi network congestion caused by too many users.

Your phone may be automatically connecting to Wi-Fi networks that use the same name as a network that you have connected to previously (e.g. Starbucks, Cable Wi-Fi, Boingo, etc.).

If the user subscribes to Premium Services and has Secure Wi-Fi enabled, then yes. Secure Wi-Fi monitors your network activity, so it can automatically detect when you connect to a Wi-Fi network and protect your Wi-Fi sessions when needed.

Canadian Shield uses very little battery power itself so your overall battery usage will be approximately the same as before having Canadian Shield Wi-Fi Bonding on your device. However, your device will show Canadian Shield as using more battery than it really does, because it will now assign the battery impact of the traffic performed by your apps to the Canadian Shield app. This is because your network traffic is being handled by Canadian Shield, and the device estimates battery usage based on how much data is sent/received by an app. When Canadian Shield is installed, it will appear to the device’s Operating System that Canadian Shield is responsible for all data usage instead of the actual app that is performing the traffic. In reality, data usage is actually coming from your normal app usage and Canadian Shield is simply optimizing and securing the data from those apps. In other words, the Operating System is simply shifting the blame for data/battery usage from your apps to Canadian Shield, so the battery usage of your apps will appear to go down and when combined with the Canadian Shield battery usage, the overall battery usage on your device will ultimately remain approximately the same as before installing Canadian Shield.

Yes. The app will work on any Wi-Fi network or mobile data network outside of Canada.

Mobile App - Encrypted WiFi FAQ

The Encrypted Wi-Fi service provides a safer and more efficient way to use both unsecure and password-protected Wi-Fi networks by reducing the risk of your personal and sensitive data being compromised. Now you can email, browse and stream safely on Wi-Fi networks. Encrypted Wi-Fi is the smart and efficient solution not only protecting you, but also optimizing your device’s performance while in protected mode.

Encrypted Wi-Fi is a service that automatically detects when you access a Wi-Fi network, and when enabled, will encrypt the data you transmit before it leaves your phone to ensure your privacy and protection.

No, Encrypted Wi-Fi only encrypts unsecured (HTTP) traffic.

Tap “Upgrade to Premium” you will be presented with a subscribe screen. Follow the prompts to complete your upgrade.

There may be a slight reduction in speed due to the encryption used to protect your data.

Yes, while on Wi-Fi, as long as the Encrypted Wi-Fi feature is enabled, your traffic will be automatically encrypting your Wi-Fi traffic in the background, providing you the security you’ve come to expect without compromising your personal and sensitive data.

Wi-Fi Bonding is a premium feature that’s available in the app. It helps provide an optimal Wi-Fi data experience by automatically and seamlessly leveraging cellular data to boost your data performance wherever you experience slow or no data over Wi-Fi. Now you can browse, enjoy media or look up directions on a map app without interruption as you move between Wi-Fi networks like at home and the cellular network, or transition between Wi-Fi networks. Not only do you get the benefit of an uninterrupted data session, you also still enjoy the security provided by the Secure Wi-Fi feature, so you are without risk of compromising personal and sensitive data.

Canadian Shield Wi-Fi Bonding will not change the way your Wi-Fi network operates. However, it will enhance the way your device behaves on Wi-Fi by automatically detecting when there are problems with the Wi-Fi connection. So, if you have a poor Wi-Fi signal or if the Wi-Fi is too congested, it will simultaneously leverage cellular to boost your overall data performance. This also helps with the “driveway problem,” where being at the edge of the Wi-Fi may be unusable and it will make this transition seamless as you continue browsing or try using an application that requires immediate data while in a “dead zone.”

Privacy related questions

Canadian Shield can be configured on the router/gateway, in the operating system settings for your computers and in some applications that directly use either the DNS or encrypted DNS (i.e. some browsers). It can also be installed on mobile devices through a simple app download. You can also use the Canadian Shield browser extension to get protection quickly.

Full instructions are available from the configure page.

CIRA Canadian Shield browser extension is another way to leverage Canadian Shield to protect yourself from malicious sites while browsing on popular browsers. It can be easily downloaded and activated on most common browsers and once installed will keep all your browser sessions protected.

The browser extension checks URLs inputted to the browser bar or links clicked on while browsing against local & remote blocklists provided by CIRA.  The list is continually updated to ensure that malicious sites cannot be accessed by users.

Users can report erroneous blocks by using the Canadian Shield support page.

Please note that the browser extension only protects web browsing.  To protect links accessed but other applications such as email clients, users should configure Canadian Shield at the OS or router level.

Canadian Shield is intended for home/personal use only and as a result may not work when users are logging in from an office and certain other remote environments.

The browser extension uses DNS over HTTPS (DoH) to validate the safety and security of a website. This means that users may run into issues using the extension in an environment that blocks DoH requests. In Firefox, for example, the browser extension makes a request to Canadian Shield to verify if the page should be blocked. Once it verifies the website is okay, it allows the request to continue.  If an office is blocking DoH the browser extension may prevent a user from using their browser. We recommend that if you see this behaviour that you disable the extension on your work network, and then re-enable it when you are back at home.

With other browsers in this environment, such as Google Chrome, the extension may allow users to continue to visit websites but will not offer Shield’s protection capabilities. Web pages will resolve and display just fine. However, this does mean that if the DoH request is blocked in an office environment, it will never decide that anything is blocked.

CIRA is working on an update to the extension that will let users know when the extension is not functioning normally.

First a description from the CCCS on what they do:

The Canadian Centre for Cyber Security (CCCS) shares enhanced cyber threat information in order to help strengthen Canada’s resiliency against cyber threats. This threat information includes Indicators of Compromise (IoCs) derived from many sources such as Canadian cyber incidents, malware analysis and strategic partnerships. All indicators are validated before being shared in order to maintain a high quality. No personally identifiable information (PII) of any kind is transmitted back to the Canadian Centre for Cyber Security.

Secondly, we are working with them in two ways:

1. We have incorporated the Canadian Centre for Cyber Security threat feed into CIRA Canadian Shield; this in addition to our own threat intelligence and to other 3rd party feeds.

2. CIRA is providing the Canadian Centre for Cyber Security with anonymized threat blocking data for research purposes to enhance their threat intelligence. All personally identifiable information (PII) (i.e. your IP addresses) is scrubbed from this data.

CIRA only sends anonymized data to the Canadian Centre for Cyber Security for research purposes on the amount and types of threats that we see in Canada. This data is used to improve cyber-threat protection for all of Canada.

CIRA, like every other organization in Canada, is required to comply with Canadian law. CIRA will only ever act on a court order and notably, only stores personally identifiable information for 24 hours for the purpose of mitigating abuse, like DDoS attacks, on the system.

Browser extension questions

Canadian Shield can be configured on the router/gateway, in the operating system settings for your computers and in some applications that directly use either the DNS or encrypted DNS (i.e. some browsers). It can also be installed on mobile devices through a simple app download. You can also use the Canadian Shield browser extension to get protection quickly.

Full instructions are available from the configure page.

CIRA Canadian Shield browser extension is another way to leverage Canadian Shield to protect yourself from malicious sites while browsing on popular browsers. It can be easily downloaded and activated on most common browsers and once installed will keep all your browser sessions protected.

The browser extension checks URLs inputted to the browser bar or links clicked on while browsing against local & remote blocklists provided by CIRA.  The list is continually updated to ensure that malicious sites cannot be accessed by users.

Users can report erroneous blocks by using the Canadian Shield support page.

Please note that the browser extension only protects web browsing.  To protect links accessed but other applications such as email clients, users should configure Canadian Shield at the OS or router level.

Canadian Shield is intended for home/personal use only and as a result may not work when users are logging in from an office and certain other remote environments.

The browser extension uses DNS over HTTPS (DoH) to validate the safety and security of a website. This means that users may run into issues using the extension in an environment that blocks DoH requests. In Firefox, for example, the browser extension makes a request to Canadian Shield to verify if the page should be blocked. Once it verifies the website is okay, it allows the request to continue.  If an office is blocking DoH the browser extension may prevent a user from using their browser. We recommend that if you see this behaviour that you disable the extension on your work network, and then re-enable it when you are back at home.

With other browsers in this environment, such as Google Chrome, the extension may allow users to continue to visit websites but will not offer Shield’s protection capabilities. Web pages will resolve and display just fine. However, this does mean that if the DoH request is blocked in an office environment, it will never decide that anything is blocked.

CIRA is working on an update to the extension that will let users know when the extension is not functioning normally.

Loading…