The Canadian Internet Registration Authority (CIRA) launched a domain name system (DNS) service on April 23, 2020. CIRA is the entity responsible for overseeing Canada’s .ca country-code top-level domain (ccTLD). CIRA is offering its new DNS service—branded “Canadian Shield”—to assist Canadians with online privacy and security. Canadian Shield is an alternative to the DNS service provided by your internet service provider (ISP).
DNS? Every time you type a domain name (that is, a uniform resource locator or URL) into your browser, your computer sends your request for that domain name to a DNS server. The DNS server then sends you the internet protocol (IP) address of the server corresponding to the domain name. Your computer then uses that IP address to access the website.
Keeping limited logs. DNS providers can protect users by limiting the retention of logs of users' IP addresses and the websites they visit. Advertisers, government authorities, and hackers cannot abuse what does not exist. Canadian Shield says that it keeps logs for up to 24 hours, or longer if “malicious or anomalous” behaviour is suspected or detected.
Blocking dangerous content. Another way DNS providers can protect users is by blocking certain domain names and IP addresses. This prevents your computer from ever communicating with the server associated with the blocked IP address. You can configure Canadian Shield to block harmful and adult content.
Validating requests. DNS providers can use DNS Security Extensions (DNSSEC), which reduce the risk of man-in-the-middle attacks, where legitimate DNS requests are redirected to illegitimate websites. DNSSEC does this by adding cryptographic signatures to existing DNS records and validating those signatures to ensure nothing is changed en route to the user. Canadian Shield says it provides DNSSEC validation.
Encrypting DNS traffic. DNS providers can also encrypt the data between the user’s device and the DNS server, by using DNS over HTTPS (DoH) or DNS over TLS (DoT). Canadian Shield supports both DoH and DoT encryption standards.
All of these measures are voluntary on the part of the DNS provider, and may require some configuration by the user.
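As an added illustration of the validation and encryption measures above (not code from CIRA or the original article), this Python example builds the DNS over HTTPS request a client sends under RFC 8484 and reads the flags of a reply, where the AD bit indicates that the resolver validated the answer with DNSSEC. The endpoint `https://doh.example/dns-query` is a placeholder, the function names are illustrative, and the reply bytes are constructed.

```python
import base64
import struct

# Assumption: placeholder endpoint, not a real resolver URL.
DOH_ENDPOINT = "https://doh.example/dns-query"

def build_query(name, qtype=1, dnssec_ok=True):
    """DNS query in wire format; ID 0 as RFC 8484 advises for cache-friendliness."""
    # Header: ID=0, flags=RD, QDCOUNT=1, ARCOUNT=1 when an EDNS OPT record follows.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN
    opt = b""
    if dnssec_ok:
        # EDNS0 OPT: root name, TYPE 41, 1232-byte payload, DO bit set (0x8000).
        opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: base64url-encoded message with padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"

def parse_header(msg):
    """Read the reply flags: AD means the resolver validated the DNSSEC signatures."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "is_response": bool(flags & 0x8000),
        "authenticated": bool(flags & 0x0020),  # AD bit
        "rcode": flags & 0x000F,                # 0 = NOERROR, 2 = SERVFAIL
        "answers": answers,
    }

# Constructed reply headers (12 bytes each), not captured traffic.
VALIDATED_REPLY = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 1)  # AD set, 1 answer
# Validating resolvers answer SERVFAIL when signatures do not verify.
BOGUS_REPLY = struct.pack("!HHHHHH", 0, 0x8182, 1, 0, 0, 1)

if __name__ == "__main__":
    print(doh_get_url(build_query("www.example.com")))
    print(parse_header(VALIDATED_REPLY))
    print(parse_header(BOGUS_REPLY))
```

A client that sees `authenticated` set is trusting the resolver's validation, which is only meaningful when the channel to the resolver is itself protected, as it is with DoH or DoT.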
How Does Canadian Shield Work?
Canadian Shield’s servers are in Canada, and thereby likely avoid regulation by other jurisdictions. By being in Canada, Canadian Shield could be faster for users in Canada compared to DNS providers that are geographically distant.
Because CIRA is a non-profit, it has less motivation to sell your DNS query data to third parties, such as advertisers.
CIRA has also committed to a full, annual privacy audit to be conducted by a third party.
Canadian Shield offers three levels of security: private, protected, and family. The private level replaces your default DNS provider with Canadian Shield, which you may deem more trustworthy. The private level does not filter content. The protected level includes the security of the private level, and also blocks websites known or believed by CIRA to be associated with security threats, such as malware and phishing. The family level includes the security of the protected level, and also blocks adult content.
While it could technically be used by any internet-enabled device, Canadian Shield’s terms only permit use by individuals and families residing in Canada. CIRA also offers CIRA DNS Firewall, a paid service for organizations.
How Does Canadian Shield Decide What to Block?
To compile its list of dangerous websites, Canadian Shield aggregates threat lists from third parties, both commercial and open source. One of these threat lists comes from the Canadian Centre for Cyber Security, a government entity responsible for protecting the cyber security of the federal government and Canada’s critical internet infrastructure. According to CIRA, 100,000 websites are added to the aggregated threat list every day. Users can submit malicious domains or IP addresses, and report false positives, by using Canadian Shield’s support page.
How Does Canadian Shield Use Registrant Data?
Canadian Shield’s privacy policy states that they will not retain any personally identifiable information (PII) for marketing purposes, and will not resell your PII. CIRA will keep your PII for up to 24 hours to stop abuse of Canadian Shield for “malicious behaviour” and “illegal activity”. CIRA may retain that information for longer than 24 hours if it observes behaviours that CIRA “deems to be malicious or anomalous.”
CIRA may share anonymized aggregate data with the public, such as information about threat types, geolocation, and performance of Canadian Shield (e.g., number of websites blocked, and infrastructure uptime). CIRA may also share certain data with intelligence partners, including the number of times a given domain is blocked.
Which Organizations Are Behind Canadian Shield?
CIRA has partnered with several third parties to develop and implement Canadian Shield.
Akamai. Canadian Shield uses technology owned by Akamai, a company with headquarters in the United States and offices throughout the world, including in Ottawa and Toronto. Akamai is responsible for 4% of all global DNS queries, and serves between 15% and 30% of global web traffic.
Mobilize. Canadian Shield will soon offer a mobile phone app, simplifying the process for setting up Canadian Shield on iPhone and Android devices. This app was created in partnership with Mobilize, an American company. It is possible to configure mobile devices to use Canadian Shield without installing this app.
TekSavvy. Canadian Shield will be served by TekSavvy’s data centres in Toronto, Montreal, and Vancouver. TekSavvy is a Canadian ISP with headquarters in Chatham, Ontario.
Should I Change My DNS Provider?
That decision is up to you. The first step is finding out which DNS provider you are already using, and comparing their privacy policy and security measures to those of the alternatives, Canadian Shield being one of many free, privacy-focused options.