EDIT: Where do you get your threat intelligence?
CIRA works with Akamai, a global provider of internet technology. They are responsible for over 30% of all traffic on the internet and 4% of all global DNS queries (yes, that is billions and billions of queries). Anytime a DNS lookup is performed for the very first time anywhere, it is automatically quarantined and inspected. If it is determined to be malicious, then it is added globally to the block list. Machine learning and AI are also used to detect patterns in seemingly unrelated DNS lookups to detect and block malicious activity. Many botnets use algorithmically generated domain names to function, and many have been reverse engineered so that the malicious domains are automatically on the list. And finally, the service incorporates 3rd party feeds from both commercial cybersecurity vendors and the open source community.
Notably, while the threat detection is global, the service is only delivered from servers located in Canada and managed by CIRA.
Does CIRA support DNS over TLS (DoT) and DNS over HTTPS (DoH)?
Yes. Both DNS encryption standards are supported.
See the “Summary of CIRA Canadian Shield DNS resolver addresses” table here:
On an 86u running 394.19. There do not appear to be any instructions on setting up DoT. Just platform-specific instructions for setting up their non-encrypted DNS.
Thank you Sir! Was browsing from my phone and did not realize I could scroll that table to the right for the DoT specific info. Works like a charm.
If you like that, you should consider setting up unbound, which makes you your own DNS...assuming you're running Merlin's firmware
If unbound fails, there is a fallback where you can set CIRA, Google, Quad9, Cloudflare...otherwise your network wouldn't resolve anything
I would rather someone else own the DNS like QUAD9. When problems happen with DNS I don't want to be exposed until someone can write a fix for me, which may take weeks. I will never run unbound as I don't want that much responsibility.