
Behold - the CIRA Canadian Shield

RMerlin

Asuswrt-Merlin dev
There's my answer:

> Where do you get your threat intelligence?
>
> CIRA works with Akamai, a global provider of internet technology. They are responsible for over 30% of all traffic on the internet and 4% of all global DNS queries (yes that is billions and billions of queries). Anytime a DNS lookup is performed for the very first time anywhere it is automatically quarantined and inspected. If it is determined to be malicious then it is added globally to the block list. Machine learning and AI are also used to detect patterns in seemingly unrelated DNS lookups to detect and block malicious activity. Many botnets use algorithmically generated domain names to function and many have been reverse engineered so that the malicious domains are automatically on the list. And finally, the service incorporates 3rd party feeds from both commercial cybersecurity vendors and the open source community.
>
> Notably, while the threat detection is global, the service is only delivered from servers located in Canada and managed by CIRA.
EDIT:
And color me impressed:

> Does CIRA support DNS over TLS (DoT) and DNS over HTTPS (DoH)?
>
> Yes. Both DNS encryption standards are supported.
 

OzarkEdge

Part of the Furniture
>>Built by Canadians for Canadians

Finally! That should keep all that Canadian data from clogging up our Internet! :D

OE
 

L&LD

Part of the Furniture
So... anybody tried it yet? :)
 

Gar

Very Senior Member
> So... anybody tried it yet? :)
Yeah, briefly. It didn't return very good rootcanary.org results, whatever that really means. 9.9.9.11 gives me best results.
 

jackiechun

Regular Contributor
I did some testing and confirmed that Canadian Shield has EDNS Client Subnet (aka ECS) enabled. Pairs nicely with 9.9.9.11 :)
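
One way to check for ECS at the wire level, as an added example that is not part of any poster's message and not necessarily how the test above was done: build a query carrying an EDNS Client Subnet option (RFC 7871) and look for that option, with its scope prefix length, in the reply. The function names are hypothetical and the sample reply is constructed, not captured from any resolver.

```python
import ipaddress
import struct

ECS, OPT = 8, 41  # EDNS option code (RFC 7871) and OPT RR type (RFC 6891)

def build_ecs_query(qname, subnet, txid=0x1234):
    """A-record query carrying an ECS option for `subnet`, e.g. '203.0.113.0/24'."""
    net = ipaddress.ip_network(subnet)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]  # only the prefix bytes
    ecs = struct.pack("!HBB", family, net.prefixlen, 0) + addr    # scope is 0 in queries
    option = struct.pack("!HH", ECS, len(ecs)) + ecs
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)     # RD=1, 1 question, 1 OPT
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, len(option)) + option
    return header + question + opt_rr

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)   # pointer is 2 bytes, root label is 1

def find_ecs(msg):
    """Return (subnet, scope_prefix_len) from the message's OPT record, else None."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        p, off = off + 10, off + 10 + rdlen
        while rtype == OPT and p + 4 <= off:
            code, olen = struct.unpack_from("!HH", msg, p)
            if code == ECS:
                family, src, scope = struct.unpack_from("!HBB", msg, p + 4)
                raw = msg[p + 8:p + 4 + olen].ljust(4 if family == 1 else 16, b"\x00")
                return f"{ipaddress.ip_address(bytes(raw))}/{src}", scope
            p += 4 + olen
    return None

def constructed_reply(scope=24):
    """Constructed sample: the query turned into a reply that echoes ECS with a scope."""
    reply = bytearray(build_ecs_query("example.com", "203.0.113.0/24"))
    reply[2] |= 0x80                                      # set the QR (response) bit
    reply[reply.index(b"\x00\x08\x00\x07") + 7] = scope   # scope prefix-length byte
    return bytes(reply)
```

A reply for which `find_ecs` returns `None` carries no ECS option at all; one that returns a subnet shows which client prefix the answer was tailored to, which is also the information that leaves the resolver.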
 

dosborne

Very Senior Member
I set it up a month or more ago. No issues that I am aware of. Didn't notice anything being blocked so far either, not that I've tried any specific tests.
 

RMerlin

Asuswrt-Merlin dev
> Anyone set this up with DoT or even DoH?
>
> I cannot seem to find any info on their website with instructions on how to set up.
Set it up where?

The link I posted does contain instructions for multiple platforms.
 

Goobi

Regular Contributor
> Set it up where?
>
> The link I posted does contain instructions for multiple platforms.

On an 86U running 394.19. There do not appear to be any instructions on setting up DoT. Just platform-specific instructions for setting up their non-encrypted DNS.
 

heysoundude

Very Senior Member
> Thank you Sir! Was browsing from my phone and did not realize I could scroll that table to the right for the DoT specific info. Works like a charm.

If you like that, you should consider setting up unbound, which makes you your own DNS... assuming you're running Merlin's firmware.
 

coxhaus

Part of the Furniture
I would rather someone else own the DNS like QUAD9. When problems happen with DNS I don't want to be exposed until someone can write a fix for me which may take weeks. I will never run unbound as I don't want that much responsibility.
 

heysoundude

Very Senior Member
> I would rather someone else own the DNS like QUAD9. When problems happen with DNS I don't want to be exposed until someone can write a fix for me which may take weeks. I will never run unbound as I don't want that much responsibility.

If unbound fails, there is a fallback where you can set CIRA, Google, Quad9, Cloudflare... otherwise your network wouldn't resolve anything.
 
