The organization that oversees .CA domains, among other important internet functions, is rolling out a free Canada-wide DNS-over-HTTPS service to protect people's privacy.
The Canadian Internet Registry Authority (CIRA) today said its new Canadian Shield service will allow people and businesses to encrypt their DNS queries in transit between their devices and CIRA's servers, providing an added layer of security at a time where millions in the country are transitioning to working from home mid-coronavirus pandemic.
That means ISPs and network snoops, for instance, can't easily see what websites and services those individual households and businesses are accessing, give or take. Anyone trying to track the sites you browse will have to work harder, or be thwarted entirely, depending on the circumstances. It should also help protect DNS queries from being tampered with in transit.
The DNS-over-HTTPS service can be configured to just encrypt DNS queries; encrypt DNS queries and block access to known malware, botnet and phishing websites; or encrypt DNS queries and block access to adult content as well as malware, botnet and phishing pages. Access is blocked by refusing to lookup queries.
"As a non-profit with no interest in monetizing user data, we were able to bring together a group of great partners who are committed to protecting Canadians online–including the first-ever national deployment of DNS over HTTPS globally," said CIRA VP of product Dave Chiswell.
"This will provide all Canadians and their families with the kind of online protection typically reserved for large institutions."
Cloudflare family-friendly DNS service flubs first filtering foray: Vital LGBTQ, sex-ed sites blocked 'by mistake'READ MORE
As the name suggests, DNS-over-HTTPS wraps DNS queries – which translate human-friendly domain names like theregister.com into computer-friendly IP addresses like 126.96.36.199 – in encrypted HTTPS connections. That means your broadband provider, for example, can't see your browser looking up theregister.com, and all it sees is you connecting to 188.8.131.52, which the ISP will have to lookup itself. If that's an IP address shared by many sites in a content-delivery network, such as Cloudflare or Akamai's, the ISP won't know for sure which site you're really visiting, if you use HTTPS.
Some ruthless internet providers like to monitor DNS queries flowing through their networks to commercialize their subscribers' online habits: selling anonymized and aggregated stats to advertisers, or using the data to target netizens with adverts tailored to their interests based on their web travels. DNS-over-HTTPS therefore provides some to a lot of privacy from this kind of snooping, depending on what you're browsing and how.
Canadians using the encrypted shield service will send their DNS queries through a secure pipe to CIRA's servers, which perform the lookup on the netizens' behalf. CIRA, as a non-profit internet registry, promises not to monetize these DNS queries.
CIRA noted that its service, which also offers DNS-over-TLS, will be particularly important as the COVID-19 pandemic has pushed so many Canadians out of their better-secured office networks and into work-from-home setups.
"As Canadians have shifted to working and learning from home en masse due to COVID-19, their personal devices and home networks are vulnerable to cyber-attacks," the Canuck registry noted. "Unfortunately, most do not have access to the protection that large corporations and institutions apply to their data and devices."
That said, DNS-over-HTTPS is not without its detractors. Cops, Feds, and ISPs have been vocal opponents of the technology, claiming it prevents service providers from being able easily to see what is going on in their networks, and makes it harder to uncover the activities of those engaging in criminal activity online. CIRA argued the police aren't necessarily completely locked out by encrypted DNS queries.
"Law enforcement have a number of tools and tactics available to track criminal activity on an ISP network, so the presence of DNS-over-HTTPS does not inhibit investigation," a CIRA spokesperson told us today. "For example, ISPs have access to the actual network traffic, which includes application and IP address information." ®