back to article Canada's .ca overlord rolls out free privacy-protecting DNS-over-HTTPS service for folks in Great White North

The organization that oversees .CA domains, among other important internet functions, is rolling out a free Canada-wide DNS-over-HTTPS service to protect people's privacy. The Canadian Internet Registry Authority (CIRA) today said its new Canadian Shield service will allow people and businesses to encrypt their DNS queries in …

  1. Pascal Monett Silver badge

    "Cops, Feds, and ISPs have been vocal opponents of the technology"

    Well of course they have. They are the people who want to spy on us, or monetize our behavior. Ensuring our protection is depriving them of their means to keep their addiction going.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Cops, Feds, and ISPs have been vocal opponents of the technology"

      I don't trust CIRA with my DNS traffic any more than I do the other DUH providers

      1. doublelayer Silver badge

        Re: "Cops, Feds, and ISPs have been vocal opponents of the technology"

        I suppose that makes sense, but you have to trust at least one group with it. No matter how far you push your own DNS setups, something has to make the queries and those queries are going to be sent through an ISP. If you set up your own resolver, then you can still be tracked based on its queries. The benefit of using someone else's resolver is that, as long as you trust them not to spy, nobody who watches their traffic knows what you're doing because your data is mixed in with everyone else's. So if you don't trust them, do you have someone you do?

      2. Gene Cash Silver badge

        Re: "Cops, Feds, and ISPs have been vocal opponents of the technology"

        I don't trust anybody that much, but I do trust them a hell of a lot more than Google.

  2. cornetman Silver badge

    "That said, DNS-over-HTTPS is not without its detractors. Cops, Feds, and ISPs have been vocal opponents of the technology, claiming it prevents service providers from being able easily to see what is going on in their networks, and makes it harder to uncover the activities of those engaging in criminal activity online."

    Let me reassure the cops that I'm not one of those engaged in criminal activity.

    What's that? You have six lines written in my own hand?

    1. baud

      Now it's six social media posts.

  3. Johnny Canuck

    Maple syrup reserve

    You might think that graphic depicting the hockey player in front of a white board is amusing, but we really do have a maple syrup reserve.

    1. Jamesit

      Re: Maple syrup reserve

      Yup we do, Here's a link.

      1. Anonymous Coward
        Anonymous Coward

        Re: Maple syrup reserve

        not only is there a strategic reserve of maple syrup , someone once tried to steal it

  4. HildyJ Silver badge
    Paris Hilton

    CIRA sounds wonderful

    If I were Canadian, I'd sign up in a New York minute (a Montreal minute?).

    BUT, help me here, as a non-Canadian using a non-Canadian ISP, can I point my router to it instead of the Google DoH I currently use?

    Note that I understand response time might not be as good but avoiding Google might be worth it.

    1. My other car WAS an IAV Stryker Silver badge

      Re: CIRA sounds wonderful

      "Toronto minute" for anyone outside Quebec.

      I agree with the question of non-Canucks having a chance at it. Here in Michigan, we're so physically close -- and many are culturally close* -- to Canada that we might as well.

      * There's that "Hockeytown" moniker for Detroit. And MI probably has more Tim Horton's than any other US state. But for full effect, just go visit the Upper Peninsula.

  5. Sgt_Oddball Silver badge

    Canny Canadian

    Canucks cancel common collection concernation. Conserned citizens cannot concent controlling companies, cops. Celebrate

    Can competing country computer cads cease compelling cabbalist cajoling?

    1. quxinot

      Re: Canny Canadian

      Somewhere, a subeditor is sobbing....

    2. Anonymous Coward
      Anonymous Coward

      Re: Canny Canadian

      Mais il faut traduire ça en français aussi! Alors...

  6. tip pc Silver badge

    DoH only available in the Browser, unless you install some additional software

    The instructions on their page detail how to change normal dns to use their servers which is great.

    from the article i assumed there was some easy way to connect to their DoH service from a router or other easy setting.

    either you need to amend the Chrome or Firefox config or install a dns proxy on your machine or your network.

    1. A.P. Veening Silver badge

      Re: DoH only available in the Browser, unless you install some additional software

      And for a DNS proxy I recommend Pi-Hole.

      1. tip pc Silver badge

        Re: DoH only available in the Browser, unless you install some additional software

        Pinole doesn’t do DoH natively you need to additionally install a DoH proxy either on Pihole or on the net and point Pihole at it.

        The advantage of Pinole is that it can use dns on different ports than 53, most other systems won’t easily do they. The alternative is to start your adorn proxy up listening on UDP 53 then no need for Pihole.

  7. mmccul

    Anti-privacy under privacy name

    DNS over HTTPS is a privacy nightmare. Now, one place will see all your DNS queries, even if not intended for them. As many have pointed out, your ISP already knows where you are going just by looking at the IP headers and the unencrypted part of https requests your browser sends that includes little things like the domain name you are requesting (SNI).

    I've noticed a lot of anti-privacy initiatives, like DNS over HTTPS, advertised in the name of "enhancing privacy" when really, it's just about encouraging people to log all their activity at yet another data aggregator that isn't normally in a position to capture any of the traffic at all.

    The real question is not the confidentiality of DNS requests, but confidentiality of where you go. But the ISP, to route your traffic, has to know where you are going. Until https is rewritten, they always know the domain name you are requesting, even without looking at DNS queries. This is a solution in search of a problem, and considering who has been advocating it (various organizations that often make money by such), I am not convinced their motives are altruistic.

    1. mark l 2 Silver badge

      Re: Anti-privacy under privacy name

      TLS 1.3 which more websites are now using is setup to use encrypted SNI so your ISP won't be able to view the website you are connecting to only the IP. If the website is behind a CDN like cloudflare that could be 1000s of website being hosted on one IP address and your ISP won't be possible to narrow down which exact website you are connecting to just from the IP address and an encrypted SNI

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022