DNS Firewall: What do Canada and New Zealand have in common?
Rob Williamson
We are both small population countries with similar wealth at just over $40K GDP per capita (USD).
The mean annual temperature is about 14 degrees in NZ and…well…that is similar to Vancouver, so we will count that as common.
We both have a national-focused cybersecurity service, in the form of a DNS Firewall, delivered by the registry – wait…what?
The last point may not be one of the more common ways to compare two countries, but this isn’t a tourist blog so you’ll have to bear with me. The kind folks at InternetNZ invited me to contribute some content on the Canadian experience with a DNS firewall service similar to the one they recently launched, called Defenz.
The Canadian Internet Registration Authority (CIRA) plays a similar role to InternetNZ in that we are non-profit organisations with a mandate to run the ccTLD and improve the lives of our online citizens through various programs. We have been operating a DNS Firewall service for just over four years now and currently have over 1.8 million users on the service at organisations ranging from the smallest retail shop up to a university with 80,000 students.
Throughout this time, we always knew that running infrastructure in Canada provided a core benefit of the service because we heard it from our customers. For instance, one concern was the growing corporatisation of the DNS in the hands of large multinational corporations. Locating the nameservers in Canada and operating them from a non-profit organisation helped to ensure fast local performance, deliver better data sovereignty in the post-Snowden world, and improve the privacy of potentially sensitive and valuable DNS information. The Defenz platform delivers the same benefits for New Zealand.
Let’s also be fair and not overstate the importance of privacy. Very few organisations in Canada were going to add a cloud layer for cybersecurity based only on data privacy and server location. It also had to add defence-in-depth to what they already had in place. This is where we did two critical things to deliver a high-quality service.
First, we partnered with Akamai, a company with recursive resolvers at ISPs all over the world. With this footprint they could detect new malicious domains and update the feed within 14 minutes of them being seen for the very first time, anywhere in the world. This speed is critical and not always possible at other layers of security that may require patches or similar. Our data shows that of those who are going to click on a malicious link, 80% do so within a typical working day, so minutes can have a huge impact on security.
The faster you can identify and block a threat, the faster you mitigate risk.
The second thing we did was to incorporate some feeds not generally available to the open source community. This included, for instance, paid threat feeds, feeds from Canadian organisations, and those provided by the Canadian government via the Canadian Centre for Cyber Security. Again, here Defenz is doing the same thing for New Zealanders with its local feeds.
So, with the who, what, where, why and how of the service covered off, what have we seen in Canada over this time?
Firstly, CIRA has a very large share of the educational community. The benefit of adding cybersecurity to administrative and student networks is pretty strong since, in effect, schools act kind of like a mini-ISP to their students. That means they don’t have control over the devices on the public networks, but they still have some responsibility since those devices may need resources from the network. What’s more, it is just good public policy to help students. What we can say is that the malicious activity on school networks is many times worse than on corporate ones. This comes in the form of large amounts of botnet traffic from infected devices and from the fact that a student is simply more likely to click on malicious content (about 5x more according to our data).
One month at a large university during COVID-19 shutdowns.
When you take students out of the picture by looking only at network traffic from non-public networks, we are seeing about 0.2 blocked threats per user per day. Put another way, if a company has 100 employees with connected devices and computers and you exclude 4 weeks of time off per year, then our average suggests about 4,800 threats blocked per year. This is in addition to what is stopped at the other layers in the network such as email security, anti-virus software, and traditional network firewalls.
We don’t see this kind of volume from every network. Some run clean for a while, then spike for a short time due to a security incident, and for these it operates kind of like insurance. For others we see a regular pattern of blocking activity, and for these it is more like a security blanket. Either way, if a customer avoids a disastrous ransomware incident or data privacy breach (that in Canada could be subject to fines under our PIPEDA legislation) then it has served its purpose.
In the image below we are looking at the pattern in a city with a similar number of connected employees to the university referenced above, so it is more-or-less a fair representation of the difference student traffic makes. Notably, neither organisation is doing any content filtering using the DNS.
One month at a mid-sized city during COVID-19 shutdown.
In conclusion, based on the Canadian experience with the CIRA DNS Firewall that has a lot of the same features as Defenz, we can categorically say that, in our experience, it has delivered improved defence to existing security stacks and has the added benefit of improving performance and privacy.
So with a nationally-focused DNS security layer designed to blanket organisations with sovereign, private, and most importantly, effective security, Canada and New Zealand now have even more in common – now if only Canada got something as cool as your glow worm caves!