The Canadian Internet Registration Authority (CIRA) operates on a mandate to run a safe, secure, and reliable .CA domain for all Canadians. Established in the year 2000, it has more than 2.8 million domains under management.
A few years ago, CIRA saw the opportunity to complement its registry revenue with new services. In 2015, CIRA first moved into DNS cybersecurity with the introduction of D-Zone Anycast DNS, a service now used by some ISPs, the Canadian government, and many educational institutions. After the release of this comprehensive Canadian secondary DNS service, many of CIRA’s customers requested a recursive DNS Service. Organizations in the education sector were particularly interested in a service with content filtering.
“Once we came up with the concept of a cloud-based cybersecurity service that protects organizations from malware, ransomware, and phishing attacks, we started exploring our options,” explains Mark Gaudet, Business Development and Product Manager at CIRA.
CIRA considered building a recursive DNS service solution in house. “We could have implemented such a solution using DNS RPZ but we saw the real value was in a threat feed, and we couldn’t develop our own,” says Gaudet.
So CIRA turned to Nominum (now part of Akamai), then the market leader of DNS-based security solutions with recursive servers in large ISPs. “We knew Nominum had access to global DNS data and could develop a real-time threat feed,” continues Gaudet.
Through this partnership, CIRA was able to launch a trial of its D-Zone DNS Firewall within six months, and go live three months later. The solution uses smart resolvers deployed across Canada that evaluate more than 100 billion DNS queries each day to determine whether they're malicious. Threat coverage is continuously and automatically updated through a cloud service in order to deter highly dynamic exploits.
By taking advantage of its infrastructure in Canada to deploy a cloud-based service powered by Akamai, CIRA is able to bring on customers without a huge capital investment. Just as important, it allowed CIRA to build a Canadian-focused service that keeps all DNS query data in Canada for data sovereignty purposes. “DNS services that are globally hosted cannot guarantee that data is kept in Canada, but we can do so and honor our mandate to help Canadian organizations navigate this requirement,” explains Gaudet.
Moreover, now that CIRA is using Akamai's SPS Secure Business solution, it gains global scale and capacity without a performance impact. Plus, since the protections are network-based, customers don’t need to install software or updates as required by traditional client-based security products. There’s also no need for any on-premises customer technical expertise. The service is essentially a turnkey solution, enabled by pointing customer DNS resolvers at the CIRA cloud.
Since its launch in 2017, the D-Zone DNS Firewall has been protecting more than 1.5 million Canadians in everything from small businesses to large universities. CIRA has seen particular success in the municipal sector, where the D-Zone DNS Firewall has protected more than 70 Canadian municipalities to date.
“With D-Zone DNS Firewall, we provide a foundational layer of security to a wide range of organizations that might otherwise be underserved because they cannot afford security protections, or lack the technical resources to take advantage of them,” says Gaudet. Moreover, the service has driven a 90% reduction in desktops impacted by spear phishing attacks. In fact, one of CIRA’s academic customers used the service to quickly block new attacks, significantly reducing time and effort for its IT department. “These kinds of stories make us feel really good about what we’re doing for the Canadian market,” continues Gaudet.
CIRA also uses Akamai DNSi Big Data Connector to integrate all DNS query data and bot and phishing blocked data gathered from Akamai resolvers into an Elastic stack. This stack also includes a search and analytics engine, a data-collection and log-parsing engine, and an analytics and visualization platform that enables CIRA to search and display all kinds of DNS and security-related data collected across its network. This makes it easy for CIRA to conduct research and debug customer issues.
While CIRA started with the Akamai customer portal, it ultimately built its own customer portal atop the D-Zone DNS Firewall service. Using this portal, CIRA customers with multiple locations can configure and apply their policies from a centralized location with granular control. CIRA also exposed its API to customers and partners. Customers use it, for example, to retrieve and block queries into their security information and event management solutions to correlate issues with specific users and devices. Security vendors and ISPs can integrate with the service to add DNS protection for their customers in Canada.
By the end of 2019, CIRA expects its DZone DNS Firewall service to account for 50% of its new product revenue. CIRA’s next strategic plan will revolve around a strong cybersecurity focus.
“Launching DZone DNS Firewall enabled us to enter the cybersecurity market fairly quickly and easily with an easy-to-support product. This has given our business a new direction and access to a different market. Going forward, we plan to offer complementary services and products,” concludes Gaudet.
The Canadian Internet Registration Authority (CIRA) is a member-based not-for-profit organization, best known for managing the .CA internet domain on behalf of all Canadians, developing and implementing policies that support Canada’s internet community and representing the .CA registry internationally. We are building programs, products and services that leverage all the internet has to offer to help build a better online Canada, while providing a safe, secure and trusted online experience to all Canadians. For more information, visit https://cira.ca/.