Microsoft announced that it’s working on adding support for the privacy-focused DNS over HTTPS (DoH) protocol in a future Windows 10 release, while also keeping the addition of DNS over TLS (DoT) on the table.
DoH is designed to allow DNS resolution over encrypted HTTPS connections, while DoT encrypts and wraps DNS queries via the Transport Layer Security (TLS) protocol instead of using plain text DNS lookups.
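To make the DoH mechanics concrete: a DoH client sends an ordinary DNS wire-format message inside an HTTPS request (RFC 8484), so the only thing that changes on the wire is the transport. The following is an added example, not Microsoft's code; it builds a DNS query for a name, encodes it for a DoH GET request against a hypothetical resolver URL, and parses a constructed response, all offline.

```python
import base64
import struct


def build_query(name: str, txid: int = 0) -> bytes:
    """Build a DNS wire-format query (RFC 1035) for one A record.
    RFC 8484 suggests a zero transaction ID for GET so the message is cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """Encode the query as base64url without padding and place it in the
    'dns' parameter, as RFC 8484 section 4.1 specifies for GET."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns}"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a possibly compressed domain name in a DNS message."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, flags, qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is a query, not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips


def build_sample_response(query: bytes, ip: str) -> bytes:
    """Constructed sample response (not captured traffic): echoes the question
    and appends one A record using a pointer to the question name."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + query[12:] + answer + bytes(int(o) for o in ip.split("."))
```

Sending the URL over HTTPS with the `application/dns-message` Accept header is all that remains; the resolver name used in any call is a placeholder.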
By adding DoH to Windows 10 Core Networking, Microsoft aims to improve its customers' security and privacy on the Internet by encrypting all the DNS queries they make, removing the plain-text domain names that otherwise appear in unencrypted network traffic.
“There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn’t universal,” Microsoft said.
“To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.”
Microsoft DoH adoption principles
Redmond is currently prioritizing the adoption of DoH in Windows 10 since it considers it the choice that will “provide immediate value to everyone,” while it will also make it possible for the company to make use of already existing HTTPS infrastructure for faster DNS encryption rollout.
“As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we’re open to having other options such as DNS over TLS (DoT) in the future,” Microsoft added.
The company also highlighted the following principles it used to decide which DNS encryption protocol support to build into Windows 10, and how it should be configured:
• Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don’t require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
• Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.
The first milestone
As the first step toward implementing DoH in Windows 10, Microsoft will automatically encrypt DNS queries for users whose configured DNS resolvers support DNS over HTTPS.
However, Redmond also says that it will not change the DNS servers on any Windows 10 devices, leaving it to the users and the device or enterprise administrators to choose the DNS servers they want to use to resolve their DNS queries.
“Many people use ISP or public DNS content filtering to do things like block offensive websites,” Microsoft says while listing the reasons behind its chosen path to implementing Windows 10 DoH support.
“Silently changing the DNS servers trusted to do Windows resolutions could inadvertently bypass these controls and frustrate our users. We believe device administrators have the right to control where their DNS traffic goes.”
Microsoft lists the following advantages users and admins will get once the initial DoH support milestone is reached:
• Many users and applications that want privacy will start getting the benefits without having to know about DNS. In line with principle 1, the DNS queries become more private with no action from either apps or users. When both endpoints support encryption, there’s no reason to wait around for permission to use encryption!
• We can start seeing the challenges in enforcing the line on preferring resolution failure to unencrypted fallback. In line with principle 4, this DoH use will be enforced so that a server confirmed by Windows to support DoH will not be consulted via classic DNS. If this preference for privacy over functionality causes any disruption in common web scenarios, we’ll find out early.
As part of future milestones, Windows 10 users and admins will also be able to set up DoH servers explicitly using a dedicated interface within the Windows DNS settings.
“Why announce our intentions in advance of DoH being available to Windows Insiders? With encrypted DNS gaining more attention, we felt it was important to make our intentions clear as early as possible,” Microsoft concluded.
“We don’t want our customers wondering if their trusted platform will adopt modern privacy standards or not.”
The information is gathered from Bleeping Computer.