Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Microsoft Encryption Security

Windows 10 Previews DNS Over HTTPS (thurrott.com) 90

An anonymous reader quotes a report from Paul Thurrott: With the new build of Windows 10 [19628], Microsoft is starting to test DNS over HTTPS. The new build comes with Microsoft's initial support for DNS over HTTPS on Windows, and Insiders will have to manually enable the new feature. If you would like to enable DNS over HTTPS in Windows 10, you will have to first install the latest Insider build. After that, you will have to go into the registry and tweak an entry to first enable the new DNS over HTTPS client, and then update the DNS servers your computer is using. It's not as easy as ticking a checkbox, but Microsoft has shared the instructions to enable the feature in detail, so make sure to check it out here. What is DNS over HTTPS and why is it important? "DNS, to put simply, is the process where an easy-to-read and write domain address is translated into an actual IP address for where a web resource is located," writes Thurrott. "Although most websites already use HTTPS for added privacy, your computer is still making DNS requests and resolving addresses without any encryption. With DNS over HTTPS, your device will perform all the required DNS requests over a secured HTTPS connection, which improves security thanks to the encrypted connection."
This discussion has been archived. No new comments can be posted.

Windows 10 Previews DNS Over HTTPS

Comments Filter:
  • by Mononymous ( 6156676 ) on Thursday May 14, 2020 @08:03AM (#60059200)

    Because Microsoft (and whatever partner they use) is so much more trustworthy than my ISP.

    • But, but if you just use Verified Service from Trusted Provider, you'll be Safe!

    • Re: (Score:3, Insightful)

      by kalpol ( 714519 )
      or my local resolver. Everyone wants a piece of that sweet sweet browsing history.
    • DNSSEC (Score:5, Insightful)

      by johnjones ( 14274 ) on Thursday May 14, 2020 @08:13AM (#60059230) Homepage Journal

      exactly the endpoint/workstation needs to actually validate the answers cryptographically...

      the standard is DNSSEC and most root's support it, please Microsoft engineers... do the right thing here rather than a quick patch

      John Jones

      • Re:DNSSEC (Score:4, Informative)

        by AleRunner ( 4556245 ) on Thursday May 14, 2020 @08:28AM (#60059272)
        DNSSSEC is not for the same thing as DNS over HTTP, in fact they are complementary. With DNSSEC you get no privacy from your ISP, which is normally the company you are most afraid of spying on you and the one that's got the most incentive to do it since they can match your internet usage with your billing details. DNS over HTTP provides that. With DNS over HTTP you get no guarantee that the DNS record provided to you is the same one as the one you asked for - just that it's the one that your DNS provider wants to give you. If you have both then you get privacy and authentication.
        • Of course DNS over HTTP still gives your upstream resolver access to your DNS requests, which could still be your ISP.
      • Re:DNSSEC (Score:5, Informative)

        by thereddaikon ( 5795246 ) on Thursday May 14, 2020 @09:31AM (#60059478)

        Not the same thing. DNSSEC is about making sure nobody tampers with DNS traffic. DoH is about making sure nobody can read your DNS traffic.

        And OS level implementation is the correct implementation. Not sure why everyone here is acting like Microsoft is adding a mandatory service that uses their DNS servers or something. They are adding support for the technology. Set it up to use whatever servers you want. Or don't. Whatever.

      • DNSSEC and DNS over HTTPS solve two very *very* different problems. And you want to hope that whatever server you are connecting to via DoH also supposed DNSSEC.

      • DNSCrypt [wikipedia.org] is the standard, but nobody supports it.
    • by Anonymous Coward

      It's really ridiculous to insist we trust one or the other.

      We should be secure because we put our trust in math and physics, and the design of protocols--not services, not tools (look how corruptible Mozilla/humans are), but protocols-- that are simple, and can be used independently of any third party "provider".

      • by raymorris ( 2726007 ) on Thursday May 14, 2020 @09:15AM (#60059412) Journal

        > It's really ridiculous to insist we trust one or the other.
        > We should be secure because we put our trust in math and physics, and the design of protocols --not services, not tools (look how corruptible Mozilla/humans are),

        If you use Windows and especially Edge / IE, Microsoft controls the "random" numbers used in the math. The math can't protect you if you don't trust your operating system and browser.

        That's the concept of the trusted computing base - you HAVE to trust your OS, it can see all of your keystrokes. So you might want to make sure it's trustworthy.

        (Note it's trustED computing base, not trustWORTHY computing base.)

        • by Anonymous Coward

          I've said for years that we need host-proof computing with fully homomorphic encryption.

          I stand by my argument, without compromise. Because I've written the code to prove it possible, and IBM has hardware to do it faster.

    • It says they are just introducing support for it, which you will then need to configure yourself. What's wrong about that? Building DoH into the OS is the correct implementation, not the fragmenting browser solution that Mozilla and Google are doing.

      This is a good thing.

    • Because Microsoft (and whatever partner they use) is so much more trustworthy than my ISP.

      Errr, yet they absolutely are. ISPs have demonstrated a willingness to simply sell their entire database of customer data to whoever is paying. Many other companies have not.

      You're mad if you are privacy focused and you trust your ISP.
      You're slightly less mad if you trust an advertising company (at least they keep your data to themselves in order to make a profit).
      You're significantly less mad using some random service on the internet.
      And you're completely sane if you run your own DNS server.

      • Someone still knows what you want to resolve.

        1. Using ISP DNS server
        The ISP can have logs of what you want to resolve
        2. Using some other DNS server
        The ISP can still find out what you are resolving (tcpdump), the DNS server company also knows.
        3. Using your own DNS server
        Your ISP knows, the root and tld servers may know and the server of the domain you are resolving knows.
        4. Using DNS over HTTPS
        The DoH provider knows.

        I guess one way would be to run own DNS server, but have it use TOR to resolve the IPs.

    • Google (Chrome) and Firefox use *YOUR* DNS provider (if your DOH provider supports it).

      Reading the actual article, Edge will do the same thing but only if your DNS provider is one of 3 providers. Looks like a good way to beta test.

    • You're already trusting Microsoft by running Windows.
  • by Luckyo ( 1726890 ) on Thursday May 14, 2020 @08:13AM (#60059232)

    Right now, most of the "legal blocks" across many nations with semi-free internet (example: UK) are enforced by ISP's on their DNS servers. This is usually considered sufficient by governments, so technically minded people can easily circumvent them by switching to DNS servers that are free from such interference.

    If this goes through, ISPs will likely be mandated to actually start running proper "known ip range blocklists", making circumventing government mandated blocks much harder. So this change is liable to make blocking of things like porn, wrongthink and pirate bay much more invasive and hard to circumvent without a dedicated VPN tunnel.

    • Comment removed (Score:4, Interesting)

      by account_deleted ( 4530225 ) on Thursday May 14, 2020 @08:24AM (#60059264)
      Comment removed based on user account deletion
    • by AmiMoJo ( 196126 )

      IP address blocks don't work thanks to CDNs. Any given IP address in the CDN will be serving innumerable sites, constantly shifting and changing. The collateral damage would be immense.

      • by kalpol ( 714519 )
        then you just require the CDN to block the site.
        • by amorsen ( 7485 )

          That is the first thing they do. The blocklists are because it is difficult for e.g. a UK court to order a US ISP to remove material that is legal in the UK.

        • by AmiMoJo ( 196126 )

          That's what they have been trying to do. Suing CDNs to stop them providing services to sites they don't like. So far Cloudflare seems to be resisting.

    • If this goes through, ISPs will likely be mandated to actually start running proper "known ip range blocklists"

      Don't be silly. There's nothing preventing a mandate that actually works against changing DNS server as it is. Also thanks to IP reuse it's not actually possible to block a website or service by IP address without significant collateral damage.

    • by Anonymous Coward

      Well, no. Presently in order to block DNS resolution of a domain name, the Fascist Government must coerce hundreds of thousands of DNS operators to tamper with the responses those DNS resolvers provide. This requires *lots* of enforcement thugs with lots of guns and lots of prisons in order to coerce compliance. It is very expensive and does not work very well.

      With DoH, that same Fascist Government only needs one or two enforcement thugs, a couple of guns, and maybe one or two public executions to achiev

    • You can change your DNS-over-HTTP resolvers, exactly the same as with regular DNS.

  • If they push this as enabled by default in an upcoming patch they're going to reek havoc on millions of domains. Surely they know that right?

  • fuck off (Score:4, Funny)

    by redback ( 15527 ) on Thursday May 14, 2020 @08:20AM (#60059250)

    can DNS over HTTPS fuck off and die already?

    • It works. It's not the best, nor the likely permanent 'solution', since security rarely has a permanent solution.

      And I'm using it now, Insider Preview ring, and it works with HTTPS, common HTTP, self-signed certs, and a flaky cert I won't bore you with.

      How about you stifle a little? Jon Postel would not answer your text.

      • Re: fuck off (Score:2, Insightful)

        by BAReFO0t ( 6240524 )

        It's idiotc and pointless NIHing!
        It is a "solution" for a problem that would not even exist without already going in the insane direction before!

        Jeez, were you all born after 2000 and think "browser = Internet" or what??
        There is no point for the extra layers in there! You could just change your DNS server and be done with it! (DNSSEC implied.) So DNS directly over TLS!
        HTTP ONLY exists in there because certain morons apparently are physically unable to think outside of the "web" (aka WWW aka "browser content

        • Sheesh. I was using internet before browsers. Condescending git.

          • by amorsen ( 7485 )

            It is no use arguing with BAReFO0t. He does not know the first thing about anything he comments on.

            In this particular case he does not know the differences between DNSSEC, DNS-over-TLS, and DNS-over-HTTPS.

        • by Zak3056 ( 69287 )

          HTTP ONLY exists in there because certain morons apparently are physically unable to think outside of the "web"

          Alternately, x over HTTPS tends to solve the problem of "nefarious actors want to block/intercept/rewrite packets they have no business tampering with" (i.e. Comcast wants to rewrite your DNS reponses with "our ad server" rather than NXDOMAIN, or the PRC only wants you to use approved DNS servers so they can censor your content). Unless you're using some DPI-SSL technology and the client trusts your certificate, it's effectively impossible to tell this traffic apart from the rest of the vast glut of https

    • by gweihir ( 88907 )

      can DNS over HTTPS fuck off and die already?

      MS wants it! Hence it will be sickly and have mental issues forever, but it will not die.

    • can DNS over HTTPS fuck off and die already?

      Why? Do you have something against the problems it is solving?

      • Attempting to address one problem by introducing five worse problems is not a solution.

        • Attempting to address one problem by introducing five worse problems is not a solution.

          Can you list the 5? And before you start talking about inability to intercept DNS as a problem remember why this is a solution in the first place.

      • What problems does HTTP solve in there? Hm?

        What problem that changing your DNS server in the settings and using DNSSEC cannot solve.

        You literally cannot think outsite of youw browser window, can you, WhatWG idiot.

        • HTTP? None. Fortunately DoH doesn't use HTTP, otherwise it would defeat the one problem it is trying to solve.

          Now it does use HTTPS. I'll leave it as an exercise to you as to why the S is significant. Although for some reason you seem to think that DNSSEC has something to do with encryption, so I suggest while you're googling DoH you also Google DNSSEC since you seem to no nothing about either.

          DNSSEC and DoH solve two different problems with zero percent overlap to the root server. You better hope your DoH

    • can DNS over HTTPS fuck off and die already?

      Not yet. Only once Google implements in their chat apps we can consider it truly dead.

  • What a scam (Score:5, Insightful)

    by OneHundredAndTen ( 1523865 ) on Thursday May 14, 2020 @08:23AM (#60059256)

    People are being sold a bridge with DNS over HTTPS, based on pretend privacy. Your ISP will not be able to see your DNS queries all right but, short of using a VPN, they will still be able to see where you are going. On the other hand, your DoH server will be able to see all your queries. And who is going to control that server? Google, Cloudflare, Microsoft. Are they more trustworthy than your ISP? Finally, adding insult to injury, by using am effectively non-blockable port (443) DoH is an invaluable gift for parties keen on disseminating malware through DNS tunnels..

    Thanks, Google, Cloudflare, Microsoft, and, especially, Mozilla.

    • Re:What a scam (Score:5, Interesting)

      by rho ( 6063 ) on Thursday May 14, 2020 @09:06AM (#60059380) Journal

      Firefox turned DoH on with an update, apparently, and it broke my internal network. Behind my firewall, my DNS practices are my own business.

      I don't trust any of these fucks.

      • by kalpol ( 714519 )
        It gave you a popup allowing you to choose whether to enable or disable it. I chose disable, no issues.
      • by AmiMoJo ( 196126 )

        So when asked did you accept the change of DNS server and that someone broke your *network*, or are you saying that merely trying to connect to your local DNS resolver over HTTPS to see if it supports DoH is enough to crash it?

        In either case it sounds like your network was already very broken if it is that fraglie.

        • by rho ( 6063 )

          I use Brave. It was other people who clicked through who use Firefox. My internal network has it's own DNS that works just fine resolving internal requests to private IPs that doesn't work so well if applications make their own decisions to use transports and services outside of the firewall. Sounds like you don't know what you're talking about, Judgy McJudgerson.

    • by AmiMoJo ( 196126 )

      Your ISP will not be able to see your DNS queries all right but, short of using a VPN, they will still be able to see where you are going.

      Not true. If they can't see the DNS request all they can see is the IP address you connect to, which is very likely to be a CDN serving hundreds or thousands of unrelated sites.

      While it's still not perfect it does greatly increase the cost of surveillance, which is always the goal. The more effort required the less practical mass surveillance becomes.

      And if you can still use your ISP's unencrypted DNS server on port 53 if you really want to, it's not going away. All this does is upgrade you to DoH if is available from your preferred server.

    • they will still be able to see where you are going.

      Yep. The'll see I'm going to a CDN and from there they'll know that I watched Netflix, of downloaded illegal snuff videos, or watched a church sermon. IP addresses are absolutely useless for telling you anything about what someone is doing on the internet.

      That bridge for privacy is not "pretend" in the slightest, especially when that bridge goes over a roadblock that otherwise wouldn't let you pass.

      And who is going to control that server? Google, Cloudflare, Microsoft.

      On I'm counting on that. I really hope my data actually goes to a company that will look after it in the name

    • The use of 443 for this is port abuse: 443 is for SSL-encrypted HTTP, not SSL-encrypted DNS. This is simply broken. DNS has its own ports. DNS over TLS, which uses its own port, 853, is the right approach.
    • So just run your own DoH server that does things the way you want?

  • So this is at least a step in a better direction compared to the browsers deciding to skip the OS entirely in name resolution. The OS providing a consistent name resolution experience solution is far better than the browsers giving up on it.

    I still cringe a bit at the 'the only network protocol that exists is HTTP' facet of it. DTLS probably would have been a more minimal amendment to the DNS strategy and maybe SCTP or TCP I could be convinced, but HTTP seems a bit silly. It's not particularly unworkable or

    • by kalpol ( 714519 )
      > What I would like is a more reasonable OS handling of disaggregated DNS Let the OS handle OS stuff. Let the DNS resolver handle DNS. Tinydns used to do this just fine, and while I never messed with BIND I'm sure setting up zones is exactly the same, and the firewall does it by VLAN too. No reason to put it somewhere invisible in the OS.
      • by Junta ( 36770 )

        As far as my home DNS server is concerned, my corporate DNS server does not exist (in fact, it cannot reach it due to private network). Conversely, while my corporate DNS server does have internet address resolution, I don't want to use it when I don't have to and it can't possibly resolve local addresses.

        Already I have to set up dnsmasq or similar on my computer that has to reach both, but I have to frequently fight various things on the OS to keep that working, because generally a manually managed localho

  • web browser runs through their proxy or the OS runs through its proxy or the router runs through its proxy. Meanwhile you can't self-activate a modem on your cable service because the DNS you hit isn't theirs and doesn't expose their validation service...

    While I prefer it in the router most people aren't going to understand that concept to properly set it up so having it in the OS is probably the best rather than have each browser do its own thing. (then again, they're not going to know how to set it up in

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Thursday May 14, 2020 @08:59AM (#60059350)
    Comment removed based on user account deletion
    • That only really applies to Mozilla's and Google's terrible in-browser implementation though. Supporting it in the OS is just the same as the IP stack supporting any other network protocol. Its there to use and assuming PiHole has been updated to support DoH on its end then you can specify your device as your DoH server.

      Not sure why everyone is assuming MS is making this a mandatory service. It isn't. They are adding protocol support. You have to configure it yourself.

      DoH on its own is just a way to prevent

      • The question is whether this is being made opt-in or opt-out. If they turn this on by default instead of allowing those who want it to turn it on themselves then we know there's an ulterior motive. And if that motive is strong enough that they'd be willing to break every internal domain in existence then that should scare the shit out of you.

      1. If you don't want to use DoH, turn it off and use the regular method instead. This is just an additional option for those that want their DNS queries encrypted in transit to their chosen resolver. Right now the list of DoH resolvers is limited, but that will change over time. You could even set up your own DoH resolver and then forward your queries to your regular DNS servers.
      2. Don't let perfect be the enemy of good. This is a step in the right direction. It isn't perfect, but few things are.
    • - DOH renders things like PiHole and domestic control of DNS useless. malware and applications are free to serve dedicated advertisements in-app with impunity.

      So block known DoH servers. There's not many of them. PiHole doesn't help you.

      - If you forgot Verizon once injected ads in SRVFAIL records until hackers pushed back and basically coded the practice out, you can be forgiven.

      Noone forgot that. But that's nothing compared to Verizon wholesale selling customer data to 3rd parties. Why do you think DoH became a topic in the first place? It was a response to a need after ISPs have been identified as abusive shits.

      - despotic regimes dont need to care about DOH

      Indeed for despotic regimes you want to be VPNing anyway, this isn't relevant there.

    • I thought the browser was still going to allow you to choose the DNS host for DOH. Is that not the case? Or is it semi-allowed in that they offer you a few providers to choose from but not your own custom hosts? If I can choose any DNS server then why couldn't I point my browser to PiHole?
    • Don't forget that.

      It has exactly zero advantages over just changing your freaking DNS server and maybe port in the settings and using DNSSEC.

      It only adds HTTPS for some WhatWGdiotic reason and strongly hints you should have your browser or OS maker spy on you instead of your ISP like that makes a difference to the ad company buying it or the law enforcer abusing his national security letter.

    • you can use bind, pihole, with DoH, you can even maintain an Internal dns. I use the cloudflared in DNS proxy mode and use that as the forwarding server. Internal DNS registration still works, and it is not avahi, broadcasts, or WINS.

      Also a curious thing happened when I went away from UDP 53 resolution to TCP 443 resolution, queries got faster whether I used 1.1.1.1, 8.8.8.8, or my local ISP dns. I thought it would be slower using TCP

  • My DNS servers do not support HTTPS. Hence even if the resolution is indirect, the last call will be open.

    • You can, one software I know of is cloudflared, there may be others, but this was a simple RPM to install

      cloudflared-stable-linux-amd64.rpm

      If you want it to configure is a daemon you can, but you can have it listen to local host on a different port /usr/local/bin/cloudflared proxy-dns --port 5353 then set bind, pihole, dnsmasq or whatever to use localhost:5353 as a forwarder. Running MS DNS or does your DNS server not work with a non port 53 server? Then have it listen on its interface

      • by gweihir ( 88907 )

        Oh, yes, I can, but I chose not to. DNS is not secure anyways. That is not really going to change anytime soon and I prefer to just make that obvious instead of giving a false sense of security.

        • I agree with that may induce a false sense of security and there is a point along the chain that can be taken advantage of. But it protects the other parts of DNS also it was faster for me over using DoH than unencrypted DNS. The tinfoil hat in me suspects that somewhere along the line somebody is stopping and looking and possible looking at my DNS traffic, maybe because I contracted for an ISP once and they had Sandvine equipment and figure they all mess with traffic.

  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Thursday May 14, 2020 @09:13AM (#60059402)
    Comment removed based on user account deletion
    • First of all, I think you'll find that most people are not "weekend car repairers". When it comes to computers, they're more like people who buy a new car when the tires are worn out. Secondly, DOH is a bad design not because it encrypts DNS but due to the way it centralizes control. DNSSEC exists and provides authenticity. Privacy could be achieved in a decentralized fashion. A key distribution mechanism for that already exists: DNSSEC. It is no surprise that web browsers do not support DANE but favor anot
    • 1. Nowadays, average people care a lot about their privacy.
      2. If you had friends, you'd know that they do not know, but they know they do not know, and ask their competent friend to do it for them. Clueless does not mean stupid.
      3. The stupid meme you just parroted probably did more work to push clueless people to be careless (because it was just expected from them to be like that) than it was ever the case naturally.

      Also, again, MS could just set a different DNS server by default and use DNSSEC. HTTP serves

  • DNS over TLS would have made sense.
    Running your own nameserver would have even more sense. (Any RPi can do it in its spare time, so it's really not necessary to have a separate server. Put in on every PC and be done with it.)

    * over HTTP(S) is just another case of the WhatWG insanity: Replace ALL the things with a web version with pointless layers over useless layers of inner platforms, because when you were born after the invention of the wheel, obviously you need to re-invent one. One that still uses the o

    • DNS over TLS would have made sense.

      Solves a different problem than DoH.

      Running your own nameserver would have even more sense.

      Solves nothing.

      Oh man I'm not even going to bother reading the rest of your ignorance. I'm amazed you less you seem to know about a topic the more you seem to post on Slashdot about it. An you have posted A LOT on this story.

      Another ignorant post brought to us by BAReFO0t

  • I had the pleasure to listen to Paul Vixie's talk about DNS over HTTPS on last years' EuroBSDCon in person. Some nice people recorded it and uploaded it to youtube so you can watch it as well.
    Paul Vixie talk about DNS over HTTPS

"The pathology is to want control, not that you ever get it, because of course you never do." -- Gregory Bateson

Working...