
Windows 10 Previews DNS Over HTTPS (thurrott.com)

An anonymous reader quotes a report from Paul Thurrott: With the new build of Windows 10 [19628], Microsoft is starting to test DNS over HTTPS. The new build comes with Microsoft's initial support for DNS over HTTPS on Windows, and Insiders will have to manually enable the new feature. If you would like to enable DNS over HTTPS in Windows 10, you will have to first install the latest Insider build. After that, you will have to go into the registry and tweak an entry to first enable the new DNS over HTTPS client, and then update the DNS servers your computer is using. It's not as easy as ticking a checkbox, but Microsoft has shared the instructions to enable the feature in detail, so make sure to check it out here. What is DNS over HTTPS and why is it important? "DNS, to put it simply, is the process where an easy-to-read and write domain address is translated into an actual IP address for where a web resource is located," writes Thurrott. "Although most websites already use HTTPS for added privacy, your computer is still making DNS requests and resolving addresses without any encryption. With DNS over HTTPS, your device will perform all the required DNS requests over a secured HTTPS connection, which improves security thanks to the encrypted connection."
  • by Mononymous ( 6156676 ) on Thursday May 14, 2020 @09:03AM (#60059200)

    Because Microsoft (and whatever partner they use) is so much more trustworthy than my ISP.

    • But, but if you just use Verified Service from Trusted Provider, you'll be Safe!

    • Re: (Score:3, Insightful)

      by kalpol ( 714519 )
      or my local resolver. Everyone wants a piece of that sweet sweet browsing history.
    • DNSSEC (Score:5, Insightful)

      by johnjones ( 14274 ) on Thursday May 14, 2020 @09:13AM (#60059230) Homepage Journal

      exactly the endpoint/workstation needs to actually validate the answers cryptographically...

      the standard is DNSSEC and most roots support it, please Microsoft engineers... do the right thing here rather than a quick patch

      John Jones

      • Re:DNSSEC (Score:4, Informative)

        by AleRunner ( 4556245 ) on Thursday May 14, 2020 @09:28AM (#60059272)
        DNSSEC is not for the same thing as DNS over HTTP, in fact they are complementary. With DNSSEC you get no privacy from your ISP, which is normally the company you are most afraid of spying on you and the one that's got the most incentive to do it since they can match your internet usage with your billing details. DNS over HTTP provides that. With DNS over HTTP you get no guarantee that the DNS record provided to you is the same one as the one you asked for - just that it's the one that your DNS provider wants to give you. If you have both then you get privacy and authentication.
        • Of course DNS over HTTP still gives your upstream resolver access to your DNS requests, which could still be your ISP.
      • Re:DNSSEC (Score:5, Informative)

        by thereddaikon ( 5795246 ) on Thursday May 14, 2020 @10:31AM (#60059478)

        Not the same thing. DNSSEC is about making sure nobody tampers with DNS traffic. DoH is about making sure nobody can read your DNS traffic.

        And OS level implementation is the correct implementation. Not sure why everyone here is acting like Microsoft is adding a mandatory service that uses their DNS servers or something. They are adding support for the technology. Set it up to use whatever servers you want. Or don't. Whatever.

      • DNSSEC and DNS over HTTPS solve two very *very* different problems. And you want to hope that whatever server you are connecting to via DoH also supports DNSSEC.
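The replies above draw the line between the two mechanisms: DoH encrypts the path to a resolver, DNSSEC signs the records. The block below, an added example that is not part of the thread or of any Microsoft or Thurrott material, makes that concrete at the wire level. A DoH request is an ordinary DNS message (RFC 8484), here built with the EDNS0 DO bit, base64url-encoded the way a DoH GET carries it, and then a constructed resolver reply is parsed to read the AD (Authentic Data) bit. DoH never validates anything itself: AD is set by the resolver, and a stub can only trust it because HTTPS authenticated which resolver said it, which is exactly why the two are complementary. The endpoint `https://dns.example/dns-query`, the query name and the 192.0.2.1 answer are assumptions for the example.

```python
"""RFC 8484 DoH is plain DNS wire format over HTTPS; added example, not from the page.

Builds a DNS query with the EDNS0 DO bit, encodes it as a DoH GET parameter
(base64url, padding stripped), and parses a constructed resolver reply,
reporting the AD bit. DoH itself validates nothing: AD comes from the resolver,
and is worth trusting only because the HTTPS channel authenticates the resolver.
"""
import base64
import struct

A, OPT = 1, 41
AD_FLAG = 0x0020  # header flags bit 5: Authentic Data, set by a validating resolver


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = A, want_dnssec: bool = True) -> bytes:
    # ID 0 and a fixed layout: RFC 8484 recommends this for GET so HTTP caches can reuse replies.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)  # RD set
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if want_dnssec:
        # OPT pseudo-RR: root name, type 41, UDP size 4096, DO bit in the TTL field, no rdata.
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return msg


def doh_get_url(endpoint: str, msg: bytes) -> str:
    # RFC 8484 section 4.1: ?dns=<base64url of the wire message>, '=' padding removed.
    return endpoint + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()


def decode_dns_param(param: str) -> bytes:
    # What a DoH server does with the dns= parameter: restore padding, base64url-decode.
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def decode_name(msg: bytes, off: int):
    # Returns (name, offset after the name), following compression pointers (0xC0xx).
    labels, end, jumped = [], None, False
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if l == 0:
            break
        labels.append(msg[off:off + l].decode("ascii"))
        off += l
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": ident, "rcode": flags & 0xF, "ad": bool(flags & AD_FLAG), "answers": answers}


def build_response(query: bytes, ip: str, ad: bool) -> bytes:
    # Constructed resolver reply for the example: echoes the question, answers with one A
    # record via a compression pointer to offset 12, and sets AD only when asked to.
    qid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    flags = 0x8180 | (AD_FLAG if ad else 0)  # QR, RD, RA
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", A, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    q = build_query("example.com")
    url = doh_get_url("https://dns.example/dns-query", q)  # hypothetical endpoint
    assert decode_dns_param(url.split("?dns=", 1)[1]) == q
    print(url)
    for ad in (False, True):
        print(parse_response(build_response(q, "192.0.2.1", ad)))  # 192.0.2.1 is TEST-NET-1
```

Nothing in the HTTPS layer changes whether `ad` comes back set: a DoH resolver that does not validate returns the same bytes with AD clear, and one that lies can set it freely. A client that wants the DNSSEC half of the picture either validates the RRSIGs itself or picks a resolver it is willing to trust for AD, which is the point the comment above makes.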

      • DNSCrypt [wikipedia.org] is the standard, but nobody supports it.
    • by Anonymous Coward

      It's really ridiculous to insist we trust one or the other.

      We should be secure because we put our trust in math and physics, and the design of protocols--not services, not tools (look how corruptible Mozilla/humans are), but protocols-- that are simple, and can be used independently of any third party "provider".

      • by raymorris ( 2726007 ) on Thursday May 14, 2020 @10:15AM (#60059412) Journal

        > It's really ridiculous to insist we trust one or the other.
        > We should be secure because we put our trust in math and physics, and the design of protocols --not services, not tools (look how corruptible Mozilla/humans are),

        If you use Windows and especially Edge / IE, Microsoft controls the "random" numbers used in the math. The math can't protect you if you don't trust your operating system and browser.

        That's the concept of the trusted computing base - you HAVE to trust your OS, it can see all of your keystrokes. So you might want to make sure it's trustworthy.

        (Note it's trustED computing base, not trustWORTHY computing base.)

        • by Anonymous Coward

          I've said for years that we need host-proof computing with fully homomorphic encryption.

          I stand by my argument, without compromise. Because I've written the code to prove it possible, and IBM has hardware to do it faster.

    • It says they are just introducing support for it, which you will then need to configure yourself. What's wrong about that? Building DoH into the OS is the correct implementation, not the fragmenting browser solution that Mozilla and Google are doing.

      This is a good thing.

    • Because Microsoft (and whatever partner they use) is so much more trustworthy than my ISP.

      Errr, yet they absolutely are. ISPs have demonstrated a willingness to simply sell their entire database of customer data to whoever is paying. Many other companies have not.

      You're mad if you are privacy focused and you trust your ISP.
      You're slightly less mad if you trust an advertising company (at least they keep your data to themselves in order to make a profit).
      You're significantly less mad using some random service on the internet.
      And you're completely sane if you run your own DNS server.

      • Someone still knows what you want to resolve.

        1. Using ISP DNS server
        The ISP can have logs of what you want to resolve
        2. Using some other DNS server
        The ISP can still find out what you are resolving (tcpdump), the DNS server company also knows.
        3. Using your own DNS server
        Your ISP knows, the root and tld servers may know and the server of the domain you are resolving knows.
        4. Using DNS over HTTPS
        The DoH provider knows.

        I guess one way would be to run own DNS server, but have it use TOR to resolve the IPs.

    • Google (Chrome) and Firefox use *YOUR* DNS provider (if your DOH provider supports it).

      Reading the actual article, Edge will do the same thing but only if your DNS provider is one of 3 providers. Looks like a good way to beta test.

    • You're already trusting Microsoft by running Windows.
  • by Luckyo ( 1726890 ) on Thursday May 14, 2020 @09:13AM (#60059232)

    Right now, most of the "legal blocks" across many nations with semi-free internet (example: UK) are enforced by ISPs on their DNS servers. This is usually considered sufficient by governments, so technically minded people can easily circumvent them by switching to DNS servers that are free from such interference.

    If this goes through, ISPs will likely be mandated to actually start running proper "known ip range blocklists", making circumventing government mandated blocks much harder. So this change is liable to make blocking of things like porn, wrongthink and pirate bay much more invasive and hard to circumvent without a dedicated VPN tunnel.

    • Comment removed (Score:4, Interesting)

      by account_deleted ( 4530225 ) on Thursday May 14, 2020 @09:24AM (#60059264)
      Comment removed based on user account deletion
    • by AmiMoJo ( 196126 )

      IP address blocks don't work thanks to CDNs. Any given IP address in the CDN will be serving innumerable sites, constantly shifting and changing. The collateral damage would be immense.

      • by kalpol ( 714519 )
        then you just require the CDN to block the site.
        • by amorsen ( 7485 )

          That is the first thing they do. The blocklists are because it is difficult for e.g. a UK court to order a US ISP to remove material that is legal in the UK.

        • by AmiMoJo ( 196126 )

          That's what they have been trying to do. Suing CDNs to stop them providing services to sites they don't like. So far Cloudflare seems to be resisting.

    • If this goes through, ISPs will likely be mandated to actually start running proper "known ip range blocklists"

      Don't be silly. There's nothing preventing a mandate that actually works against changing DNS server as it is. Also thanks to IP reuse it's not actually possible to block a website or service by IP address without significant collateral damage.

    • by Anonymous Coward

      Well, no. Presently in order to block DNS resolution of a domain name, the Fascist Government must coerce hundreds of thousands of DNS operators to tamper with the responses those DNS resolvers provide. This requires *lots* of enforcement thugs with lots of guns and lots of prisons in order to coerce compliance. It is very expensive and does not work very well.

      With DoH, that same Fascist Government only needs one or two enforcement thugs, a couple of guns, and maybe one or two public executions to achiev

    • You can change your DNS-over-HTTP resolvers, exactly the same as with regular DNS.

  • If they push this as enabled by default in an upcoming patch they're going to wreak havoc on millions of domains. Surely they know that right?

  • fuck off (Score:4, Funny)

    by redback ( 15527 ) on Thursday May 14, 2020 @09:20AM (#60059250)

    can DNS over HTTPS fuck off and die already?

    • It works. It's not the best, nor the likely permanent 'solution', since security rarely has a permanent solution.

      And I'm using it now, Insider Preview ring, and it works with HTTPS, common HTTP, self-signed certs, and a flaky cert I won't bore you with.

      How about you stifle a little? Jon Postel would not answer your text.

      • Re: fuck off (Score:2, Insightful)

        by BAReFO0t ( 6240524 )

        It's idiotic and pointless NIHing!
        It is a "solution" for a problem that would not even exist without already going in the insane direction before!

        Jeez, were you all born after 2000 and think "browser = Internet" or what??
        There is no point for the extra layers in there! You could just change your DNS server and be done with it! (DNSSEC implied.) So DNS directly over TLS!
        HTTP ONLY exists in there because certain morons apparently are physically unable to think outside of the "web" (aka WWW aka "browser content

        • Sheesh. I was using internet before browsers. Condescending git.

          • by amorsen ( 7485 )

            It is no use arguing with BAReFO0t. He does not know the first thing about anything he comments on.

            In this particular case he does not know the differences between DNSSEC, DNS-over-TLS, and DNS-over-HTTPS.

        • by Zak3056 ( 69287 )

          HTTP ONLY exists in there because certain morons apparently are physically unable to think outside of the "web"

          Alternately, x over HTTPS tends to solve the problem of "nefarious actors want to block/intercept/rewrite packets they have no business tampering with" (i.e. Comcast wants to rewrite your DNS responses with "our ad server" rather than NXDOMAIN, or the PRC only wants you to use approved DNS servers so they can censor your content). Unless you're using some DPI-SSL technology and the client trusts your certificate, it's effectively impossible to tell this traffic apart from the rest of the vast glut of https

    • by gweihir ( 88907 )

      can DNS over HTTPS fuck off and die already?

      MS wants it! Hence it will be sickly and have mental issues forever, but it will not die.

    • can DNS over HTTPS fuck off and die already?

      Why? Do you have something against the problems it is solving?

      • Attempting to address one problem by introducing five worse problems is not a solution.

        • Attempting to address one problem by introducing five worse problems is not a solution.

          Can you list the 5? And before you start talking about inability to intercept DNS as a problem remember why this is a solution in the first place.

      • What problems does HTTP solve in there? Hm?

        What problem that changing your DNS server in the settings and using DNSSEC cannot solve.

        You literally cannot think outside of your browser window, can you, WhatWG idiot.

        • HTTP? None. Fortunately DoH doesn't use HTTP, otherwise it would defeat the one problem it is trying to solve.

          Now it does use HTTPS. I'll leave it as an exercise to you as to why the S is significant. Although for some reason you seem to think that DNSSEC has something to do with encryption, so I suggest while you're googling DoH you also Google DNSSEC since you seem to know nothing about either.

          DNSSEC and DoH solve two different problems with zero percent overlap to the root server. You better hope your DoH

    • can DNS over HTTPS fuck off and die already?

      Not yet. Only once Google implements in their chat apps we can consider it truly dead.

  • What a scam (Score:5, Insightful)

    by OneHundredAndTen ( 1523865 ) on Thursday May 14, 2020 @09:23AM (#60059256)

    People are being sold a bridge with DNS over HTTPS, based on pretend privacy. Your ISP will not be able to see your DNS queries all right but, short of using a VPN, they will still be able to see where you are going. On the other hand, your DoH server will be able to see all your queries. And who is going to control that server? Google, Cloudflare, Microsoft. Are they more trustworthy than your ISP? Finally, adding insult to injury, by using an effectively non-blockable port (443) DoH is an invaluable gift for parties keen on disseminating malware through DNS tunnels.

    Thanks, Google, Cloudflare, Microsoft, and, especially, Mozilla.

    • Re:What a scam (Score:5, Interesting)

      by rho ( 6063 ) on Thursday May 14, 2020 @10:06AM (#60059380) Journal

      Firefox turned DoH on with an update, apparently, and it broke my internal network. Behind my firewall, my DNS practices are my own business.

      I don't trust any of these fucks.

      • by kalpol ( 714519 )
        It gave you a popup allowing you to choose whether to enable or disable it. I chose disable, no issues.
      • by AmiMoJo ( 196126 )

        So when asked did you accept the change of DNS server and that someone broke your *network*, or are you saying that merely trying to connect to your local DNS resolver over HTTPS to see if it supports DoH is enough to crash it?

        In either case it sounds like your network was already very broken if it is that fragile.

        • by rho ( 6063 )

          I use Brave. It was other people who clicked through who use Firefox. My internal network has its own DNS that works just fine resolving internal requests to private IPs that doesn't work so well if applications make their own decisions to use transports and services outside of the firewall. Sounds like you don't know what you're talking about, Judgy McJudgerson.

    • by AmiMoJo ( 196126 )

      Your ISP will not be able to see your DNS queries all right but, short of using a VPN, they will still be able to see where you are going.

      Not true. If they can't see the DNS request all they can see is the IP address you connect to, which is very likely to be a CDN serving hundreds or thousands of unrelated sites.

      While it's still not perfect it does greatly increase the cost of surveillance, which is always the goal. The more effort required the less practical mass surveillance becomes.

      And you can still use your ISP's unencrypted DNS server on port 53 if you really want to, it's not going away. All this does is upgrade you to DoH if it is available from your preferred server.

    • they will still be able to see where you are going.

      Yep. They'll see I'm going to a CDN and from there they'll know that I watched Netflix, or downloaded illegal snuff videos, or watched a church sermon. IP addresses are absolutely useless for telling you anything about what someone is doing on the internet.

      That bridge for privacy is not "pretend" in the slightest, especially when that bridge goes over a roadblock that otherwise wouldn't let you pass.

      And who is going to control that server? Google, Cloudflare, Microsoft.

      Oh, I'm counting on that. I really hope my data actually goes to a company that will look after it in the name

    • The use of 443 for this is port abuse: 443 is for SSL-encrypted HTTP, not SSL-encrypted DNS. This is simply broken. DNS has its own ports. DNS over TLS, which uses its own port, 853, is the right approach.
    • So just run your own DoH server that does things the way you want?

  • So this is at least a step in a better direction compared to the browsers deciding to skip the OS entirely in name resolution. The OS providing a consistent name resolution experience solution is far better than the browsers giving up on it.

    I still cringe a bit at the 'the only network protocol that exists is HTTP' facet of it. DTLS probably would have been a more minimal amendment to the DNS strategy and maybe SCTP or TCP I could be convinced, but HTTP seems a bit silly. It's not particularly unworkable or

    • by kalpol ( 714519 )
      > What I would like is a more reasonable OS handling of disaggregated DNS Let the OS handle OS stuff. Let the DNS resolver handle DNS. Tinydns used to do this just fine, and while I never messed with BIND I'm sure setting up zones is exactly the same, and the firewall does it by VLAN too. No reason to put it somewhere invisible in the OS.
      • by Junta ( 36770 )

        As far as my home DNS server is concerned, my corporate DNS server does not exist (in fact, it cannot reach it due to private network). Conversely, while my corporate DNS server does have internet address resolution, I don't want to use it when I don't have to and it can't possibly resolve local addresses.

        Already I have to set up dnsmasq or similar on my computer that has to reach both, but I have to frequently fight various things on the OS to keep that working, because generally a manually managed localho

  • web browser runs through their proxy or the OS runs through its proxy or the router runs through its proxy. Meanwhile you can't self-activate a modem on your cable service because the DNS you hit isn't theirs and doesn't expose their validation service...

    While I prefer it in the router most people aren't going to understand that concept to properly set it up so having it in the OS is probably the best rather than have each browser do its own thing. (then again, they're not going to know how to set it up in

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Thursday May 14, 2020 @09:59AM (#60059350)
    Comment removed based on user account deletion
    • That only really applies to Mozilla's and Google's terrible in-browser implementation though. Supporting it in the OS is just the same as the IP stack supporting any other network protocol. It's there to use and assuming PiHole has been updated to support DoH on its end then you can specify your device as your DoH server.

      Not sure why everyone is assuming MS is making this a mandatory service. It isn't. They are adding protocol support. You have to configure it yourself.

      DoH on its own is just a way to prevent

      • The question is whether this is being made opt-in or opt-out. If they turn this on by default instead of allowing those who want it to turn it on themselves then we know there's an ulterior motive. And if that motive is strong enough that they'd be willing to break every internal domain in existence then that should scare the shit out of you.

      1. If you don't want to use DoH, turn it off and use the regular method instead. This is just an additional option for those that want their DNS queries encrypted in transit to their chosen resolver. Right now the list of DoH resolvers is limited, but that will change over time. You could even set up your own DoH resolver and then forward your queries to your regular DNS servers.
      2. Don't let perfect be the enemy of good. This is a step in the right direction. It isn't perfect, but few things are.
    • - DOH renders things like PiHole and domestic control of DNS useless. malware and applications are free to serve dedicated advertisements in-app with impunity.

      So block known DoH servers. There's not many of them. PiHole doesn't help you.

      - If you forgot Verizon once injected ads in SERVFAIL records until hackers pushed back and basically coded the practice out, you can be forgiven.

      No one forgot that. But that's nothing compared to Verizon wholesale selling customer data to 3rd parties. Why do you think DoH became a topic in the first place? It was a response to a need after ISPs have been identified as abusive shits.

      - despotic regimes dont need to care about DOH

      Indeed for despotic regimes you want to be VPNing anyway, this isn't relevant there.
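The reply above says to block known DoH servers because there are not many of them, and an earlier comment calls port 443 an effectively non-blockable gift for DNS tunnels. The block below is an added example, not from the thread or from any product, of what that looks like on the defender's side: it runs two checks over constructed connection-log lines. The first matches destination IP or TLS SNI against a list of public DoH resolvers (the list is an assumption for the example; Cloudflare, Google and Quad9 do serve DoH at those names and addresses, but a real deployment maintains its own). The second flags a host that talks HTTPS but never sends port-53 DNS, which is only a hint: a resolver you run yourself, as another reply suggests, or any resolver not on the list, looks like every other HTTPS server. The log format and all the addresses in it are constructed.

```python
"""Spotting DoH use from flow/TLS logs; added example, not from the page or any product.

Check 1: destination IP or SNI matches an assumed list of public DoH resolvers
(the "block known DoH servers" approach). Check 2: a host that uses HTTPS but
never sends plaintext port-53 DNS, a hint that its lookups go somewhere else.
"""
import ipaddress
from collections import defaultdict

# Assumption: a defender-maintained list. Illustrative, not complete.
KNOWN_DOH_SNI = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
KNOWN_DOH_IPS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}

# Constructed log lines: timestamp src dst dport sni ('-' when there is no TLS SNI).
SAMPLE_LOG = """\
2020-05-14T09:00:01 10.0.0.5  10.0.0.1       53  -
2020-05-14T09:00:02 10.0.0.5  192.0.2.10    443  www.example.com
2020-05-14T09:00:05 10.0.0.7  1.1.1.1       443  cloudflare-dns.com
2020-05-14T09:00:06 10.0.0.7  192.0.2.11    443  www.example.net
2020-05-14T09:00:09 10.0.0.9  198.51.100.20 443  -
2020-05-14T09:00:10 10.0.0.9  198.51.100.20 443  -
2020-05-14T09:00:12 10.0.0.11 8.8.8.8       443  dns.google
2020-05-14T09:00:13 10.0.0.11 10.0.0.1       53  -
"""


def parse_flows(text: str):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, sni = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "sni": None if sni == "-" else sni.lower()})
    return flows


def is_known_doh(dst: str, sni) -> bool:
    return sni in KNOWN_DOH_SNI or ipaddress.ip_address(dst) in KNOWN_DOH_IPS


def analyze(text: str) -> dict:
    # Returns {source host: sorted findings}; hosts with nothing to report are omitted.
    by_src = defaultdict(list)
    for f in parse_flows(text):
        by_src[f["src"]].append(f)
    findings = {}
    for src, flows in by_src.items():
        out = set()
        for f in flows:
            if f["dport"] == 443 and is_known_doh(f["dst"], f["sni"]):
                out.add(f"known-doh-endpoint {f['dst']} sni={f['sni']}")
        if any(f["dport"] == 443 for f in flows) and not any(f["dport"] == 53 for f in flows):
            out.add("no-plaintext-dns")  # heuristic only: idle cache, VPN or DoT look the same
        if out:
            findings[src] = sorted(out)
    return findings


if __name__ == "__main__":
    for host, items in analyze(SAMPLE_LOG).items():
        print(host, items)
```

Run on the constructed log, 10.0.0.7 is flagged on both checks, 10.0.0.11 only on the known-endpoint check (it still sends port-53 queries, which is what a client that falls back to plain DNS looks like), and 10.0.0.9 only on the heuristic, since its HTTPS peer is on nobody's list. That last case is the limit of the blocklist approach the comment proposes.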

    • I thought the browser was still going to allow you to choose the DNS host for DOH. Is that not the case? Or is it semi-allowed in that they offer you a few providers to choose from but not your own custom hosts? If I can choose any DNS server then why couldn't I point my browser to PiHole?
    • Don't forget that.

      It has exactly zero advantages over just changing your freaking DNS server and maybe port in the settings and using DNSSEC.

      It only adds HTTPS for some WhatWGdiotic reason and strongly hints you should have your browser or OS maker spy on you instead of your ISP like that makes a difference to the ad company buying it or the law enforcer abusing his national security letter.

    • you can use bind, pihole, with DoH, you can even maintain an Internal dns. I use the cloudflared in DNS proxy mode and use that as the forwarding server. Internal DNS registration still works, and it is not avahi, broadcasts, or WINS.

      Also a curious thing happened when I went away from UDP 53 resolution to TCP 443 resolution, queries got faster whether I used 1.1.1.1, 8.8.8.8, or my local ISP dns. I thought it would be slower using TCP

  • My DNS servers do not support HTTPS. Hence even if the resolution is indirect, the last call will be open.

    • You can, one software I know of is cloudflared, there may be others, but this was a simple RPM to install

      cloudflared-stable-linux-amd64.rpm

      If you want to configure it as a daemon you can, but you can have it listen on localhost on a different port /usr/local/bin/cloudflared proxy-dns --port 5353 then set bind, pihole, dnsmasq or whatever to use localhost:5353 as a forwarder. Running MS DNS or does your DNS server not work with a non port 53 server? Then have it listen on its interface

      • by gweihir ( 88907 )

        Oh, yes, I can, but I chose not to. DNS is not secure anyways. That is not really going to change anytime soon and I prefer to just make that obvious instead of giving a false sense of security.

        • I agree that it may induce a false sense of security and there is a point along the chain that can be taken advantage of. But it protects the other parts of DNS, and also it was faster for me using DoH than unencrypted DNS. The tinfoil hat in me suspects that somewhere along the line somebody is stopping and possibly looking at my DNS traffic, maybe because I contracted for an ISP once and they had Sandvine equipment and figure they all mess with traffic.

  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Thursday May 14, 2020 @10:13AM (#60059402)
    Comment removed based on user account deletion
    • First of all, I think you'll find that most people are not "weekend car repairers". When it comes to computers, they're more like people who buy a new car when the tires are worn out. Secondly, DOH is a bad design not because it encrypts DNS but due to the way it centralizes control. DNSSEC exists and provides authenticity. Privacy could be achieved in a decentralized fashion. A key distribution mechanism for that already exists: DNSSEC. It is no surprise that web browsers do not support DANE but favor anot
    • 1. Nowadays, average people care a lot about their privacy.
      2. If you had friends, you'd know that they do not know, but they know they do not know, and ask their competent friend to do it for them. Clueless does not mean stupid.
      3. The stupid meme you just parroted probably did more work to push clueless people to be careless (because it was just expected from them to be like that) than it was ever the case naturally.

      Also, again, MS could just set a different DNS server by default and use DNSSEC. HTTP serves

  • DNS over TLS would have made sense.
    Running your own nameserver would have made even more sense. (Any RPi can do it in its spare time, so it's really not necessary to have a separate server. Put it on every PC and be done with it.)

    * over HTTP(S) is just another case of the WhatWG insanity: Replace ALL the things with a web version with pointless layers over useless layers of inner platforms, because when you were born after the invention of the wheel, obviously you need to re-invent one. One that still uses the o

    • DNS over TLS would have made sense.

      Solves a different problem than DoH.

      Running your own nameserver would have even more sense.

      Solves nothing.

      Oh man I'm not even going to bother reading the rest of your ignorance. I'm amazed: the less you seem to know about a topic the more you seem to post on Slashdot about it. And you have posted A LOT on this story.

      Another ignorant post brought to us by BAReFO0t

  • I had the pleasure to listen to Paul Vixie's talk about DNS over HTTPS at last year's EuroBSDCon in person. Some nice people recorded it and uploaded it to youtube so you can watch it as well.
    Paul Vixie talk about DNS over HTTPS
