Microsoft will integrate DNS over HTTPS in Windows 10


Microsoft revealed plans to integrate native support for DNS over HTTPS in the company's Windows 10 operating system in November 2019.

The announcement was made on Microsoft's Networking blog on November 17, 2019. DNS over HTTPS is designed to improve privacy, security, and reliability by encrypting DNS queries that are currently handled in plaintext.

DNS over HTTPS has been on the rise lately. Mozilla, Google, Opera, as well as several public DNS providers, announced support for the standard. Support in programs, e.g. a web browser, means that the DNS queries that originate from that program are encrypted. Other queries, e.g. from another browser that does not support DNS over HTTPS or is configured not to use it, won't benefit from that integration, however.

 

Microsoft's announcement brings DNS over HTTPS support to the Windows operating system. The company plans to introduce it to preview builds of Windows 10 in the future before it releases it in a final version of the operating system.

 

[Image: Windows 10 DNS settings]

 

Microsoft plans to follow Google's implementation, at least initially. Google revealed some time ago that it will roll out DNS over HTTPS in Chrome, but only on systems that use a DNS service that supports DNS over HTTPS. In other words: Google won't alter the DNS provider of the system. Mozilla and Opera decided to pick a provider, at least initially, and that means that the local DNS provider may be overridden in the browser.

 

Microsoft notes that it won't be making changes to the DNS server configuration of the Windows machine. Administrators (and users) are in control when it comes to the selection of the DNS provider on Windows and the introduction of support for DNS over HTTPS on Windows won't change that.

 

The change may benefit users without them knowing about it. If a system is configured to use a DNS provider that supports DNS over HTTPS, that system will automatically use the new standard so that DNS data is encrypted.

 

The company plans to introduce "more privacy-friendly ways" for its customers to discover DNS settings in Windows and raise awareness for DNS over HTTPS in the operating system.

 

Microsoft revealed four guiding principles for the implementation:

  • Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user’s browsing history.
  • Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet.
  • Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible.
  • Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured.

Closing words

Microsoft did not reveal a schedule for the integration but it is clear that it will land in a future Insider build for Windows 10 first. Integration in Windows -- and other client operating systems -- makes more sense than integrating the functionality into individual programs. Users who want to use DNS over HTTPS may simply pick a DNS provider that supports it to enable the feature for all applications that run on the system.

 

 

Source: Microsoft will integrate DNS over HTTPS in Windows 10 (gHacks - Martin Brinkmann)
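The article says Windows will "automatically use the new standard" once the configured resolver supports it, but not what actually changes on the wire. As an added example (not code from the gHacks article or from Microsoft's implementation), here is the DNS over HTTPS (RFC 8484) message format in Python: the DNS message is the same one a classic resolver would send in a UDP datagram, and DoH carries it either in an HTTPS POST body or base64url-encoded in a GET parameter. Nothing touches the network; the resolver URL, the response bytes, and the function names are constructed for this example.

```python
# Added example, not code from the gHacks article or from Microsoft's
# implementation: the DNS over HTTPS (RFC 8484) wire format. The DNS message
# is the same one a classic resolver would send in a UDP datagram; DoH carries
# it in an HTTPS request body (POST) or base64url-encoded in a GET parameter.
# Nothing touches the network: the resolver URL and the response bytes are
# constructed sample values, and the function names are chosen here.
import base64
import struct
from typing import Dict, List

DOH_RESOLVER = "https://doh.example/dns-query"  # placeholder, not a real resolver


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a recursive query for `name` (qtype 1 = A record) in DNS wire format.
    RFC 8484 recommends transaction ID 0 so identical queries are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def doh_get_url(resolver: str, query: bytes) -> str:
    """GET form: the message goes in a `dns` parameter, base64url without '=' padding."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={param}"


def decode_dns_param(param: str) -> bytes:
    """Server side of the GET form: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post_request(resolver: str, query: bytes) -> Dict[str, object]:
    """POST form: the raw message is the body, with the application/dns-message media type."""
    return {
        "method": "POST",
        "url": resolver,
        "headers": {"content-type": "application/dns-message",
                    "accept": "application/dns-message"},
        "body": query,
    }


def parse_a_records(response: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section of a DNS response.
    Follows name-compression pointers (0xC0..), which real resolvers emit."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])

    def skip_name(p: int) -> int:
        while True:
            length = response[p]
            if length == 0:              # root label ends the name
                return p + 1
            if length & 0xC0 == 0xC0:    # a 2-byte pointer ends the name too
                return p + 2
            p += 1 + length

    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4         # skip QTYPE and QCLASS
    addrs: List[str] = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[pos:pos + 4]))
        pos += rdlen
    return addrs


# Constructed sample response: one A record, owner name given as a pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)               # QR=1, RD=1, RA=1
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)     # question section
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)          # answer: A, IN, TTL 300
    + bytes([192, 0, 2, 1])                                      # TEST-NET sample address
)

if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(doh_get_url(DOH_RESOLVER, q))
    print(doh_post_request(DOH_RESOLVER, q)["headers"])
    print(parse_a_records(SAMPLE_RESPONSE))
```

Because the payload is an ordinary HTTPS request to port 443, a network observer sees a TLS session to the resolver and nothing of the question inside it; that is the whole privacy gain the article describes, and it is also why a DoH resolver must re-add the base64url padding the client strips, as decode_dns_param does.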

13 hours ago, Nastrahl said:

why not over TLS?

I believe there are advantages to TCP port 443 being used for regular HTTPS traffic and DoH. But further, the text below explains a possible issue with DNS over TLS.

DNSSEC, the DNS Security Extensions, adds authentication and data integrity checking to DNS but usually misses the DNS client: the local DNS server performs DNSSEC validation and establishes the authenticity and integrity of the data, and then passes the result to the DNS client. That last leg of the communication, however, can be spoofed.


Windows 10 is bad for leaking DNS in general, so I wouldn't trust it.

1. Terrible Windows features (for your privacy)

 

In short: Newer Windows operating systems have a built-in feature called “Smart Multi-Homed Name Resolution” (SMHNR for short). It makes it very easy for DNS leaks to appear.

Caused by: Uncontrollable DNS requests sent to multiple DNS servers, thanks to SMHNR.

 

Fixed by: Disabling SMHNR on Windows 8/8.1; OpenVPN plugin on Windows 10.

 

“Smart Multi-Homed Name Resolution” isn’t just a pain to pronounce. This feature is also such a big security risk, the United States Computer Emergency Readiness Team (US-CERT) released an alert about it in 2015.

 

This same feature is now baked into Windows 10 after making its debut on Windows 8. Needless to say, it creates many problems for VPN users running the Microsoft OS.

 

Here’s why: SMHNR is the ultimate shortcut for DNS leaks. Its purpose is to enhance browsing speeds by sending DNS requests in bulk to all currently available DNS servers. This obviously results in a glaring privacy risk, but there’s more.

 

On Windows 8 and 8.1, SMHNR would fall back to other DNS addresses only if your preferred ones couldn’t be reached. However, Microsoft decided that wasn’t enough, so Windows 10 machines now accept the fastest DNS response by default. This opens you up not only to the threat of DNS leaks, but DNS spoofing as well.

 

In short, you’ll want to get rid of SMHNR as soon as possible. Sadly, this feature is impossible to disable on Windows 10. The only real way to stop the DNS leaks is to get on Github and find yourself a trusted plugin (like this one). Keep in mind that this solution applies only if you’re using the OpenVPN protocol.

 

Fortunately, users still running the older Windows 8 and 8.1 systems have the option to disable the “Smart multi-homed name resolution” feature.

Source: https://www.vpnmentor.com/blog/vpn-leak-check-how-to-diagnose-and-repair-dns-leaks/

 

2. Microsoft’s networking team noted: “Providing encrypted DNS support without breaking existing Windows device admin configuration won’t be easy.”

source: https://www.cbronline.com/news/microsoft-encrypted-dns

 

3. DoH doesn't actually prevent ISP user tracking

One of the main points that DoH supporters have been blabbing about in the past year is that DoH prevents ISPs from tracking users' DNS requests, and hence prevents them from tracking users' web traffic habits.

 

Yes. DoH prevents the ISP from viewing a user's DNS requests.

 

However, DNS is not the only protocol involved in web browsing. There are still countless other data points that ISPs could track to know where a user is going. Anyone saying that DoH prevents ISPs from tracking users is either lying or doesn't understand how web traffic works.

 

If a user is accessing a website loaded via HTTP, using DoH is pointless, as the ISP will still know what URL the user is accessing by simply looking at the plaintext HTTP requests.

But this is also true even if users are accessing HTTPS websites. The ISPs will know to what site the user is connecting because the HTTPS protocol isn't perfect, and some parts of the HTTPS connection are not encrypted.

 

Experts say that ISPs won't be inconvenienced by DoH, at all, because they can easily look at these HTTPS portions that are not encrypted -- such as SNI fields and OCSP connections.

 

Furthermore, ISPs know everything about everyone's traffic anyway. By design, they can see to what IP address the user is connecting when accessing a website.

This IP address can't be hidden. Knowing the final IP destination reveals to what website a user is connecting, even if everything about his traffic is encrypted. Research published this August showed that a third-party can identify with 95% accuracy to which websites users were connecting just by looking at IP addresses.

 

Any claims that DoH prevents ISPs from tracking users are disingenuous and misleading, experts argue. DoH merely inconveniences ISPs by blinding them to one vector, but they still have plenty of others.

 

source: https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/

 

 

 

