    Microsoft announces plans to support encrypted DNS requests—eventually

    DoH!

    In highly hedged post, Microsoft pledges support for DoH and other schemes, eventually.

    Sean Gallagher

    Microsoft will (eventually) support secure DNS requests over the DoH protocol, and maybe over some others at some point.

    Yuichiro Chino via Getty Images

    In a post yesterday to the Microsoft Tech Community blog, Microsoft Windows Core Networking team members Tommy Jensen, Ivan Pashov, and Gabriel Montenegro announced that Microsoft is planning to adopt support for encrypted Domain Name System queries in order to “close one of the last remaining plain-text domain name transmissions in common web traffic.”

    That support will first take the form of integration with DNS over HTTPS (DoH), an Internet Engineering Task Force standard (RFC 8484) already supported by Mozilla, Google, and Cloudflare, among others. “As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we’re open to having other options such as DNS over TLS (DoT) in the future,” wrote Jensen, Pashov, and Montenegro. “For now, we’re prioritizing DoH support as the most likely to provide immediate value to everyone. For example, DoH allows us to reuse our existing HTTPS infrastructure.”

    But Microsoft is being careful about how it deploys this support, given the current political fight over DoH being waged by Internet service providers worried that they will lose a lucrative source of customer-behavior data.

    ISPs give a number of reasons for their opposition to DoH. Because it keeps DNS queries out of the ISP’s view, it defeats ISP-side filtering and blocking of some content, including, in the United Kingdom, the content-filtering requirements that UK law places on providers. Because Mozilla adopted DoH in the Firefox Web browser, the UK’s Internet Services Providers Association named Mozilla an “Internet Villain.”

    In the US, ISP lobbyists have pressed Congress to prevent Google from deploying DoH on Chrome on antitrust grounds. Part of that lobbying is based on claims that Google would, as a letter from Comcast to members of Congress put it, “centraliz[e] a majority of worldwide DNS data with Google” and “give one provider control of Internet traffic routing and vast amounts of new data about consumers and competitors.”

    Administrator’s choice

    According to the authors of the Microsoft post, the Windows implementation of DoH support will not change the status quo for corporate users or many ISP customers. “We will not be making any changes to which DNS server Windows was configured to use by the user or network,” Jensen et al. wrote:

    …[W]e will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.

    Today, users and admins decide what DNS server to use by picking the network they join or specifying the server directly; this milestone won’t change anything about that. Many people use ISP or public DNS content filtering to do things like block offensive websites. Silently changing the DNS servers trusted to do Windows resolutions could inadvertently bypass these controls and frustrate our users. We believe device administrators have the right to control where their DNS traffic goes.

    Microsoft’s implementation will also not “get in the way” of applications that use DoH or other encrypted DNS on their own. It will also need a fallback path for when DoH requests fail, but for a resolver already known to speak DoH that fallback will not be classic, unencrypted DNS. “DoH use will be enforced so that a server confirmed by Windows to support DoH will not be consulted via classic DNS,” the Core Networking team members wrote. “If this preference for privacy over functionality causes any disruption in common Web scenarios, we’ll find out early.”
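    The encoding that lets DoH ride on ordinary HTTPS, and the no-downgrade rule quoted above, as an added Python example that is not Microsoft’s code and not from the post: it builds an RFC 8484 GET request for a hypothetical resolver at https://dns.example/dns-query, decodes a constructed wire-format response, and models the “once a resolver is confirmed to speak DoH, never consult it over classic DNS” rule. The post does not say how Windows confirms DoH support, so that confirmation is taken as an input here.

```python
import base64
import struct

# Added example, not Microsoft's code. The resolver URL and the response
# bytes are constructed for illustration only.
DOH_TEMPLATE = "https://dns.example/dns-query"  # hypothetical resolver


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035) for `name`, RD=1, class IN.
    The transaction ID is fixed to 0 as RFC 8484 recommends, so identical
    queries yield identical HTTP requests and can be served from HTTP caches."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(template: str, query: bytes) -> str:
    """GET form of RFC 8484: the wire-format query travels in the `dns`
    parameter as base64url with the '=' padding removed. The request would
    also carry 'Accept: application/dns-message'; nothing else about it is
    DNS-specific, which is why it fits existing HTTPS infrastructure."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    sep = "&" if "?" in template else "?"
    return f"{template}{sep}dns={enc}"


def decode_dns_param(url: str) -> bytes:
    """Inverse of doh_get_url, as a DoH server does before resolving."""
    enc = url.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))


def _read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_answers(msg: bytes):
    """Return (flags, [(name, ttl, ipv4)]) for the A records in a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags, answers


# Constructed response to build_query("example.com"): one A record,
# name compressed to a pointer at offset 12, address from TEST-NET-1.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # QR, RD, RA; 1 Q, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"  # ptr->12, A, IN, TTL 3600, len 4
    b"\xc0\x00\x02\x01"                                  # 192.0.2.1
)


def pick_transport(doh_confirmed: bool, last_doh_attempt_failed: bool) -> str:
    """Rule quoted from the post: a resolver Windows has confirmed to speak
    DoH is never consulted over classic port-53 DNS, so a failed DoH request
    is retried over DoH or surfaced as a failure, not downgraded. Treating
    a failure as a retry is this example's interpretation."""
    if not doh_confirmed:
        return "classic-53"
    return "doh-retry" if last_doh_attempt_failed else "doh"


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_TEMPLATE, q))
    print(parse_answers(SAMPLE_RESPONSE))
```

    The decision the quoted rule embeds is the interesting one for defenders: a resolver that has once answered over DoH is pinned to DoH, so a network that later blocks port 443 to that resolver produces resolution failures rather than a silent downgrade to plaintext.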

    All of this is for the future, however. Microsoft is announcing its intent now before making early versions of the capability available to Windows Insiders, because, as the three wrote, “With encrypted DNS gaining more attention, we felt it was important to make our intentions clear as early as possible. We don’t want our customers wondering if their trusted platform will adopt modern privacy standards or not.”

    It also seems that Microsoft is staking out a position friendly to ISPs, and to enterprises as well, where encrypted DNS traffic from individual computers could hide activity that security teams need to see. Monitoring that relies on watching plaintext port-53 queries sees nothing once those queries travel inside HTTPS on port 443, unless the resolver itself logs them.
