Microsoft has announced the first testable version of DNS-Over-HTTPS (DoH) support, available for its Windows 10 operating system.
Support for the DoH protocol, which Microsoft first announced in November, is available in the Windows 10 Insider Preview Build 19628. This is accessible for members of Windows Insider, which is Microsoft’s open software-testing program that allows new features to be tested in pre-release, before they are widely rolled out.
“If you have been waiting to try DNS-Over-HTTPS (DoH) on Windows 10, you’re in luck: the first testable version is now available to Windows Insiders,” according to Microsoft on Wednesday. “If you haven’t been waiting for it, and are wondering what DoH is all about, then be aware this feature will change how your device connects to the internet and is in an early testing stage, so only proceed if you’re sure you’re ready.”
Microsoft’s DoH support allows the Windows OS to use encrypted domain name server (DNS) sessions (as opposed to DNS queries being sent in clear text).
DoH support thus attempts fix a long-standing privacy issue for internet browsers: Even if users are visiting a site using the secure HTTPS channel, if their DNS query is sent over an unencrypted connection, anyone can sniff out the packets being sent. This can open up victims to MiTM attacks where DNS responses can be manipulated to re-route users to phishing or malware sites. It can also allow intermediaries — such as Internet Service Providers (ISPs) or governments – to see which websites internet users are visiting.
At a closer level, without DoH, DNS queries are made from an app to a DNS server using the settings received from a local network provider (typically an ISP). DoH on the other hand encloses DNS requests in encrypted HTTPS packets and sends them to a DoH server (called a DoH resolver), which then processes the request and sends the encrypted response back. In Microsoft’s case, three servers are currently supported that are used as DoH resolvers – Cloudflare, Google and Quad9 (all three provide DoH as part of their public offerings). Microsoft said that Windows needs to be configured to use one of these as a DNS server in order for DoH to be implemented.
The feature will be off by default in the preview build; users need to first make sure their Microsoft account is part of the Windows Insider program and that they are in the Fast Ring (the Fast Ring allows a certain number of Insiders who opted in to receive super-early builds for the next feature update of Windows 10). Then, they can verify that they’re running Build 19628 or higher, by running Windows Update and rebooting (by going to the Settings app > System > About).
To activate DoH, users can then:
- Open the Registry Editor
- Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry key
- Create a new DWORD value named “EnableAutoDoh”
- Set its value to 2
Since it was first proposed as a standard in 2018, DoH continues to gain traction, but it has been controversial. While organizations like the Electronic Frontier Foundation (EFF) have voiced support for encrypted DNS, some worry that the method swaps one privacy issue with another. Detractors argue that by routing traffic through a content distribution network management system (such as Cloudflare and others), new central repositories for DNS queries are being created that could be hacked or used to mine personal identifiable information (PII) data.
Despite these worries, in March 2018 both Google and the Mozilla Foundation had started testing versions of DoH: Google announced general availability of its Public DNS-over-HTTPS service last June, while the Mozilla Foundation in 2020 rolled out DNS-over-HTTPS by default for U.S.-based Firefox users.
Microsoft, for its part, did not say when the functionality will be widely available beyond the Windows Insider pre-release.
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.