Microsoft will (eventually) support encrypted DNS queries via the DoH protocol, and perhaps at some point via others.

Yuichiro Chino via Getty Images

In a post yesterday on the Microsoft Tech Community blog, Windows Core Networking team members Tommy Jensen, Ivan Pashov and Gabriel Montenegro announced that Microsoft plans to support encrypted Domain Name System queries in Windows, closing off one of the last remaining channels in which domain names are sent in plain text alongside ordinary web traffic.

This support will first take the form of integration with DNS over HTTPS (DoH), a standard published by the Internet Engineering Task Force and supported by, among others, Mozilla, Google and Cloudflare. “As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we are open to other options such as DNS over TLS (DoT) in the future,” wrote Jensen, Pashov and Montenegro. “For now, we are prioritizing DoH support as the most likely to provide value to everyone. With DoH, for example, we can reuse our existing HTTPS infrastructure.”
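To make concrete what "reusing the existing HTTPS infrastructure" means on the wire, here is an added example (not code from the original post, and not Microsoft's implementation) of the RFC 8484 GET form of DoH: the ordinary DNS wire-format query is base64url-encoded into a `dns=` parameter of a plain HTTPS URL, and the reply is an ordinary DNS message carried with content type `application/dns-message`. The resolver URL `https://dns.example/dns-query` and the reply it produces are assumptions constructed here so the example runs offline; the `www.example.com` encoding it produces matches the worked example in RFC 8484 section 4.1.1.

```python
"""Minimal RFC 8484 DoH client pieces, exercised offline against a constructed reply."""
import base64
import struct
import urllib.parse
import urllib.request
from typing import List, Tuple

DOH_CONTENT_TYPE = "application/dns-message"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Encode a DNS wire-format query (RFC 1035) for `name`, type A by default.
    The transaction ID is 0, as RFC 8484 recommends, so HTTP caches can reuse it."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """DoH GET form: the wire query goes in `dns=`, base64url without '=' padding."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return resolver_url + "?" + urllib.parse.urlencode({"dns": b64})


def doh_fetch(url: str) -> bytes:
    """Send the GET over ordinary HTTPS. Not called by the offline demo below."""
    req = urllib.request.Request(url, headers={"Accept": DOH_CONTENT_TYPE})
    with urllib.request.urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != DOH_CONTENT_TYPE:
            raise ValueError("unexpected content type %r" % ctype)
        return resp.read()


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section; raise on a failed lookup."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode:
        raise ValueError("resolver returned RCODE %d" % rcode)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def constructed_response(query: bytes, ip: str, rcode: int = 0, ttl: int = 300) -> bytes:
    """Constructed sample reply (not captured from any real resolver): echoes the
    question and answers it with one A record, or carries only an error RCODE."""
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    question = query[12:]
    if rcode:
        return header + question
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)  # name = pointer to offset 12
    return header + question + answer + bytes(int(x) for x in ip.split("."))


def doh_exchange(resolver_url: str, name: str) -> Tuple[str, List[str]]:
    """Offline walk-through: build the GET URL, then parse a constructed reply."""
    query = build_dns_query(name)
    url = doh_get_url(resolver_url, query)
    reply = constructed_response(query, "192.0.2.1")  # live client: doh_fetch(url)
    return url, parse_a_records(reply)


if __name__ == "__main__":
    print(doh_exchange("https://dns.example/dns-query", "www.example.com"))
```

Everything DNS-specific lives in the message bytes and the `Accept` header; the transport is a standard HTTPS GET, which is why an operating system with a mature HTTPS stack can add DoH without new transport code. Note that a response is only trusted for its RCODE and answer section here; a real client would also match the question and check TTLs before caching.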

But Microsoft is treading carefully in how it implements this support, given the current political fight over DoH being waged by internet service providers concerned that they are losing a lucrative source of customer behavior data.

ISPs give a number of reasons for their opposition to DoH. Because it prevents them from seeing DNS queries in plain text, it also prevents them from filtering and blocking certain content, which in the UK hampers enforcement of the content filtering requirements imposed by UK law. Because of the adoption of DoH in the Firefox web browser, the UK Internet Services Providers' Association labeled Mozilla an “internet villain.”

In the US, ISP lobbyists have pressed Congress to stop Google from implementing DoH in Chrome on antitrust grounds. Part of that lobbying rests on claims that Google would, in the words of a letter from Comcast to members of Congress, “centraliz[e] a majority of worldwide DNS data with Google” and give “one provider control over internet traffic routing and extensive amounts of new data about consumers and competitors.”

Administrator's choice

According to the authors of the Microsoft post, the Windows implementation of DoH support will not change the status quo for enterprise users or for many ISP customers. “We will not make any changes to the DNS server that Windows is configured to use by the user or the network,” wrote Jensen et al.:

… [w]e will look for ways to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.

Today, users and administrators decide which DNS server to use by choosing the network they join or by specifying the server directly; this milestone will not change that. Many people use ISP or public DNS content filtering to block things like offensive websites. Silently changing the DNS servers trusted to perform Windows resolutions could inadvertently bypass these controls and frustrate our users. We believe device administrators have the right to determine where their DNS traffic is going.

However, Microsoft's implementation will not “stand in the way” of applications that use DoH or other encrypted DNS queries themselves. And it will not fall back to unencrypted DNS once a server is known to support DoH. “Use of DoH will be enforced, so that a server Windows has confirmed supports DoH will not be consulted via traditional DNS,” wrote the members of the Core Networking team. “If this preference for privacy over functionality causes any disruption in general web scenarios, we will discover this early.”

All of this is still in the future. Microsoft is announcing its intentions now, before early versions of the capability are made available to Windows Insiders, because, as the three wrote: “As encrypted DNS has received more attention, we thought it was important to make our intentions clear as early as possible. We do not want our customers to wonder whether their trusted platform will adopt modern privacy standards or not.”

It also appears that Microsoft is staking out a position that is friendly to ISPs, and also to enterprises, where whatever might be hidden inside encrypted DNS traffic from individual machines can itself be a security concern.
