Microsoft wants to encrypt DNS queries in Windows with DNS over HTTPS (DoH). This was shared by network developers Tommy Jensen, Ivan Pashov and Gabriel Montenegro in a joint blog post.
The developers cite privacy protection as motivation: “Here in the Windows Core Networking Team, we are interested in keeping your traffic as private, fast and reliable as possible.” With support for encrypted DNS queries in Windows, Microsoft is closing one of the last remaining plaintext domain name transfers in general web traffic, the developers write.
Microsoft: Protecting Privacy is a Human Right
Microsoft admits that the implementation will not be without problems, but serves the higher goal of protecting users’ privacy. “Providing encrypted DNS support without disrupting the existing Windows device administration configuration will not be easy. At Microsoft, however, we believe that we need to treat privacy as a human right. We need to integrate end-to-end cybersecurity into technology.”
“We also believe that the introduction of encrypted DNS on Windows will help make the entire Internet ecosystem healthier. Many believe that DNS encryption requires DNS centralization. This only applies if the encrypted DNS introduction is not universal. To keep DNS decentralized, it will be equally important for client operating systems such as Windows and Internet Service Providers to take over encrypted DNS as much as possible.”
When implementing DNS over HTTPS, Microsoft follows its own guidelines:
- “By default, Windows DNS must be as private and functional as possible without requiring a user or admin configuration, because Windows DNS traffic is a snapshot of the user’s browsing history. For Windows users, this means that Windows out of the box will make their experiences as private as possible. For Microsoft, this means that we will look for ways to encrypt Windows DNS traffic without changing the DNS resolvers set by users and system administrators.”
- “Privacy-conscious Windows users and administrators must be guided to DNS settings even if they don’t yet know what DNS is. Many users are interested in controlling their privacy and looking for privacy-oriented settings such as app permissions for camera and location, but may not be aware or know anything about DNS settings or don’t understand why they matter, and may not look for them in the device settings.”
- “Windows users and administrators must be able to improve their DNS configuration with as few simple actions as possible. We need to make sure that we don’t require special knowledge or effort from Windows users to benefit from encrypted DNS. Corporate policies and UI actions should be something you only need to do once.”
- “Windows users and administrators must explicitly allow fallback from encrypted DNS after configuration. Once Windows is configured to use encrypted DNS and does not receive further instructions from Windows users or administrators, it should be assumed that the use of unencrypted DNS is prohibited.”
Open to DNS over TLS (DoT)
First, Microsoft wants to deploy DNS over HTTPS (DoH) in the Windows DNS client based on these principles. However, the Windows networking team aims to “allow users to use any protocol, so that we will be open to other options such as DNS over TLS (DoT) in the future. At the moment, we are prioritizing DoH support as the one that is most likely to provide immediate benefits for all. For example, DoH allows us to reuse our existing HTTPS infrastructure.”
If users in Windows have configured a DNS server that also provides DoH support, the first Insider version with DoH support will simply switch to DNS over HTTPS. “There are now several public DNS servers that support DoH, and if a Windows user or device configures one of them today, Windows simply uses classic DNS (without encryption) for that server. However, because these servers and their DoH configurations are known, Windows can automatically upgrade to DoH while using the same server.”
In any case, Microsoft does not want to change the user-set DNS server: “We will not make any changes to which DNS server is configured by Windows for use by the user or the network. Today, users and administrators decide which DNS server to use by selecting the network they are joining or specifying the server directly; Windows with DoH support won’t change that. … We believe that administrators have the right to control where their DNS traffic is going.”
At the same time, Microsoft wants to improve the user interface for DNS configuration, making it easier for users to reach the DNS settings. “In future Insider versions, we need to create more privacy-friendly ways for our users to determine their DNS settings on Windows and make those settings DoH-enabled. This allows users and administrators to explicitly configure DoH servers.”
Assessment: DoH for Windows
It is welcome that Microsoft is seeking system-wide encryption of DNS queries in Windows. Unlike browsers such as Firefox, which can already encrypt their own DNS queries, a system-wide implementation at the operating system level is of course more useful, since it routes all DNS traffic through an encrypted DNS server rather than just the requests from the browser. Currently, there is no desktop operating system that supports DNS query encryption by default.
The situation with mobile operating systems is slightly different. Since Android 9, there has been the ability to encrypt DNS traffic; Android has opted for DNS over TLS (DoT).
Reasons to encrypt DNS queries
While many websites today support or even require secure HTTP (HTTPS), i.e. a TLS-encrypted HTTP connection, requests to the Domain Name System (DNS) usually travel without encryption. This not only allows anyone on the network path to read all DNS requests, but also to forge or manipulate them.
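As an added illustration (not code from the article or from Microsoft), the following shows what the previous paragraph and the earlier “known server upgrades to DoH” passage describe: the queried name is readable in a classic DNS packet, the same packet wrapped in an RFC 8484 DoH GET URL, and a hypothetical policy that upgrades a known resolver to DoH without changing the server and refuses silent fallback once encrypted DNS is required. The `KNOWN_DOH` table and `choose_transport` are assumptions for illustration, not Windows’ actual logic.

```python
import base64
import struct
from typing import Optional, Tuple

# Constructed illustration of "known DoH-capable resolvers": classic resolver IP ->
# its RFC 8484 endpoint. Assumption for this example, not Windows' real table.
KNOWN_DOH = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",
}


def build_query(name: str, qtype: int = 1) -> bytes:
    """Classic DNS wire-format query (12-byte header + one question); qtype 1 = A.
    ID is 0, as RFC 8484 recommends so HTTP caches can match identical queries."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def qname_from_plaintext(packet: bytes) -> str:
    """What an on-path observer reads from an unencrypted (Do53) query: the name itself."""
    labels, pos = [], 12
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def doh_get_url(endpoint: str, packet: bytes) -> str:
    """RFC 8484 GET form: the wire query goes base64url-encoded, unpadded, in ?dns=."""
    b64 = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def choose_transport(configured_ip: str, encrypted_required: bool) -> Tuple[str, Optional[str]]:
    """Hypothetical policy mirroring the article: a known server is upgraded to DoH
    without changing the resolver; an unknown server stays on classic DNS unless the
    user/admin has required encrypted DNS, in which case there is no silent fallback."""
    if configured_ip in KNOWN_DOH:
        return "doh", KNOWN_DOH[configured_ip]
    if encrypted_required:
        return "refuse", None
    return "do53", None
```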
As early as 2017, the computer scientist Dominik Herrmann demonstrated in his dissertation “The Internet Address Book threatens our privacy” (PDF) how the identity of an Internet user can be determined from unencrypted DNS queries. Herrmann also sees a centralization of name resolution driven by international corporations such as Google, OpenDNS and Symantec: “In 2016, Google’s DNS servers alone answered more than 13 percent of all DNS requests per day.”