Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1014229%22%20slang%3D%22en-US%22%3EWindows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1014229%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3EBrought%20to%20you%20by%20Tommy%20Jensen%2C%20Ivan%20Pashov%2C%20and%20Gabriel%20Montenegro%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20in%20Windows%20Core%20Networking%2C%20we%E2%80%99re%20interested%20in%20keeping%20your%20traffic%20as%20private%20as%20possible%2C%20as%20well%20as%20fast%20and%20reliable.%20While%20there%20are%20many%20ways%20we%20can%20and%20do%20approach%20user%20privacy%20on%20the%20wire%2C%20today%20we%E2%80%99d%20like%20to%20talk%20about%20encrypted%20DNS.%20Why%3F%20Basically%2C%20because%20supporting%20encrypted%20DNS%20queries%20in%20Windows%20will%20close%20one%20of%20the%20last%20remaining%20plain-text%20domain%20name%20transmissions%20in%20common%20web%20traffic.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3EProviding%20encrypted%20DNS%20support%20without%20breaking%20existing%20Windows%20device%20admin%20configuration%20won't%20be%20easy.%20However%2C%20%3CA%20href%3D%22https%3A%2F%2Fnews.microsoft.com%2Fspeeches%2Fsatya-nadella-microsoft-inspire-2019%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eat%20Microsoft%20we%20believe%20that%3C%2FA%3E%20%22we%20have%20to%20treat%20privacy%20as%20a%20human%20right.%20We%20have%20to%20have%20end-to-end%20cybersecurity%20built%20into%20technology.%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20also%20believe%20Windows%20adoption%20of%20encrypted%20DNS%20will%20help%20make%20the%20overall%20Internet%20ecosystem%20healthier.%20There%20is%20an%20assumption%20by%20many%20that%20DNS%20encryption%20requires%20DNS%20centralization.%20This%20is%20only%20true%20if%20encrypted%20DNS%20adoption%20isn%E2%80%99t%20universal.%20To%20keep%20the%20DNS%20decentralized%2C%20it%20will%20be%20important%20for%20client%20operating%20systems%20(such%20as%20Windows)%20and%20Internet%20service%20providers%20alike%20to%20%3CA%20href%3D%22https%3A%2F%2Fwww.eff.org%2Fdeeplinks%2F2019%2F09%2Fencrypted-dns-could-help-close-biggest-privacy-gap-internet-why-are-some-groups%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewidely%20adopt%20encrypted%20DNS%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20the%20decision%20made%20to%20build%20support%20for%20encrypted%20DNS%2C%20the%20next%20step%20is%20to%20figure%20out%20what%20kind%20of%20DNS%20encryption%20Windows%20will%20support%20and%20how%20it%20will%20be%20configured.%20Here%20are%20our%20team's%20guiding%20principles%20on%20making%20those%20decisions%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EWindows%20DNS%20needs%20to%20be%20as%20private%20and%20functional%20as%20possible%20by%20default%20without%20the%20need%20for%20user%20or%20admin%20configuration%20because%20Windows%20DNS%20traffic%20represents%20a%20snapshot%20of%20the%20user%E2%80%99s%20browsing%20history.%3C%2FSTRONG%3E%20To%20Windows%20users%2C%20this%20means%20their%20experience%20will%20be%20made%20as%20private%20as%20possible%20by%20Windows%20out%20of%20the%20box.%20For%20Microsoft%2C%20this%20means%20we%20will%20look%20for%20opportunities%20to%20encrypt%20Windows%20DNS%20traffic%20without%20changing%20the%20configured%20DNS%20resolvers%20set%20by%20users%20and%20system%20administrators.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EPrivacy-minded%20Windows%20users%20and%20administrators%20need%20to%20be%20guided%20to%20DNS%20settings%20even%20if%20they%20don't%20know%20what%20DNS%20is%20yet.%3C%2FSTRONG%3E%20Many%20users%20are%20interested%20in%20controlling%20their%20privacy%20and%20go%20looking%20for%20privacy-centric%20settings%20such%20as%20app%20permissions%20to%20camera%20and%20location%20but%20may%20not%20be%20aware%20of%20or%20know%20about%20DNS%20settings%20or%20understand%20why%20they%20matter%20and%20may%20not%20look%20for%20them%20in%20the%20device%20settings.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EWindows%20users%20and%20administrators%20need%20to%20be%20able%20to%20improve%20their%20DNS%20configuration%20with%20as%20few%20simple%20actions%20as%20possible.%3C%2FSTRONG%3E%20We%20must%20ensure%20we%20don't%20require%20specialized%20knowledge%20or%20effort%20on%20the%20part%20of%20Windows%20users%20to%20benefit%20from%20encrypted%20DNS.%20Enterprise%20policies%20and%20UI%20actions%20alike%20should%20be%20something%20you%20only%20have%20to%20do%20once%20rather%20than%20need%20to%20maintain.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EWindows%20users%20and%20administrators%20need%20to%20explicitly%20allow%20fallback%20from%20encrypted%20DNS%20once%20configured.%3C%2FSTRONG%3E%20Once%20Windows%20has%20been%20configured%20to%20use%20encrypted%20DNS%2C%20if%20it%20gets%20no%20other%20instructions%20from%20Windows%20users%20or%20administrators%2C%20it%20should%20assume%20falling%20back%20to%20unencrypted%20DNS%20is%20forbidden.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBased%20on%20these%20principles%2C%20we%20are%20making%20plans%20to%20adopt%20%3CA%20href%3D%22https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc8484%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDNS%20over%20HTTPS%3C%2FA%3E%20(or%20DoH)%20in%20the%20Windows%20DNS%20client.%20As%20a%20platform%2C%20Windows%20Core%20Networking%20seeks%20to%20enable%20users%20to%20use%20whatever%20protocols%20they%20need%2C%20so%20we%E2%80%99re%20open%20to%20having%20other%20options%20such%20as%20DNS%20over%20TLS%20(DoT)%20in%20the%20future.%20For%20now%2C%20we're%20prioritizing%20DoH%20support%20as%20the%20most%20likely%20to%20provide%20immediate%20value%20to%20everyone.%20For%20example%2C%20DoH%20allows%20us%20to%20reuse%20our%20existing%20HTTPS%20infrastructure.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20our%20first%20milestone%2C%20we'll%20start%20with%20a%20simple%20change%3A%20use%20DoH%20for%20DNS%20servers%20Windows%20is%20already%20configured%20to%20use.%20There%20are%20now%20several%20public%20DNS%20servers%20that%20support%20DoH%2C%20and%20if%20a%20Windows%20user%20or%20device%20admin%20configures%20one%20of%20them%20today%2C%20Windows%20will%20just%20use%20classic%20DNS%20(without%20encryption)%20to%20that%20server.%20However%2C%20since%20these%20servers%20and%20their%20DoH%20configurations%20are%20well%20known%2C%20Windows%20can%20automatically%20upgrade%20to%20DoH%20while%20using%20the%20same%20server.%20We%20feel%20this%20milestone%20has%20the%20following%20benefits%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EWe%20will%20not%20be%20making%20any%20changes%20to%20which%20DNS%20server%20Windows%20was%20configured%20to%20use%20by%20the%20user%20or%20network.%3C%2FSTRONG%3E%20Today%2C%20users%20and%20admins%20decide%20what%20DNS%20server%20to%20use%20by%20picking%20the%20network%20they%20join%20or%20specifying%20the%20server%20directly%3B%20this%20milestone%20won%E2%80%99t%20change%20anything%20about%20that.%20Many%20people%20use%20ISP%20or%20public%20DNS%20content%20filtering%20to%20do%20things%20like%20block%20offensive%20websites.%20Silently%20changing%20the%20DNS%20servers%20trusted%20to%20do%20Windows%20resolutions%20could%20inadvertently%20bypass%20these%20controls%20and%20frustrate%20our%20users.%20We%20believe%20device%20administrators%20have%20the%20right%20to%20control%20where%20their%20DNS%20traffic%20goes.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EMany%20users%20and%20applications%20that%20want%20privacy%20will%20start%20getting%20the%20benefits%20without%20having%20to%20know%20about%20DNS.%20%3C%2FSTRONG%3EIn%20line%20with%20principle%201%2C%20the%20DNS%20queries%20become%20more%20private%20with%20no%20action%20from%20either%20apps%20or%20users.%20When%20both%20endpoints%20support%20encryption%2C%20there%E2%80%99s%20no%20reason%20to%20wait%20around%20for%20permission%20to%20use%20encryption!%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EWe%20can%20start%20seeing%20the%20challenges%20in%20enforcing%20the%20line%20on%20preferring%20resolution%20failure%20to%20unencrypted%20fallback.%20%3C%2FSTRONG%3EIn%20line%20with%20principle%204%2C%20this%20DoH%20use%20will%20be%20enforced%20so%20that%20a%20server%20confirmed%20by%20Windows%20to%20support%20DoH%20will%20not%20be%20consulted%20via%20classic%20DNS.%20If%20this%20preference%20for%20privacy%20over%20functionality%20causes%20any%20disruption%20in%20common%20web%20scenarios%2C%20we%E2%80%99ll%20find%20out%20early.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20future%20milestones%2C%20we'll%20need%20to%20create%20more%20privacy-friendly%20ways%20for%20our%20users%20to%20discover%20their%20DNS%20settings%20in%20Windows%20as%20well%20as%20make%20those%20settings%20DoH-aware.%20This%20will%20give%20users%2C%20device%20admins%2C%20and%20enterprise%20admins%20the%20ability%20to%20configure%20DoH%20servers%20explicitly.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhy%20announce%20our%20intentions%20in%20advance%20of%20DoH%20being%20available%20to%20Windows%20Insiders%3F%20With%20encrypted%20DNS%20gaining%20more%20attention%2C%20we%20felt%20it%20was%20important%20to%20make%20our%20intentions%20clear%20as%20early%20as%20possible.%20We%20don%E2%80%99t%20want%20our%20customers%20wondering%20if%20their%20trusted%20platform%20will%20adopt%20modern%20privacy%20standards%20or%20not.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20are%20interested%20in%20joining%20the%20larger%20industry%20conversation%20about%20encrypting%20the%20DNS%2C%20check%20out%20one%20of%20the%20IETF%20working%20groups%20working%20with%20DNS%20(%3CA%20href%3D%22https%3A%2F%2Fdatatracker.ietf.org%2Fwg%2Fabcd%2Fabout%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EABCD%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fdatatracker.ietf.org%2Fwg%2Fadd%2Fabout%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EApps%20Doing%20DNS%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fdatatracker.ietf.org%2Fwg%2Fdnsop%2Fabout%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDNSOP%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fdatatracker.ietf.org%2Fwg%2Fdprive%2Fabout%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDPRIVE%3C%2FA%3E)%20or%20the%20new%20%3CA%20href%3D%22https%3A%2F%2Fwww.encrypted-dns.org%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEncrypted%20DNS%20Deployment%20Initiative%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDo%20you%20have%20questions%20or%20feedback%20for%20us%20regarding%20the%20Windows%20plan%20to%20adopt%20encrypted%20DNS%3F%20We%E2%80%99d%20love%20to%20hear%20from%20you!%20Feel%20free%20to%20comment%20below.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1014229%22%20slang%3D%22en-US%22%3E%3CP%3EAnnouncing%20and%20explaining%20our%20intention%20to%20support%20DNS%20over%20HTTPS%20in%20future%20versions%20of%20Windows%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1015634%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1015634%22%20slang%3D%22en-US%22%3E%3CP%3EDoH%20is%20a%20good%20start.%20We%20will%20wait%20for%20DoT%20as%20its%20a%20better%20route.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1016129%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1016129%22%20slang%3D%22en-US%22%3E%3CP%3EPlease%20Support%20%3CSTRONG%3EDNSSEC%3C%2FSTRONG%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(you%20only%20support%20it%20in%20the%20server%20deployed%20on%20site%20and%20it%20needs%20to%20be%20on%20the%20client%2C%20office365%20and%20azure)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethis%20can%20be%20done%20regardless%20of%20DoH%20or%20DoT%20it%20verifies%20the%20answers%20are%20correct%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMicrosoft%20documentation%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2012-r2-and-2012%2Fdn593670(v%253Dws.11)%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2012-r2-and-2012%2Fdn593670(v%253Dws.11)%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eadministrators%20requesting%20this%20for%20office365%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Foffice365.uservoice.com%2Fforums%2F289138-office-365-security-compliance%2Fsuggestions%2F32360299-dnssec-support-in-office-365%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Foffice365.uservoice.com%2Fforums%2F289138-office-365-security-compliance%2Fsuggestions%2F32360299-dnssec-support-in-office-365%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eazure%20networking%20request%20%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F217313-networking%2Fsuggestions%2F13284393-azure-dns-needs-dnssec-support%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ffeedback.azure.com%2Fforums%2F217313-networking%2Fsuggestions%2F13284393-azure-dns-needs-dnssec-support%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eplease%26nbsp%3BTommy%20Jensen%2C%20Ivan%20Pashov%2C%20and%20Gabriel%20Montenegro.%20trust%20but%20verify%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Emicrosoft%20windows%20platform%20deserves%20better%2C%20%3CSTRONG%3Ewindows%2010%20needs%20DNSSEC%3C%2FSTRONG%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1016174%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1016174%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20your%20future%20plans%20include%20allowing%20Windows%20DNS%20Server%20to%20communicate%20to%20upstream%20DNS%20servers%20using%20DNS%20over%20HTTPS%2FTLS%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInternally%20you'd%20have%20clients%20making%20unencrypted%20DNS%20queries%20to%20their%20local%20DNS%20server%20(53)%2C%20then%20said%20DNS%20server%20would%20forward%20queries%20upstream%20-%20over%20HTTPS%2FTLS%20(443).%20Or%20-%20even%20better%2C%20allowing%20Windows%20DNS%20Server%20to%20answer%20queries%20over%20HTTPS%20for%20a%20true%20end-to-end%20encrypted%20flow.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20echoing%20the%20need%20for%20DNSSEC%20on%20Windows%20Client!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1016823%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1016823%22%20slang%3D%22en-US%22%3E%3CP%3EI'll%20be%20the%20stick%20in%20the%20mud%20here.%3C%2FP%3E%3CP%3EWe%20don't%20only%20need%20DOT%20and%20DOH%2C%20we%20need%20granular%20control%20over%20what%20is%20and%20what%20is%20not%20allowed%20through%20those%20DNS%20servers%2C%20or%20our%20clients%20are%20going%20to%20be%20inundated%20by%20new%20forms%20of%20malware%2C%20spyware%2C%20etc%20from%20advertisers%20and%20hacking%20groups%20who%20simply%20buy%20a%20SSL%20cert%20for%20.00000001%20bitcoins%2C%20and%20flood%20the%20%22secure%22%20DNS%20with%20the%20same%20intrusive%20ads%20and%20garbage%20that%20make%20the%20internet%20a%20virtual%20nightmare%20of%20scams%2C%20garbage%20and%20malicious%20links.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1017520%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1017520%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F461760%22%20target%3D%22_blank%22%3E%40cpuprohky%3C%2FA%3E%26nbsp%3Byou%20seem%20to%20have%20a%20serious%20misunderstanding%20of%20what%20DNS-over-HTTPS%20is%20and%20what%20is%20happening%20here.%26nbsp%3B%20This%20change%20will%20not%20override%20your%20own%20manually%20configured%20local%20DNS%20servers%2C%20it%20will%20only%20matter%20if%20a%20client%20is%20configured%20to%20use%20a%20well-known%20DNS%20server%20that%20support%20DoH%2C%20for%20example%20Cloudflare's%201.1.1.1%20or%20Google's%208.8.8.8.%26nbsp%3B%20Clients%20configured%20to%20use%20those%20or%20other%20similar%20public%20DNS%20servers%20will%20be%20automatically%20upgraded%20to%20DoH%2C%20those%20set%20to%20private%20servers%20or%20public%20services%20not%20known%20to%20support%20DoH%20will%20not%20be%20changed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20if%20you%20want%20to%20run%20your%20own%20DNS%20server%20that%20monitors%20and%2For%20modifies%20traffic%20you%20can%20still%20do%20so%20with%20DoH.%26nbsp%3B%20It's%20just%20a%20different%20protocol%20between%20the%20client%20and%20the%20chosen%20resolver%2C%20everything%20else%20works%20the%20same%20as%20it%20always%20has.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20only%20thing%20this%20actually%20affects%20is%20transparently%20intercepting%20DNS%20traffic%20and%20redirecting%20it%20to%20somewhere%20the%20client%20did%20not%20want.%26nbsp%3B%20Protecting%20against%20this%20is%20a%20good%20thing.%26nbsp%3B%20Those%20who%20legitimately%20control%20the%20machines%20they're%20monitoring%20can%20configure%20them%20appropriately%20for%20their%20needs%20rather%20than%20relying%20on%20dirty%20tricks.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20won't%20change%20a%20thing%20as%20far%20as%20malware%20or%20ads%20are%20concerned.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1020049%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1020049%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.reddit.com%2Fr%2Fpihole%2Fcomments%2Fdy4b3b%2Fwindows_will_improve_user_privacy_with_dns_over%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.reddit.com%2Fr%2Fpihole%2Fcomments%2Fdy4b3b%2Fwindows_will_improve_user_privacy_with_dns_over%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%20class%3D%22_3sf33-9rVAO_v4y0pIW_CH%20%22%3E%3CDIV%20class%3D%22P8SGAKMtRxNwlmLz1zdJu%20Comment%20t1_f7yhxs7%20_1z5rdmX8TDr6mqwNv7A70U%22%3E%3CDIV%20class%3D%22_3tw__eCCe7j-epNCKGXUKk%20%22%3E%3CDIV%20class%3D%22_3cjCphgls6DH-irkVaA0GM%22%3E%3CDIV%20class%3D%22_292iotee39Lmt0MkQZ2hPV%20RichTextJSON-root%22%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3EHow%20does%20this%20impact%20the%20use%20of%20a%20PiHole%3F%20Do%20you%20lose%20some%20control%20on%20some%20closed%20source%20devices%3F%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%3E%3CDIV%20class%3D%22_3sf33-9rVAO_v4y0pIW_CH%20%22%3E%3CDIV%20class%3D%22P8SGAKMtRxNwlmLz1zdJu%20Comment%20t1_f7yj2hf%20%22%3E%3CDIV%20class%3D%22_3tw__eCCe7j-epNCKGXUKk%20%22%3E%3CDIV%20class%3D%22_1S45SPAIb30fsXtEcKPSdt%20%20_3ezOJqKdLbgkHsXcfvS5SA%20%22%3E%3CDIV%20class%3D%22_2LeW9tc_6Fs1n7Ou8uD-70%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22_3cjCphgls6DH-irkVaA0GM%22%3E%3CDIV%20class%3D%22_292iotee39Lmt0MkQZ2hPV%20RichTextJSON-root%22%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3EIf%20a%20device%20or%20computer%20is%20using%20DNS%20over%20HTTPS%2C%20their%20DNS%20lookups%20will%20look%20like%20regular%20HTTPS%20requests%2C%20so%20they%20won't%20even%20hit%20the%20pihole%20at%20all.%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3EIt%20will%20be%20a%20'good'%20way%20for%20systems%20to%20bypass%20ad%20filters%20or%20tracking%20filters%20like%20the%20pihole.%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%3E%3CDIV%20class%3D%22_3sf33-9rVAO_v4y0pIW_CH%20%22%3E%3CDIV%20class%3D%22P8SGAKMtRxNwlmLz1zdJu%20Comment%20t1_f7yjftc%20%22%3E%3CDIV%20class%3D%22_3tw__eCCe7j-epNCKGXUKk%20%22%3E%3CDIV%20class%3D%22_3cjCphgls6DH-irkVaA0GM%22%3E%3CDIV%20class%3D%22_292iotee39Lmt0MkQZ2hPV%20RichTextJSON-root%22%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3EAs%20long%20as%20you%20point%20devices%20you%20control%20to%20the%20pihole%20as%20a%20dns%20server%20then%20the%20endpoint%20will%20still%20be%20there%2C%20right%3F%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3EThis%20will%20be%20a%20problem%20for%20devices%20like%20the%20chrome%20cast%20that%20have%20servers%20hard%20coded%20and%20don't%20allow%20the%20end%20user%20to%20modify%20them.%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%3E%3CDIV%20class%3D%22_3sf33-9rVAO_v4y0pIW_CH%20%22%3E%3CDIV%20class%3D%22_1DooEIX-1Nj5rweIc5cw_E%22%3E%3CDIV%20class%3D%22_36AIN2ppxy_z-XSDxTvYj5%20t1_f7yjftc%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22P8SGAKMtRxNwlmLz1zdJu%20Comment%20t1_f7yk6o7%20%22%3E%3CDIV%20class%3D%22_3tw__eCCe7j-epNCKGXUKk%20%22%3E%3CDIV%20class%3D%22_3cjCphgls6DH-irkVaA0GM%22%3E%3CDIV%20class%3D%22_292iotee39Lmt0MkQZ2hPV%20RichTextJSON-root%22%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3ENot%20necessarily.%20If%20the%20device%20or%20computer%20or%20the%20browser%2C%20for%20example%2C%20are%20configured%20to%20use%20DNS%20over%20HTTPS%20then%20your%20pihole%20is%20completely%20out%20of%20the%20loop.%20Some%20will%20allow%20you%20to%20turn%20off%20DoH%20(for%20now)%20but%20some%20won't.%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1020660%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1020660%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20is%20guidance%20up%20now%20on%20the%20PiHole%20site%20for%20the%20integration%20of%20the%20%22cloudflared%22%20service%20on%20a%20PiHole.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20interested%20in%20seeing%20the%20low-level%20flow%20of%20the%20nameserver%20selection%20logic.%20It%20sounds%20like%20MS%20is%20making%20some%20reasonable%20choices%20with%20respect%20to%20not%20arbitrarily%20undoing%20user%20configurations%20for%20client%20nameservers.%26nbsp%3B%20That%20having%20been%20said%2C%20the%20interoperability%20is%20in%20the%20details.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1022383%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1022383%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F461760%22%20target%3D%22_blank%22%3E%40cpuprohky%3C%2FA%3EYou%20are%20correct%20that%20something%20like%20a%20Chromecast%20where%20you%20might%20by%20redirecting%20DNS%20traffic%20via%20your%20router%20to%20the%20PiHole%20would%20no%20longer%20be%20possible.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20thing%20is%20though%2C%20Google%20could%20do%20this%20today%20as%20Google%20DNS%20already%20supports%20DoH%20and%20Chromecast%20has%20nothing%20to%20do%20with%20Windows.%26nbsp%3B%20So%20I'm%20not%20sure%20why%20you%20are%20posting%20about%20it%20on%20here%20as%20its%20nothing%20to%20do%20with%20what%20Microsoft%20are%20doing.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1039120%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1039120%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EI%20agree%20that%20privacy%20is%20something%20that%20is%20VERY%20important%2C%20especially%20in%20our%20modern%20age.%26nbsp%3B%20However%20Privacy%20from%20our%20ISP%20is%20nice%2C%20but%20Microsoft%20still%20has%20their%20own%20tracking%20in%20windows%2C%20As%20I%20(and%20others)%20have%20asked%20for%20in%20many%20places%2C%20PLEASE%20LET%20US%20DISABLE%20ALL%20MICROSOFT%20SPYWARE%2C%20AND%20CRAPWARE%20IN%20WINDOWS%2010.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20for%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F461760%22%20target%3D%22_blank%22%3E%40cpuprohky%3C%2FA%3E%2C%20good%20point%2C%20and%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F463661%22%20target%3D%22_blank%22%3E%40alexatkinuk%3C%2FA%3E%26nbsp%3B%20Pihole%20is%20a%20DNS%20server%20based%20adblocker%2C%20and%20this%20article%20is%20directly%20about%20DNS.%20as%20for%20Chromecast%2C%20people%20like%20ME%2C%20use%20Google%20Chromecasts%20with%20our%20windows%20PC's.%26nbsp%3B%20As%20DNS%20is%20one%20of%20the%20backbones%20of%20the%20Internet%2C%20It%20does%20directly%20effect%20the%20use%20of%20devices%20like%20PiHole%20and%20Chromecasts%2C%20furthermore%20it%20effects%20anything%20that%20needs%20to%20resolve%20a%20name%20to%20IP.%26nbsp%3B%20As%20your%20statement%20indicates%20a%20lack%20of%20knowledge%20on%20what%20DNS%20is%2C%20and%20how%20the%20internet%20works%2C%20I%20would%20advice%20studying%20the%20topic.%26nbsp%3B%20If%20you%20would%20like%2C%20I%20can%20provide%20the%20names%20of%20some%20good%20resources.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20to%20answer%26nbsp%3B%40cpuprojky's%20question%3A%3C%2FP%3E%3CP%3Eas%20for%20PiHole%2C%20It%20already%20supports%20DNS%20over%20HTTPS%2C%20below%20is%20a%20link%20from%20PiHole%20explaining%20how%20to%20set%20it%20up.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.pi-hole.net%2Fguides%2Fdns-over-https%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.pi-hole.net%2Fguides%2Fdns-over-https%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EChromecast's%20should%20not%20be%20affected%20(depending%20on%20what%20your%20doing)%20As%20screen%20casting%20is%20a%20intranet%20matter%2C%20and%20video%20streaming%20the%20chromecast%20connects%20to%20it's%20own%20DNS%20servers%2C%20(your%20computer%20functions%20only%20as%20the%20remote%2C%20the%20device%20works%20'mostly'%20on%20it's%20own).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1039337%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1039337%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F472287%22%20target%3D%22_blank%22%3E%40GLaDOS%3C%2FA%3EI%20think%20it%20may%20be%20you%20who%20doesn't%20understand%20the%20potential%20issues%20with%20DoH.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20normal%20DNS%20we%20can%20easily%20redirect%20it%20at%20the%20router%20by%20catching%20all%20outgoing%20traffic%20on%20the%20DNS%20port%20and%20sending%20it%20to%20our%20PiHole.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20DoH%2C%20we%20would%20need%20a%20rule%20that%20catches%20the%20actual%20IP%20addresses%20of%20every%20single%20possible%20DoH%20server%20our%20clients%20might%20hit%2C%20as%20its%20indistinguishable%20from%20normal%20HTTPS%20traffic%20so%20cannot%20be%20simply%20redirected%20by%20port.%26nbsp%3B%20Either%20that%20or%20we'd%20need%20to%20redirect%20all%20HTTPS%20traffic%20via%20a%20proxy%20server%20and%20spoof%20it%20there%20somehow.%26nbsp%3B%20This%20would%20have%20the%20annoying%20drawback%20of%20having%20ALL%20HTTPS%20traffic%20going%20via%20the%20proxy%2C%20needing%20much%20beefier%20hardware%20and%20potential%20for%20problems%20occuring.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1060802%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1060802%22%20slang%3D%22en-US%22%3E%3CP%3EI%20don't%20consider%20DoH%20or%20DoT%20an%20upgrade%20as%20this%20is%20just%20a%20brand%20new%20attack%20vector%20for%20attackers%20that%20will%20be%20able%20to%20hide%20their%20DNS%20traffic%20from%20the%20prying%20eyes%20of%20enterprise%20security.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1061093%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1061093%22%20slang%3D%22en-US%22%3E%3CP%3EI%20somewhat%20agree%2C%20as%20the%20way%20I%20use%20it%20at%20home%20is%20to%20catch%20all%20DNS%20traffic%20at%20the%20router%2C%20forcing%20it%20to%20use%20my%20local%20DNS%20cache%20which%20THEN%20uses%20DoT%20to%20perform%20uncached%20lookups%20with%20Cloudflare.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20the%20clients%20bypass%20this%2C%20they%20are%20exposed%20to%20all%20the%20security%20risks%20I'm%20blocking%20at%20the%20firewall.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlus%20how%20do%20you%20handle%20Intranet%20DNS%20lookups%3F%26nbsp%3B%20Will%20this%20be%20something%20you%20can%20suddenly%20only%20do%20with%20Windows%20Enterprise%20editions%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Brought to you by Tommy Jensen, Ivan Pashov, and Gabriel Montenegro

 

Here in Windows Core Networking, we’re interested in keeping your traffic as private as possible, as well as fast and reliable. While there are many ways we can and do approach user privacy on the wire, today we’d like to talk about encrypted DNS. Why? Basically, because supporting encrypted DNS queries in Windows will close one of the last remaining plain-text domain name transmissions in common web traffic.

Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that "we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology."

 

We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn’t universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.

 

With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team's guiding principles on making those decisions:

 

  • Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user’s browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
  • Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
  • Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
  • Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.

 

Based on these principles, we are making plans to adopt DNS over HTTPS (or DoH) in the Windows DNS client. As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we’re open to having other options such as DNS over TLS (DoT) in the future. For now, we're prioritizing DoH support as the most likely to provide immediate value to everyone. For example, DoH allows us to reuse our existing HTTPS infrastructure.

 

For our first milestone, we'll start with a simple change: use DoH for DNS servers Windows is already configured to use. There are now several public DNS servers that support DoH, and if a Windows user or device admin configures one of them today, Windows will just use classic DNS (without encryption) to that server. However, since these servers and their DoH configurations are well known, Windows can automatically upgrade to DoH while using the same server. We feel this milestone has the following benefits:

 

  • We will not be making any changes to which DNS server Windows was configured to use by the user or network. Today, users and admins decide what DNS server to use by picking the network they join or specifying the server directly; this milestone won’t change anything about that. Many people use ISP or public DNS content filtering to do things like block offensive websites. Silently changing the DNS servers trusted to do Windows resolutions could inadvertently bypass these controls and frustrate our users. We believe device administrators have the right to control where their DNS traffic goes.
  • Many users and applications that want privacy will start getting the benefits without having to know about DNS. In line with principle 1, the DNS queries become more private with no action from either apps or users. When both endpoints support encryption, there’s no reason to wait around for permission to use encryption!
  • We can start seeing the challenges in enforcing the line on preferring resolution failure to unencrypted fallback. In line with principle 4, this DoH use will be enforced so that a server confirmed by Windows to support DoH will not be consulted via classic DNS. If this preference for privacy over functionality causes any disruption in common web scenarios, we’ll find out early.

 

In future milestones, we'll need to create more privacy-friendly ways for our users to discover their DNS settings in Windows as well as make those settings DoH-aware. This will give users, device admins, and enterprise admins the ability to configure DoH servers explicitly. 

 

Why announce our intentions in advance of DoH being available to Windows Insiders? With encrypted DNS gaining more attention, we felt it was important to make our intentions clear as early as possible. We don’t want our customers wondering if their trusted platform will adopt modern privacy standards or not.

 

If you are interested in joining the larger industry conversation about encrypting the DNS, check out one of the IETF working groups working with DNS (ABCD, Apps Doing DNS, DNSOP, DPRIVE) or the new Encrypted DNS Deployment Initiative.

 

Do you have questions or feedback for us regarding the Windows plan to adopt encrypted DNS? We’d love to hear from you! Feel free to comment below.

12 Comments
Occasional Visitor

DoH is a good start. We will wait for DoT as its a better route.

Occasional Visitor

Please Support DNSSEC 

 

(you only support it in the server deployed on site and it needs to be on the client, office365 and azure)

 

this can be done regardless of DoH or DoT it verifies the answers are correct 

 

Microsoft documentation:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn...

 

administrators requesting this for office365:

https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/32360299-dn...

 

azure networking request :

https://feedback.azure.com/forums/217313-networking/suggestions/13284393-azure-dns-needs-dnssec-supp...

 

please Tommy Jensen, Ivan Pashov, and Gabriel Montenegro. trust but verify  

 

microsoft windows platform deserves better, windows 10 needs DNSSEC  

Frequent Visitor

Do your future plans include allowing Windows DNS Server to communicate to upstream DNS servers using DNS over HTTPS/TLS?

 

Internally you'd have clients making unencrypted DNS queries to their local DNS server (53), then said DNS server would forward queries upstream - over HTTPS/TLS (443). Or - even better, allowing Windows DNS Server to answer queries over HTTPS for a true end-to-end encrypted flow.

 

Also, echoing the need for DNSSEC on Windows Client!

Occasional Visitor

I'll be the stick in the mud here.

We don't only need DOT and DOH, we need granular control over what is and what is not allowed through those DNS servers, or our clients are going to be inundated by new forms of malware, spyware, etc from advertisers and hacking groups who simply buy a SSL cert for .00000001 bitcoins, and flood the "secure" DNS with the same intrusive ads and garbage that make the internet a virtual nightmare of scams, garbage and malicious links.  

Occasional Visitor

@cpuprohky you seem to have a serious misunderstanding of what DNS-over-HTTPS is and what is happening here.  This change will not override your own manually configured local DNS servers, it will only matter if a client is configured to use a well-known DNS server that support DoH, for example Cloudflare's 1.1.1.1 or Google's 8.8.8.8.  Clients configured to use those or other similar public DNS servers will be automatically upgraded to DoH, those set to private servers or public services not known to support DoH will not be changed.

 

Also, if you want to run your own DNS server that monitors and/or modifies traffic you can still do so with DoH.  It's just a different protocol between the client and the chosen resolver, everything else works the same as it always has.

 

The only thing this actually affects is transparently intercepting DNS traffic and redirecting it to somewhere the client did not want.  Protecting against this is a good thing.  Those who legitimately control the machines they're monitoring can configure them appropriately for their needs rather than relying on dirty tricks.

 

It won't change a thing as far as malware or ads are concerned.

Occasional Visitor

https://www.reddit.com/r/pihole/comments/dy4b3b/windows_will_improve_user_privacy_with_dns_over/

 

How does this impact the use of a PiHole? Do you lose some control on some closed source devices?

 

If a device or computer is using DNS over HTTPS, their DNS lookups will look like regular HTTPS requests, so they won't even hit the pihole at all.

It will be a 'good' way for systems to bypass ad filters or tracking filters like the pihole.

As long as you point devices you control to the pihole as a dns server then the endpoint will still be there, right?

This will be a problem for devices like the chrome cast that have servers hard coded and don't allow the end user to modify them.

 

Not necessarily. If the device or computer or the browser, for example, are configured to use DNS over HTTPS then your pihole is completely out of the loop. Some will allow you to turn off DoH (for now) but some won't.

Occasional Visitor

There is guidance up now on the PiHole site for the integration of the "cloudflared" service on a PiHole. 

 

I am interested in seeing the low-level flow of the nameserver selection logic. It sounds like MS is making some reasonable choices with respect to not arbitrarily undoing user configurations for client nameservers.  That having been said, the interoperability is in the details. 

Occasional Visitor

@cpuprohkyYou are correct that something like a Chromecast where you might by redirecting DNS traffic via your router to the PiHole would no longer be possible.

The thing is though, Google could do this today as Google DNS already supports DoH and Chromecast has nothing to do with Windows.  So I'm not sure why you are posting about it on here as its nothing to do with what Microsoft are doing.

Occasional Visitor

Hello,

I agree that privacy is something that is VERY important, especially in our modern age.  However Privacy from our ISP is nice, but Microsoft still has their own tracking in windows, As I (and others) have asked for in many places, PLEASE LET US DISABLE ALL MICROSOFT SPYWARE, AND CRAPWARE IN WINDOWS 10.  

 

As for @cpuprohky, good point, and @alexatkinuk  Pihole is a DNS server based adblocker, and this article is directly about DNS. as for Chromecast, people like ME, use Google Chromecasts with our windows PC's.  As DNS is one of the backbones of the Internet, It does directly effect the use of devices like PiHole and Chromecasts, furthermore it effects anything that needs to resolve a name to IP.  As your statement indicates a lack of knowledge on what DNS is, and how the internet works, I would advice studying the topic.  If you would like, I can provide the names of some good resources.

 

Now to answer @cpuprojky's question:

as for PiHole, It already supports DNS over HTTPS, below is a link from PiHole explaining how to set it up.

https://docs.pi-hole.net/guides/dns-over-https/

 

Chromecast's should not be affected (depending on what your doing) As screen casting is a intranet matter, and video streaming the chromecast connects to it's own DNS servers, (your computer functions only as the remote, the device works 'mostly' on it's own).

 

 

Occasional Visitor

@GLaDOSI think it may be you who doesn't understand the potential issues with DoH.

 

With normal DNS we can easily redirect it at the router by catching all outgoing traffic on the DNS port and sending it to our PiHole.

 

With DoH, we would need a rule that catches the actual IP addresses of every single possible DoH server our clients might hit, as its indistinguishable from normal HTTPS traffic so cannot be simply redirected by port.  Either that or we'd need to redirect all HTTPS traffic via a proxy server and spoof it there somehow.  This would have the annoying drawback of having ALL HTTPS traffic going via the proxy, needing much beefier hardware and potential for problems occuring.

Occasional Visitor

I don't consider DoH or DoT an upgrade as this is just a brand new attack vector for attackers that will be able to hide their DNS traffic from the prying eyes of enterprise security.

Occasional Visitor

I somewhat agree, as the way I use it at home is to catch all DNS traffic at the router, forcing it to use my local DNS cache which THEN uses DoT to perform uncached lookups with Cloudflare.

 

If the clients bypass this, they are exposed to all the security risks I'm blocking at the firewall.

 

Plus how do you handle Intranet DNS lookups?  Will this be something you can suddenly only do with Windows Enterprise editions?