Microsoft promises encrypted DNS requests in a future Windows

In a very hedged post, Microsoft promises support for DoH and possibly other schemes.

In a post to the Microsoft Tech Community blog, Windows Core Networking team members Tommy Jensen, Ivan Pashov and Gabrielle Montenegro announced Microsoft's plans to adopt support for encrypted Domain Name System queries, which would remove one of the last remaining pieces of plain-text traffic, name resolution, from common web traffic.

This support will first take the form of integration with DNS over HTTPS (DoH), a standard proposed by the Internet Engineering Task Force and supported by Mozilla, Google and Cloudflare. Jensen, Pashov and Montenegro write, "As a platform, Windows Core Networking is working to make the protocols you need available, so other options, such as DNS over TLS, may be available in the future. At the moment, we are prioritizing DoH support as the most likely to deliver immediate value to everyone. For example, DoH allows us to reuse our existing HTTPS infrastructure."

However, given the current political battle over DoH, Microsoft is being careful about how it deploys this support, with an eye toward Internet service providers who worry about losing a profitable source of customer behavior data.

ISPs offer several reasons for opposing DoH. Because it hides plain-text DNS requests from them, DoH prevents ISPs from filtering and blocking some content, including the content filtering required under UK law. Because Mozilla adopted DoH as part of the Firefox web browser, the UK's Internet Services Providers Association called Mozilla an "Internet Villain."

ISP lobbyists in the US have pressed Congress to prevent Google from deploying DoH in Chrome, citing antitrust concerns. Some of that lobbying, in a letter from Comcast to members of Congress, argued that Google's plan would "centralize most of the world's DNS data with Google" and "grant one provider control over Internet routing and a vast amount of new data about consumers and competitors."

Administrator's Choice
According to the authors of the Microsoft post, DoH support in Windows will not change the situation for corporate users or for most ISP customers. Jensen et al. write, "We will not change the DNS servers that users or the network have configured for use."

"[W]e seek to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.

"Today, users and administrators decide which DNS server to use, either by selecting a network to join or by specifying a server themselves. This milestone doesn't change anything about that. Many people use ISP or public DNS content filtering to do things like block aggressive websites. Automatically changing the DNS servers Windows trusts for resolution could bypass these controls and disappoint users. We believe that device administrators have the right to control where their DNS traffic goes."

However, Microsoft's implementation does not block applications that make DoH or other encrypted DNS requests themselves. Nor will it fall back to classic DNS when a DoH request fails. The Core Networking team members write, "DoH usage will be enforced so that servers Windows has confirmed support DoH will never be contacted via classic DNS. Because we prefer privacy over features, we will catch any breakage in common web scenarios early."
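The rule described above, as an added illustration that is not Microsoft's code: the configured resolver is kept as-is, its transport is upgraded to DoH only when that resolver is on a known-DoH list, and a resolver that has been upgraded is never contacted over classic DNS even when the DoH request fails. The known-DoH table, the resolver addresses and the DoH URI template are constructed for the example; the wire-format query and the base64url GET form follow RFC 1035 and RFC 8484.

```python
"""Resolver-selection logic for opportunistic, non-downgradable DoH.
Example code, not Microsoft's implementation; the resolver table below is
constructed for illustration."""
import base64
import struct

# Constructed table: configured resolver IP -> DoH URI template (RFC 8484).
# A real client would learn this from a vetted list of known-DoH servers.
KNOWN_DOH_RESOLVERS = {
    "203.0.113.53": "https://doh.example.net/dns-query",
}

QTYPE_A = 1
QCLASS_IN = 1


def build_dns_query(name, qtype=QTYPE_A, txid=0):
    """Encode a minimal DNS wire-format query (RFC 1035). DoH carries exactly
    this byte string inside HTTPS; RFC 8484 recommends ID 0 to aid caching."""
    flags = 0x0100  # RD: recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(template, wire):
    """RFC 8484 GET form: the query, base64url-encoded without padding,
    in the ?dns= parameter of the server's URI template."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{template}?dns={b64}"


def choose_transport(configured_resolver):
    """The configured resolver is never replaced; only its transport may be
    upgraded. Returns ('doh', template) or ('udp53', resolver_ip)."""
    template = KNOWN_DOH_RESOLVERS.get(configured_resolver)
    if template is not None:
        return ("doh", template)
    return ("udp53", configured_resolver)


def resolve(name, configured_resolver, send_doh, send_classic):
    """Dispatch one query. Transports are injected so the logic runs offline:
    send_doh(url, wire) and send_classic(ip, wire) return response bytes or
    raise on failure."""
    transport, target = choose_transport(configured_resolver)
    wire = build_dns_query(name)
    if transport == "doh":
        # Enforced DoH: a failure surfaces as an error to the caller rather
        # than a silent downgrade to plain-text DNS on port 53.
        return send_doh(doh_get_url(target, wire), wire)
    return send_classic(target, wire)
```

The transports are passed in as callables so the decision logic can be exercised without network access; a failing DoH sender raises and the classic sender is never reached for a known-DoH resolver, which is the behaviour the post describes.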

But all of this is for the future. Microsoft is announcing its intentions now, before the feature is available even to Windows Insiders in preview builds. "We thought it was important for encrypted DNS to get more attention and to clarify our intent as soon as possible," the post says. "We don't want customers wondering whether a trusted platform will adopt the latest privacy standards."

Microsoft also appears to be in a position familiar to both ISPs and businesses: the ability of individual computers to hide their DNS traffic inside encrypted connections can itself be a security issue.