Microsoft Announces Plan To Support DoH In Windows (microsoft.com)
New submitter Shad0wz writes: Microsoft's Core Network team just announced they plan on supporting DoH in the Windows resolver. In the blog post, the company writes: Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that "we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology." We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn't universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS. With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team's guiding principles on making those decisions:
Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user's browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.
DoH? (Score:5, Funny)
What is DoH? Department of Hamburgers?
Re:DoH? (Score:5, Informative)
Re:DoH? (Score:5, Funny)
Doh! My bad.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Yah, I'm going to be _that_ guy. I know you're trolling but "HyperText Transfer Protocol Secure" and "Domain Name System".
Re: (Score:2)
I know you're trolling but "HyperText Transfer Protocol Secure" and "Domain Name System".
That's what they stand for, but that doesn't make it an acronym.
Acronyms are an abbreviation where the letters are pronounced as a single word.
Initialisms are an abbreviation where the letters are spoken individually.
We don't say "dense", we say "dee in ess"
We don't say "hit thubbbt pa", we say "aitch tee tee pee"
Or at least it's safe to say if you *are* speaking those abbreviations as acronyms, no one in person will understand what you're talking about, and in the case of HTTP you probably sound very silly
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Homer Simpson is now head of Microsoft development.
Support or Enforce? (Score:2)
Re:Support or Enforce? (Score:4, Interesting)
Yes, for certain hosts - all Microsoft infrastructure, various update servers, telemetry servers and things like onedrive and office365. The more charitable explanation is that this is to make it more difficult for malware to jam access to updates that could otherwise remove it. The more cynical explanation is that this is to make it more difficult for ordinary users to block the spying.
Re: (Score:2)
Most of their stuff is still DNS-based. Just look at Pi Hole records for the staggering amount of crap that Windows telemetry talks to, and which is blocked by the Pi Hole.
You can see why they'd want to use DoH, they don't want anyone DNS-blocking all of their phone-home telemetry.
Question: Why does DoH provide any more privacy (Score:2)
So you privately and secretly ask for the ip of porn4u.
Your isp knows absolutely nothing about what you asked for but then you instantly go to a.b.x.y -- seems they could know as much about you as if you had asked their DNS. Am I missing something?
Re:Question: Why does DoH provide any more privacy (Score:5, Informative)
Re: (Score:2)
Thanks! I always assumed it would be 50-50 cost forward or back.
Re: (Score:2)
The problem is that you're still using somebody's DNS. There should be no doubt that they keep logs [the government will make them do it], and with DoH they'll have everybody's [that uses their service]. I don't see the benefit in that. In fact it only centralizes things even more, a juicier target for the bandits.
Re: (Score:3)
and with DoH they'll have everybody's [that uses their service].
Yes, that is how DNS works. If you set 8.8.8.8 as DNS server today, without DoH, Google will have all your DNS requests and answers. If you set it to 8.8.8.8 with DoH, Google will still have all your DNS requests.
The difference is that today, without DoH, everyone who happens to be in the path between you and Google will ALSO have your DNS requests. In particular, your ISP will have them. And they are likely to sell your data and/or mess with your requests and answers.
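The two comments above turn on who can read the query bytes, not on the query itself, which is the same wire-format message in both cases. Added example (not code from the thread or from Microsoft's post) showing how RFC 8484 wraps that message as a DoH GET request; the resolver URL https://dns.example/dns-query is a placeholder.

```python
"""Build a DNS query and wrap it as a DoH (RFC 8484) GET request.

Added example, not part of the Slashdot thread or Microsoft's post.
The resolver URL below is an assumed placeholder, not a real endpoint.
"""
import base64
import struct

DOH_URL = "https://dns.example/dns-query"  # assumed placeholder resolver endpoint


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format (length-prefixed labels, 0 terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a single-question DNS query message (RD set), type A by default.

    RFC 8484 recommends ID 0 for DoH so identical queries cache well over HTTP.
    This is exactly the message that Do53 would send in the clear over UDP/53.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes) -> str:
    """Wrap the wire-format query as a DoH GET request (base64url, no padding)."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_URL}?dns={dns_param}"


def decode_doh_get(url: str) -> bytes:
    """Inverse of doh_get_url: recover the wire-format query from ?dns=."""
    param = url.split("?dns=", 1)[1]
    padded = param + "=" * (-len(param) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(padded)


def question_name(query: bytes) -> str:
    """Parse the QNAME out of a wire-format query (no compression in questions)."""
    pos, labels = 12, []
    while query[pos] != 0:
        n = query[pos]
        labels.append(query[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    q = build_query("example.com")
    print("Do53 sends these bytes in the clear:", q.hex())
    print("DoH sends the same bytes inside TLS:", doh_get_url(q))
```

On the wire, only the second line's URL and body are hidden from an on-path observer; the TLS connection to the resolver's IP address remains visible either way.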
Re: (Score:1)
I'm not so sure.
Is a reverse DNS lookup really substantially more expensive to perform than a normal one? I've never gotten that impression. Which would mean:
Scenario 1: You look up BadThings.org through your ISP's DNS, with the resulting name-IP pair added to their local DNS cache, and your visit is logged
Scenario 2: You go to site a.b.x.y, so your ISP does a reverse-lookup of a.b.x.y, adding the resulting name-IP pair to their local DNS cache, and your visit is logged
The only situation where I could see
Re:Question: Why does DoH provide any more privacy (Score:4, Interesting)
Reverse DNS is useless, particularly for cloud-hosted sites or sites behind anti-DDoS. I.e. pretty much all the popular ones.
It is dirt cheap to do reverse DNS lookups, they just do not tell you anything. We also know positively that reverse DNS lookups are not widely used for surveillance, because those lookups would show up in DNS server logs.
Re: (Score:2)
The amount of extra effort to do reverse DNS lookups on customers compared to hosting their own DNS server and logging things there. The latter is cheap and easy, the former isn't.
Reverse lookup is not needed for HTTPS which uses SNI [wikipedia.org].
SNI addresses this issue by having the client send the name of the virtual domain as part of the TLS negotiation. ...
The desired hostname is not encrypted, so an eavesdropper can see which site is being requested.
Anyone along the path can have a peek at where you're going. DoH doesn't ensure your privacy. This is just a ploy to wrestle control of DNS resolution from the network administrator.
Re:Question: Why does DoH provide any more privacy (Score:5, Informative)
In practice, you'll most likely hit the IP address of a popular CDN or cloud service, so no one can know which website you visited from that.
But the hostname of the website you try to reach with HTTPS isn't encrypted, so it's possible with deep packet inspection to figure out what you requested. For this, ESNI (Encrypted SNI) is a solution being deployed making all your communications private. See https://blog.cloudflare.com/en... [cloudflare.com] for more information.
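What the eavesdropper in the two comments above actually reads, as an added example (not code from the thread): a constructed TLS ClientHello and a parser that pulls the plaintext host_name out of its SNI extension, the same field a network monitor logs. A ClientHello without that extension (the situation ESNI aims for from the observer's point of view) yields nothing.

```python
"""Extract the plaintext SNI hostname from a TLS ClientHello record.

Added example, not code from the Slashdot thread.  The ClientHello is
constructed inline (a minimal TLS 1.2-style record), not captured traffic.
"""
import os
import struct
from typing import Optional


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello, optionally with SNI."""
    sni_name = hostname.encode("ascii")
    # ServerNameList with one entry of name_type host_name (0).
    server_name = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext if with_sni else b""
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + os.urandom(32)                       # random
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent.

    This is what a passive observer (ISP, hotspot, DPI box) can read without
    any key material: the record and handshake headers are unencrypted.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                            # not a handshake record / not a ClientHello
    pos = 9 + 2 + 32                           # skip headers, client_version, random
    sid_len = record[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = record[pos]
    pos += 1 + comp_len
    if pos + 2 > len(record):
        return None                            # no extensions block at all
    ext_total = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(record))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            # server_name_list: 2-byte list length, 1-byte name_type, 2-byte name length
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))          # example.com
    print(extract_sni(build_client_hello("example.com", False)))   # None
```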
Re: (Score:2)
I read the blog. Seems that until SNI is encrypted our web browsing is open to "anyone on the line" like your ISP or wifi host. I also think it says that this really isn't available, yet - waiting on Firefox. So right now we are all browsing in the open, fabonacci8 points out that it may be too expensive to reverse lookup (everything).
Re:Question: Why does DoH provide any more privacy (Score:5, Interesting)
If you are using Firefox, just toggle network.security.esni.enabled.
Either way, there are tons of privacy holes in browsing. They are getting plugged one by one.
Once we have TLS 1.3 everywhere and encrypted SNI and encrypted DNS, passive attacks on privacy will be very difficult.
Re: (Score:2)
Can't find it in my (up to date) Firefox. Looks like only on Nightly builds right now :-(
Re: (Score:2)
Which version?
I am on Firefox 70 which seems to be a perfectly normal release, not a beta or nightly.
Re: (Score:2)
I'm typing on Firefox 70.0 for Fedora 31. I can't find the setting you refer to, however I just tried the latest nightly - encrypted SNI can be found in about:config. You have it in stock 70?
Re: (Score:2)
Ooh, a fellow Fedora user!
I am on firefox-70.0.1-4.fc31.x86_64
In about:config, the setting is the only hit when I search for esni. It works, I tested against CloudFlare.
Re: (Score:2)
Re: (Score:2)
It's worse, you send an HTTPS request with Server Name Indication (SNI) http://en.wikipedia.org/wiki/S... [wikipedia.org] telling everyone in plain-text about your go4t fetish
Re: (Score:2)
Nope, you've got it in one. This is a feature by geeks, for geeks, to prove to other geeks how clever they are.
And, specifically in Microsoft's case, to bypass DNS-based blocking of all their phone-home telemetry with things like Pi Holes.
Re: (Score:2)
Creepy (Score:5, Insightful)
However, at Microsoft we believe that "we have to treat privacy as a human right.
Did anyone else get the creeps when they read this?
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
For context privacy is a human right in the EU.
https://en.wikipedia.org/wiki/... [wikipedia.org]
So they do have to treat it like a human right if they want access to the extremely lucrative EU market. It was a statement of fact, not of philosophical belief.
Re: (Score:2)
Nope, I laughed my ass off.
If Microsoft truly believes "we have to treat privacy as a human right" then they can take all of their telemetry services in Windows, SQL Server and wherever else they've shoved them and just fuck 'em right off.
It's sickening to see companies like Apple and Microsoft singing the "privacy is a human right" song. Newspeak it is.
Re: (Score:2)
However, at Microsoft we believe that "we have to treat privacy as a human right.
Did anyone else get the creeps when they read this?
No, because not all of us are naive enough to think privacy is an absolute. Privacy is the desire to not share information with specific people, so it's not illogical for Microsoft to support privacy while at the same time hoovering up data on you.
The problem I have is that there are some groups I trust with data, namely those who make it their business to deal with it (e.g. Google), and there are some I know will just sell it wholesale without de-anonymising from whom I tried to hide my information (e.g. m
Microsoft Privacy History (Score:1)
Re: (Score:1)
Arkanoid Revenge of DoH has worked in Win... (Score:2)
...dows for many years.
It originated in DOS, but thanks to Microsoft's attention to backwards compatibility DoH was supported in Win 3.11, 9x, XP (32b), and 7 (32b).
Of course, it does not run in Win10, nor in 64 bit machines no matter the version of windows....
So, again, the only news here is that Revenge of DoH will run on Win10 and in 64 bit machines.
Sorry, the lame joke was irresistible.
Privacy is a Profitable Right, not a Human one. (Score:2)
"However, at Microsoft we believe that "we have to treat privacy as a human right."
Go ahead. Say that shit again to anyone who has had the pleasure of actually using Microsoft Telemetry OS.
Microsoft treats privacy like every other mega-corp out there that's also Too Big To Fail; Privacy is a profitable right, not a human one.
Stop with the bullshit already.
Re: (Score:2)
I did my best to kill off the monitoring too. Never did manage to get it all. Most annoyingly, even if you set the privacy options to no-spying where you can, they often revert back again after windows updates - and a lot of the telemetry doesn't even have an option to turn it off. You can kill some with various registry edits, but even those keys eventually get disabled.
Re: (Score:2)
Tried opting out using their tools: http://init.sh/?p=331 [init.sh]
Re: (Score:2)
I did my best to kill off the monitoring too. Never did manage to get it all. Most annoyingly, even if you set the privacy options to no-spying where you can, they often revert back again after windows updates - and a lot of the telemetry doesn't even have an option to turn it off. You can kill some with various registry edits, but even those keys eventually get disabled.
Watchdog processes in Windows 10 that monitor for changes Microsoft doesn't like is certainly an amusing evolution for a company that claims privacy is a human right.
Re: (Score:2)
This is nothing compared to the built-in Windows Firewall crap that will keep on changing your settings to prohibit incoming unsolicited connections from reaching crappy Microsoft software to the preferred Microsoft setting of letting every little crappy bit of Microsoft shit software accept unsolicited incoming connections without restraint. What things like Calculator, the Screen Saver/Lock Screen, or anything else in Windows needs to receive incoming connections I have absolutely no idea.
At least t
Re: (Score:2)
From my experiments, the firewall doesn't do anything - you can rip out every rule and replace them with just a firm 'deny everything' and default deny, both directions, and still all the Windows services get through fine. I'm not sure if it's a hardcoded exception for certain processes, or a blanket exception for all things running as SYSTEM. Either way, tried it, didn't work.
Right and wrong (Score:3, Interesting)
Right way to secure DNS:
https://techcommunity.microsof... [microsoft.com]
Wrong way to secure DNS:
https://support.google.com/chr... [google.com]
Absolute wrongest way imaginable to secure DNS:
https://support.mozilla.org/en... [mozilla.org]
What is this world coming to when Mozilla is doing something more evil than goddamn Microsoft and Google?
Re:Right and wrong (Score:4, Informative)
For those of us who are less intimately familiar with this topic, care to justify these judgments?
Microsoft does NOT override administrative policy and DoH is applied at the operating systems naming layer where all applications benefit from enhancements to naming system not just browser.
Google does NOT override administrative policy yet DoH is applied at the browser level meaning only the browser and no other applications are subjected to or benefit from enhancements to naming.
Mozilla overrides both administrative policy and DoH is applied at the browser level meaning only the browser and no other applications are subjected to or benefit from enhancements to naming.
The consequences of bypassing administrative policy are vast and varied. Filtering systems used to protect end users' sensibilities, security, privacy and corporate interests in a business setting are bypassed. In the case of Mozilla a secondary consequence of the override is aggregation of DNS queries for hundreds of millions of users into the hands of a single publicly traded corporation.
NONE of the software VERIFIES (Score:2)
none of the software mentioned will help you if you have a Monster In The Middle ( MITM )
Why not verify the answers that you get from your "trusted" DNS provider ?
oh yeah that means actually doing engineering....
Re: (Score:2)
Why not verify the answers that you get from your "trusted" DNS provider ?
Because that's not the issue we're trying to solve.
Re: (Score:2)
Mozilla overrides both administrative policy
This is utter bullshit. [mozilla.org]
Respect enterprise configuration and disable DoH unless explicitly enabled by enterprise configuration
Additionally, it is not Mozilla's prerogative to force OS makers to do shit with resolution, but it is their prerogative to give end users of their product what they believe is right. Finally, if the OS does DoH resolution then there isn't any need for Firefox's DoH.
The consequences of bypassing administrative policy are vast and varied.
I'm not arguing that and it's important that you understand that. However, what I am saying is that your argument makes more sense in a business environment only of which Mozilla is providing a method for admins to shu
Re: (Score:2)
Re: (Score:1)
To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.
Good luck with that.
Probably the only safe DNS is one you run yourself, on a Pi or anything else that can be left on all the time
Re: (Score:2)
To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.
Good luck with that.
Probably the only safe DNS is one you run yourself, on a Pi or anything else that can be left on all the time
That doesn't help much. If the lookup is already cached, then it helps, but if otherwise (and caches expire fairly quickly, for good reason), the Pi or whatever is just going to issue the DNS query in plaintext so your ISP can see it.
Re: (Score:3)
Google's way of securing DNS is identical to Microsoft's way of securing DNS except for the fact that it is done only in Chrome rather than as an OS-wide setting. The flip from ordinary-DNS to same-provider DoH-type DNS is essentially identical.
Google's way is only wrong if the underlying OS supports DoH. Otherwise Google's way mitigates a majority of the problem without waiting for the OS ven
Re: (Score:2)
Except MS will respect existing DNS settings and not fuck everything by ignoring them.
Re: (Score:2)
Microsoft
Re: (Score:2)
Not seeing any major differences between the Microsoft and Google positions. Neither are changing your DNS settings, merely upgrading to DoH if the server happens to support it.
Mozilla will ask if it can change your browser's DNS server. The problem is that most people won't be able to make an informed choice because they don't know what DNS is.
Re: (Score:2)
Not seeing any major differences between the Microsoft and Google positions. Neither are changing your DNS settings, merely upgrading to DoH if the server happens to support it.
Microsoft's approach applies to all software accessing name resolution. Google's applies only to the Chrome web browser.
Re: (Score:2)
Chrome is cross platform and usually uses each platform's features, e.g. Windows and Mac OS have APIs for managing secrets. So I'd expect Chrome to use the Windows DNS resolver once it supports DoH, and use its own on systems that don't. Of course in either case it will use the server configured at the OS level.
Privacy human right...but... (Score:1)
Re: (Score:2)
It's not much use to encrypt everything, when it has been sent beforehand is it, eh?
On the one hand, you are quite correct.
On the other, just because Microsoft is getting a bunch of telemetry from you, it still represents a real improvement that your DNS queries are only visible to your chosen DoH DNS provider and not ALSO available to the operator of the Starbucks Wi-Fi, whatever ISP services it, and whoever runs the DNS service they feed you via DHCP.
Re: (Score:2)
Sure it is...
It means three-letter agencies and other criminals need to pay Microsoft for access to that data instead of your ISP. How is that not useful?
Disappointed. (Score:3)
Homer Simpson [Re:Disappointed.] (Score:1)
DoH!
User configuration (Score:2)
We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS
What, you mean we won't have to either A) use Intune, or B) fire up a PowerShell, create a WMI session, bridge WMI objects to CIMv2 objects, pull the current configuration out of the object, re-escape the XML, jam it back into the object and commit the object?
Where's the fun in that?
Public DNS Servers (Score:2)
There are now several public DNS servers that support DoH
So if you point your resolver at a public DNS server like Google's 8.8.8.8 or 8.8.4.4, what difference does it make whether your connection is encrypted? The operator of the DNS server can still harvest all the same information about what website you visit, etc. They'll still see your traffic when they decrypt it at their end.
Re: (Score:2)
The difference is that your ISP can't. And the 3-letter agencies with their (not so) lawful interception cannot either.
Re: (Score:3)
Re: (Score:3)
The analogy is more like if the shower has clear glass on all sides but I am offered a shower curtain that isn't quite large enough. On the upside I can decide which direction the missing bit of curtain should face. Absolutely, that will be useful.
Even if we stick with your analogy, if the solution blocks the view of the known stalker with the camera in the building across the road, why would I reject it?
I do not understand your kind of argument at all. We cannot all switch to Tor for all browsing, at least
Re: (Score:2)
if the solution blocks the view of the known stalker with the camera in the building across the road, why would I reject it?
You have it backwards. The question is: If the solution does not block the view of the known stalker with the camera in the building across the road, why would I accept it?
In this analogy, 8.8.8.8 is the "known stalker with a camera", (or whatever other public DNS provider you care to substitute).
Re: (Score:2)
If you don't like 8.8.8.8, just pick another one. You have not lost anything by switching to DoH.
Personally I believe the promises of CloudFlare, but I have a reasonably trustworthy ISP, so I still use their DNS servers. Just over HTTPS instead of old-fashioned DNS. What exactly is it I have lost by moving to a better protocol?
It was a mistake in DNS to use the same protocol for client-server and server-server communications. Finally we get a decent connection-based encrypted alternative on a separate port.
Re: (Score:2)
What exactly is it I have lost by moving to a better protocol?
I'm not arguing that you're losing anything. Rather that you're not gaining. Microsoft handling the DNS encryption in Windows means they have exclusive ability for data harvesting. Google handling DNS resolution in Chrome means they have exclusive access. Sending your queries to Cloudflare (or whoever) means they can harvest your data. I just don't see that getting to choose who spies on me is worth getting excited about.
It was a mistake in DNS to use the same protocol for client-server and server-server communications. Finally we get a decent connection-based encrypted alternative on a separate port.
You're overlooking the fact that client-server communications only need UDP, and ser
Re: (Score:2)
I'm not arguing that you're losing anything. Rather that you're not gaining. Microsoft handling the DNS encryption in Windows means they have exclusive ability for data harvesting.
If Microsoft sent copies of DNS requests to a central server there would be widespread outrage. Windows has intrusive telemetry, but that level would lead to a ban of Windows in many large enterprises.
I just don't see that getting to choose who spies on me is worth getting excited about.
You do not believe there is any difference between NSA, Microsoft, Google, Cloudflare, OpenDNS, various ISPs, and so on?
You're overlooking the fact that client-server communications only need UDP, and server-server uses TCP. They're easy to separate, as UDP 53 and TCP 53 are already on a separate port.
Err no. Client to server and server to server are both UDP, with fallback to TCP if the message is large and EDNS0 is unavailable. Blocking TCP port 53 used to be a common mistake, leading t
Re: (Score:2)
Sure they can. They just ask Google. Google is happy to comply, and they have in the past.
Is there a certification for that? (Score:2)
Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet.
An "administrator" who doesn't know what DNS is?
At least they stated they are open to DNS over TLS (Score:2)
Re: (Score:2)
Personally I fail to see what benefit wrapping DNS in HTTP adds to the equation. I mean other than letting novice coders who never did a TLS connection other than through an HTTP client library write DNS handling code... do we want those people writing DNS handling code?
Revenge of DoH (Score:2)
Next announcement (Score:1)
Re: (Score:2)
Microsoft does not need a Homer server for DoH. DNS resolution requests are a part of the "Telemetry Data" sent back to Microsoft. They already know every DNS name that the resolver is asked to resolve. Adding redundant redundancies is not required.