Microsoft Announces Plan To Support DoH In Windows (microsoft.com)

New submitter Shad0wz writes: Microsoft's Core Network team just announced they plan on supporting DoH in the Windows resolver. In the blog post, the company writes: Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that "we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology." We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn't universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS. With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team's guiding principles on making those decisions:

Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user's browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.

  • DoH? (Score:5, Funny)

    by 110010001000 ( 697113 ) on Monday November 18, 2019 @02:40PM (#59427524) Homepage Journal

    What is DoH? Department of Hamburgers?

  • Didn't Windows 10 get caught ignoring the hosts file?
    • by SuricouRaven ( 1897204 ) on Monday November 18, 2019 @03:43PM (#59427740)

      Yes, for certain hosts - all Microsoft infrastructure, various update servers, telemetry servers and things like onedrive and office365. The more charitable explanation is that this is to make it more difficult for malware to jam access to updates that could otherwise remove it. The more cynical explanation is that this is to make it more difficult for ordinary users to block the spying.

  • So you privately and secretly ask for the IP of porn4u.
    Your ISP knows absolutely nothing about what you asked for, but then you instantly go to a.b.x.y -- seems they could know as much about you as if you had asked their DNS. Am I missing something?

    • by fibonacci8 ( 260615 ) on Monday November 18, 2019 @02:56PM (#59427578)
      The amount of extra effort to do reverse DNS lookups on customers compared to hosting their own DNS server and logging things there. The latter is cheap and easy, the former isn't.
      • Thanks! I always assumed it would be 50-50 cost forward or back.

      • The problem is that you're still using somebody's DNS. There should be no doubt that they keep logs [the government will make them do it], and with DoH they'll have everybody's [that uses their service]. I don't see the benefit in that. In fact it only centralizes things even more, a juicier target for the bandits.

        • by amorsen ( 7485 )

          and with DoH they'll have everybody's [that uses their service].

          Yes, that is how DNS works. If you set 8.8.8.8 as DNS server today, without DoH, Google will have all your DNS requests and answers. If you set it to 8.8.8.8 with DoH, Google will still have all your DNS requests.

          The difference is that today, without DoH, everyone who happens to be in the path between you and Google will ALSO have your DNS requests. In particular, your ISP will have them. And they are likely to sell your data and/or mess with your requests and answers.
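As an added illustration of the point made above (example code written for this page, not Microsoft's or any resolver operator's implementation): the DNS message itself is identical either way. Sent as a bare UDP payload on port 53 it is readable by every network on the path; wrapped in an HTTPS request per RFC 8484 it is visible only to the resolver you chose. The resolver URL is an assumption, and the response bytes are constructed locally rather than fetched from a server.

```python
import base64
import struct

# Assumed DoH endpoint for this example (Google's public resolver).
DOH_URL = "https://dns.google/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query (RFC 1035) for `name`; qtype 1 = A, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes, base_url: str = DOH_URL) -> str:
    """RFC 8484 GET form: the message goes base64url-encoded, unpadded, in `dns=`."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return (name, ttl, ip) for every A record in a wire-format response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:  # RCODE other than NOERROR
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response(query: bytes) -> bytes:
    """Constructed reply (not from a real server): echo the question, add one A record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    question = query[12:]
    # Name as a pointer to offset 12, type A, class IN, TTL 300, rdata 192.0.2.1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("Plaintext UDP/53 payload, readable by every on-path network:", q.hex())
    print("Same message over DoH; only the TLS connection to the resolver is visible:")
    print(doh_get_url(q))
    print(parse_answers(constructed_response(q)))
```

The resolver still decodes the query and sees the name in both cases; what changes is that the bytes between you and it are inside TLS, so an ISP or hotspot operator gets only the IP and port of the resolver.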

      • I'm not so sure.
        Is a reverse DNS lookup really substantially more expensive to perform than a normal one? I've never gotten that impression. Which would mean:
        Scenario 1: You look up BadThings.org through your ISP's DNS, with the resulting name-IP pair added to their local DNS cache, and your visit is logged.
        Scenario 2: You go to site a.b.x.y, so your ISP does a reverse lookup of a.b.x.y, adding the resulting name-IP pair to their local DNS cache, and your visit is logged.

        The only situation where I could see

      • The amount of extra effort to do reverse dns lookups on customers compared to hosting their own DNS server and logging things there. The latter is cheap and easy, the former isn't.

        Reverse lookup is not needed for HTTPS which uses SNI [wikipedia.org].

        SNI addresses this issue by having the client send the name of the virtual domain as part of the TLS negotiation. ...
        The desired hostname is not encrypted, so an eavesdropper can see which site is being requested.

        Anyone along the path can have a peek at where you're going. DoH doesn't ensure your privacy. This is just a ploy to wrestle control of DNS resolution from the network administrator.

    • by Orphis ( 1356561 ) on Monday November 18, 2019 @02:58PM (#59427586)

      In practice, you'll most likely hit the IP address of a popular CDN or cloud service, so no one can know which website you visited from that.

      But the hostname of the website you try to reach with HTTPS isn't encrypted, so it's possible with deep packet inspection to figure out what you requested. For this, ESNI (Encrypted SNI) is a solution being deployed making all your communications private. See https://blog.cloudflare.com/en... [cloudflare.com] for more information.

      • I read the blog. Seems that until SNI is encrypted our web browsing is open to "anyone on the line" like your ISP or wifi host. I also think it says that this really isn't available yet - waiting on Firefox. So right now we are all browsing in the open; fibonacci8 points out that it may be too expensive to reverse lookup (everything).

    • You could have 50 different names pointing to that IP, including IlovePuppies.com, cookies.com, and myfavoriterecipes.com.
    • It's worse: you send an HTTPS request with Server Name Indication (SNI) http://en.wikipedia.org/wiki/S... [wikipedia.org] telling everyone in plain text about your go4t fetish

    • Nope, you've got it in one. This is a feature by geeks, for geeks, to prove to other geeks how clever they are.

      And, specifically in Microsoft's case, to bypass DNS-based blocking of all their phone-home telemetry with things like Pi-holes.

    • Combine SNI with DoH and all they have is an IP address at that. For many systems that are fronted by cloudflare and other protection mechanisms combined with shared hosting you will quickly find that the IP address is significantly less revealing.
  • Creepy (Score:5, Insightful)

    by Delicious Pun ( 3864033 ) on Monday November 18, 2019 @03:02PM (#59427596)

    However, at Microsoft we believe that "we have to treat privacy as a human right.

    Did anyone else get the creeps when they read this?

    • Microsoft does not want to explain why their products are inferior to Google's, nor do they want to admit they are lacking in the brains department. Falling behind is a bad look, especially when other apps are used to bypass corporate snooping. Let's have a press release! However, their press release is an oxymoron of misleading claims for regular users. Their admin tools include man-in-the-middle interceptions with a tick box. Their vision is to encrypt things after the HR and SJW have read and recorded YOUR
    • Thanks to the numerous court orders "we have to treat privacy as a human right."
    • by AmiMoJo ( 196126 )

      For context privacy is a human right in the EU.

      https://en.wikipedia.org/wiki/... [wikipedia.org]

      So they do have to treat it like a human right if they want access to the extremely lucrative EU market. It was a statement of fact, not of philosophical belief.

    • Nope, I laughed my ass off.

      If Microsoft truly believes "we have to treat privacy as a human right" then they can take all of their telemetry services in Windows, SQL Server and wherever else they've shoved them and just fuck 'em right off.

      It's sickening to see companies like Apple and Microsoft singing the "privacy is a human right" song. Newspeak it is.

    • However, at Microsoft we believe that "we have to treat privacy as a human right.

      Did anyone else get the creeps when they read this?

      No, because not all of us are naive enough to think privacy is an absolute. Privacy is the desire to not share information with specific people, so it's not illogical for Microsoft to support privacy while at the same time hoovering up data on you.

      The problem I have is that there are some groups I trust with data, namely those who make it their business to deal with it (e.g. Google), and there are some I know will just sell it wholesale without de-anonymising from whom I tried to hide my information (e.g. m

  • Seeing how my computer uses 50% of its CPU every boot up compressing and uploading Windows telemetry, I have concerns about how privacy focused Microsoft actually is
  • ...dows for many years.

    It originated in DOS, but thanks to Microsoft's attention to backwards compatibility DoH was supported in Win 3.11, 9x, XP (32b), and 7 (32b).

    Of course, it does not run in Win10, nor in 64 bit machines no matter the version of windows....

    So, again, the only news here is that Revenge of DoH will run on Win10 and in 64 bit machines.

    Sorry, the lame joke was irresistible.

  • "However, at Microsoft we believe that "we have to treat privacy as a human right."

    Go ahead. Say that shit again to anyone who has had the pleasure of actually using Microsoft Telemetry OS.

    Microsoft treats privacy like every other mega-corp out there that's also Too Big To Fail; Privacy is a profitable right, not a human one.

    Stop with the bullshit already.

    • I did my best to kill off the monitoring too. Never did manage to get it all. Most annoyingly, even if you set the privacy options to no-spying where you can, they often revert back again after windows updates - and a lot of the telemetry doesn't even have an option to turn it off. You can kill some with various registry edits, but even those keys eventually get disabled.

      • by Pikoro ( 844299 )

        Tried opting out using their tools: http://init.sh/?p=331 [init.sh]

      • I did my best to kill off the monitoring too. Never did manage to get it all. Most annoyingly, even if you set the privacy options to no-spying where you can, they often revert back again after windows updates - and a lot of the telemetry doesn't even have an option to turn it off. You can kill some with various registry edits, but even those keys eventually get disabled.

        Watchdog processes in Windows 10 that monitor for changes Microsoft doesn't like is certainly an amusing evolution for a company that claims privacy is a human right.

      • This is nothing compared to the built-in Windows Firewall crap that will keep on changing your settings to prohibit incoming unsolicited connections from reaching crappy Microsoft software to the preferred Microsoft setting of letting every little crappy bit of Microsoft shit software accept unsolicited incoming connections without restraint. What things like Calculator, the Screen Saver/Lock Screen, or anything else in Windows needs to receive incoming connections I have absolutely no idea.

        At least t

        • From my experiments, the firewall doesn't do anything - you can rip out every rule and replace them with just a firm 'deny everything' and default deny, both directions, and still all the Windows services get through fine. I'm not sure if it's a hardcoded exception for certain processes, or a blanket exception for all things running as SYSTEM. Either way, tried it, didn't work.

  • Right and wrong (Score:3, Interesting)

    by WaffleMonster ( 969671 ) on Monday November 18, 2019 @03:19PM (#59427650)

    Right way to secure DNS:
    https://techcommunity.microsof... [microsoft.com]

    Wrong way to secure DNS:
    https://support.google.com/chr... [google.com]

    Absolute wrongest way imaginable to secure DNS:
    https://support.mozilla.org/en... [mozilla.org]

    What is this world coming to when Mozilla is doing something more evil than goddamn Microsoft and Google?

    • To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.

      Good luck with that.

      Probably the only safe DNS is one you run yourself, on a Pi or anything else that can be left on all the time

      • To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.

        Good luck with that.

        Probably the only safe DNS is one you run yourself, on a Pi or anything else that can be left on all the time

        That doesn't help much. If the lookup is already cached, then it helps, but if otherwise (and caches expire fairly quickly, for good reason), the Pi or whatever is just going to issue the DNS query in plaintext so your ISP can see it.

    • by DRJlaw ( 946416 )

      Right way to secure DNS:
      https://techcommunity.microsof... [techcommun...icrosof...]

      Wrong way to secure DNS:
      https://support.google.com/chr [google.com]...

      Google's way of securing DNS is identical to Microsoft's way of securing DNS except for the fact that it is done only in Chrome rather than as an OS-wide setting. The flip from ordinary-DNS to same-provider DoH-type DNS is essentially identical.

      Google's way is only wrong if the underlying OS supports DoH. Otherwise Google's way mitigates a majority of the problem without waiting for the OS ven

      • Except MS will respect existing DNS settings and not fuck everything by ignoring them.

        • by DRJlaw ( 946416 )

          Except MS will respect existing DNS settings and not fuck everything by ignoring them.

          Microsoft

          For our first milestone, we'll start with a simple change: use DoH for DNS servers Windows is already configured to use.... There are now several public DNS servers that support DoH,
          and if a Windows user or device admin configures one of them today, Windows will just use classic DNS (without encryption) to that server. However, since these servers and their DoH configurations are well known, Windows can automatic
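To make the quoted milestone concrete, here is an added example (illustrative code written for this page, not Microsoft's implementation) of the policy it describes combined with the "no silent fallback" principle from the summary: keep whatever server the admin or DHCP configured, upgrade to DoH when that server is known to support it, and refuse to drop back to plaintext unless the admin explicitly allows it. The known-resolver table and its URL templates are assumptions of the example (the IPs are the ones named in this discussion), and the two transport callables stand in for real network code.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed table of well-known public resolvers and their DoH endpoints.
# Not taken from Microsoft's post; a real OS would ship and update such a list.
KNOWN_DOH: Dict[str, str] = {
    "8.8.8.8": "https://dns.google/dns-query",
    "8.8.4.4": "https://dns.google/dns-query",
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
}


@dataclass
class ResolverPlan:
    server: str             # the configured server, never changed by the policy
    transport: str          # "doh" or "udp53"
    fallback_allowed: bool  # may a failed DoH lookup retry in plaintext?
    template: Optional[str] = None


def plan_resolver(configured_ip: str, allow_fallback: Optional[bool] = None,
                  known: Dict[str, str] = KNOWN_DOH) -> ResolverPlan:
    """Decide how to reach the resolver that is already configured.
    1. Never change the configured server.
    2. Use DoH when that server is known to support it.
    3. Once DoH is in use, plaintext fallback is forbidden unless explicitly enabled."""
    template = known.get(configured_ip)
    if template is None:
        return ResolverPlan(configured_ip, "udp53", True)
    return ResolverPlan(configured_ip, "doh", bool(allow_fallback), template)


def resolve_with_policy(plan: ResolverPlan,
                        doh_transport: Callable[[str, str], str],
                        udp_transport: Callable[[str, str], str],
                        name: str) -> str:
    """Run one lookup through the planned transport; plaintext only if policy permits."""
    if plan.transport == "doh":
        try:
            return doh_transport(plan.template, name)
        except ConnectionError:
            if not plan.fallback_allowed:
                raise  # surface the failure rather than silently downgrading
    return udp_transport(plan.server, name)


if __name__ == "__main__":
    def fake_doh(endpoint, name):   # simulated transport: DoH endpoint unreachable
        raise ConnectionError(f"DoH to {endpoint} failed")

    def fake_udp(server, name):     # simulated transport: plaintext answer
        return f"{name} -> 192.0.2.1 via UDP/53 at {server}"

    plan = plan_resolver("8.8.8.8")  # admin configured Google; known DoH, so upgraded
    try:
        resolve_with_policy(plan, fake_doh, fake_udp, "example.com")
    except ConnectionError as err:
        print("no downgrade by default:", err)
    plan = plan_resolver("8.8.8.8", allow_fallback=True)
    print(resolve_with_policy(plan, fake_doh, fake_udp, "example.com"))
```

The design choice worth noticing is the default: a DoH failure is an error, not a cue to retry over UDP/53, because an on-path party who can block the HTTPS endpoint would otherwise get every query in clear.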

    • by AmiMoJo ( 196126 )

      Not seeing any major differences between the Microsoft and Google positions. Neither are changing your DNS settings, merely upgrading to DoH if the server happens to support it.

      Mozilla will ask if it can change your browser's DNS server. The problem is that most people won't be able to make an informed choice because they don't know what DNS is.

      • Not seeing any major differences between the Microsoft and Google positions. Neither are changing your DNS settings, merely upgrading to DoH if the server happens to support it.

        Microsoft's approach applies to all software accessing name resolution. Google's applies only to the Chrome web browser.

        • by AmiMoJo ( 196126 )

          Chrome is cross platform and usually uses each platform's features, e.g. Windows and Mac OS have APIs for managing secrets. So I'd expect Chrome to use the Windows DNS resolver once it supports DoH, and use its own on systems that don't. Of course in either case it will use the server configured at the OS level.

  • Wake me up when they remove the telemetry in Windows or how to disable it 100%. It's not much use to encrypt everything, when it has been sent beforehand is it, eh?
    • by vux984 ( 928602 )

      It's not much use to encrypt everything, when it has been sent beforehand is it, eh?

      On the one hand, you are quite correct.

      On the other, just because Microsoft is getting a bunch of telemetry from you, it still represents a real improvement that your DNS queries are only visible to your chosen DoH DNS provider and not ALSO available to the operator of the Starbucks Wi-Fi, whatever ISP services it, and whoever runs the DNS service they feed you via DHCP.

    • Sure it is...

      It means three-letter agencies and other criminals need to pay Microsoft for access to that data instead of your ISP. How is that not useful?

  • by pslytely psycho ( 1699190 ) on Monday November 18, 2019 @03:40PM (#59427736) Journal
    Came for the Homer Simpson jokes, was very disappointed....
  • We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS

    What, you mean we won't have to either A) use Intune, or B) fire up PowerShell, create a WMI session, bridge WMI objects to CIMv2 objects, pull the current configuration out of the object, re-escape the XML, jam it back into the object and commit the object?

    Where's the fun in that?

  • FTA...

    There are now several public DNS servers that support DoH

    So if you point your resolver at a public DNS server like Google's 8.8.8.8 or 8.8.4.4, what difference does it make whether your connection is encrypted? The operator of the DNS server can still harvest all the same information about what website you visit, etc. They'll still see your traffic when they decrypt it at their end.

    • by amorsen ( 7485 )

      The difference is that your ISP can't. And the 3-letter agencies with their (not so) lawful interception cannot either.

      • Let's imagine a hypothetical privacy conundrum: You live in an apartment where your shower enclosure is on the corner of the building, and has glass walls facing south and west. The building happens to have parking lots on the south and west sides, from either of which you are clearly visible as you stand in your shower. When you point out to the building manager that you feel uncomfortable showering in plain view of both parking lots, you are offered a solution that can block the view from either the south
        • by amorsen ( 7485 )

          The analogy is more like if the shower has clear glass on all sides but I am offered a shower curtain that isn't quite large enough. On the upside I can decide which direction the missing bit of curtain should face. Absolutely, that will be useful.

          Even if we stick with your analogy, if the solution blocks the view of the known stalker with the camera in the building across the road, why would I reject it?

          I do not understand your kind of argument at all. We cannot all switch to Tor for all browsing, at least

          • if the solution blocks the view of the known stalker with the camera in the building across the road, why would I reject it?

            You have it backwards. The question is: If the solution does not block the view of the known stalker with the camera in the building across the road, why would I accept it?

            In this analogy, 8.8.8.8 is the "known stalker with a camera", (or whatever other public DNS provider you care to substitute).

            • by amorsen ( 7485 )

              If you don't like 8.8.8.8, just pick another one. You have not lost anything by switching to DoH.

              Personally I believe the promises of CloudFlare, but I have a reasonably trustworthy ISP, so I still use their DNS servers. Just over HTTPS instead of old-fashioned DNS. What exactly is it I have lost by moving to a better protocol?

              It was a mistake in DNS to use the same protocol for client-server and server-server communications. Finally we get a decent connection-based encrypted alternative on a separate port.

              • What exactly is it I have lost by moving to a better protocol?

                I'm not arguing that you're losing anything. Rather that you're not gaining. Microsoft handling the DNS encryption in Windows means they have exclusive ability for data harvesting. Google handling DNS resolution in Chrome means they have exclusive access. Sending your queries to Cloudflare (or whoever) means they can harvest your data. I just don't see that getting to choose who spies on me is worth getting excited about.

                It was a mistake in DNS to use the same protocol for client-server and server-server communications. Finally we get a decent connection-based encrypted alternative on a separate port.

                You're overlooking the fact that client-server communications only need UDP, and ser

                • by amorsen ( 7485 )

                  I'm not arguing that you're losing anything. Rather that you're not gaining. Microsoft handling the DNS encryption in Windows means they have exclusive ability for data harvesting.

                  If Microsoft sent copies of DNS requests to a central server there would be widespread outrage. Windows has intrusive telemetry, but that level would lead to a ban of Windows in many large enterprises.

                  I just don't see that getting to choose who spies on me is worth getting excited about.

                  You do not believe there is any difference between NSA, Microsoft, Google, Cloudflare, OpenDNS, various ISPs, and so on?

                  You're overlooking the fact that client-server communications only need UDP, and server-server uses TCP. They're easy to separate, as UDP 53 and TCP 53 are already on a separate port.

                  Err no. Client to server and server to server are both UDP, with fallback to TCP if the message is large and EDNS0 is unavailable. Blocking TCP port 53 used to be a common mistake, leading t

      • Sure they can. They just ask Google. Google is happy to comply, and they have in the past.

  • Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet.

    An "administrator" who doesn't know what DNS is?

  • HTTPS standard includes cookies, so this could potentially be used in DoH. DNS over TLS has no allowance for cookies.
    • by skids ( 119237 )

      Personally I fail to see what benefit wrapping DNS in HTTP adds to the equation. I mean other than letting novice coders who never did a TLS connection other than through an HTTP client library write DNS handling code... do we want those people writing DNS handling code?

  • imagine... the name of the game.
  • The obvious next step is missing, of course: Microsoft announcing its own DoH service like Google (8.8.8.8) or Cloudflare (1.1.1.1). Because Microsoft wants to have a peek at your DNS as well, of course. Security? Privacy? Nope, they are not interested in that. Like Google and friends they just want your DNS records, just like Starbucks and all the others, because that is where the money is.
    • Microsoft does not need a Homer server for DoH. DNS resolution requests are a part of the "Telemetry Data" sent back to Microsoft. They already know every DNS name that the resolver is asked to resolve. Adding redundant redundancies is not required.
