Microsoft Moves Toward DNS Over HTTPS
Microsoft Emphasizes DNS Configurations Will Be in Admins' Hands
Microsoft has outlined its plans for supporting the encryption of Domain Name System queries, which allows for more private internet browsing.
The feature, known as DNS over HTTPS, or DoH, encrypts the requests that translate a domain name into an IP address. The Internet Engineering Task Force is developing a specification, although it has yet to become a standard.
In a blog post, Microsoft outlines the first step it will take to implement DoH in Windows, which it says "will close one of the last remaining plain-text domain name transmissions in common web traffic."
Until recently, DNS requests were largely unencrypted and visible to network service providers. Enterprises could configure their own DNS servers, and consumers typically used the DNS services provided by their ISP.
Because the requests are unencrypted, they leave a visible log of the websites a user looked up. DNS requests are also vulnerable to third-party interception, which could put vulnerable groups, such as dissidents and activists, at risk.
The Electronic Frontier Foundation, which supports DoH, also points out that unencrypted DNS requests could be altered, putting a user at risk.
"Malicious DNS resolvers or on-path routers can also tamper with your DNS request, blocking you from accessing sites or even routing you to fake versions of the sites you requested," the foundation wrote in a recent blog post.
DNS requests remained a large privacy hole even as a movement over the last few years has led to most websites using SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates, which encrypt data exchanged between a web browser and a server.
Some ISPs, however, have opposed DoH because the encryption of DNS would mean they lose enormous insight into their customers' browsing habits that potentially could be monetized. Nevertheless, browser makers, including Mozilla and Google, have moved to enable DoH.
Encrypted DNS also has a security implication in that it hampers blocking browsing to malicious domains at a DNS level. There's also a concern about centralization of DNS if only a handful of DoH service providers emerge, concentrating their power and influence.
In October, the Electronic Frontier Foundation sent a letter to 12 members of Congress urging them to support DoH despite opposition from some ISPs. It noted that countries such as China and Turkey use DNS to enable censorship, which would be much more difficult if DoH was widely used.
Microsoft: Admins Have Control
Microsoft is aiming to allow for DoH but also allow Windows administrators to maintain configuration control, write Tommy Jensen, Ivan Pashov and Gabriel Montenegro, who work in Microsoft's Core Networking Team. They say it won't be easy.
But they outlined a series of principles Microsoft intends to follow. "We will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators," they write. "Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back on unencrypted DNS is forbidden."
The first change is that admins can upgrade to using DoH if that is available on the DNS servers already in use, they write. That way, an organization can get the benefit of using DoH but without interference from Microsoft over where those DNS queries go.
"Many people use ISP or public DNS content filtering to do things like block offensive websites," they write. "Silently changing the DNS servers trusted to do Windows resolutions could inadvertently bypass these controls and frustrate our users. We believe device administrators have the right to control where their DNS traffic goes."
Eventually, Microsoft plans to modify how DNS settings are presented in Windows and make those settings more DoH aware, they write. "This will give users, device admins and enterprise admins the ability to configure DoH servers explicitly," they say.
Mozilla has implemented DoH in its Firefox browser, which drew the ire of the U.K.'s Internet Service Providers' Association. In July, the association labelled it an "internet villain" for the move, arguing that it enables users to circumvent parental controls and U.K. government filtering mandates (see: Mozilla Nominated for 'Internet Villain' by Angry ISPs).
Mozilla is using Cloudflare as its provider for encrypted DNS requests. Cloudflare discards the DNS logs after a day and has pledged not to transfer any of the data to third parties.
Google also supports DoH. It has set up two public DoH APIs for DNS requests. Even before Microsoft's announcement, Google said it would take a conservative approach, upgrading connections to DoH if possible but not fiddling with DNS settings.
Google also wrote that its approach wouldn't affect content filtering. "It's also important to note that DNS over HTTPS does not preclude its operator from offering features such as family-safe filtering," the company writes.