Microsoft is set to add encrypted DNS resolution (DNS-over-HTTPS, or “DoH”) to Windows, joining Cloudflare and Google, whose DoH services have drawn public policy makers’ ire for hiding end-user DNS lookups from network observers.
DoH (RFC 8484) carries DNS queries inside HTTPS, so the traffic is encrypted and the client authenticates the resolver via its TLS certificate. As the Internet Engineering Task Force (IETF) notes, this mitigates both passive surveillance and active attacks that attempt to divert DNS traffic to rogue servers.
“We are making plans to adopt DNS over HTTPS (or DoH) in the Windows DNS client”, Microsoft said on Sunday. “As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we’re open to having other options such as DNS over TLS (DoT) in the future. For now, we’re prioritizing DoH support as the most likely to provide immediate value to everyone.”
The company did not specify when the service will be available.
The move comes six months after the Sunday Times reported that British government figures were in crisis talks over plans by the leading DNS resolution service providers for a broad rollout of the technology. DoH complicates the bulk surveillance enabled by the 2016 Investigatory Powers Act, or “Snooper’s Charter”, which requires ISPs to store their customers’ internet activity for 12 months.
Mozilla said in September that its Firefox browser would start defaulting to Cloudflare’s DoH service, although initially just in a small-scale pilot.
Currently, even if users are visiting a site using HTTPS, their DNS query is sent over an unencrypted connection: anyone listening to packets on the network knows which website an internet user is attempting to visit. Encrypting DNS narrows this leak but does not close it on its own: the hostname is also sent in the clear in the TLS handshake’s Server Name Indication unless that, too, is encrypted.
In the UK, this includes all internet service providers (ISPs).
Microsoft Encrypted DNS to Start with a “Simple Change”…
Microsoft said: “We’ll start with a simple change: use DoH for DNS servers Windows is already configured to use. There are now several public DNS servers that support DoH, and if a Windows user or device admin configures one of them today, Windows will just use classic DNS (without encryption) to that server.
“However, since these servers and their DoH configurations are well known, Windows can automatically upgrade to DoH while using the same server”, the company’s Tommy Jensen, Ivan Pashov, and Gabriel Montenegro said in a blog.
Microsoft will “not be making any changes to which DNS server Windows was configured to use by the user or network” they added.
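To make concrete what “classic DNS (without encryption)” versus DoH means on the wire, and what “upgrading to DoH while using the same server” involves, the following is an added worked example in Python. It is not code from the article or from Microsoft’s Windows DNS client. The DNS message itself is the same RFC 1035 wire format in both cases; under DoH it travels as the base64url-encoded `dns` parameter of an HTTPS GET (RFC 8484 section 4.1) instead of as a cleartext UDP payload. The resolver reply here is constructed inline rather than captured, and the small IP-to-DoH-endpoint table is an illustration of what a “well known servers” list could look like, not the list Windows uses.

```python
"""Added example: the same DNS message sent as classic DNS and as a DoH GET."""
import base64
import socket
import struct
from typing import Optional

CLASS_IN = 1
TYPE_A = 1

# Hypothetical upgrade table (assumption): public resolvers whose DoH endpoint
# is well known. The article does not say which servers Windows will recognise.
KNOWN_DOH = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",
}


def upgrade_to_doh(server_ip: str) -> Optional[str]:
    """Return the DoH endpoint for an already-configured server, or None."""
    return KNOWN_DOH.get(server_ip)


def encode_qname(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Build a recursive query. RFC 8484 recommends ID 0 for DoH so identical
    queries produce identical URLs and can be served from HTTP caches."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url(query)> with '=' padding removed."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def _read_name(msg: bytes, off: int):
    """Decode a name at msg[off], following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes) -> dict:
    """Parse header, skip the question, and return the answer RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed resolver reply for the example (not a captured packet):
    echoes the question and adds one A record whose name points at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("classic DNS: UDP payload visible to the ISP:", q.hex())
    endpoint = upgrade_to_doh("1.1.1.1")
    print("same server, upgraded to DoH: GET", doh_get_url(endpoint, q))
    print("parsed reply:", parse_response(build_a_response(q, "192.0.2.1")))
```

The bytes printed for the classic case are exactly what an on-path observer sees in a UDP/53 packet; in the DoH case the same bytes sit inside the TLS session to the resolver, so only the resolver’s IP and the TLS SNI are visible. The 192.0.2.1 answer is a documentation address, not a real lookup.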
Paul Gagliardi, Director of Threat Intelligence at SecurityScorecard told Computer Business Review in an earlier comment in response to Mozilla’s move: “On one hand I don’t want ISPs selling my internet behavior or censoring it, on the other it is currently hard to implement basic censoring. Ultimately, content (DNS in this case) cannot be secured/monitored without having the ability to observe it.
“Just as companies/organizations inspect their HTTPS traffic, the same needs to happen with encrypted DNS/DoH. Decrypting DoH would be the exact same mechanism as observing HTTPS traffic, using a Man in the Middle proxy to decrypt traffic on the fly and implement security mechanisms. There are no shortage of commercial solutions for this, however, things get more complicated in BYOD environments.”
He added: “DoH forces the privacy vs security defense debate to be more localized. A company or organization can balance those decisions in their network differently than a private individual. Unfortunately for those organizations/companies, the ability to censor traffic is now more technical and requires more investment on their part. In short I think we’ll see more HTTPS MitM and prohibition of BYOD.”
Microsoft’s networking team noted: “Providing encrypted DNS support without breaking existing Windows device admin configuration won’t be easy.
“However, at Microsoft we believe that ‘we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology.’”