DNS-over-HTTPS (DoH), a feature of Windows 11, lets users browse the Internet more privately: by encrypting DNS queries it helps them avoid censorship and monitoring of their Internet activity.
To reach a website or other host on the Internet, a computer must first look up the IP address for the host's name by querying the Domain Name System (DNS).
With DoH, the client and the DoH-capable DNS resolver exchange DNS queries and responses over HTTPS, so the traffic between them is encrypted; this reduces eavesdropping and makes it harder for a man-in-the-middle attacker to modify DNS data.
Google and the Mozilla Foundation have been testing DNS over HTTPS since March 2018.
By the end of February 2020, Firefox had made DNS over HTTPS the default for US users.
A proposed standard for DoH was published by the IETF in RFC 8484 (October 2018).
DoH runs over HTTPS, using HTTP/2 or later, and carries DNS messages in the same wire format used over UDP, placed in HTTPS payloads with the media type application/dns-message.
Using HTTP/2 server push, the server can also send responses in advance that it predicts the client will need.
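As an added illustration of the wire format and media type described above (example code, not from the article or from Windows), the following Python builds a DNS query, encodes it into the two HTTPS forms RFC 8484 defines, and parses a constructed response body; the doh.example template, the example.com query and the response bytes are all made up for this example.

```python
import base64
import struct

# Constructed example values (not from the article): a placeholder DoH URI template.
DOH_TEMPLATE = "https://doh.example/dns-query"
# RFC 8484 uses the same media type for a POST body and for the response.
DOH_HEADERS = {"content-type": "application/dns-message",
               "accept": "application/dns-message"}

def build_query(name, qtype=1):
    """DNS wire-format query (RFC 1035); ID 0 keeps identical queries cacheable over HTTP."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(wire, template=DOH_TEMPLATE):
    """GET form: the message rides in ?dns= as base64url with '=' padding removed."""
    return template + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def _skip_name(wire, pos):
    """Advance past a name, which may end in a 2-byte compression pointer."""
    while wire[pos] & 0xC0 != 0xC0:
        if wire[pos] == 0:
            return pos + 1
        pos += 1 + wire[pos]
    return pos + 2

def parse_a_answers(wire):
    """Return IPv4 strings from the answer section of a DoH response body."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", wire[:12])
    if flags & 0x000F:  # non-zero RCODE, e.g. NXDOMAIN or SERVFAIL
        return []
    pos = 12
    for _ in range(qd):
        pos = _skip_name(wire, pos) + 4  # past QTYPE and QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(wire, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in wire[pos:pos + 4]))
        pos += rdlen
    return ips

# Constructed response body a DoH server would return for the query above:
# ID 0, QR/RD/RA set, question echoed, one A record pointing at TEST-NET-1.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + build_query("example.com")[12:] + b"\xc0\x0c"
                   + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Nothing in the message body is encrypted by DoH itself; the protection comes from the TLS session carrying it, and the resolver at the far end still sees every query in the clear.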
Governments monitor DNS traffic
Some governments and Internet service providers block access to websites by monitoring their users' DNS traffic.
DoH makes it harder for governments and ISPs to track users' DNS requests, which helps users avoid censorship, reduces spoofing attacks, and increases privacy.
Users who currently use Cloudflare's, Google's, or Quad9's DNS servers can begin testing again now that Microsoft has re-enabled DoH in Windows 11.
Tommy Jensen, a Program Manager on the Windows team, said:
“It would be easier for users and administrators if we allowed a DoH server to have its IP address determined by resolving its domain name. However, we have chosen not to allow that. Supporting this would mean that before a DoH connection could be established, we would have to first send a plain-text DNS query to bootstrap it. This means a node on the network path could maliciously modify or block the DoH server name query. Right now, the only way we can avoid this is to have Windows know in advance the mapping between IP addresses and DoH templates.”
Microsoft's longer-term plan is to discover DoH server configurations from the DNS server itself, using the Discovery of Designated Resolvers (DDR) and Discovery of Network-designated Resolvers (DNR) protocols it has submitted to the IETF ADD working group.