
Windows will improve user privacy with DNS over HTTPS - Microsoft Tech Community...

 4 years ago
source link: https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-will-improve-user-privacy-with-DNS-over-HTTPS/ba-p/1014229

Windows will improve user privacy with DNS over HTTPS

Announcing and explaining our intention to support DNS over HTTPS in future versions of Windows

Brought to you by Tommy Jensen, Ivan Pashov, and Gabriel Montenegro

Here in Windows Core Networking, we're interested in keeping your traffic as private as possible, as well as fast and reliable. While there are many ways we can and do approach user privacy on the wire, today we'd like to talk about encrypted DNS. Why? Because supporting encrypted DNS queries in Windows will close one of the last remaining plain-text domain name transmissions in common web traffic.

Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that "we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology." (https://news.microsoft.com/speeches/satya-nadella-microsoft-inspire-2019/)

We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn't universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS (https://www.eff.org/deeplinks/2019/09/encrypted-dns-could-help-close-biggest-privacy-gap-internet-why-are-some-groups).

With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team's guiding principles on making those decisions:

- Windows DNS needs to be as private and functional as possible by default, without the need for user or admin configuration, because Windows DNS traffic represents a snapshot of the user's browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
- Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions for camera and location, but may not be aware of DNS settings, may not understand why they matter, and may not look for them in the device settings.
- Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
- Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.

Based on these principles, we are making plans to adopt DNS over HTTPS (DoH, RFC 8484: https://tools.ietf.org/html/rfc8484) in the Windows DNS client. As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we're open to having other options such as DNS over TLS (DoT) in the future. For now, we're prioritizing DoH support as the most likely to provide immediate value to everyone. For example, DoH allows us to reuse our existing HTTPS infrastructure.

For our first milestone, we'll start with a simple change: use DoH for DNS servers Windows is already configured to use. There are now several public DNS servers that support DoH, and if a Windows user or device admin configures one of them today, Windows will just use classic DNS (without encryption) to that server. However, since these servers and their DoH configurations are well known, Windows can automatically upgrade to DoH while using the same server. We feel this milestone has the following benefits:

- We will not be making any changes to which DNS server Windows was configured to use by the user or network. Today, users and admins decide what DNS server to use by picking the network they join or specifying the server directly; this milestone won't change anything about that. Many people use ISP or public DNS content filtering to do things like block offensive websites. Silently changing the DNS servers trusted to do Windows resolutions could inadvertently bypass these controls and frustrate our users. We believe device administrators have the right to control where their DNS traffic goes.
- Many users and applications that want privacy will start getting the benefits without having to know about DNS. In line with principle 1, the DNS queries become more private with no action from either apps or users. When both endpoints support encryption, there's no reason to wait around for permission to use encryption!
- We can start seeing the challenges in enforcing the line on preferring resolution failure to unencrypted fallback. In line with principle 4, this DoH use will be enforced so that a server confirmed by Windows to support DoH will not be consulted via classic DNS. If this preference for privacy over functionality causes any disruption in common web scenarios, we'll find out early.

In future milestones, we'll need to create more privacy-friendly ways for our users to discover their DNS settings in Windows, as well as make those settings DoH-aware. This will give users, device admins, and enterprise admins the ability to configure DoH servers explicitly.

Why announce our intentions in advance of DoH being available to Windows Insiders? With encrypted DNS gaining more attention, we felt it was important to make our intentions clear as early as possible. We don't want our customers wondering whether their trusted platform will adopt modern privacy standards.

If you are interested in joining the larger industry conversation about encrypting the DNS, check out one of the IETF working groups working with DNS: ABCD (https://datatracker.ietf.org/wg/abcd/about/), Apps Doing DNS (https://datatracker.ietf.org/wg/add/about/), DNSOP (https://datatracker.ietf.org/wg/dnsop/about/), DPRIVE (https://datatracker.ietf.org/wg/dprive/about/), or the new Encrypted DNS Deployment Initiative (https://www.encrypted-dns.org/).

Do you have questions or feedback for us regarding the Windows plan to adopt encrypted DNS? We'd love to hear from you! Feel free to comment below.

Re: Windows will improve user privacy with DNS over HTTPS

DoH is a good start. We will wait for DoT as it's a better route.

Re: Windows will improve user privacy with DNS over HTTPS

Please support DNSSEC.

(You only support it in the server deployed on site, and it needs to be on the client, Office 365 and Azure.)

This can be done regardless of DoH or DoT; it verifies the answers are correct.

Microsoft documentation:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn593670(v=ws.11)

Administrators requesting this for Office 365:
https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/32360299-dnssec-support-in-office-365

Azure networking request:
https://feedback.azure.com/forums/217313-networking/suggestions/13284393-azure-dns-needs-dnssec-support

Please, Tommy Jensen, Ivan Pashov, and Gabriel Montenegro: trust but verify.

The Microsoft Windows platform deserves better; Windows 10 needs DNSSEC.

Re: Windows will improve user privacy with DNS over HTTPS

Do your future plans include allowing Windows DNS Server to communicate with upstream DNS servers using DNS over HTTPS/TLS?

Internally you'd have clients making unencrypted DNS queries to their local DNS server (53), then said DNS server would forward queries upstream over HTTPS/TLS (443). Or, even better, allowing Windows DNS Server to answer queries over HTTPS for a true end-to-end encrypted flow.

Also, echoing the need for DNSSEC on Windows Client!

Re: Windows will improve user privacy with DNS over HTTPS

I'll be the stick in the mud here.

We don't only need DoT and DoH, we need granular control over what is and what is not allowed through those DNS servers, or our clients are going to be inundated by new forms of malware, spyware, etc. from advertisers and hacking groups who simply buy an SSL cert for .00000001 bitcoins and flood the "secure" DNS with the same intrusive ads and garbage that make the internet a virtual nightmare of scams, garbage and malicious links.

Re: Windows will improve user privacy with DNS over HTTPS

@cpuprohky you seem to have a serious misunderstanding of what DNS-over-HTTPS is and what is happening here. This change will not override your own manually configured local DNS servers; it will only matter if a client is configured to use a well-known DNS server that supports DoH, for example Cloudflare's 1.1.1.1 or Google's 8.8.8.8. Clients configured to use those or other similar public DNS servers will be automatically upgraded to DoH; those set to private servers or public services not known to support DoH will not be changed.

Also, if you want to run your own DNS server that monitors and/or modifies traffic, you can still do so with DoH. It's just a different protocol between the client and the chosen resolver; everything else works the same as it always has.

The only thing this actually affects is transparently intercepting DNS traffic and redirecting it to somewhere the client did not want. Protecting against this is a good thing. Those who legitimately control the machines they're monitoring can configure them appropriately for their needs rather than relying on dirty tricks.

It won't change a thing as far as malware or ads are concerned.

Re: Windows will improve user privacy with DNS over HTTPS

https://www.reddit.com/r/pihole/comments/dy4b3b/windows_will_improve_user_privacy_with_dns_over/

> How does this impact the use of a PiHole? Do you lose some control on some closed source devices?

> If a device or computer is using DNS over HTTPS, their DNS lookups will look like regular HTTPS requests, so they won't even hit the pihole at all.
> It will be a 'good' way for systems to bypass ad filters or tracking filters like the pihole.

> As long as you point devices you control to the pihole as a DNS server then the endpoint will still be there, right?
> This will be a problem for devices like the Chromecast that have servers hard coded and don't allow the end user to modify them.

> Not necessarily. If the device or computer or the browser, for example, are configured to use DNS over HTTPS then your pihole is completely out of the loop. Some will allow you to turn off DoH (for now) but some won't.

Re: Windows will improve user privacy with DNS over HTTPS

There is guidance up now on the PiHole site for the integration of the "cloudflared" service on a PiHole.

I am interested in seeing the low-level flow of the nameserver selection logic. It sounds like MS is making some reasonable choices with respect to not arbitrarily undoing user configurations for client nameservers. That having been said, the interoperability is in the details.

Re: Windows will improve user privacy with DNS over HTTPS

@cpuprohky You are correct that something like a Chromecast, where you might be redirecting DNS traffic via your router to the PiHole, would no longer be possible.

The thing is though, Google could do this today, as Google DNS already supports DoH and Chromecast has nothing to do with Windows. So I'm not sure why you are posting about it on here, as it's nothing to do with what Microsoft are doing.

Re: Windows will improve user privacy with DNS over HTTPS

Hello,

I agree that privacy is something that is VERY important, especially in our modern age. However, privacy from our ISP is nice, but Microsoft still has their own tracking in Windows. As I (and others) have asked for in many places, PLEASE LET US DISABLE ALL MICROSOFT SPYWARE AND CRAPWARE IN WINDOWS 10.

As for @cpuprohky, good point, and @alexatkinuk: Pihole is a DNS server based adblocker, and this article is directly about DNS. As for Chromecast, people like ME use Google Chromecasts with our Windows PCs. As DNS is one of the backbones of the Internet, it does directly affect the use of devices like PiHole and Chromecasts; furthermore it affects anything that needs to resolve a name to an IP. As your statement indicates a lack of knowledge on what DNS is and how the internet works, I would advise studying the topic. If you would like, I can provide the names of some good resources.

Now to answer @cpuprohky's question:

As for PiHole, it already supports DNS over HTTPS; below is a link from PiHole explaining how to set it up.
https://docs.pi-hole.net/guides/dns-over-https/

Chromecast's should not be 
affected%20(depending%20on%20what%20your%20doing)%20As%20screen%20casting%20is%20a%20intranet%20matter%2C%20and%20video%20streaming%20the%20chromecast%20connects%20to%20it's%20own%20DNS%20servers%2C%20(your%20computer%20functions%20only%20as%20the%20remote%2C%20the%20device%20works%20'mostly'%20on%20it's%20own).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1039337%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1039337%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F472287%22%20target%3D%22_blank%22%3E%40GLaDOS%3C%2FA%3EI%20think%20it%20may%20be%20you%20who%20doesn't%20understand%20the%20potential%20issues%20with%20DoH.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20normal%20DNS%20we%20can%20easily%20redirect%20it%20at%20the%20router%20by%20catching%20all%20outgoing%20traffic%20on%20the%20DNS%20port%20and%20sending%20it%20to%20our%20PiHole.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20DoH%2C%20we%20would%20need%20a%20rule%20that%20catches%20the%20actual%20IP%20addresses%20of%20every%20single%20possible%20DoH%20server%20our%20clients%20might%20hit%2C%20as%20its%20indistinguishable%20from%20normal%20HTTPS%20traffic%20so%20cannot%20be%20simply%20redirected%20by%20port.%26nbsp%3B%20Either%20that%20or%20we'd%20need%20to%20redirect%20all%20HTTPS%20traffic%20via%20a%20proxy%20server%20and%20spoof%20it%20there%20somehow.%26nbsp%3B%20This%20would%20have%20the%20annoying%20drawback%20of%20having%20ALL%20HTTPS%20traffic%20going%20via%20the%20proxy%2C%20needing%20much%20beefier%20hardware%20and%20potential%20for%20problems%20occuring.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1060802%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%
2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1060802%22%20slang%3D%22en-US%22%3E%3CP%3EI%20don't%20consider%20DoH%20or%20DoT%20an%20upgrade%20as%20this%20is%20just%20a%20brand%20new%20attack%20vector%20for%20attackers%20that%20will%20be%20able%20to%20hide%20their%20DNS%20traffic%20from%20the%20prying%20eyes%20of%20enterprise%20security.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1061093%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1061093%22%20slang%3D%22en-US%22%3E%3CP%3EI%20somewhat%20agree%2C%20as%20the%20way%20I%20use%20it%20at%20home%20is%20to%20catch%20all%20DNS%20traffic%20at%20the%20router%2C%20forcing%20it%20to%20use%20my%20local%20DNS%20cache%20which%20THEN%20uses%20DoT%20to%20perform%20uncached%20lookups%20with%20Cloudflare.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20the%20clients%20bypass%20this%2C%20they%20are%20exposed%20to%20all%20the%20security%20risks%20I'm%20blocking%20at%20the%20firewall.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlus%20how%20do%20you%20handle%20Intranet%20DNS%20lookups%3F%26nbsp%3B%20Will%20this%20be%20something%20you%20can%20suddenly%20only%20do%20with%20Windows%20Enterprise%20editions%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1095073%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1095073%22%20slang%3D%22en-US%22%3E%3CP%3EPeople%20complaining%20that%20this%20will%20allow%20uses%20to%20bypass%20a%20DNS%20router%20forwarding%20to%20a%20PiHole%20are%20a%20little%20bit%20too%20naive...%20I%20would%20never%20trust%20a%20solution%20that%20implies%20the%20users%20are%20clueless%20and%20only%20use%20Windows.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20this%2C%20Microsoft%20is%20just%20making%20it%20easier%20for%20users%20to%20have%20DNS%20security%20with%20OS%20su
pport%20DoH%20but%20users%20can%20already%20do%20this%20anyway%20in%20many%20multiple%20ways%3A%20it%20is%20quite%20easy%20to%20install%20a%20DNS%20forwarder%20that%20uses%20DoH%20and%20DoT%20which%20will%20already%20bypass%20yous%20%22Secure%22%20DNS%20PiHole%20solution%2C%20even%20browsers%20are%20now%20able%20to%20do%20this%20directly%20and%20bypass%20the%20Windows%20configured%20DNS%20servers%2C%20other%20OSs%20already%20have%20this%20and%20Android%2010%20allows%20you%20to%20do%20this%20as%20well%20with%20a%20simple%20configuration%20check.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20not%20be%20naive%2C%20your%20PiHole%20solution%20was%20already%20quite%20broken%20way%20before%20this%20announcement...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1153043%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1153043%22%20slang%3D%22en-US%22%3E%3CP%3EA%20few%20questions%20to%20the%20implementation%20team%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20Are%20there%20any%20guesses%2Findications%20which%20version%20of%20Windows%2010%20this%20will%20first%20come%20in%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2)%20Is%20it%20likely%20to%20get%20retrofitted%20to%20older%20but%20still%20supported%20Windows%20systems%20(i.e.%208.1)%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3)%20I'm%20guessing%20you%20will%20introduce%20it%20in%20one%20of%20the%20Windows%2010%20updates%20(e.g.%2020H2%20etc)%2C%20but%20not%20as%20a%20retrofitted%20patch%20for%20older%20builds%20(e.g.%201903%2C%201909%20etc)%20via%20a%20cumulative%20update%3F%20Is%20that%20correct.%20(Obviously%20with%20Windows%208.1%20its%20a%20different%20story%2C%20as%20there's%20only%20one%20supported%20branch%20of%20the%208.1%20OS%20code%2C%20and%20thus%20a%20backport%20(speaking%20as%20a%20developer%20myself)%2C%20might%20be%20feasible).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22l
ingo-sub-1176527%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1176527%22%20slang%3D%22en-US%22%3E%3CP%3EDefinitely%20agree%20with%26nbsp%3BJoseph%20Zollo%26nbsp%3B%20that%20there%20needs%20to%20be%20full%20support%20in%20the%20ecosystem%2C%20with%20Windows%20Server%20DNS%20Servers%20being%20able%20to%20talk%20to%20upstream%20DoH%20servers%20and%20also%20serve%20DoH%20to%20clients.%20Because%20in%20any%20enterprise%20environment%2C%20clients%20will%20talk%20to%20central%20internal%20DNS%20servers%2C%20not%20directly%20to%20a%20public%20DNS%20provider.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1423096%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20will%20improve%20user%20privacy%20with%20DNS%20over%20HTTPS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1423096%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20there%20any%20plans%20to%20add%20DoH%20server%20functionality%20to%20Windows%20Server%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20reason%20I%20ask%20is%20that%20without%20it%2C%20the%20added%20DoH%20functionality%20in%20the%20client%20will%20be%20of%20very%20limited%20use%20in%20an%20enterprise%20environment%20based%20on%20Windows%20Server%20based%20DNS%20servers.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20would%20be%20really%20useful%20is%20a%20DoH%20server%20which%20uses%20certificates%20for%20access%20authentication.%20In%20that%20way%20we%20could%20make%20our%20internal%20(filtered)%20DNS%20available%20to%20our%20corporate%20computers%20even%20when%20they%20are%20outside%20of%20our%20network%20(and%20not%20on%20VPN).%3C%2FP%3E%3C%2FLINGO-BODY%3E

Brought to you by Tommy Jensen, Ivan Pashov, and Gabriel Montenegro

Here in Windows Core Networking, we’re interested in keeping your traffic as private as possible, as well as fast and reliable. While there are many ways we can and do approach user privacy on the wire, today we’d like to talk about encrypted DNS. Why? Because supporting encrypted DNS queries in Windows will close one of the last remaining plain-text domain name transmissions in common web traffic.

Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that "we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology."

We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn’t universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.

With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team's guiding principles on making those decisions:

  • Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user’s browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
  • Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
  • Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
  • Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.

Based on these principles, we are making plans to adopt DNS over HTTPS (or DoH) in the Windows DNS client. As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we’re open to having other options such as DNS over TLS (DoT) in the future. For now, we're prioritizing DoH support as the most likely to provide immediate value to everyone. For example, DoH allows us to reuse our existing HTTPS infrastructure.

For our first milestone, we'll start with a simple change: use DoH for DNS servers Windows is already configured to use. There are now several public DNS servers that support DoH, and if a Windows user or device admin configures one of them today, Windows will just use classic DNS (without encryption) to that server. However, since these servers and their DoH configurations are well known, Windows can automatically upgrade to DoH while using the same server. We feel this milestone has the following benefits:

  • We will not be making any changes to which DNS server Windows was configured to use by the user or network. Today, users and admins decide what DNS server to use by picking the network they join or specifying the server directly; this milestone won’t change anything about that. Many people use ISP or public DNS content filtering to do things like block offensive websites. Silently changing the DNS servers trusted to do Windows resolutions could inadvertently bypass these controls and frustrate our users. We believe device administrators have the right to control where their DNS traffic goes.
  • Many users and applications that want privacy will start getting the benefits without having to know about DNS. In line with principle 1, the DNS queries become more private with no action from either apps or users. When both endpoints support encryption, there’s no reason to wait around for permission to use encryption!
  • We can start seeing the challenges in enforcing the line on preferring resolution failure to unencrypted fallback. In line with principle 4, this DoH use will be enforced so that a server confirmed by Windows to support DoH will not be consulted via classic DNS. If this preference for privacy over functionality causes any disruption in common web scenarios, we’ll find out early.
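To make the first milestone concrete, here is an added example in Python (not Microsoft's code and not the Windows resolver) of the three behaviours described above: the configured server is never changed, only its transport is upgraded when the server is in a table of well-known DoH endpoints, and once a server is treated as DoH-capable a DoH failure is a resolution failure rather than a trigger for classic-DNS fallback (principle 4). The resolver table is constructed from the providers' publicly documented templates, not from any list Microsoft has published; the query is RFC 1035 wire format carried in the RFC 8484 GET form, and the transports are offline fakes so the block runs without a network.

```python
import base64
import struct

# Constructed table of well-known public resolvers and their DoH endpoints
# (providers' documented templates; Microsoft's own list is not in the post).
KNOWN_DOH_RESOLVERS = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "1.0.0.1": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
    "8.8.4.4": "https://dns.google/dns-query",
}
QTYPE_A = 1


class ResolutionFailed(Exception):
    pass


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A):
    # ID 0 and RD=1; RFC 8484 suggests ID 0 so identical queries are cacheable.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(template, wire):
    # RFC 8484 GET form: base64url-encoded wire message, padding stripped.
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{template}?dns={b64}"


def decode_name(msg, off):
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_a_records(msg):
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                      # skip the echoed question
        _name, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def plan_transport(configured_server):
    """Keep the configured server; upgrade only the transport if it is known to do DoH."""
    template = KNOWN_DOH_RESOLVERS.get(configured_server)
    return ("doh", template) if template else ("classic", configured_server)


def resolve(name, configured_server, doh_send, classic_send):
    kind, target = plan_transport(configured_server)
    wire = build_query(name)
    if kind == "classic":
        return parse_a_records(classic_send(target, wire))
    try:
        reply = doh_send(doh_get_url(target, wire))
    except Exception as exc:
        # Principle 4: a server confirmed to support DoH is never consulted
        # over classic DNS, so a DoH failure is a resolution failure.
        raise ResolutionFailed(f"DoH to {target} failed: {exc}") from exc
    return parse_a_records(reply)


# Constructed offline transports standing in for the network.
def fake_reply(wire):
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + wire[12:] + answer


def fake_doh_send(url):
    b64 = url.split("dns=", 1)[1]
    return fake_reply(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))


def fake_classic_send(_server, wire):
    return fake_reply(wire)


def failing_doh_send(_url):
    raise ConnectionError("TLS handshake to DoH endpoint failed")
```

Calling `resolve("example.com", "1.1.1.1", fake_doh_send, fake_classic_send)` goes out as a DoH GET to the Cloudflare template, `resolve("example.com", "192.168.1.2", ...)` stays on classic DNS to the private resolver, and `resolve("example.com", "8.8.8.8", failing_doh_send, fake_classic_send)` raises `ResolutionFailed` instead of silently retrying in the clear, which is exactly the disruption the milestone is meant to surface early.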

In future milestones, we'll need to create more privacy-friendly ways for our users to discover their DNS settings in Windows as well as make those settings DoH-aware. This will give users, device admins, and enterprise admins the ability to configure DoH servers explicitly. 

Why announce our intentions in advance of DoH being available to Windows Insiders? With encrypted DNS gaining more attention, we felt it was important to make our intentions clear as early as possible. We don’t want our customers wondering if their trusted platform will adopt modern privacy standards or not.

If you are interested in joining the larger industry conversation about encrypting the DNS, check out one of the IETF working groups working with DNS (ABCD, Apps Doing DNS, DNSOP, DPRIVE) or the new Encrypted DNS Deployment Initiative.

Do you have questions or feedback for us regarding the Windows plan to adopt encrypted DNS? We’d love to hear from you! Feel free to comment below.

16 Comments

@cpuprohky you seem to have a serious misunderstanding of what DNS-over-HTTPS is and what is happening here.  This change will not override your own manually configured local DNS servers; it will only matter if a client is configured to use a well-known DNS server that supports DoH, for example Cloudflare's 1.1.1.1 or Google's 8.8.8.8.  Clients configured to use those or other similar public DNS servers will be automatically upgraded to DoH; those set to private servers or public services not known to support DoH will not be changed.

Also, if you want to run your own DNS server that monitors and/or modifies traffic you can still do so with DoH.  It's just a different protocol between the client and the chosen resolver, everything else works the same as it always has.

The only thing this actually affects is transparently intercepting DNS traffic and redirecting it to somewhere the client did not want.  Protecting against this is a good thing.  Those who legitimately control the machines they're monitoring can configure them appropriately for their needs rather than relying on dirty tricks.

It won't change a thing as far as malware or ads are concerned.

https://www.reddit.com/r/pihole/comments/dy4b3b/windows_will_improve_user_privacy_with_dns_over/

How does this impact the use of a PiHole? Do you lose some control on some closed source devices?

If a device or computer is using DNS over HTTPS, their DNS lookups will look like regular HTTPS requests, so they won't even hit the pihole at all.

It will be a 'good' way for systems to bypass ad filters or tracking filters like the pihole.

As long as you point devices you control to the pihole as a dns server then the endpoint will still be there, right?

This will be a problem for devices like the Chromecast that have servers hard-coded and don't allow the end user to modify them.

Not necessarily. If the device or computer or the browser, for example, are configured to use DNS over HTTPS then your pihole is completely out of the loop. Some will allow you to turn off DoH (for now) but some won't.

Hello,

I agree that privacy is something that is VERY important, especially in our modern age.  However, privacy from our ISP is nice, but Microsoft still has its own tracking in Windows. As I (and others) have asked for in many places, PLEASE LET US DISABLE ALL MICROSOFT SPYWARE AND CRAPWARE IN WINDOWS 10.

As for @cpuprohky, good point, and @alexatkinuk, PiHole is a DNS-server-based ad blocker, and this article is directly about DNS. As for Chromecast, people like ME use Google Chromecasts with our Windows PCs.  As DNS is one of the backbones of the Internet, it does directly affect the use of devices like PiHole and Chromecasts; furthermore, it affects anything that needs to resolve a name to an IP.  As your statement indicates a lack of knowledge of what DNS is and how the Internet works, I would advise studying the topic.  If you would like, I can provide the names of some good resources.

Now to answer @cpuprohky's question:

As for PiHole, it already supports DNS over HTTPS; below is a link from PiHole explaining how to set it up.

https://docs.pi-hole.net/guides/dns-over-https/

Chromecasts should not be affected (depending on what you're doing), as screen casting is an intranet matter, and for video streaming the Chromecast connects to its own DNS servers (your computer functions only as the remote; the device works 'mostly' on its own).

@GLaDOS I think it may be you who doesn't understand the potential issues with DoH.

With normal DNS we can easily redirect it at the router by catching all outgoing traffic on the DNS port and sending it to our PiHole.

With DoH, we would need a rule that catches the actual IP addresses of every single possible DoH server our clients might hit, as it's indistinguishable from normal HTTPS traffic so cannot be simply redirected by port.  Either that or we'd need to redirect all HTTPS traffic via a proxy server and spoof it there somehow.  This would have the annoying drawback of having ALL HTTPS traffic going via the proxy, needing much beefier hardware and potential for problems occurring.
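The comment above contrasts a port-53 redirect with the IP-by-IP chase that DoH forces on a router. As an added example (not from the commenter, PiHole, or Microsoft), the Python below shows the practical middle ground a gateway has: a port-53 flow can be redirected to the PiHole; a port-443 flow can only be recognised as DoH if its TLS ClientHello carries a server name on a maintained list, or its destination is on a maintained IP list; anything else passes as ordinary HTTPS, which is how a DoH server you have not listed escapes. The ClientHello builder, the host/IP lists, the PiHole address and the sample flows are all constructed here (documentation-range addresses), and the SNI check only works while the server name is sent in the clear.

```python
import struct

# Constructed deny data: a DoH blocklist has to be kept current by hand,
# which is the maintenance burden the comment above describes.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
KNOWN_DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
PIHOLE = "192.168.1.2"   # assumed LAN address of the PiHole


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello whose only extension is SNI."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host         # name_type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # type 0 = server_name
    body = (b"\x03\x03" + bytes(32)      # client_version, random
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        hs = record[5:]
        off = 4 + 2 + 32                                    # header, version, random
        off += 1 + hs[off]                                  # session_id
        off += 2 + struct.unpack("!H", hs[off:off + 2])[0]  # cipher_suites
        off += 1 + hs[off]                                  # compression_methods
        end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            if etype == 0:
                # server_name list: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", hs[off + 3:off + 5])[0]
                return hs[off + 5:off + 5 + name_len].decode("ascii")
            off += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def classify(flow):
    """Decide what a router rule could do with one outbound flow."""
    if flow["dport"] == 53:
        return ("classic-dns", f"redirect to {PIHOLE}")
    if flow["dport"] == 443:
        sni = extract_sni(flow.get("payload", b""))
        if sni in KNOWN_DOH_HOSTS or flow["dst"] in KNOWN_DOH_IPS:
            return ("doh", f"block/reset {flow['dst']} ({sni or 'no SNI'})")
        return ("https", "pass")            # includes DoH to servers we do not know
    return ("other", "pass")


# Constructed sample flows (documentation-range destination addresses).
FLOWS = [
    {"src": "192.168.1.50", "dst": "8.8.8.8", "dport": 53},
    {"src": "192.168.1.50", "dst": "203.0.113.10", "dport": 443,
     "payload": build_client_hello("cloudflare-dns.com")},
    {"src": "192.168.1.51", "dst": "203.0.113.20", "dport": 443,
     "payload": build_client_hello("www.example.com")},
    {"src": "192.168.1.52", "dst": "203.0.113.30", "dport": 443,
     "payload": build_client_hello("doh.unknown-provider.example")},
]


def report(flows=FLOWS):
    return [classify(f) for f in flows]


if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, report()):
        print(flow["dst"], flow["dport"], verdict)
```

The fourth flow is the one that matters: a DoH server that is not on either list is indistinguishable from the `www.example.com` flow before it, so the only remaining options are the full TLS-intercepting proxy the comment mentions or controlling the clients' own resolver configuration.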

People complaining that this will allow users to bypass a DNS router forwarding to a PiHole are a little bit too naive... I would never trust a solution that implies the users are clueless and only use Windows.

With this, Microsoft is just making it easier for users to have DNS security with OS support for DoH, but users can already do this anyway in many ways: it is quite easy to install a DNS forwarder that uses DoH and DoT, which will already bypass your "Secure" DNS PiHole solution; even browsers are now able to do this directly and bypass the Windows-configured DNS servers; other OSs already have this, and Android 10 allows you to do this as well with a simple configuration check.

Do not be naive, your PiHole solution was already quite broken way before this announcement...

A few questions to the implementation team:

1) Are there any guesses/indications which version of Windows 10 this will first come in?

2) Is it likely to get retrofitted to older but still supported Windows systems (i.e. 8.1)?

3) I'm guessing you will introduce it in one of the Windows 10 updates (e.g. 20H2 etc.), but not as a retrofitted patch for older builds (e.g. 1903, 1909 etc.) via a cumulative update? Is that correct? (Obviously with Windows 8.1 it's a different story, as there's only one supported branch of the 8.1 OS code, and thus a backport (speaking as a developer myself) might be feasible.)

Are there any plans to add DoH server functionality to Windows Server?

The reason I ask is that without it, the added DoH functionality in the client will be of very limited use in an enterprise environment based on Windows Server based DNS servers.

What would be really useful is a DoH server which uses certificates for access authentication. In that way we could make our internal (filtered) DNS available to our corporate computers even when they are outside of our network (and not on VPN).


