Microsoft has added a DNS over HTTPS (DoH) client to Windows 10 Build 19628, released to Windows Insiders in the Fast Ring.
DNS over HTTPS is a controversial internet privacy technology that encrypts DNS queries and carries them inside ordinary HTTPS traffic, so an ISP or any other on-path observer can no longer read your lookups to learn which hostnames you resolve. It does not hide everything: the destination IP addresses of your connections, and without Encrypted Client Hello the TLS server name, remain visible. Today, DNS queries are normally sent in plaintext over UDP or TCP port 53.
The DNS-over-HTTPS protocol (IETF RFC 8484) can be built directly into apps, letting each app use its own DNS resolvers rather than depend on the operating system's. The technology is currently in testing in Google’s Chrome and is already available in Firefox.
DoH removes the ISP’s visibility into its customers’ DNS queries, and in the UK the technology has met heavy opposition from ISPs and the security services.
According to the Internet Services Providers’ Association (ISPA UK), it would also “bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.”
The UK’s GCHQ spy service has said it will impede police investigations and undermine laws that require ISPs to block certain websites.
If you would rather keep your DNS lookups private, however, Insiders can enable DNS-over-HTTPS by making the following registry edit:
- Open the Registry Editor (regedit.exe)
- Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry key
- Create a new DWORD value named “EnableAutoDoh”
- Set its value to 2
You then need to configure Windows to use a DNS server that it recognizes as DoH-capable, such as Cloudflare’s 1.1.1.1 (and 1.0.0.1) or Google’s 8.8.8.8 (and 8.8.4.4), through the Control Panel or the Settings app. Windows only upgrades to DoH for addresses on its built-in list of known DoH servers (Cloudflare, Google and Quad9’s 9.9.9.9 at this stage); any other resolver’s address will simply continue to be queried over classic DNS, with no warning.
To add a DNS server in the Control Panel:
- Go to Network and Internet -> Network and Sharing Center -> Change adapter settings.
- Right click on the connection you want to add a DNS server to and select Properties.
- Select either “Internet Protocol Version 4 (TCP/IPv4)” or “Internet Protocol Version 6 (TCP/IPv6)” and click Properties.
- Ensure the “Use the following DNS server addresses” radio button is selected and add the DNS server address into the fields below.
The next time the DNS service restarts, Windows will start using DoH to talk to these servers instead of classic DNS over port 53. The easiest way to trigger a DNS service restart is by rebooting the computer.
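The same procedure scripted in PowerShell, with a check that plain-text DNS really has stopped. This is an added example, not code from the article or from Microsoft; it assumes an adapter alias of “Ethernet” (list yours with Get-NetAdapter), uses Cloudflare’s addresses because they are on the known-DoH-server list, and relies on Packet Monitor (pktmon), which ships with Windows 10 since version 1809.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page or Microsoft). Automates the manual steps
# above on Windows 10 Insider Build 19628 or later, then verifies that no
# plain-text port-53 queries leave the machine once DoH is active.

# Assumption: the adapter alias to reconfigure. List yours with Get-NetAdapter.
$Adapter = 'Ethernet'

# 1. Registry switch from the article: DWORD EnableAutoDoh = 2 under Dnscache\Parameters.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
New-ItemProperty -Path $Key -Name 'EnableAutoDoh' -PropertyType DWord -Value 2 -Force | Out-Null

# 2. Point the adapter at resolvers on Windows' built-in list of known DoH servers.
#    Windows only upgrades to DoH for addresses it already knows; an arbitrary
#    resolver's IP here would silently stay on classic port-53 DNS.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses '1.1.1.1', '1.0.0.1'

# 3. Show what is now configured so the change can be eyeballed before rebooting.
Get-ItemProperty -Path $Key -Name 'EnableAutoDoh' | Select-Object EnableAutoDoh
Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4

Write-Host 'Reboot now; the DNS client reads EnableAutoDoh when the Dnscache service restarts.'

# 4. After the reboot, run these lines in an elevated prompt. The filter keeps only
#    port-53 packets, so a lookup should print nothing once DoH is in use. pktmon
#    streams to the console until you press Ctrl+C; issue the lookup from a second window.
#
#   pktmon filter remove
#   pktmon filter add -p 53
#   Clear-DnsClientCache
#   pktmon start --etw -m real-time
#   (second window)  Resolve-DnsName example.com
#   pktmon stop
```

If port-53 packets still appear for the lookup, the most common causes are a resolver address that is not on the known-DoH list, or the service not having been restarted since the registry value was written.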
Windows Core Networking engineers Tommy Jensen, Ivan Pasho and Gabriel Montenegro said DoH in Windows “will close one of the last remaining plain-text domain name transmissions in common web traffic.”
The move is controversial, as it could prevent companies from managing their network traffic, but Microsoft said it was worth the price, saying it has to treat privacy as a human right and has to have end to end cybersecurity built into products.
Read more detail about the Windows 10 implementation at Microsoft here.