Microsoft Talks Up Windows Support for Encrypted DNS
The Windows operating system will be getting support for an encrypted Domain Name System (DNS) option, Microsoft announced this week, adding greater privacy protections for Internet connections.
Specifically, Microsoft plans to adopt the "DNS over HTTPS" (DoH) approach for encrypting DNS traffic in Windows. DoH is an Internet Engineering Task Force (IETF) Proposed Standard, published as RFC 8484. DNS is the protocol that translates human-readable domain names, such as "microsoft.com," into numerical IP addresses like "188.8.131.52," which are what a client actually connects to in order to reach a Web site. Under the IETF's approach, a DoH client encodes a single DNS query into an HTTP request carried over HTTPS, while the DoH server "defines the URI" that clients send those requests to, per the standard.
Encrypting DNS traffic is conceived as a privacy control because DNS queries today travel in plain text: anyone on the network path can read which names a device is resolving, and an attacker positioned in the middle (a so-called "man-in-the-middle" attack) can forge responses and redirect browsing to an address of their choosing. Internet Service Providers (ISPs) run the DNS servers most customers use to resolve Internet addresses, which means they also see this plain-text information and can tell what their customers are viewing on the Web. DoH encrypts only the lookup itself, though: the operator of the DoH server still sees every query, and the IP address a client subsequently connects to remains visible on the network.
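The following is an added example, not code from the article or from Microsoft, and uses only the Python standard library so it runs offline. It builds the same A-record query for "microsoft.com" in DNS wire format, shows what a passive observer learns from it on plain-text UDP port 53 and how a reply can be crafted by anyone who saw the query (the only checks a stub resolver applies are the transaction ID and the echoed question), and then encodes that identical message the way an RFC 8484 DoH client does for a GET request. The DoH server URI "https://doh.example/dns-query" is an assumed placeholder, and 192.0.2.1 is a documentation address, not a real answer.

```python
import base64
import struct

# Assumed DoH server URI template for the example; not Microsoft's or any real resolver's.
DOH_SERVER_URI = "https://doh.example/dns-query"


def encode_name(name: str) -> bytes:
    """Encode 'microsoft.com' as DNS labels: \\x09microsoft\\x03com\\x00."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """One A-record question in DNS wire format (RFC 1035): 12-byte header + question."""
    # flags 0x0100 = standard query with recursion desired; QDCOUNT=1, other counts 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_name(msg: bytes, off: int):
    """Decode a name at offset off, following compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_message(msg: bytes) -> dict:
    """Everything a passive observer on the path learns from a plain-text DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    name, off = parse_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _rname, off = parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: four-octet IPv4 address
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "name": name, "qtype": qtype, "answers": answers}


def build_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Craft an A-record answer for the given query. A legitimate resolver does this,
    and so can any on-path party, because the plain-text query already reveals the
    transaction ID and question the client will use to accept the reply."""
    q = parse_message(query)
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA; 1 answer
    question = query[12:]  # echo the question section verbatim
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def response_matches(query: bytes, response: bytes) -> bool:
    """The only checks a plain-text stub resolver applies before trusting a reply."""
    q, r = parse_message(query), parse_message(response)
    return (r["is_response"] and q["txid"] == r["txid"]
            and q["name"] == r["name"] and q["qtype"] == r["qtype"])


def doh_get_url(query: bytes, server_uri: str = DOH_SERVER_URI) -> str:
    """RFC 8484 GET form: the wire-format message, base64url-encoded with padding
    removed, is substituted for the 'dns' variable of the server's URI template.
    Sent over HTTPS, an observer sees only a TLS connection to the DoH server."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{server_uri}?dns={encoded}"


def doh_decode(url: str) -> bytes:
    """Server side of the RFC 8484 GET: restore padding and recover the DNS message."""
    encoded = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


if __name__ == "__main__":
    q = build_query("microsoft.com")
    print("plain-text query reveals:", parse_message(q))
    forged = build_response(q, "192.0.2.1")  # RFC 5737 documentation address, constructed
    print("forged reply passes the stub resolver's checks:", response_matches(q, forged))
    print("same query as a DoH GET:", doh_get_url(q))
```

The forged reply is accepted purely on the 16-bit transaction ID and the echoed question, both of which were readable in the plain-text query; inside a DoH connection neither is visible to a third party, and the TLS server certificate binds the answer to the configured DoH server.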
Windows Supports DoH
Microsoft's announcement suggested that Windows can already be set up to use DoH, if wanted. However, no details on how to do so were provided.
Microsoft isn't planning to change which DNS server Windows is configured to use, though. The resolver a device points to is sometimes used to block access to offensive sites or to enforce parental controls, so Microsoft plans to keep control over DNS server selection in the hands of device administrators.
"We believe device administrators have the right to control where their DNS traffic goes," the announcement stated.
Microsoft also plans to make the DNS settings in Windows more visible so as to "give users, device admins, and enterprise admins the ability to configure DoH servers explicitly" when greater privacy protection is wanted.
Google and Mozilla have already started implementing DoH in their browsers, which possibly spurred Microsoft's announcement to some degree. Here's how Microsoft described it:
Why announce our intentions in advance of DoH being available to Windows Insiders? With encrypted DNS gaining more attention, we felt it was important to make our intentions clear as early as possible. We don't want our customers wondering if their trusted platform will adopt modern privacy standards or not.
Although it wasn't mentioned in the announcement, the Chromium-based Microsoft Edge browser already has a "Secure DNS lookups" feature that enables DNS over HTTPS, although it was still at the preview stage, according to a Sept. 16 Microsoft Tech Community post.
EFF Backs DoH
The Electronic Frontier Foundation (EFF), an Internet privacy organization, is backing DoH as a way to add privacy protections for Web browsing and to thwart government censorship.
"Countries like China and Turkey have used control over DNS to block their citizens' access to websites and track the web activity of activists, a form of censorship that will eventually be much more difficult once there is widespread implementation of DoH," stated Ernesto Falcon, an EFF senior legislative counsel, in an October announcement.
The main opponents of DoH, though, are some telecom and cable service providers, the EFF noted. In a September letter to Congress (PDF download), the NCTA, CTIA and US Telecom claimed that Google planned to use DoH to take control of DNS lookups as an anticompetitive measure. The letter argued that DoH would disrupt services that ISPs provide through their DNS servers, including parental controls and steering users to the nearest content servers, and that it would get in the way of anti-piracy efforts.
In a response letter, the EFF noted that DoH "was created through an open standards process at the IETF lasting over two years and including contributions and input from many different sectors." Google's own plan doesn't cut out the ISPs, the EFF's letter added.
"Public documents state that Google will make Chrome attempt to use individual ISPs' own DoH services, which means if all DNS providers adopt DoH, which would yield the greatest privacy benefit to Internet users, then nothing will change after Google adopts DoH."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.