Windows 10 Previews DNS Over HTTPS (thurrott.com)
An anonymous reader quotes a report from Paul Thurrott: With the new build of Windows 10 [19628], Microsoft is starting to test DNS over HTTPS. The new build comes with Microsoft's initial support for DNS over HTTPS on Windows, and Insiders will have to manually enable the new feature. If you would like to enable DNS over HTTPS in Windows 10, you will have to first install the latest Insider build. After that, you will have to go into the registry and tweak an entry to first enable the new DNS over HTTPS client, and then update the DNS servers your computer is using. It's not as easy as ticking a checkbox, but Microsoft has shared the instructions to enable the feature in detail, so make sure to check it out here. What is DNS over HTTPS and why is it important? "DNS, to put simply, is the process where an easy-to-read and write domain address is translated into an actual IP address for where a web resource is located," writes Thurrott. "Although most websites already use HTTPS for added privacy, your computer is still making DNS requests and resolving addresses without any encryption. With DNS over HTTPS, your device will perform all the required DNS requests over a secured HTTPS connection, which improves security thanks to the encrypted connection."
Solving the wrong problem (Score:5, Insightful)
Because Microsoft (and whatever partner they use) is so much more trustworthy than my ISP.
Re: (Score:3)
But, but if you just use Verified Service from Trusted Provider, you'll be Safe!
Re: (Score:2)
But is it a Trustificate?
Where's that guy when you need him (Score:3)
What? No you just need a hosts file engine...
DNSSEC (Score:5, Insightful)
exactly the endpoint/workstation needs to actually validate the answers cryptographically...
the standard is DNSSEC and most roots support it, please Microsoft engineers... do the right thing here rather than a quick patch
John Jones
Re:DNSSEC (Score:5, Informative)
Not the same thing. DNSSEC is about making sure nobody tampers with DNS traffic. DoH is about making sure nobody can read your DNS traffic.
And OS level implementation is the correct implementation. Not sure why everyone here is acting like Microsoft is adding a mandatory service that uses their DNS servers or something. They are adding support for the technology. Set it up to use whatever servers you want. Or don't. Whatever.
Re: (Score:3)
DNSSEC and DNS over HTTPS solve two very *very* different problems. And you want to hope that whatever server you are connecting to via DoH also supports DNSSEC.
Re: (Score:1)
It's really ridiculous to insist we trust one or the other.
We should be secure because we put our trust in math and physics, and the design of protocols--not services, not tools (look how corruptible Mozilla/humans are), but protocols-- that are simple, and can be used independently of any third party "provider".
Can't use Windows without trusting Microsoft (Score:4, Informative)
> It's really ridiculous to insist we trust one or the other.
> We should be secure because we put our trust in math and physics, and the design of protocols --not services, not tools (look how corruptible Mozilla/humans are),
If you use Windows and especially Edge / IE, Microsoft controls the "random" numbers used in the math. The math can't protect you if you don't trust your operating system and browser.
That's the concept of the trusted computing base - you HAVE to trust your OS, it can see all of your keystrokes. So you might want to make sure it's trustworthy.
(Note it's trustED computing base, not trustWORTHY computing base.)
Re: (Score:1)
I've said for years that we need host-proof computing with fully homomorphic encryption.
I stand by my argument, without compromise. Because I've written the code to prove it possible, and IBM has hardware to do it faster.
Re: (Score:2)
It says they are just introducing support for it, which you will then need to configure yourself. What's wrong about that? Building DoH into the OS is the correct implementation, not the fragmenting browser solution that Mozilla and Google are doing.
This is a good thing.
Re: (Score:2, Troll)
No, it belongs in systemd.
No, seriously, isn't that the claim that systemd makes? A service layer?
Re: Solving the wrong problem (Score:1)
"They said they introduced support for injecting cyanide into your bloodstream when you hold your phone! You still have to enable it yourself. What's wrong with that?"
Re: (Score:2)
> Because Microsoft (and whatever partner they use) is so much more trustworthy than my ISP.
Errr, yet they absolutely are. ISPs have demonstrated a willingness to simply sell their entire database of customer data to whoever is paying. Many other companies have not.
You're mad if you are privacy focused and you trust your ISP.
You're slightly less mad if you trust an advertising company (at least they keep your data to themselves in order to make a profit).
You're significantly less mad using some random service on the internet.
And you're completely sane if you run your own DNS server.
Re: (Score:2)
Toootally unlike Microsoft
Yes. Microsoft is selling eyes and access to you, not selling you outright.
Also, *deliberate* false dichotomy.
Only if you're ignorant.
Set your own DNS. Use DNSSEC. Done.
DNSSEC and DoH are two very different solutions to two very different problems. Also you can set your own DoH server. I don't expect Slashdot's most ignorant poster to understand the differences.
Even better: Add a (non-forwarding, self-resolving) DNS server daemon to Windows and use that.
If MS was about privacy, they'd do that.
Holy shit talk about a fucking retarded idea that doesn't solve any of the problems either DNSSEC or DoH address.
Learn to write, you illiterate.
Just learn... anything. I'm sorry English is my 4th language and I only learned it in my teens, but serio
Re: (Score:2)
Someone still knows what you want to resolve.
1. Using ISP DNS server
The ISP can have logs of what you want to resolve
2. Using some other DNS server
The ISP can still find out what you are resolving (tcpdump), the DNS server company also knows.
3. Using your own DNS server
Your ISP knows, the root and tld servers may know and the server of the domain you are resolving knows.
4. Using DNS over HTTPS
The DoH provider knows.
I guess one way would be to run own DNS server, but have it use TOR to resolve the IPs.
Re: (Score:2)
Google (Chrome) and Firefox use *YOUR* DNS provider (if your DOH provider supports it).
Reading the actual article, Edge will do the same thing but only if your DNS provider is one of 3 providers. Looks like a good way to beta test.
Real blocking incoming (Score:5, Informative)
Right now, most of the "legal blocks" across many nations with semi-free internet (example: UK) are enforced by ISP's on their DNS servers. This is usually considered sufficient by governments, so technically minded people can easily circumvent them by switching to DNS servers that are free from such interference.
If this goes through, ISPs will likely be mandated to actually start running proper "known ip range blocklists", making circumventing government mandated blocks much harder. So this change is liable to make blocking of things like porn, wrongthink and pirate bay much more invasive and hard to circumvent without a dedicated VPN tunnel.
s/differend/different/; s/awrness/awareness/ (Score:1)
I should have fixed that before posting ...
Re: (Score:2)
IP address blocks don't work thanks to CDNs. Any given IP address in the CDN will be serving innumerable sites, constantly shifting and changing. The collateral damage would be immense.
Re: (Score:2)
That is the first thing they do. The blocklists are because it is difficult for e.g. a UK court to order a US ISP to remove material that is legal in the UK.
Re: (Score:2)
That's what they have been trying to do. Suing CDNs to stop them providing services to sites they don't like. So far Cloudflare seems to be resisting.
Re: (Score:2)
> If this goes through, ISPs will likely be mandated to actually start running proper "known ip range blocklists"
Don't be silly. There's nothing preventing a mandate that actually works against changing DNS server as it is. Also thanks to IP reuse it's not actually possible to block a website or service by IP address without significant collateral damage.
Re: (Score:1)
Well, no. Presently in order to block DNS resolution of a domain name, the Fascist Government must coerce hundreds of thousands of DNS operators to tamper with the responses those DNS resolvers provide. This requires *lots* of enforcement thugs with lots of guns and lots of prisons in order to coerce compliance. It is very expensive and does not work very well.
With DoH, that same Fascist Government only needs one or two enforcement thugs, a couple of guns, and maybe one or two public executions to achiev
Re: (Score:2)
You can change your DNS-over-HTTP resolvers, exactly the same as with regular DNS.
Future plan? (Score:2)
If they push this as enabled by default in an upcoming patch they're going to wreak havoc on millions of domains. Surely they know that, right?
fuck off (Score:4, Funny)
can DNS over HTTPS fuck off and die already?
Re: (Score:1)
It works. It's not the best, nor the likely permanent 'solution', since security rarely has a permanent solution.
And I'm using it now, Insider Preview ring, and it works with HTTPS, common HTTP, self-signed certs, and a flaky cert I won't bore you with.
How about you stifle a little? Jon Postel would not answer your text.
Re: fuck off (Score:2, Insightful)
It's idiotic and pointless NIHing!
It is a "solution" for a problem that would not even exist without already going in the insane direction before!
Jeez, were you all born after 2000 and think "browser = Internet" or what??
There is no point for the extra layers in there! You could just change your DNS server and be done with it! (DNSSEC implied.) So DNS directly over TLS!
HTTP ONLY exists in there because certain morons apparently are physically unable to think outside of the "web" (aka WWW aka "browser content
Re: fuck off (Score:1)
Sheesh. I was using internet before browsers. Condescending git.
Re: (Score:2)
It is no use arguing with BAReFO0t. He does not know the first thing about anything he comments on.
In this particular case he does not know the differences between DNSSEC, DNS-over-TLS, and DNS-over-HTTPS.
Re: (Score:2)
> HTTP ONLY exists in there because certain morons apparently are physically unable to think outside of the "web"
Alternately, x over HTTPS tends to solve the problem of "nefarious actors want to block/intercept/rewrite packets they have no business tampering with" (i.e. Comcast wants to rewrite your DNS responses with "our ad server" rather than NXDOMAIN, or the PRC only wants you to use approved DNS servers so they can censor your content). Unless you're using some DPI-SSL technology and the client trusts your certificate, it's effectively impossible to tell this traffic apart from the rest of the vast glut of https
Re: (Score:2)
> can DNS over HTTPS fuck off and die already?
MS wants it! Hence it will be sickly and have mental issues forever, but it will not die.
Re: (Score:2)
> can DNS over HTTPS fuck off and die already?
Why? Do you have something against the problems it is solving?
Re: (Score:3)
Attempting to address one problem by introducing five worse problems is not a solution.
Re: (Score:2)
> Attempting to address one problem by introducing five worse problems is not a solution.
Can you list the 5? And before you start talking about inability to intercept DNS as a problem remember why this is a solution in the first place.
Re: fuck off (Score:1)
What problems does HTTP solve in there? Hm?
What problem that changing your DNS server in the settings and using DNSSEC cannot solve.
You literally cannot think outside of your browser window, can you, WhatWG idiot.
Re: (Score:3)
HTTP? None. Fortunately DoH doesn't use HTTP, otherwise it would defeat the one problem it is trying to solve.
Now it does use HTTPS. I'll leave it as an exercise to you as to why the S is significant. Although for some reason you seem to think that DNSSEC has something to do with encryption, so I suggest while you're googling DoH you also Google DNSSEC since you seem to know nothing about either.
DNSSEC and DoH solve two different problems with zero percent overlap to the root server. You better hope your DoH
Re: (Score:2)
> can DNS over HTTPS fuck off and die already?
Not yet. Only once Google implements it in their chat apps can we consider it truly dead.
What a scam (Score:5, Insightful)
People are being sold a bridge with DNS over HTTPS, based on pretend privacy. Your ISP will not be able to see your DNS queries all right but, short of using a VPN, they will still be able to see where you are going. On the other hand, your DoH server will be able to see all your queries. And who is going to control that server? Google, Cloudflare, Microsoft. Are they more trustworthy than your ISP? Finally, adding insult to injury, by using an effectively non-blockable port (443) DoH is an invaluable gift for parties keen on disseminating malware through DNS tunnels.
Thanks, Google, Cloudflare, Microsoft, and, especially, Mozilla.
Re:What a scam (Score:5, Interesting)
Firefox turned DoH on with an update, apparently, and it broke my internal network. Behind my firewall, my DNS practices are my own business.
I don't trust any of these fucks.
Re: (Score:2)
So when asked did you accept the change of DNS server and that someone broke your *network*, or are you saying that merely trying to connect to your local DNS resolver over HTTPS to see if it supports DoH is enough to crash it?
In either case it sounds like your network was already very broken if it is that fragile.
Re: (Score:2)
I use Brave. It was other people who clicked through who use Firefox. My internal network has its own DNS that works just fine resolving internal requests to private IPs, which doesn't work so well if applications make their own decisions to use transports and services outside of the firewall. Sounds like you don't know what you're talking about, Judgy McJudgerson.
Re: (Score:2)
> Your ISP will not be able to see your DNS queries all right but, short of using a VPN, they will still be able to see where you are going.
Not true. If they can't see the DNS request all they can see is the IP address you connect to, which is very likely to be a CDN serving hundreds or thousands of unrelated sites.
While it's still not perfect it does greatly increase the cost of surveillance, which is always the goal. The more effort required the less practical mass surveillance becomes.
And you can still use your ISP's unencrypted DNS server on port 53 if you really want to, it's not going away. All this does is upgrade you to DoH if it is available from your preferred server.
Re: (Score:2)
> they will still be able to see where you are going.
Yep. They'll see I'm going to a CDN and from there they'll know that I watched Netflix, or downloaded illegal snuff videos, or watched a church sermon. IP addresses are absolutely useless for telling you anything about what someone is doing on the internet.
That bridge for privacy is not "pretend" in the slightest, especially when that bridge goes over a roadblock that otherwise wouldn't let you pass.
> And who is going to control that server? Google, Cloudflare, Microsoft.
Oh, I'm counting on that. I really hope my data actually goes to a company that will look after it in the name
Re: (Score:2)
It is SSL-encrypted HTTP. And the body of HTTP response has DNS info in it.
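The comment above is exactly right about the mechanics, and the thread's DNSSEC-versus-DoH argument turns on it: the HTTPS body carries an ordinary DNS wire-format message, nothing more. As an added example (not from the article or any poster here), the Python below builds the RFC 8484 request body and GET path for a query and parses a constructed response, all offline; the sample bytes and the 192.0.2.1 answer are made up for illustration.

```python
import base64
import struct

# Constructed sample traffic: the query and the "response" below are built by
# this example itself, not captured from any resolver or from Windows.

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query (RFC 1035) that becomes the DoH request body.
    RFC 8484 recommends transaction ID 0 so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN

def doh_get_path(query: bytes) -> str:
    """GET form of RFC 8484 section 4.1: /dns-query?dns=<base64url, no padding>.
    (The POST form sends the raw bytes with Content-Type application/dns-message.)"""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_a_answers(msg: bytes):
    """Return (owner, ttl, ipv4) for each A record in a response's answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return records

def sample_response(query: bytes) -> bytes:
    """Constructed reply to build_query(): flags QR|RD|RA, NOERROR, one A record
    whose owner is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_path(q))
    print(parse_a_answers(sample_response(q)))   # [('example.com', 300, '192.0.2.1')]
```

Nothing in the message itself is signed or encrypted; TLS hides it from the network path, and only a DNSSEC-validating client or resolver checks whether the answer was tampered with.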
Re: (Score:2)
So just run your own DoH server that does things the way you want?
DNS could be better.. (Score:2)
So this is at least a step in a better direction compared to the browsers deciding to skip the OS entirely in name resolution. The OS providing a consistent name resolution experience solution is far better than the browsers giving up on it.
I still cringe a bit at the 'the only network protocol that exists is HTTP' facet of it. DTLS probably would have been a more minimal amendment to the DNS strategy and maybe SCTP or TCP I could be convinced, but HTTP seems a bit silly. It's not particularly unworkable or
Re: (Score:2)
As far as my home DNS server is concerned, my corporate DNS server does not exist (in fact, it cannot reach it due to private network). Conversely, while my corporate DNS server does have internet address resolution, I don't want to use it when I don't have to and it can't possibly resolve local addresses.
Already I have to set up dnsmasq or similar on my computer that has to reach both, but I have to frequently fight various things on the OS to keep that working, because generally a manually managed localho
This is gonna get tricky (Score:2)
web browser runs through their proxy or the OS runs through its proxy or the router runs through its proxy. Meanwhile you can't self-activate a modem on your cable service because the DNS you hit isn't theirs and doesn't expose their validation service...
While I prefer it in the router most people aren't going to understand that concept to properly set it up so having it in the OS is probably the best rather than have each browser do its own thing. (then again, they're not going to know how to set it up in
Re: (Score:2)
That only really applies to Mozilla's and Google's terrible in-browser implementation though. Supporting it in the OS is just the same as the IP stack supporting any other network protocol. It's there to use, and assuming PiHole has been updated to support DoH on its end then you can specify your device as your DoH server.
Not sure why everyone is assuming MS is making this a mandatory service. It isn't. They are adding protocol support. You have to configure it yourself.
DoH on its own is just a way to prevent
Re: (Score:2)
The question is whether this is being made opt-in or opt-out. If they turn this on by default instead of allowing those who want it to turn it on themselves then we know there's an ulterior motive. And if that motive is strong enough that they'd be willing to break every internal domain in existence then that should scare the shit out of you.
Re: (Score:2)
> - DOH renders things like PiHole and domestic control of DNS useless. Malware and applications are free to serve dedicated advertisements in-app with impunity.
So block known DoH servers. There's not many of them. PiHole doesn't help you.
> - If you forgot Verizon once injected ads in SERVFAIL records until hackers pushed back and basically coded the practice out, you can be forgiven.
No one forgot that. But that's nothing compared to Verizon wholesale selling customer data to 3rd parties. Why do you think DoH became a topic in the first place? It was a response to a need after ISPs have been identified as abusive shits.
> - despotic regimes don't need to care about DOH
Indeed for despotic regimes you want to be VPNing anyway, this isn't relevant there.
It's utterly pointless too! (Score:1)
Don't forget that.
It has exactly zero advantages over just changing your freaking DNS server and maybe port in the settings and using DNSSEC.
It only adds HTTPS for some WhatWGdiotic reason and strongly hints you should have your browser or OS maker spy on you instead of your ISP like that makes a difference to the ad company buying it or the law enforcer abusing his national security letter.
Re: for those looking for the downside. (Score:1)
you can use bind, pihole, with DoH, you can even maintain an Internal dns. I use the cloudflared in DNS proxy mode and use that as the forwarding server. Internal DNS registration still works, and it is not avahi, broadcasts, or WINS.
Also a curious thing happened when I went away from UDP 53 resolution to TCP 443 resolution, queries got faster whether I used 1.1.1.1, 8.8.8.8, or my local ISP dns. I thought it would be slower using TCP
Hahaha, fooled you! (Score:2)
My DNS servers do not support HTTPS. Hence even if the resolution is indirect, the last call will be open.
Re: (Score:1)
You can, one software I know of is cloudflared, there may be others, but this was a simple RPM to install
cloudflared-stable-linux-amd64.rpm
If you want to configure it as a daemon you can, but you can also have it listen on localhost on a different port: /usr/local/bin/cloudflared proxy-dns --port 5353, then set bind, pihole, dnsmasq or whatever to use localhost:5353 as a forwarder. Running MS DNS, or does your DNS server not work with a non port 53 server? Then have it listen on its interface
Re: (Score:2)
Oh, yes, I can, but I chose not to. DNS is not secure anyways. That is not really going to change anytime soon and I prefer to just make that obvious instead of giving a false sense of security.
Re: (Score:1)
I agree that it may induce a false sense of security and there is a point along the chain that can be taken advantage of. But it protects the other parts of DNS; also it was faster for me using DoH than unencrypted DNS. The tinfoil hat in me suspects that somewhere along the line somebody is stopping and possibly looking at my DNS traffic, maybe because I contracted for an ISP once and they had Sandvine equipment and figure they all mess with traffic.
Re: (Score:2)
Wait, really? It can't handle a CNAME? If so, that's strange. I guess I have some reading to do.
Ye olde "average idiot" bullshit argument. (Score:1)
1. Nowadays, average people care a lot about their privacy.
2. If you had friends, you'd know that they do not know, but they know they do not know, and ask their competent friend to do it for them. Clueless does not mean stupid.
3. The stupid meme you just parroted probably did more work to push clueless people to be careless (because it was just expected from them to be like that) than it was ever the case naturally.
Also, again, MS could just set a different DNS server by default and use DNSSEC. HTTP serves
DOH means going full retard. (Score:2)
DNS over TLS would have made sense.
Running your own nameserver would have made even more sense. (Any RPi can do it in its spare time, so it's really not necessary to have a separate server. Put it on every PC and be done with it.)
* over HTTP(S) is just another case of the WhatWG insanity: Replace ALL the things with a web version with pointless layers over useless layers of inner platforms, because when you were born after the invention of the wheel, obviously you need to re-invent one. One that still uses the o
Re: (Score:2)
> DNS over TLS would have made sense.
Solves a different problem than DoH.
> Running your own nameserver would have even more sense.
Solves nothing.
Oh man, I'm not even going to bother reading the rest of your ignorance. I'm amazed that the less you seem to know about a topic, the more you seem to post on Slashdot about it. And you have posted A LOT on this story.
Another ignorant post brought to us by BAReFO0t
Paul Vixie (Score:1)
Paul Vixie talk about DNS over HTTPS