Microsoft adds initial support for DNS-over-HTTPS (DoH) in Windows Insiders
Support for the DNS-over-HTTPS protocol has landed this week in Windows Insiders, Microsoft’s experimental version of Windows, where the company tests new features before making them broadly available.
Current Windows 10 Insiders Fast Ring distributions now include a DNS-over-HTTPS (DoH) client.
When activated, this new DoH client will allow the Windows OS to use the DoH protocol instead of classic DNS when connecting to the internet and when resolving web domains.
Work on adding a DoH client in Windows 10 began last year, in November.
Microsoft was responding to a rise in public interest in using DoH instead of DNS. At the time, browsers like Chrome and Firefox had shipped support for DoH.
However, from a software architecture perspective, Mozilla's and Google's DoH rollouts were criticized by many engineers and system administrators.
Ever since the early days of operating system design, the OS has been in charge of DNS settings for all apps. By adding DoH support in browsers, Mozilla and Google took this control out of the operating system’s capabilities and, inherently, created problems for enterprise system administrators.
By developing a DoH client, Microsoft is bringing this control back to the OS level. The move benefits not only system administrators of large corporate networks but also home consumers, who will gain DoH's increased privacy even in apps that don't natively support DoH (as Chrome and Firefox do now).
The DoH protocol is currently viewed as a win for user privacy. It works by taking a regular DNS request to resolve a web domain and hiding it in transit.
Instead of sending the request in cleartext to a DNS server over port 53, DoH takes the request, encrypts it, and sends it as regular HTTPS traffic via port 443. In other words, DoH effectively hides DNS inside regular HTTPS traffic.
DNS servers that can process DoH traffic are called DoH resolvers. A DoH resolver has an open interface that listens for incoming HTTPS traffic, decrypts the request, resolves against the normal DNS name server systems, and returns the result to the user via the same HTTPS route, hence the name DNS-over-HTTPS.
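What "hiding DNS inside HTTPS" means at the byte level, as an added example (not the article's, and not Microsoft's client code): the DNS message is the ordinary RFC 1035 wire format; only the transport changes, per RFC 8484, to an HTTPS request carrying `application/dns-message`. The resolver URL and the constructed reply are assumptions for illustration.

```python
import base64
import struct
import urllib.request
def build_query(name, qtype=1, txid=0):
    """RFC 1035 wire-format query: 12-byte header + one question (txid 0 as RFC 8484 suggests)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype A, qclass IN

def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: the query bytes ride base64url-encoded, unpadded, in the dns= parameter."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def _skip_name(msg, pos):  # advance past a (possibly compressed) domain name
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length

def parse_a_records(message):
    """Return the IPv4 addresses in the answer section of a wire-format DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", message[:12])
    if flags & 0x000F:  # non-zero RCODE: the resolver reported an error (e.g. NXDOMAIN)
        raise ValueError(f"DNS error, rcode={flags & 0xF}")
    pos = 12
    for _ in range(qdcount):  # skip the echoed question(s): name + qtype + qclass
        pos = _skip_name(message, pos) + 4
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(message, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", message[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in message[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_over_https(resolver_url, name):
    """RFC 8484 POST form: the same bytes travel inside TLS on port 443 (needs network access)."""
    req = urllib.request.Request(resolver_url, data=build_query(name), headers={
        "content-type": "application/dns-message", "accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

def constructed_response(query, ipv4, ttl=300):
    """Constructed test reply (not from a real resolver): echo the question, add one A record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; 1 answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + rr
```

On a real network, `resolve_over_https("https://dns.example/dns-query", "example.com")` (hypothetical resolver URL) would show as nothing but a TLS session to port 443; the classic port-53 query it replaces is visible in cleartext.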
Last year, Microsoft said that its end goal for the Windows DoH client is to migrate users from DNS to DoH without the user having to change any of their DNS settings. This would be done by having Windows automatically detect whether a user's locally configured DNS servers also expose a DoH interface.
If the DoH client is enabled, Windows will use the DoH interface and fall back to classic DNS when DoH interfaces aren’t available or responding.
The Windows DoH client that shipped this week with Windows 10 Insiders Fast Ring builds supports only three DoH resolvers at the moment (Cloudflare, Google, Quad9), but this restriction applies only to the testing phase; the client is expected to work seamlessly once it reaches the stable Windows release.
Fast Ring users willing to give the DoH client a go can find instructions on how to enable the client on this page.