Windows 10 gets DNS over HTTPS support, how to test

Microsoft announced that initial support for DNS over HTTPS (DoH) is now available in Windows 10 Insider Preview Build 19628 for Windows Insiders in the Fast ring.


The DoH protocol addition in a future Windows 10 release was advertised by Redmond in November 2018, with the inclusion of DNS over TLS (DoT) also staying on the table.

DoH enables DNS resolution over encrypted HTTPS connections, while DoT is designed to encrypt DNS queries via the Transport Layer Security (TLS) protocol, instead of using clear text DNS lookups.

Through the inclusion of DoH support in the Windows 10 Core Networking stack, Microsoft boosts its customers’ security and privacy on the Internet by encrypting their DNS queries, removing the plain-text domain names normally visible to anyone on the network path even when the web traffic itself is encrypted.

“If you haven’t been waiting for it, and are wondering what DoH is all about, then be aware this feature will change how your device connects to the Internet and is in an early testing stage so only proceed if you’re sure you’re ready,” Microsoft explains.

How to test DoH right now

Although DoH support is included in the Windows 10 Insider Preview Build 19628 release, the feature is not enabled by default, and Insiders who want Windows to use encryption when making DNS queries will have to opt-in.

If you are a Windows Insider and you want to start testing DoH on your Windows 10 device right away, you will first have to make sure that you are in the Fast ring and that you are running Windows 10 Build 19628 or higher.

To activate the built-in DoH client, follow this procedure:

• Open the Registry Editor
• Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry key
• Create a new DWORD value named “EnableAutoDoh”
• Set its value to 2
[Image: Adding the EnableAutoDoh registry value (Microsoft)]

After you activate the Windows 10 DoH client, Windows will automatically start encrypting your DNS queries if you are using one of these DoH-enabled DNS servers:

Server owner: Server IP addresses
Cloudflare: 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
Google: 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844
Quad9: 9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::fe:9

“You can configure Windows to use any of these IP addresses as a DNS server through the Control Panel or the Settings app,” Microsoft further explains.

“The next time the DNS service restarts, we’ll start using DoH to talk to these servers instead of classic DNS over port 53. The easiest way to trigger a DNS service restart is by rebooting the computer.”

To set these DNS servers using the Windows Control Panel, use the following steps:

• Go to Network and Internet -> Network and Sharing Center -> Change adapter settings.
• Right click on the connection you want to add a DNS server to and select Properties.
• Select either “Internet Protocol Version 4 (TCP/IPv4)” or “Internet Protocol Version 6 (TCP/IPv6)” and click Properties.
• Ensure the “Use the following DNS server addresses” radio button is selected and add the DNS server address into the fields below.
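The same opt-in and server change can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes an elevated prompt on Build 19628 or later and an adapter named "Ethernet" (adjust $AdapterName to match your interface). It writes the EnableAutoDoh value named above, points the adapter at Cloudflare's auto-promoted resolvers, and then reads both settings back so you can confirm the configuration before rebooting.

```powershell
# Added example (not from the article): enable the Insider DoH client and select an auto-promoted resolver.
# Assumptions: elevated PowerShell, Windows 10 Build 19628+, adapter alias "Ethernet".
$AdapterName = "Ethernet"
$RegPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"

# 1. Opt in: EnableAutoDoh = 2 is the switch described in the article.
New-ItemProperty -Path $RegPath -Name "EnableAutoDoh" -PropertyType DWord -Value 2 -Force | Out-Null

# 2. Use resolvers that are on the auto-promotion list (Cloudflare here; Google 8.8.8.8/8.8.4.4
#    or Quad9 9.9.9.9/149.112.112.112 work the same way). DoH is only used for servers on that list,
#    so a resolver outside it silently falls back to classic port-53 DNS.
Set-DnsClientServerAddress -InterfaceAlias $AdapterName -ServerAddresses @("1.1.1.1", "1.0.0.1")

# 3. Read both settings back before trusting the change.
$doh     = (Get-ItemProperty -Path $RegPath -Name "EnableAutoDoh").EnableAutoDoh
$servers = (Get-DnsClientServerAddress -InterfaceAlias $AdapterName -AddressFamily IPv4).ServerAddresses

"EnableAutoDoh = $doh (expected 2)"
"IPv4 DNS servers on ${AdapterName}: $($servers -join ', ')"

# 4. DoH is picked up when the DNS Client service restarts; the article recommends a reboot.
"Reboot the machine to restart the DNS Client service and activate DoH."
```

Restarting the Dnscache service in place is not attempted here because the article's guidance is a reboot; check the EnableAutoDoh value and the server list first, since a typo in either leaves DNS flowing in plain text without any visible error.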

How to test if DoH is working

To check if the Windows DoH client is doing its job, you can use the PacketMon utility to check the traffic going out to the web over port 53 — once DoH is enabled, there should be little to no traffic.

To do that, open an elevated Command Prompt or PowerShell window and run the following commands to reset PacketMon's traffic filters, add a filter for port 53 (the port used for unencrypted DNS queries), and start real-time traffic logging:

pktmon filter remove
pktmon filter add -p 53
pktmon start --etw -m real-time
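Watching a real-time stream is awkward in a script. The following PowerShell is an added example, not from the article: it uses the same port-53 filter, logs to a file instead of the console, forces a few lookups after clearing the resolver cache, and then converts the trace to text and counts what was captured. It assumes an elevated prompt, Build 19628 or later with EnableAutoDoh set and an auto-promoted resolver configured; the test names are constructed, and treating each line of the formatted log as one captured event is an approximation, so inspect the text file when the count is non-zero.

```powershell
# Added example (not from the article): capture any plain-text DNS that still leaves the host
# while lookups are forced, to verify a DoH deployment from a script.
# Assumptions: elevated PowerShell, Build 19628+, EnableAutoDoh = 2, resolver from the auto-promotion list.
$TestNames = @("example.com", "example.net")      # constructed test names
$LogFile   = Join-Path $PWD "PktMon.etl"           # pktmon's default log file in the current directory
$TextFile  = Join-Path $PWD "port53.txt"

pktmon filter remove                # clear any filters left from earlier runs
pktmon filter add -p 53             # classic DNS on UDP/TCP port 53 only
pktmon start --etw                  # log matching packets to PktMon.etl

Clear-DnsClientCache                # make sure the names are actually resolved, not served from cache
foreach ($n in $TestNames) {
    Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue | Out-Null
}
Start-Sleep -Seconds 2              # give the trace time to flush

pktmon stop
pktmon format $LogFile -o $TextFile # convert the binary trace to readable text

# Approximation: one line of formatted output per logged packet event.
$events = 0
if (Test-Path $TextFile) {
    $events = (Get-Content $TextFile | Where-Object { $_.Trim() -ne "" } | Measure-Object).Count
}

if ($events -eq 0) {
    "No port-53 traffic captured while resolving $($TestNames -join ', '): lookups went over DoH."
} else {
    "$events port-53 events captured: some lookups are still plain text. Review $TextFile."
}
```

A non-zero count is the useful result from a defender's point of view: it usually means the configured resolver is not on the auto-promotion list, the registry value was not applied, or the DNS Client service has not restarted since the change, and the text file shows which queries leaked.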

Microsoft also provides instructions on how to test the DoH client by manually adding DNS servers with DoH support that aren’t in the default auto-promotion list.

[Image: Monitoring Windows 10 plain-text DNS traffic]

DoH adoption, trials, and future plans

Mozilla already rolled out DNS-over-HTTPS by default to all US-based Firefox users starting February 25, 2020, by enabling Cloudflare’s DNS provider and allowing users to switch to NextDNS or another custom provider from the browser’s network options.

Google is also currently running a limited DoH trial on all platforms (besides Linux and iOS) starting with the release of Chrome 79.

However, unlike Mozilla, Google will not automatically change the DNS provider; instead, Chrome upgrades its DNS resolution protocol only when the user's existing default DNS provider has DoH support.

US government agencies’ CIOs were also advised last month to disable third-party encrypted DNS services until an official federal DNS resolution service with DNS over HTTPS (DoH) and DNS over TLS (DoT) support is ready.


Source: https://www.bleepingcomputer.com/news/microsoft/windows-10-gets-dns-over-https-support-how-to-test/
