Microsoft announced that initial support for DNS over HTTPS (DoH) is now available in Windows 10 Insider Preview Build 19628 for Windows Insiders in the Fast ring.
DoH enables DNS resolution over encrypted HTTPS connections, while DoT is designed to encrypt DNS queries via the Transport Layer Security (TLS) protocol, instead of using clear text DNS lookups.
Through the inclusion of DoH support in the Windows 10 Core Networking stack, Microsoft boosts its customers’ security and privacy on the Internet by encrypting their DNS queries and automatically removing the plain-text domain names normally present in unsecured web traffic.
“If you haven’t been waiting for it, and are wondering what DoH is all about, then be aware this feature will change how your device connects to the Internet and is in an early testing stage so only proceed if you’re sure you’re ready,” Microsoft explains.
How to test DoH right now
Although DoH support is included in the Windows 10 Insider Preview Build 19628 release, the feature is not enabled by default, and Insiders who want Windows to use encryption when making DNS queries will have to opt-in.
If you are a Windows Insider and you want to start testing DoH on your Windows 10 device right away, you will first have to make sure that you are in the Fast ring and that you are running Windows 10 Build 19628 or higher.
To activate the built-in DoH client, you will have to follow the following procedure:
• Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry key
• Create a new DWORD value named “EnableAutoDoh”
• Set its value to 2
After you activate the Windows 10 DoH client, Windows will automatically start encrypting your DNS queries if you are using one of these DoH-enabled DNS servers:
Server Owner | Server IP addresses
Cloudflare | 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
Google | 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844
Quad9 | 9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::fe:9
“You can configure Windows to use any of these IP addresses as a DNS server through the Control Panel or the Settings app,” Microsoft further explains.
“The next time the DNS service restarts, we’ll start using DoH to talk to these servers instead of classic DNS over port 53. The easiest way to trigger a DNS service restart is by rebooting the computer.”
To add your own custom DNS servers using the Windows Control Panel, use the following steps:
• Right click on the connection you want to add a DNS server to and select Properties.
• Select either “Internet Protocol Version 4 (TCP/IPv4)” or “Internet Protocol Version 6 (TCP/IPv6)” and click Properties.
• Ensure the “Use the following DNS server addresses” radio button is selected and add the DNS server address into the fields below.
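The opt-in registry change and the resolver configuration above can be scripted in one go. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes an elevated session on Insider build 19628 or newer, an adapter called "Ethernet" (a placeholder, override it with the parameter) and the Cloudflare pair as the default resolvers. It also refuses addresses that are not in the auto-promotion table, because with any other resolver the client keeps using classic DNS over port 53 even after EnableAutoDoh is set.

```powershell
# Added example (not from the article or Microsoft): enable the Windows 10 Insider
# DoH client and point an adapter at one of the auto-promoted resolvers.
# Assumes an elevated PowerShell session on Insider build 19628 or newer.
#Requires -RunAsAdministrator

param(
    # Adapter to reconfigure; 'Ethernet' is an assumed placeholder, change as needed.
    [string]$InterfaceAlias = 'Ethernet',
    # Resolver pair from the article's auto-promotion table (Cloudflare by default).
    [string[]]$Servers = @('1.1.1.1', '1.0.0.1')
)

# Resolvers that this build auto-upgrades to DoH, copied from the table above.
$DohCapable = @(
    '1.1.1.1', '1.0.0.1', '2606:4700:4700::1111', '2606:4700:4700::1001',   # Cloudflare
    '8.8.8.8', '8.8.4.4', '2001:4860:4860::8888', '2001:4860:4860::8844',   # Google
    '9.9.9.9', '149.112.112.112', '2620:fe::fe', '2620:fe::fe:9'            # Quad9
)

# 1. Refuse to run on a build that predates the feature (19628).
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
if ($build -lt 19628) {
    throw "Build $build is too old; the DoH client needs Insider build 19628 or higher."
}

# 2. Only accept servers from the auto-promotion list; anything else would keep
#    resolving in clear text over port 53 even with the client switched on.
foreach ($s in $Servers) {
    if ($DohCapable -notcontains $s) {
        throw "$s is not in the auto-promotion list; DoH would not be used for it."
    }
}

# 3. Opt in: EnableAutoDoh = 2 (DWORD) under the Dnscache service parameters key.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
New-ItemProperty -Path $key -Name 'EnableAutoDoh' -PropertyType DWord -Value 2 -Force | Out-Null

# 4. Hand the chosen resolvers to the adapter (the scripted form of the Control Panel steps).
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $Servers

# 5. Show what was applied. The DNS service only picks the change up on its next
#    restart, and the simplest way to restart it is a reboot.
Get-ItemProperty -Path $key -Name 'EnableAutoDoh' | Select-Object EnableAutoDoh
Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses
Write-Host 'Reboot to restart the DNS service and begin using DoH.'
```

Run it as `.\Enable-Doh.ps1 -InterfaceAlias 'Wi-Fi' -Servers 9.9.9.9,149.112.112.112` to pick a different adapter or resolver; the build and allow-list checks are there so the script fails loudly instead of silently leaving you on clear-text DNS.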
How to test if DoH is working
To check if the Windows DoH client is doing its job, you can use the PacketMon utility to check the traffic going out to the web over port 53 — once DoH is enabled, there should be little to no traffic.
To do that, open a Command Prompt or a PowerShell window and run the following commands to reset PacketMon network traffic filters, add a traffic filter for port 53 (the port used for unencrypted DNS queries), and to start real-time traffic logging:
pktmon filter remove
pktmon filter add -p 53
pktmon start --etw -m real-time
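Real-time output is handy for eyeballing, but a capture that you can count is easier to turn into a yes/no answer. The following PowerShell is an added example, not from the article or from Microsoft: it logs port-53 traffic to a file with PacketMon, forces a few lookups, and then counts how many captured packets were addressed to the resolvers the host is configured with. It assumes an elevated session on Insider build 19628 or newer and the pktmon syntax of that build (`filter remove`, `filter add`, `start --etw`, `stop`, `format`); the names resolved are a constructed sample set.

```powershell
# Added example (not from the article or Microsoft): count clear-text DNS packets
# on port 53 while Windows resolves a few names. Assumes an elevated session on
# Insider build 19628+ and that build's pktmon command syntax.
#Requires -RunAsAdministrator

param(
    # Constructed sample set of names to resolve during the capture.
    [string[]]$Names = @('example.com', 'example.net', 'example.org'),
    # Where PacketMon writes the ETL capture (assumed location).
    [string]$LogFile = "$env:TEMP\doh-check.etl"
)

# Resolvers currently configured on any adapter; port-53 packets to these are
# exactly the clear-text lookups DoH is supposed to eliminate.
$servers = (Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses }).ServerAddresses |
    Select-Object -Unique
if (-not $servers) { throw 'No DNS servers configured; nothing to check.' }

# Start from a clean filter set, then keep only classic DNS (port 53).
pktmon filter remove | Out-Null
pktmon filter add -p 53 | Out-Null

# Log matching packets to the ETL file (full packets, -p 0) rather than the console.
pktmon start --etw -p 0 -f $LogFile | Out-Null

# Bypass the local cache so every name really goes out to the configured resolver.
Clear-DnsClientCache
foreach ($n in $Names) {
    Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue | Out-Null
}

pktmon stop | Out-Null
pktmon filter remove | Out-Null

# Render the capture as text and count lines that mention a configured resolver.
$txt = "$LogFile.txt"
pktmon format $LogFile -o $txt | Out-Null
$pattern = ($servers | ForEach-Object { [regex]::Escape($_) }) -join '|'
$plain = @(Select-String -Path $txt -Pattern $pattern).Count

[pscustomobject]@{
    NamesResolved    = $Names.Count
    Resolvers        = ($servers -join ', ')
    ClearTextPackets = $plain
    Verdict          = if ($plain -eq 0) {
        'No port-53 traffic to the configured resolvers: lookups are going over DoH'
    } else {
        'Clear-text DNS is still leaving the host; check the build, the registry value and the resolver list'
    }
    LogText          = $txt
}
```

A non-zero count after a reboot usually means the resolver is not in the auto-promotion list or EnableAutoDoh was not picked up; a zero count from a host that was never rebooted after the change is not yet proof of anything, because the running DNS service is still the one that started before the registry value existed.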
Microsoft also provides instructions on how to test the DoH client by manually adding DNS servers with DoH support that aren’t in the default auto-promotion list.
DoH adoption, trials, and future plans
Mozilla already rolled out DNS-over-HTTPS by default to all US-based Firefox users starting February 25, 2020, by enabling Cloudflare’s DNS provider and allowing users to switch to NextDNS or another custom provider from the browser’s network options.
Google is also currently running a limited DoH trial on all platforms (besides Linux and iOS) starting with the release of Chrome 79.
However, unlike Mozilla, Google will not automatically change the DNS provider; instead, it will only upgrade Chrome’s DNS resolution protocol when the default DNS provider has DoH support.
US government agencies’ CIOs were also advised last month to disable third-party encrypted DNS services until an official federal DNS resolution service with DNS over HTTPS (DoH) and DNS over TLS (DoT) support is ready.
Source: https://www.bleepingcomputer.com/news/microsoft/windows-10-gets-dns-over-https-support-how-to-test/