Microsoft joins Google and Mozilla in adopting DNS over HTTPS data security protocol

Microsoft has put its weight behind the DNS-over-HTTPS (DoH) security protocol, greatly increasing the likelihood of it becoming a default internet standard. In a post published Sunday on its networking blog, Microsoft engineers confirmed plans to adopt DoH as a default, explaining that it would “close one of the last …

  1. big_D Silver badge

    Windows Server

    I'm assuming that future versions of Windows Server will include DNS over HTTPS in their DNS service for clients.

    I prefer this method to what Google and Firefox are doing - I've already blocked DNS over HTTPS to their known DNS servers on my firewall and I am enforcing a local DNS over HTTPS in my USG, which uses my Pi-Hole as its authority. In turn, the Pi-Hole uses DNS over TLS and DNSSEC to Quad9 for its DNS source.

    One question, why use DNS over HTTPS, when DNS over TLS already exists and doesn't break traditional DNS?

    1. Pascal Monett Silver badge

      Re: Windows Server

      Because, as written in the article, DNS over TLS leaves the ISPs with the power to view your destination, whereas DNS over HTTPS removes that ability since it is encrypted end-to-end.

      Obviously, ISPs prefer DNS over TLS because apparently there isn't a single organization out there that doesn't want to track your activity.

      1. big_D Silver badge

        Re: Windows Server

        DNS over TLS is no different to DNS over HTTPS, apart from the fact that it uses the DNS protocol, as opposed to HTTPS. Both are end-to-end encrypted and can't be spied upon. But it is a more standard protocol, so probably the ISPs are keener on using that themselves than DoH.

        If you use a DNS provider other than your ISP and use TLS, they can't see the traffic. DoH uses the same TLS encryption as well, but over HTTPS TCP instead of DNS UDP.

        1. big_D Silver badge

          Re: Windows Server

          Also, at the moment, Chrome and Firefox disrespect your own DNS settings and use their own DNS servers (Google and Cloudflare by default, respectively), whereas non-browser DNS respects the operating system settings.

          I suspect that that is the part that the ISPs don't like. It is certainly the part I don't like, because I have a carefully curated DNS server on my network; the last thing I want is my browser to arbitrarily ignore my settings.

          Blocking DoH to known Google and Cloudflare DNS servers was my solution to the problem. I could see disreputable ISPs doing that as well.

          1. john.jones.name

            exactly

            The problem is that end points (slab or phone or actual so-called personal computer) mostly have terrible resolvers, which on a PC is most often down to Microsoft.

            So Firefox decided to bypass the system (in the USA) and set up a TLS connection to Cloudflare and send all the traffic to them (effectively over an SSL tunnel).

            The BOFH who set up all those internal websites was none too pleased since support calls came in...

            The BOFH who monitored for p0rn was none too pleased when everyone bypassed the controls...

            The solution from networking types was to use a standard DoT which phones work with (modern Android and MDM'd iPhones)... and respect the BOFH while still giving privacy if the BOFH allowed it... which they won't, but then they will block DoH anyway via fancy DPI, so that solves nothing either.

            My issue is that NONE of this infrastructure actually verifies the answers it is getting... how dumb is that?

            VERY

            Microsoft realise that they have to do some engineering on their resolver; I hope they realise verification is important...

          2. DavCrav Silver badge

            Re: Windows Server

            "I could see disreputable ISPs doing that as well."

            You mean anyone who wants to follow government-mandated blocking like Cleanfeed and court-ordered blocks on pirate sites? If Google really does break Cleanfeed, expect blocking Google DNS to be mandated by the courts as well.

            Or we could test out that extradition treaty, with the charge 'aiding and abetting the distribution of child pornography'. Couple of decades' porridge for Eric?

            1. Anonymous Coward

              Re: Windows Server

              If Cleanfeed can be defeated by not using an ISP's DNS servers, it's not fit for purpose. While it may be a useful way of detecting access to hosts with illegal content, it could be bypassed using a hosts file sent out-of-band.

              Your argument for Google (or A.N.Other DoH provider) being prosecuted would seek compliance potentially with a prosecution as well, but I am not sure a DoH provider is breaking the current laws.

              TL;DR: Cleanfeed can no longer rely on DNS for blocking content assuming it currently does as most (all?) ISPs use other methods to identify/block the traffic. The lack of DNS may result in more false positives but that's a small side effect given the nature of Cleanfeed.

              1. Suricou Raven Silver badge

                Re: Windows Server

                Cleanfeed is just BT's implementation. It has become something of a genericised trademark though, as other ISP filters are sometimes referred to as Cleanfeed.

                There is no government mandate on exactly how the filtering is to be achieved. There isn't even a statutory requirement that filtering be used at all - but there have been a few political statements making it quite clear that if all major ISPs do not voluntarily maintain some form of filter, a law to force them will be passed. It's an optional-but-not-really thing.

                As for how it works, who knows? The systems are very secretive. There was the incident some years ago in which part of Wikipedia was blocked that shed some light on how it works, and the Australian block list was leaked once revealing it to be full of mistakes and over-blocking, but for the most part it's so secretive that when a page is blocked some ISPs spoof a 404 error in order to obscure that any filtering is happening at all. The Virgin Media system, as of 2008, used a combination of DNS filtering, IP filtering and - for hosts which required blocking only some files, or shared hosts - redirecting all HTTP traffic for a certain host through a proxy server which could block specific files. That's how the Wikipedia block was detected - for a brief time all UK traffic was being directed through just a few proxy servers, and appearing to come from this handful of IP addresses, which played hell with Wikipedia's abuse and spam detection. That was more than ten years ago, so it's very likely they have moved on to something more advanced now - probably involving a list of suspect IPs on which to carry out DPI.

              2. Roland6 Silver badge

                Re: Windows Server

                >Your argument for Google (or A.N.Other DoH provider) being prosecuted would seek compliance potentially with a prosecution as well, but I am not sure a DoH provider is breaking the current laws.

                Well, given the current UK laws, it can be argued a DoH provider is an "electronic communications service (ECS) provider", so subject to the relevant UK laws and regulations...

                I suspect, browser vendors who include IP address details of DoH servers outside of the UK/EU may fall foul of the law...

        2. Time Waster

          Re: Windows Server

          Indeed. Let’s not go starting rumours that DoH is somehow more secure than DoT. HTTPS is simply HTTP over TLS, so the only real difference between these protocols is that DoH is a text protocol beneath the encryption, whereas DoT is binary (and actually designed for the purpose of efficiently performing DNS transactions rather than serving web pages).
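The framing difference discussed in the posts above, as an added example that is not from this thread: the same RFC 1035 query bytes are sent with a two-byte length prefix inside TLS to port 853 for DoT (RFC 7858), and for DoH (RFC 8484) either base64url-encoded in a GET `dns=` parameter or as an `application/dns-message` POST body. The resolver name dns.example is a placeholder; the GET URL produced for www.example.com matches the worked example in RFC 8484.

```python
import base64
import struct

# Constructed example query. The DNS message itself (RFC 1035 wire format)
# is identical for classic DNS, DoT and DoH; only the transport framing differs.


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS query for `name` (default QTYPE 1 = A, QCLASS 1 = IN).

    txid defaults to 0: RFC 8484 recommends a zero ID for DoH so that
    identical queries yield identical URLs that HTTP caches can reuse.
    """
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def dot_frame(msg: bytes) -> bytes:
    """DoT (RFC 7858): DNS-over-TCP framing, a 2-byte big-endian length prefix
    followed by the message, carried inside a TLS session to port 853."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, template: str) -> str:
    """DoH (RFC 8484) GET: the same bytes, base64url-encoded without padding,
    in the `dns` query parameter of the resolver's URI template."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


def doh_get_decode(param: str) -> bytes:
    """Recover the DNS message from a `dns=` parameter (what the server does)."""
    padded = param + "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(padded)


def doh_post_request(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH POST: the raw message as the HTTP body, typed application/dns-message."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + msg


if __name__ == "__main__":
    query = build_dns_query("www.example.com")
    print("DNS message      :", query.hex())
    print("DoT (TCP/853)    :", dot_frame(query).hex())
    print("DoH GET (TCP/443):", doh_get_url(query, "https://dns.example/dns-query"))
    body = doh_post_request(query, "dns.example").split(b"\r\n\r\n", 1)[1]
    print("DoH POST body    :", body.hex())
```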

    2. EastFinchleyite

      Re: Windows Server

      "DNS over TLS (DoT) that ISPs prefer because it gives them continued access to unencrypted DNS traffic." I am not sure that statement makes sense but perhaps....

      My understanding of this issue comes largely from El Reg in its previous articles. From 23rd October 2018 comes

      ========================================

      "Network admins, he argued on Twitter, need to be able to see and analyse DNS activity, and DoH prevents that. "DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH."

      DoT is DNS over TLS, RFC 7858, a separate standard from DoH that works towards the same integrity and privacy aims. Which matters more, network or user?

      While DoT achieves those aims, it's still subject to a level of interference that DoH resists: DoT has port 853 to itself, and can therefore be blocked, and a user's DoT request (but not the content of, or response to, that request) is visible from the network.

      DoH, on the other hand, shares port 443 with other HTTPS traffic."

      ====================================

      I think this means that both DoT and DoH traffic is encrypted but because the DoH traffic is merged in with all other HTTPS traffic on port 443, the DoH traffic cannot easily be identified as DNS traffic. It can under DoT although you can't see what is actually in it.

      The real issue here is who runs the DNS servers. It seems that Google and Microsoft through their browsers are defaulting all DNS over HTTPS traffic to their own servers where it is decrypted and they can see everything. Do you trust them?

      At the moment in the UK, my Plusnet router defaults to DNS servers chosen by them. I can (and have) easily chosen the OpenDNS alternative. I think this may become much more difficult in future as the DoH choice will be done by the browser. Trust Microsoft and Google to improve matters to their own advantage.

      1. P. Lee Silver badge

        Re: Windows Server

        Several interesting aspects:

        1. DNS controls disappear. Things like Cisco's umbrella become a bit pointless.

        2. Apps should still respect system DNS configuration because you may need internal DNS.

        3. Apps snitching on you become more difficult to stop

        4. If it's difficult to monitor snitching apps, you should ditch them entirely. Avoid anything with cloud ties - no Chrome or Edge, maybe swap for Chromium, Brave, Dissenter.

        5. DNS amplification attacks should disappear.

        6. Offering open DNS resolvers should be safe (though using them without DNSSEC is another matter...) which means the type of DNS censorship Australia implements should be generally obsolete. Bitchute might benefit from this.

        1. No 3

          Re: Windows Server

          Curious here: how will all of this work with captive portals?

          i.e. when I connect to the 'free' wifi network on the subway, a captive portal opens which I have to click an 'I agree' button.

          1. Sandtitz Silver badge

            Re: Windows Server

            "Curious here: how will all of this work with captive portals?

            i.e. when I connect to the 'free' wifi network on the subway, a captive portal opens which I have to click an 'I agree' button."

            Perhaps some of them will break.

            If the user is first redirected to a web page with only an IP address - the captive portal should work.

            At least Firefox can be configured to use traditional DNS as a fallback if DoH queries fail. (network.trr.mode=2) So it still should work.

        2. eldakka Silver badge

          Re: Windows Server

          1. DNS controls disappear. Things like Cisco's umbrella become a bit pointless.

          Incorrect.

          If you are in a location where such a beast is being used, it means you are on some sort of controlled network, e.g. a corporate (work) network, or a university network, or similar environment, i.e., not using your home private network.

          In this scenario, if the network admins (as directed by the organisations policies) are actually concerned about security, as opposed to just saying they care, then they will be using MITM proxies (e.g. Bluecoat proxies, F5s, etc.) for all network traffic anyway. Which means they can see the content of all HTTPS traffic anyway. Which means they can poke into the packet, see it's a DoH request, and do whatever they want with it, discard, reject with error messages, or redirect to their own internal DNS servers.

          If you are on a network that doesn't deem installing MITM proxies in it as worthwhile for monitoring internal security (what the users of the network are doing), then it is not a network that takes internal security seriously, therefore it doesn't matter if they can't tell what is in the packet.

          Since ISPs are 'passthrough' networks (that is, they have no rights to what's in the packets anyway; they are dumb pipes), it is irrelevant if they can't see what is in DoH requests.

      2. thondwe

        Re: Windows Server

        Think this is the key point, if your ISP wants to force you to use their DNS server at the moment, it's easy for them to limit port 53 to just their DNS servers? Same would apply to DoT on port 853.

        DoH being mingled in with https means they need to block a (huge) list of alternative DoH servers.

        What's NOT broken (if your ISP router gets DoH support, or you can do the same at the OS level) is the ability to force your DNS client to use Cisco Umbrella or similar DNS filtering service or EVEN use the ISP's own DNS filtering servers - which will no doubt be the default setup for many ISPs anyway?
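The port-based versus list-based distinction thondwe draws above, as an added example that is not from this thread: a small classifier over constructed flow records that recognises plain DNS and DoT from the destination port alone, recognises DoH only when the destination IP or TLS SNI matches a known-resolver list (seeded with the Cloudflare, Google and Mozilla addresses named elsewhere in this thread), and shows that DoH to an unlisted server is indistinguishable from ordinary HTTPS. The Flow record, the sample flows and the 192.168.1.2 resolver address are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Public DoH resolver addresses named in this thread (Cloudflare, Google,
# Mozilla's Cloudflare endpoint). Anything not on a list like this is just
# another port-443 destination.
KNOWN_DOH_IPS = {
    ipaddress.ip_address(a)
    for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
              "104.16.248.249", "104.16.249.249")
}

# Resolver names that may appear in the TLS ClientHello SNI, which is
# cleartext in TLS 1.2 and 1.3 unless the client encrypts it.
KNOWN_DOH_SNI = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google"}


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed record, not a real log format)."""
    proto: str                 # "udp" or "tcp"
    dst_ip: str                # IPv4 or IPv6 literal
    dst_port: int
    sni: Optional[str] = None  # server name from the ClientHello, if seen


def classify(flow: Flow) -> str:
    """Name the DNS transport a flow most likely carries.

    Plain DNS and DoT are recognisable from the port alone; DoH shares 443
    with every other HTTPS connection and is only recognised by destination.
    """
    if flow.dst_port == 53:
        return "dns-plain"
    if flow.proto == "tcp" and flow.dst_port == 853:
        return "dot"                       # RFC 7858 dedicated port
    if flow.proto == "tcp" and flow.dst_port == 443:
        if ipaddress.ip_address(flow.dst_ip) in KNOWN_DOH_IPS:
            return "doh-known-ip"
        if flow.sni and flow.sni.lower().rstrip(".") in KNOWN_DOH_SNI:
            return "doh-known-sni"
        return "https-opaque"              # may or may not be DoH; cannot tell
    return "other"


def policy(flow: Flow, allowed_resolvers: Set[str]) -> str:
    """'Only my resolver may talk DNS' as a per-flow verdict.

    Port-identifiable DNS (53, 853) is accepted only to the listed resolvers.
    Recognised DoH endpoints are dropped. Everything else on 443 must be
    accepted, because dropping it would drop the web as well.
    """
    kind = classify(flow)
    if kind in ("dns-plain", "dot"):
        return "accept" if flow.dst_ip in allowed_resolvers else "drop"
    if kind.startswith("doh-"):
        return "drop"
    return "accept"


def summarize(flows: Iterable[Flow], allowed_resolvers: Set[str]) -> Dict[Tuple[str, str], int]:
    """Count flows by (classification, verdict) to see what the ruleset catches."""
    counts: Dict[Tuple[str, str], int] = {}
    for flow in flows:
        key = (classify(flow), policy(flow, allowed_resolvers))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic. 192.168.1.2 stands for the local Pi-hole;
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
ALLOWED_RESOLVERS = {"192.168.1.2"}
SAMPLE_FLOWS = [
    Flow("udp", "192.168.1.2", 53),                                      # local resolver
    Flow("udp", "8.8.8.8", 53),                                          # bypass attempt on port 53
    Flow("tcp", "203.0.113.9", 853),                                     # bypass attempt via DoT
    Flow("tcp", "1.1.1.1", 443),                                         # DoH to a listed IP
    Flow("tcp", "203.0.113.10", 443, sni="mozilla.cloudflare-dns.com"),  # listed name, unlisted IP
    Flow("tcp", "203.0.113.20", 443, sni="doh.example"),                 # DoH to an unlisted server
    Flow("tcp", "2001:db8::443", 443, sni="www.example.com"),            # ordinary IPv6 HTTPS
    Flow("tcp", "203.0.113.30", 80),                                     # plain HTTP
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.proto}/{flow.dst_port:<4} {flow.dst_ip:<18} "
              f"{classify(flow):<14} -> {policy(flow, ALLOWED_RESOLVERS)}")
    for (kind, verdict), n in sorted(summarize(SAMPLE_FLOWS, ALLOWED_RESOLVERS).items()):
        print(f"{n} x {kind:<14} {verdict}")
```

The two "https-opaque" flows that pass are the gap the thread is circling: one is a normal website, the other is DoH to a server nobody has listed yet, and the ruleset cannot tell them apart.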

        1. Roland6 Silver badge

          Re: Windows Server

          DoH being mingled in with https means they need to block a (huge) list of alternative DoH servers.

          Bet it is a lot shorter than the list of adware/malware sites that corporate firewalls currently block...

          The real problem with everything over HTTPS is that it effectively moves functionality that is currently handled by lower layers of the network stack into the application with all the processing overheads and security ramifications of doing system stuff in user space.

          1. EnviableOne Silver badge

            Re: Windows Server

            ^^^ This is the key difference. DoT identifies as control plane traffic at layer 3; to distinguish DoH from web traffic you have to look at layer 5 at least.

            You can make port level decisions in ASICs, whereas you need CPU time to make application level distinctions, and in delay sensitive applications that can make all the difference.

            DoT allows you to prioritise DNS over general web traffic and allows you to service it on a separate port too, which you can't do with DoH.

            DoT is just as encrypted as DoH, but quicker and less resource intensive to implement, so it saves energy, time and capability, making it better for battery life and minimisation, and better for the environment.

            DoT is the logical choice, but this is being led by browser makers; they don't see traffic till it hits layer 6 (or occasionally 5) and they don't understand what goes on between the client and the server.

      3. big_D Silver badge

        Re: Windows Server

        Except that the Google and Cloudflare DoH servers, for example, have known addresses, so you just block traffic to them on the firewall.

  2. Blockchain commentard Silver badge

    On corporate AD networks, it's normally an internal server (or two) which does DNS stuff, so I hope they implement it on the server side and not just as a client for Windows 10 computers. In a similar vein, how many home routers are set to be the DNS server? There's going to be a big increase in DNS queries if Linksys, Netgear etc. can't continue to host DNS results.

    1. big_D Silver badge

      By default, all of them. They all act as a DNS proxy/forwarder on the local network and by default they get their DNS server settings via DHCP from the ISP. It is one of the first things I override when I get a new router.

      And now, I don't even use the router for DNS, I use a Pi-Hole with DNS over TLS and DNSSEC to a trusted provider. My security gateway provides DoH and uses the Pi-Hole as its authority.

    2. LDS Silver badge

      Any Windows Home system will use by default the MS DoH provider... anybody who thought MS would have let all that juicy data go to Google was wrong. Expect Apple to be the next one.

      Anyway DoH is designed to bypass routers - you need to fingerprint the original requester; intermediate resolvers and caches are bad for tracking and profiling (sure, you can set up an intermediate resolver with DoH too - it's just complex enough to ensure most users won't).

      That's why HTTP instead of just encrypting the DNS request (as in DoT) - HTTP carries far more data useful for fingerprinting.

      1. mark l 2 Silver badge

        Even if MS set the system DNS to use their own DoH servers, if Chrome uses its own internal resolver to send all its DoH traffic to Google (like Firefox currently does) then it would bypass the system settings. So Google would still get all the DNS data from the browser no matter what Windows was set to do.

        1. LDS Silver badge

          Sure, the battle for your data will continue - once the ISPs are out of the picture it will be a battle among those who will try to control DoH queries - just wait for applications run on Windows having to abide by Windows DoH settings... or Apple apps that, to be allowed in the store, will have to use the Apple approved API to query DNS....

          Anyway, keep on believing they are doing it to keep your queries safe - they are only trying to ensure they know *everything* about your queries - encryption is useless when you can't trust the other endpoint. And the few DoH endpoints will have an enormous power over the internet, which will become even more centralized.

          You will discover one day the eggs were all put in the wrong basket(s)....

  3. Anonymous Coward

    ISPs complain that they use the ability to see DNS queries to

    inject ads, spy on their customers and make extra profit selling this data - aggregated or not. Also, they complain that they're being "nudged" by various "law enforcement agencies" to complain, but can't say that publicly.

    Anyway, we can expect "THINK OF THE CHILDREN!!!" and "TERRORISTS!!!!" to appear in the line of arguments, if they haven't yet.

    Now, gospadin Putin, my daily paycheck please!

    1. Kane Silver badge

      Re: ISPs complain that they use the ability to see DNS queries to

      "Anyway, we can expect "THINK OF THE CHILDREN!!!" and "TERRORISTS!!!!" to appear in the line of arguments, if they haven't yet."

      Too late!

    2. LDS Silver badge

      "inject ads, spy on their customers and make extra profit selling this data "

      Google does exactly the same and at a far larger scale, wholly integrated. MS is after the same model.

      So what's the advantage of DoH? Making Google and then MS even bigger and more dangerous than they are already? You fear your ISP and not Google & C.? Really naive.

      Why not forbid the use of such data, instead?

      1. P. Lee Silver badge

        Re: "inject ads, spy on their customers and make extra profit selling this data "

        Just stop using their stuff.

        1. LDS Silver badge

          "Just stop using their stuff."

          Can you?

          Without legal roadblocks, they have the power and you don't - and you won't be able to stop using their stuff. Just look at how Google's captcha system is infecting the internet.

          DoH is a classic example of a few powerful companies trying to obtain control and force you to use their stuff.

          With DoH bypassing ads filters and the like, they will also be free to pump more ads and slurp more data about you. Enjoy!

          1. bombastic bob Silver badge

            Re: "Just stop using their stuff."

            DoH is a classic example of a few powerful companies trying to obtain control and force you to use their stuff.

            it's what monopolies do, yeah.

            (Time to, once again, speak softly and CARRY A BIG STICK.)

          2. rmullen0

            Re: "Just stop using their stuff."

            How could it bypass ad filters? I would think something like Ad Block Plus would work the same way it always has? Maybe I don't understand how the filtering works. I wouldn't think it has anything to do with DNS, but, maybe something like pi hole fakes DNS or something to eliminate the ads...

            1. LDS Silver badge

              "How could it bypass ad filters?"

              AdBlock may work as long as the browser lets it work (see Chrome API changes to neuter them) - and you have to install it explicitly on each device you're using. Moreover not all software retrieving ads or sending slurped data is a browser that can be blocked with an add-in.

              But using built-in DNS resolvers using their own DNS over HTTPS means they will try to bypass ad filters employed at the DNS level like PiHole and the like.

              PiHole & C. can be updated to support DoH too, but users will be required to be able to generate valid certificates, which is a "little" more complex than just setting the DNS IPs. Moreover as more software won't use the OS DNS settings (and the hosts file as well...), you'll need to change the settings in each of them. Sure, there will be group policies and the like, maybe, but it's not something most home and SOHO networks employ, and after all, they need to track what people do outside the office.

              You can still try to block the DoH endpoints, but once they control the Internet DNS system good luck with that.

              IP blacklists would still work - but once you control the DNS you can even keep on rotating the underlying IPs of your ads farms and make them far harder to block.

              I see people who, while believing they are getting some more secrecy, are giving away more privacy.

              Google & C. will still give away data to law enforcement agencies; if people believe this will protect their little illegal activities from ISPs reporting, they are utterly wrong.

              Especially since these systems, to answer quickly and avoid too much traffic across long-distance links, use anycast and have systems answering in each country (or almost), so cops don't need to go far to get the data, and don't really need to go through international agreements for requests.

    3. Adrian 4 Silver badge

      Re: ISPs complain that they use the ability to see DNS queries to

      Why would governments care? They'll just get logs from Google etc. on pain of allowing them to continue to exist.

  4. TrumpSlurp the Troll Silver badge

    Parental Controls?

    Just wondering how local ISPs will deliver these where required by local law if they can't identify the target site.

    Presumably some part of the connection setup is visible, such as negotiating the encryption, unless VPN.

    1. P. Lee Silver badge

      Re: Parental Controls?

      Currently SNI is visible, but I think that goes away with the next version of TLS.

      In the West the law is generally applicable for what's available. Better TLS is just a better VPN.

  5. Anonymous Coward

    DNS based filtering

    I use a very old free OpenDNS account where I was able to hold onto multiple networks and different 'rules' for each.

    Various VLANs/SSIDs on my home network NATed to different external addresses, thus different filtering rules.

    Firewall blocks DNS other than to OpenDNS (except Sky boxes using ISP DNS).

    I'm led to believe that Cisco Umbrella/OpenDNS will block known DoH hosts under the Proxy/Anonymiser category and I'm also dropping DoT on my firewall rules.

    1. Anonymous Coward

      not going to work

      Cisco Umbrella/OpenDNS will block known DoH hosts - it might work nowish but not for long...

      You're led down the garden path...

      The solution is always going to be Deep Packet Inspection on your network gateway, otherwise you are going to lose control... everything is going down port 443 and won't need to make lookups, so there is nothing for Umbrella/OpenDNS to look up and then block...

      1. Anonymous Coward

        Re: not going to work

        I must admit I haven't (yet) delved too deeply into DoT/DoH, but my tactics so far are based upon:

        "Because DoH can be used to bypass Umbrella, Umbrella includes known DoH servers in the “Proxy / Anonymizer” content category. This mechanism is effective, but has limitations:

        It cannot block brand new DoH providers that are unknown to us

        It cannot block DoH which is used via IP address

        For the first issue, we do our best to watch new DoH providers, and customers can further improve coverage by also blocking Newly Seen Domains.

        For the latter limitation, there are limited scenarios where DoH is accessed directly by IP address. Firefox with Cloudflare is the most well-known example."

        The latter point could potentially be an issue, but I don't know how many providers currently operate this way. My assumption (which could be incorrect) is there will be a standard DNS request to look up the hostname associated with the DoH provider (which can be blocked). If that lookup were to succeed (or a connection be made by IP) then clearly DPI would be the only means to prevent that.

        1. Anonymous Coward

          Re: not going to work

          > It cannot block DoH which is used via IP address

          User/integrator, please name an IP address that does DNS?

          Do 8.8.8.8 or 1.1.1.1 do DoH?

          In summary, you can't block Cloudflare or Google without DPI on the gateway and...

          You're welcome

          1. Anonymous Coward

            Re: not going to work

            CloudFlare suggest their DoH offering runs via their standard 1.1.1.1 resolver:

            86 ;;; DNS
               chain=forward action=accept protocol=udp src-address=<internal subnet for domain-joined PCs> dst-address=<internal Windows DNS> dst-port=53
            87 chain=forward action=accept protocol=udp dst-address=208.67.222.222 dst-port=53
            88 chain=forward action=accept protocol=udp dst-address=208.67.220.220 dst-port=53
            89 chain=forward action=accept protocol=udp src-address=<Sky boxes> dst-address=<ISP DNS 1> dst-port=53
            90 chain=forward action=accept protocol=udp src-address=<Sky boxes> dst-address=<ISP DNS 2> dst-port=53
            91 chain=forward action=drop protocol=udp dst-port=53
            92 chain=forward action=drop protocol=tcp dst-port=853
            93 chain=forward action=drop protocol=udp dst-port=853
            94 chain=forward action=drop protocol=tcp dst-port=53
            95 chain=forward action=drop protocol=tcp dst-address=1.1.1.1 dst-port=443
            96 chain=forward action=drop protocol=tcp dst-address=1.0.0.1 dst-port=443
            97 chain=forward action=drop protocol=tcp dst-address=8.8.8.8 dst-port=443
            98 chain=forward action=drop protocol=tcp dst-address=8.8.4.4 dst-port=443

            1. jmecher

              Re: not going to work

              You're only blocking 3 major DNS providers, just on IPv4, and the code is already sizeable.

              If you add more of them and throw IPv6 into the mix it's going to get out of hand pretty soon.

              I'm doing it differently, by just allowing my pi-hole outbound access to 53/853 udp/tcp and dropping everything else by default; it's certainly shorter. I'm not addressing DoH in any way, but neither is your setup.

              1. dca1

                Re: not going to work

                DPI is the only true solution, but for now I'm doing as you do with 53/853 only allowed for the pihole. I also manage a list of IPs on my router that are dropped for 443. The list updates weekly based on resolving the IPs of all the links on this page https://github.com/curl/curl/wiki/DNS-over-HTTPS to get me IPs for known DoH servers. It's not ideal, mine also isn't the best implementation (made it when I was just pondering DoH) but it catches enough right now, is more or less zero maintenance and is better than nothing.

        2. Roland6 Silver badge

          Re: not going to work

          >My assumption (which could be incorrect) is there will be a standard DNS request to look up the hostname associated with the DoH provider

          From a previous El Reg article, I remember it being said that the browser (Firefox/Chrome) shipped with a hard coded DoH server IP address.

      2. Roland6 Silver badge

        Re: not going to work

        >the solution is always going to be Deep Packet Inspection on your network gateway otherwise you are going to loose control...

        ?deep packet inspection of encrypted packets ...

        1. amanfromMars 1 Silver badge

          Re: not going to work

          ?deep packet inspection of encrypted packets ... .... Roland6

          Where/When puzzling restless enigmas are thrown into quarantine and asylum bins because of that Olde Worlde Rumsfeldism ....

          Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.

          Quite a Sage was Donald.

        2. It's just me

          Re: not going to work

          It's known as MITM or MiddleBox TLS interception/inspection. Doing it without raising a warning/error on the client requires that either you get your own certificate installed as a root CA on the client, or you are able to obtain, via theft or coercion, a signing key from one of the several hundred CAs your browser already trusts.

  6. Christopher Reeve's Horse

    So, for the simpletons like myself...

    I'm just about competent enough with my home network to have set up a Pi-Hole and continue to use my ISP's DNS service (from BT) via the Pi-Hole to allow the fairly simple use of parental controls. I know DNS based parental controls aren't perfect, but let's run with that for now...

    So basically, now, in Firefox, I can just go into settings, switch on DoH, and this will completely bypass my Pi-Hole and my ISP's parental control options. What now? I was just getting the hang of being slightly in control, and now that's all gone?

    1. Qumefox

      Re: So, for the simpletons like myself...

      The data floggers don't want you to be in control. Their business model falls apart if users have the ability to shut off that flow of juicy PII to them. Which is why you can bet that Google's decision to force Chrome to use DoH to their own servers had pretty much zero to do with security, other than maybe the security of their revenue stream by ensuring their ads are harder to block and that no one but them would be able to slurp those DNS resolves.

    2. It's just me
      Boffin

      Re: So, for the simpletons like myself...

      You should be able to, at your router, block traffic to the DoH IPs that Firefox uses - ping mozilla.cloudflare-dns.com and then block the IP(s) it resolves to. Currently it resolves to 104.16.248.249 and 104.16.249.249.

      1. Roland6 Silver badge

        Re: So, for the simpletons like myself...

        >Currently it resolves to 104.16.248.249 and 104.16.249.249.

        and the IPv6 variants...

        It is easy to forget about when your ISP doesn't support it.

        However, it can bite you, on one client site just changed ISP and all the lights went on, they now have a totally unprotected IPv6 connection to the Internet - fortunately as the line isn't connected to the office LAN (yet) it can be mitigated in a considered manner...
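As an added example (not posted by any of the commenters above), the router-side block described in the two comments above, generalised so that the IPv6 records are not forgotten: the script takes every A and AAAA address a DoH endpoint resolves to, splits them by family and emits an nftables ruleset that resets outbound port 443 connections to those addresses in the forward chain. The table name `doh_block` and the sample address list are assumptions; the IPv6 entry uses the 2001:db8::/32 documentation prefix as a placeholder rather than a real resolver address. `resolve_all()` does a live lookup and is only called from the `__main__` block, so the generator itself runs offline.

```python
"""Generate an nftables ruleset that blocks a DoH endpoint's addresses
over both IPv4 and IPv6. Added example; not code from the original thread."""
import ipaddress
import socket
from typing import Iterable, List, Tuple

# Constructed sample input: the two IPv4 addresses quoted in the thread plus a
# documentation-prefix placeholder standing in for the AAAA records.
SAMPLE_ADDRS = ["104.16.248.249", "104.16.249.249", "2001:db8::a"]


def split_by_family(addrs: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (ipv4, ipv6) lists, de-duplicated, normalised and sorted.

    ipaddress.ip_address() raises ValueError on anything that is not an IP,
    so a mangled resolver answer cannot end up as a syntax error in nft.
    """
    v4, v6 = set(), set()
    for a in addrs:
        ip = ipaddress.ip_address(a.strip())
        (v4 if ip.version == 4 else v6).add(str(ip))
    return (sorted(v4, key=ipaddress.ip_address),
            sorted(v6, key=ipaddress.ip_address))


def build_nft_ruleset(addrs: Iterable[str], table: str = "doh_block") -> str:
    """Emit an `inet` table (covers both families) that rejects TCP/443 to the
    given addresses in the forward chain, i.e. for LAN clients behind the router.
    Only the sets and rules for families actually present are written."""
    v4, v6 = split_by_family(addrs)
    if not v4 and not v6:
        raise ValueError("no addresses to block; refusing to emit an empty table")
    lines = [f"table inet {table} {{"]
    if v4:
        lines.append(f"  set doh_v4 {{ type ipv4_addr; elements = {{ {', '.join(v4)} }} }}")
    if v6:
        lines.append(f"  set doh_v6 {{ type ipv6_addr; elements = {{ {', '.join(v6)} }} }}")
    lines.append("  chain forward {")
    lines.append("    type filter hook forward priority 0; policy accept;")
    if v4:
        lines.append("    ip daddr @doh_v4 tcp dport 443 reject with tcp reset")
    if v6:
        lines.append("    ip6 daddr @doh_v6 tcp dport 443 reject with tcp reset")
    lines.append("  }")
    lines.append("}")
    return "\n".join(lines) + "\n"


def resolve_all(host: str) -> List[str]:
    """Live lookup of every A and AAAA record for host (needs network access)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Real use: python3 this.py | nft -f -   (assumed invocation)
    try:
        addrs = resolve_all("mozilla.cloudflare-dns.com")
    except socket.gaierror:
        addrs = SAMPLE_ADDRS  # offline fallback to the constructed sample
    print(build_nft_ruleset(addrs), end="")
```

Two caveats a practitioner should keep in mind: address blocking is only as current as the last resolution, so the lookup needs re-running (or the set needs feeding from the Pi-Hole's own answers), and a client that has hard-coded a different resolver, or that reaches a resolver on shared anycast space, is not caught by a list built from one hostname.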

  7. kmedcalf

    Real Issue

    Nobody seems to have addressed the real issue here. While Microsoft adding support for Homer Simpson DNS resolution and serving (DoH) is all very dandy, I am quite sure that they will require that Windows Server have IIS installed to be able to handle the H part of DoH, thus hugely increasing the attack surface of the server for very little to no gain in actual security (and actually a significant decrease in security since IIS is known to be a buggy insecure turd).

This will take a lot of work to implement and is likely to be highly restrictive. For example, in the Windows domain model the default DNS lives on the Domain Controllers, why would you want your DCs to be running IIS?

    It all seems rather foolish to me.

    1. Roland6 Silver badge

      Re: Real Issue

      This is a reason why DNS over TLS would be more appropriate.

    2. jgard

      Re: Real Issue

      This is just lazy, boring and uninformed Microsoft bashing.

There is no reason a DC would need IIS to run DNS over HTTPS. You don’t need IIS to unwrap data in an HTTP/S request. AD servers commonly expose several RESTful/SOAP APIs, AD web services is an example.

      And the remark about IIS being a buggy insecure turd? Have you seen the number of vulns in Tomcat for example? IIS is commonly run on DCs and required for some roles on Enterprise CAs. It’s also required for AD Federation Services that manage SSO and other auth mechanisms. Both those roles often are placed on domain controllers. How often do you hear a large corporation was hacked because the IIS site running web enrollment was breached or someone hijacked their domain because insecure IIS was running on the ADFS server? You don’t.

I’m no MS fan, but it grinds my gears when people talk rubbish, slagging a big company off because it’s cool, when they obviously don’t know much about the subject in question.

  8. boltar Silver badge

    Where's the logic in this?

Ok, so your ISP/government/hacker can't see the address you're resolving. So what? They only have to see what TCP/UDP connections you make and to what port to know what sites you're accessing anyway, so unless you're using a VPN you're hosed as far as site visiting privacy is concerned.

    This is a solution looking for a problem unless the problem is actually the internet giants trying to reduce ISPs down even further to nothing more than dumb pipes so they can ultimately grab their business.

    1. iGNgnorr

      Re: Where's the logic in this?

      "This is a solution looking for a problem unless the problem is actually the internet giants trying to reduce ISPs down even further to nothing more than dumb pipes so they can ultimately grab their business."

      Please see the UK Labour party's intention to take over internet delivery in the name of making it "free" (as in beer, not as in freedom.)

    2. EnviableOne Silver badge

      Re: Where's the logic in this?

Ok, so using the VPN, the VPN provider gets the metadata. If you use either DoH or DoT then only the server gets to see the request; if you use DNSSEC on top, only the server you choose gets to see the request. This is why the protocols were developed.

      With the way hosting works and TLS by knowing which IP you're talking to, you could be talking to any one of 100s of different sites.

The reason Google did it is your second point. For Google, more data = more $$$$, and if they combine the DNS queries with the other data they can resolve you a lot better.

      1. boltar Silver badge

        Re: Where's the logic in this?

You've missed the point. Use as much encryption as you want on DNS, you still have to ultimately connect to the server you want, and even if you're on a VPN then the VPN provider will know anyway unless you use a proxy like the onion, and if you use that you don't need DoH in the first place. So where's the gain? There isn't one.

  9. Roland6 Silver badge

So it's all as clear as mud!

    Interesting article on How To Geek.

    Basically, there are three issues down to implementation choices.

    1) The protection of DNS traffic, in this respect the only real difference between DoT and DoH is the use of different TCP/UDP ports.

    2) How a client selects a DNS service.

    3) The default out-of-the-box behaviour and the extent to which it can be overridden.

    These last two are in the hands of the developer and I think aren't specified in the RFC.

    Mozilla have decided that Firefox will default to using the Cloudflare DoH service and thus bypass host system DNS settings, the user has to actively either change the default DoH server (can still bypass host system DNS settings) or disable DoH (and use host system DNS).

Google with Chrome are saying that they will use the host system's DNS server using either DNS or DoH depending on what that DNS server supports.

Microsoft are saying they will implement DoH at the OS level, ie. the Windows network client will natively support communications over DNS or DoH depending on the DNS server configuration - I assume there will be some security protocol/procedure that will enable a client system to negotiate an appropriate level of communication security (I wonder if the MS solution will also include DNSSEC).

    1. Roland6 Silver badge

Re: So it's all as clear as mud!

      Cont.

      It would seem that in getting DoH "out there", Mozilla have stepped over a boundary with their client implementation; a boundary it would seem Google and MS are being a little more respectful of.

      I anticipate that once MS deliver a W10 build with DoH support, Mozilla will fall back into line.

However, this just leaves a small problem: MS are only implementing DoH in a future W10 build (but still no word on W10 DNSSEC) - increasing the impetus to migrate away from W7 et al, so surviving W7 & 8 systems may benefit from a current Firefox style client that avoids the host system's DNS resolver. Additionally, it is not clear which versions of Windows server will get support for DoH.

      Aside: interesting article here from MS: Windows will improve user privacy with DNS over HTTPS - key quote "we are making plans to adopt DNS over HTTPS (or DoH) in the Windows DNS client.", so may arrive in a couple of years.
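An added example, not posted by any of the commenters, to make concrete two points raised in the thread: jgard's remark that no web server is needed to unwrap a DoH request, and Roland6's point 1 that the protection of the DNS traffic itself is the same under DoT and DoH. The code builds an ordinary RFC 1035 wire-format query, then shows the two framings that carry it: DoT (RFC 7858) prefixes the message with a two-byte length and sends it over TLS on port 853; DoH (RFC 8484) puts the identical bytes either in a `dns=` query parameter (base64url, padding stripped) of a GET or as the body of a POST with content type `application/dns-message`, over TLS on port 443. The receiving side is shown too: splitting a DoT byte stream back into messages (including the partial-frame case) and decoding the GET parameter. The HTTP/1.1 request text and the `/dns-query` path are illustrative assumptions; nothing is sent on the network.

```python
"""DoT vs DoH: the same DNS wire message, two framings.
Added example; not code from the original thread or any commenter."""
import base64
import struct
from typing import List, Tuple


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 query: 12-byte header, QNAME as length-prefixed labels,
    QTYPE, QCLASS=IN. Flags 0x0100 = recursion desired.
    txid defaults to 0 because RFC 8484 recommends that for DoH so the
    HTTP layer can cache identical queries."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> Tuple[str, int]:
    """Read the first question back out of a wire message (what either a
    DoT listener or a DoH handler does once the framing is stripped)."""
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    (qtype,) = struct.unpack("!H", msg[pos:pos + 2])
    return ".".join(labels), qtype


# --- DoT framing (RFC 7858, TLS on TCP/853) ---------------------------------
def dot_frame(msg: bytes) -> bytes:
    """Two-byte big-endian length prefix, then the message; same as DNS-over-TCP."""
    return struct.pack("!H", len(msg)) + msg


def unframe_dot(stream: bytes) -> List[bytes]:
    """Split a received TLS byte stream into complete messages. A trailing
    partial frame is left unread rather than mis-parsed."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + n > len(stream):
            break  # incomplete frame: wait for more bytes
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs


# --- DoH framing (RFC 8484, HTTPS on TCP/443) -------------------------------
def doh_get(msg: bytes, path: str = "/dns-query") -> str:
    """GET form: base64url of the message, '=' padding removed, in dns=."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={b64} HTTP/1.1\r\n"
            f"Accept: application/dns-message\r\n\r\n")


def doh_post(msg: bytes, path: str = "/dns-query") -> bytes:
    """POST form: the raw wire message is the HTTP body, no encoding at all."""
    head = (f"POST {path} HTTP/1.1\r\n"
            f"Content-Type: application/dns-message\r\n"
            f"Accept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg


def decode_dns_param(b64: str) -> bytes:
    """Server side of the GET form: restore padding, decode to the wire message."""
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("wire   :", q.hex())
    print("DoT    :", dot_frame(q).hex())
    print("DoH GET:", doh_get(q).splitlines()[0])
    print("DoH POST body bytes:", len(doh_post(q)) - doh_post(q).index(b"\r\n\r\n") - 4)
```

The takeaway for the thread's argument: the DNS payload, and therefore the TLS protection around it, is byte-for-byte the same in both cases. What differs is the envelope, which is why a DoT listener is a few dozen lines of length-prefix handling and a DoH handler is a few dozen lines of HTTP parsing, neither of which needs a full web server, and why DoT can be blocked or observed by port 853 alone while DoH disappears into ordinary port 443 traffic.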

Biting the hand that feeds IT © 1998–2019