Microsoft will support DNS over HTTPS (DoH) in Windows 10, in a move likely to prove controversial with intelligence agencies. The company says it wants to encrypt DNS queries while keeping the feature easy for users to configure.
For the unfamiliar, DNS, the Domain Name System, is what lets a user type ‘winbuzzer.com’ into a browser and be sent to the site's actual location, a string of numbers and dots known as its IP address. Resolution is typically performed by a resolver run by the user's Internet Service Provider (ISP), and because traditional DNS travels in cleartext (UDP or TCP port 53), the ISP can log every lookup, and anyone on the path between the user and the resolver can read it.
In some countries, including the UK, ISPs are required to retain these records for an extended period. They are shared with a number of agencies (41, in the UK's case). With often little oversight, this gives agencies a full list of every website a particular user has visited, though not the individual pages, since DNS reveals hostnames rather than URLs. Other users on the same network can likewise snoop on which sites their neighbours are visiting.
The UK's GCHQ agency says such technology could stop it from properly identifying threats. ISPs, meanwhile, are concerned they'll be unable to block content as mandated by the government. Mozilla, which has implemented DoH in Firefox using Cloudflare's resolver, says that's not the case.
The First Stepping Stone
Whatever the case, Microsoft is determined to push on, citing both privacy and ecosystem benefits.
“Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that ‘we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology’,” said program manager Tommy Jensen in a blog post. “We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn't universal.”
As a first milestone, Microsoft says Windows will use DoH with the DNS servers it is already configured to use: it will automatically encrypt users' DNS queries if those resolvers support DoH, and will not change the configured resolver to do so. Queries to a configured resolver that does not support DoH are, by implication, still sent the traditional way. In the future, though, Microsoft says it's open to DNS over TLS (DoT) and other solutions.
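To make concrete what "encrypting DNS" actually changes on the wire, the following is an added example, not code from Microsoft or the Windows DNS client. DoH (RFC 8484) carries the same binary DNS message that normally goes to port 53, only inside an HTTPS request: either POSTed as the body, or, in the GET form shown here, base64url-encoded without padding in a dns= parameter. The resolver URL, the queried name and the 203.0.113.10 answer are constructed for the example, and the "resolver" reply is built locally so the script runs offline. The final check, comparing the reply's ID and question section against the query, is the client-side sanity check DoH does not remove the need for: TLS protects the transport, not the correctness of what the resolver sends back.

```python
import base64
import struct

# Constructed values for the example; nothing here touches the network.
RESOLVER = "https://doh.example.test/dns-query"  # assumed URL, not a real resolver
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Wire-format query with RD=1: the same bytes classic DNS sends on port 53.
    RFC 8484 section 4.1 recommends ID 0 so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(base_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the dns= parameter."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={token}"


def decode_dns_param(token: str) -> bytes:
    """Inverse of the GET encoding, as a DoH server applies it to ?dns=."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def decode_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end, jumped, seen = [], offset, False, set()
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if offset in seen:
                raise ValueError("compression pointer loop")
            seen.add(offset)
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_response(msg: bytes) -> dict:
    """Return ID, RCODE, the question section and any A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "rcode": flags & 0xF, "question": questions, "a_records": answers}


def build_response(query: bytes, addresses: list, ttl: int = 300) -> bytes:
    """Constructed resolver reply: echo the question, then answer with A records that
    point back at the question name (compression pointer to offset 12)."""
    txid, _f, qd, _a, _n, _r = struct.unpack("!HHHHHH", query[:12])
    out = struct.pack("!HHHHHH", txid, 0x8180, qd, len(addresses), 0, 0) + query[12:]
    for ip in addresses:
        rdata = bytes(int(o) for o in ip.split("."))
        out += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return out


def answer_matches_query(query: bytes, response: bytes) -> bool:
    """Discard replies whose ID or question section differ from what was sent."""
    q, r = parse_response(query), parse_response(response)
    return q["id"] == r["id"] and q["question"] == r["question"]


if __name__ == "__main__":
    q = build_query("winbuzzer.com")
    print("GET", doh_get_url(RESOLVER, q))
    r = build_response(q, ["203.0.113.10"])  # TEST-NET-3 address, constructed
    print(parse_response(r), answer_matches_query(q, r))
```

Run as-is it prints the URL a DoH client would fetch and the parsed answer. To see the point of the encryption, capture the same `build_query` bytes on a real network: sent to port 53 they are readable by every hop, whereas inside the HTTPS request only the resolver's hostname (via the TLS SNI and the resolver's own IP) is visible to an observer, which is also why Windows needs to know in advance which configured resolvers speak DoH before it can upgrade them.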
You can read up on the full details of the implementation on the Windows Networking blog.