Microsoft lends its support to DNS over HTTPS to boost user privacy
Joining the likes of Mozilla and Google, Microsoft has announced that it will support DNS over HTTPS (DoH).
The company says that the adoption of encrypted DNS is important for the overall health of the internet ecosystem. It goes on to set out a number of principles that will be at the heart of adopting DoH in the Windows DNS client.
- DoH! Google tries to clear up DNS-over-HTTPS confusion
- Microsoft updates cloud contracts after EU privacy complaints
- Microsoft is blocking the Windows 10 November 2019 Update on systems with certain Realtek Bluetooth drivers
In a blog post, Microsoft acknowledges the importance of increasing the security and privacy of DNS: "Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology."
The post goes on to say:
We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn't universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.
Microsoft has clearly seen the importance and relative ease of rolling out DoH, but says that this is not necessarily the only protocol it will support. While DoH is described as "likely to provide immediate value to everyone" -- at least partly because it allows for the reuse of the existing HTTPS infrastructure -- the company may look at DNS over TLS (DoT) in the future.
The principles Microsoft says its DoH adoption will be based on are as follows:
- Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user’s browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
- Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
- Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
- Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.
For now, Microsoft says it will not be making any changes to DNS server configurations in Windows that have been put in place by users or admins. However, where possible and appropriate, when connecting to public DNS servers that support DoH, connections can be automatically upgraded to use the protocol, falling back to standard DNS if the configuration requires it.
The approach that Microsoft is taking means that people will be able to benefit from DoH without having to know anything about the protocol.
Read more about what the company has to say in this community post.