Microsoft announced that it will add support for the DoH (DNS over HTTPS) protocol in future versions of Windows 10, and will also retain support for DoT (DNS over TLS). DoH is designed to allow DNS resolution over encrypted HTTPS connections, while DoT encrypts and encapsulates DNS queries in Transport Layer Security (TLS); both replace plaintext DNS lookups.
Compared with traditional DNS, sending DNS requests over HTTPS to a cloud service provider's resolver has little impact on uncached DNS queries: most are only about 6 milliseconds slower, which Mozilla considers an acceptable cost once weighed against the security gain and the protection of private data. In some cases DoH is even hundreds of milliseconds faster than traditional DNS.
By adding DoH to Windows 10 Core Networking, Microsoft wants to improve its customers' privacy on the Internet by encrypting all the DNS queries they make, removing the plaintext domain names that would otherwise appear in unencrypted network traffic. Microsoft wrote:
With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team’s guiding principles on making those decisions:
- Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user’s browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
- Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don’t know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
- Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don’t require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
- Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.
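The last principle, fail closed rather than silently fall back to plaintext DNS, applied to the message format DoH carries (RFC 8484 transports an ordinary RFC 1035 wire-format query, media type application/dns-message). This is an added example, not Microsoft's code or the Windows implementation; it assumes transports are plain callables taking a wire-format query and returning the reply, and the DoH server reply and the 192.0.2.1 answer are constructed stand-ins so it runs without a network.

```python
import struct

def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """RFC 1035 wire-format query: the body a DoH POST carries (application/dns-message)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a name; a 2-byte compression pointer (top bits 11) ends it."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_a_records(reply: bytes) -> list:
    """Return the IPv4 addresses (TYPE A, CLASS IN) found in the answer section."""
    qdcount, ancount = struct.unpack(">HH", reply[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(reply, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(reply, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", reply[pos:pos + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in reply[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return addrs

def resolve(name, doh, plaintext=None, allow_fallback=False):
    """DoH first; the plaintext UDP/53 transport is used only when fallback is explicitly allowed."""
    query = build_query(name)
    try:
        return parse_a_records(doh(query))
    except OSError:
        if not (allow_fallback and plaintext):
            raise  # encrypted path failed and fallback is forbidden: fail closed
        return parse_a_records(plaintext(query))

# Constructed stand-ins (no network): a DoH server answering 192.0.2.1, and one that is down.
def fake_doh(query: bytes) -> bytes:
    header = struct.pack(">HHHHHH", struct.unpack(">H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer  # 0xC00C points back at the question name
def unreachable_doh(query: bytes) -> bytes:
    raise OSError("encrypted resolver unreachable")
```

With the default `allow_fallback=False`, an unreachable encrypted resolver surfaces as an error instead of a plaintext query leaving the host; passing `allow_fallback=True` together with a plaintext transport is the explicit opt-in the principle requires.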