
Windows will improve user privacy with DNS over HTTPS - omiossec
https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-will-improve-user-privacy-with-DNS-over-HTTPS/ba-p/1014229
======
pdkl95
> There is an assumption by many that DNS encryption requires DNS
> centralization.

A lot of the discussion recently, like this statement, conflates "DNS
encryption" with "DoH". Encrypting DNS does _not_ require centralization, but
_DoH does_ require[1] centralization in the RFC. DoH doesn't even "improve
user privacy"; it simply changes who can record your DNS queries. Instead of
the ISP, Cloudflare/Microsoft/etc gets to see your unencrypted DNS queries.

The way to actually improve privacy is to perform the recursive resolution
locally[2]. The actual communication with each individual DNS server needs to
be encrypted, which is where work needs to be done. DNS servers need to
support DNS over TLS (DoT) or some other type of encrypted transport.
Hypothetically, DoH could be modified to support this, although that seems
more complicated than simply wrapping the DNS protocol in TLS.

You don't get privacy by centralizing all of your requests onto one server. To
protect privacy, you limit the data that any one party can see. DNS was
designed for this purpose: only the NS record of a domain needs to be sent to
a centralized server, which is easy to cache for a long time. Most requests
then go to domain-specified authoritative server[4].

It's good to see Microsoft at least trying to address this at the OS level.
App doing DNS without involving the OS seems to be more about taking away
control from the user. I'm sure Google would love to be able to bypass DNS
based adblocking.

[1]
[https://news.ycombinator.com/item?id=21110296](https://news.ycombinator.com/item?id=21110296)

[2] Which is easy: follow NS records until you get to the server that has your
authoritative answer.

[3]
[https://news.ycombinator.com/item?id=21348328](https://news.ycombinator.com/item?id=21348328)

~~~
Someone1234
> Encrypting DNS does not require centralization, but DoH does require
> centralization in the RFC.

This isn't a problem that DoH was designed to solve. It is designed to be a
highly compatible, secure, endpoint DNS solution. Which it is. So while this
criticism is accurate, it is also irrelevant, DoH replaces one "hop" on DNS
and that's all it was ever designed to do.

> DoH doesn't even "improve user privacy"; it simply changes who can record
> your DNS queries. I

It stops passive eavesdropping. Right now you can change who you use for DNS
and your ISP can still monitor your DNS to profile you and invade your
privacy. With DoH you can pick a privacy focused endpoint and nobody between
you or that endpoint can trivially monitor your DNS.

DoT solves this too but has issues (see next response).

> DNS servers need to support DNS over TLS (DoT) or some other type of
> encrypted transport.

DoT and even unencrypted DNS is blocked on a lot of free WiFi. Now what? DoH
solves this issue, as it was designed to. DoH can traverse even the most
locked down network over the same HTTPS channel as any other web traffic.

> You don't get privacy by centralizing all of your requests onto one server.

Perhaps, but it scales really well and is the basis for all current DNS
resolution. If everyone on the internet did as you suggested core internet
infrastructure would fail under the load. You've essentially killed almost all
caching.

~~~
acqq
> With DoH you can pick a privacy focused endpoint and nobody between you or
> that endpoint can trivially monitor your DNS.

Even with DoH, which site you access is still trivial to track by your ISP
and anybody along the wire, as the site name is still not encrypted in the
TLS connection traffic.
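As an added illustration of the point made in this comment (example code written for this page, not something posted in the thread or taken from Microsoft's article): the server_name field travels in the cleartext ClientHello, so anyone on the path can read the destination hostname with a few lines of parsing, whether or not the name was resolved over DoH. The ClientHello below is constructed rather than captured, and `build_client_hello` and `extract_sni` are hypothetical helper names.

```python
import struct

SERVER_NAME_EXT = 0x0000          # TLS extension type "server_name" (RFC 6066)


def build_client_hello(server_name, random=b"\x11" * 32):
    """Assemble a minimal, constructed ClientHello record. With server_name=None
    no extensions block is emitted at all (legal for TLS 1.2 and earlier)."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni_ext = (struct.pack("!HH", SERVER_NAME_EXT, len(sni_list) + 2)
                   + struct.pack("!H", len(sni_list)) + sni_list)
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + random + b"\x00"       # client_version, random, empty session id
            + b"\x00\x02\x13\x01"                 # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name an on-path observer reads from a ClientHello record,
    or None if the record is not a ClientHello or carries no cleartext SNI."""
    if len(record) < 5 or record[0] != 0x16:                    # not a Handshake record
        return None
    handshake = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(handshake) < 4 or handshake[0] != 0x01:              # not a ClientHello
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    try:
        off = 2 + 32                                            # client_version + random
        off += 1 + body[off]                                    # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]    # cipher_suites
        off += 1 + body[off]                                    # compression_methods
        if off + 2 > len(body):
            return None                                         # no extensions at all
        ext_end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
            data = body[off + 4:off + 4 + ext_len]
            off += 4 + ext_len
            if ext_type != SERVER_NAME_EXT:
                continue
            pos = 2                                             # skip ServerNameList length
            while pos + 3 <= len(data):
                name_type = data[pos]
                name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
                if name_type == 0:                              # host_name
                    return data[pos + 3:pos + 3 + name_len].decode("ascii")
                pos += 3 + name_len
    except (IndexError, struct.error):
        return None                                             # truncated or malformed record
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print("observer sees:", extract_sni(hello))                   # example.com
    print("without SNI:", extract_sni(build_client_hello(None)))  # None
```

The same parser is what passive network monitoring (an ISP, or an enterprise egress sensor) uses to log destinations without decrypting anything. When a client instead sends the name inside the encrypted-SNI extension the ESNI draft defines, the cleartext server_name extension is simply absent and this function returns None, which is the gap the next reply is pointing at.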

~~~
Someone1234
> site name is still not encrypted in the TLS connection traffic

Encrypted SNI solves exactly that and is becoming increasingly common.

None of these solutions work individually to solve privacy problems but all of
them together are substantially increasing the cost and decreasing the
accuracy of profiling users en masse.

DoT never gained widespread adoption as an endpoint solution due to
compatibility problems. It is technically the superior choice (vs. DoH), but
what good is superior if it breaks all the time? DoH is more imperfect but
actually works reliably across different network configurations and client
devices, which means it "wins" even if it is "worse."

~~~
acqq
> Encrypted SNI solves exactly that and is becoming increasingly common.

Can you please elaborate? I know only this:

[https://serverfault.com/questions/976377/how-can-i-set-up-en...](https://serverfault.com/questions/976377/how-can-i-set-up-encrypted-sni-on-my-own-servers)

"Encrypted Server Name Indication (ESNI) is still an Internet Draft, _you will
not find it in any major server implementation_ as it is subject to change. In
fact, the draft version implemented by Firefox supports draft-ietf-tls-esni-01
which is incompatible with newer draft versions."

Edit: I see Firefox Nightly is mentioned, it is the version that normal users
who use Firefox (Firefox has at the moment less than 5% worldwide market
share) just don't use (it annoyingly updates every night).

~~~
Someone1234
Cloudflare's entire network supports it and Firefox Nightly can consume it,
see: [https://blog.cloudflare.com/encrypted-sni/](https://blog.cloudflare.com/encrypted-sni/)

That means over 10% of the internet's traffic supports ESNI (even if <1% of
clients consume it regularly). We're also seeing additional vendors explore
ESNI, including Chrome's team who have said they will look into implementing
it when the spec is finalized.

------
sb057
I wonder if the ISPA (British telecom association) will nominate Microsoft for
the 2020 Internet Villain Award.

[https://www.ispa.org.uk/ispa-announces-finalists-for-2019-in...](https://www.ispa.org.uk/ispa-announces-finalists-for-2019-internet-heroes-and-villains-trump-and-mozilla-lead-the-way-as-villain-nominees/)

~~~
throw0101a
The reason why the ISPA did not like DoH is because UK law said they had to
block/filter traffic. Per court order, a UK ISP would be obliged to block
things, and if DNS was no longer an option, they would potentially start
having to do IP blocking and BGP sink holing (PDF warning):

* [https://www.icann.org/sites/default/files/packages/ids-2019/...](https://www.icann.org/sites/default/files/packages/ids-2019/08-fidler-icann-dns-symposium-a-uk-isp-view-on-doh-issue-11may19-en.pdf)

That law now seems to be dead, which may reduce their worries on the matter:

* [https://arstechnica.com/tech-policy/2019/10/uk-government-ab...](https://arstechnica.com/tech-policy/2019/10/uk-government-abandons-planned-porn-age-verification-scheme/)

While I'm sure the ISP techs may have had some misgivings about DoH (plenty of
tech-mind folks like Paul Vixie do), the strong response from the ISPA may
have been guided by the lawyers.

~~~
catalogia
It seems to me that UK ISPs might have more luck trying to modify the behavior
of the UK government than the behavior of American tech corporations.

------
zaarn
I guess that is the end of the naysaying really; if the underlying OS supports
DoH then browsers can use the settings of that resolver if present and rely on
them instead of having to manually do it.

On another note; I like the principles laid out in the article, they do
reflect how I'd want a system to act in the presence of DoH servers.

I bet the steps forward will be to test if the DHCP Server configured is
capable of DoH and if it is, then using it _only_ over DoH on that network. A
second thing might be if DHCP or RAs learn a new flag that indicates the
resolver uses DoH upstream or supports DoH itself.

~~~
numlock86
Did you mean DNS server instead of DHCP server? What has DHCP to do with any
of this?

~~~
vetinari
DHCP tells the devices on the local network what DNS server they are supposed
to be using.

~~~
numlock86
I know. Hence the question.

------
atesti
Currently DNS filters and hosts files are a good way to block trackers and
telemetry. By securing this using HTTPS, we are not far from closing another
loophole for user freedom: What if Chrome does not allow self signed PKI roots
anymore? On Android one already gets a scary message each day when installing
a root certificate

~~~
jbott
This is software running on a user's computer. They will always have the
opportunity to modify their configuration (or patch the running software if
needed). The argument that DoH is a step backwards doesn't make sense, since
it's always been possible for software that wants to circumvent hosts file /
DNS filters to use an alternate name resolver.

I agree that we should push for more configuration options, but the fact
remains that it's the user's decision to run software that doesn't respect
their freedom of choice, and ultimately they control the code that runs on
their machine.

DoH is overall a huge benefit to preventing in-flight tampering and protecting
user privacy. The net-benefits far outweigh the downside that "good" network
providers can no longer tamper with DNS results.

~~~
JohnFen
> it's always been possible for software that wants to circumvent hosts file /
> DNS filters to use an alternate name resolver.

And it's always been possible to block access to all DNS resolvers except your
local one. Until now.

> the fact remains that it's the users decision to run software that doesn't
> respect their freedom of choice

Unless that code is malware or some Javascript an advertiser has placed on a
website. There is no way to stop software from doing its own DoH requests
without using browser or OS services to do it, so the controls supplied by the
browser or OS are of rather limited value.

> The net-benefits far outweigh the downside that "good" network providers can
> no longer tamper with DNS results.

I disagree. I'm of the opinion that DoH brought with it a security problem
that is difficult to resolve. It does provide additional security in another
area, but that's not something that couldn't have been done using a more
reasonable approach that didn't hamper my ability to control what's happening
on my own machines.

~~~
growse
> Unless that code is malware or some Javascript an advertiser has placed on a
> website. There is no way to stop software from doing its own DoH requests
> without using browser or OS services to do it, so the controls supplied by
> the browser or OS are of rather limited value.

This is true irrespective of DoH. If software wants to ignore the OS settings
and resolve names down via its own custom protocol, that's what it's going to
do. Short of auditing that software and its connections, you can't really
stop it.

The OS settings are not a _control_, they're a _convenience_.

~~~
JohnFen
True. DoH just makes it much cheaper and easier to do in a robust way. Which
means it will be done much more often -- probably commonly, because of
advertisers.

------
JohnFen
DoH provides a way for programs to do DNS lookups while evading any attempts
at blocking certain DNS lookups.

This is a dream situation for advertisers and enforced telemetry. This is also
why the existence of DoH has made it necessary for me to install a MITM HTTPS
proxy in my network, so that I can regain control.

DoH brings some privacy benefits, but it also brings privacy costs. It is not
an unambiguous win -- it is a tradeoff.

~~~
dastx
If you run a local DNS server (e.g. AdGuard Home or Pi-Hole) you can set them
up as a DoH system and still block requests.

My bigger issue with this is that Microsoft is trying to paint themselves as
an angel when in reality, as part of Windows 10, they've added so much
telemetry, it feels as if they're closer to an ad giant than a software giant.

~~~
alibert
One possible problem is when devices start to use their own hardcoded DoH
resolver. Today, Chromecast devices use their own resolver (still standard
DNS), tomorrow, they might use DoH resolver. Worse, think about apps starting
to do that on your mobile phone...

Now, you need MITM on your home network or you block everything to
google.dns:443... but what if they rotate their DoH resolvers?

~~~
EvanAnderson
MitM won't help, eventually. They'll start pinning certificates.

The DNS content filtering ship has sailed. It was nice while it lasted.

------
LinuxBender
If you are a stubborn troglodyte like me and have your own secure DNS solution
in place, then you can add the following domain to your local DNS to always
NXDOMAIN: use-application-dns.net to tell the resolver to use local network
DNS settings. And then of course, null route all the DoH resolvers.

I am somewhat curious what the fallout would be if ISP's decided to NXDOMAIN
that domain. Would they get in any trouble?

~~~
EvanAnderson
If your DNS server doesn't easily allow you to return an NXDOMAIN (the DNS
server in Windows Server is this way, for example) you can also just create an
empty zone for "use-application-dns.net". As long as no "A" or "AAAA" records
are returned the conditions for the canary will be satisfied.
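An added example (written for this page; not code from the thread, Mozilla or Microsoft) that ties the last two comments to the wire format: a stdlib-only DNS message builder and parser with a check for the canary condition described above (NXDOMAIN, or any reply with no A/AAAA record for use-application-dns.net, counts as "use the local resolver"), plus the referral step that pdkl95's footnote [2] describes when recursion is done locally: take the NS names from the authority section and the glue addresses from the additional section and ask those servers next. The replies are constructed in the block, not captured; `canary_requests_local_dns`, `next_step` and `query_udp` are hypothetical helper names.

```python
import socket
import struct

QTYPE_A, QTYPE_NS, QTYPE_AAAA = 1, 2, 28
RCODE_NXDOMAIN = 3
CANARY = "use-application-dns.net"   # Firefox's documented canary domain


def _labels(name):
    """Encode a dotted name as DNS labels (no compression)."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Standard query with RD set, RFC 1035 wire format."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _labels(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode().lower())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return rcode plus decoded answer/authority/additional sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    resp = {"rcode": flags & 0x000F, "answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == QTYPE_A:
                value = socket.inet_ntoa(rdata)
            elif rtype == QTYPE_AAAA:
                value = socket.inet_ntop(socket.AF_INET6, rdata)
            elif rtype == QTYPE_NS:
                value, _ = read_name(msg, off)          # NS target may itself be compressed
            else:
                value = rdata
            off += rdlen
            resp[section].append((name, rtype, value))
    return resp


def canary_requests_local_dns(resp):
    """Canary rule as described in the thread: NXDOMAIN, or any reply carrying
    no A/AAAA answer for use-application-dns.net, means 'use local DNS'."""
    return not any(t in (QTYPE_A, QTYPE_AAAA) for _, t, _ in resp["answer"])


def next_step(resp):
    """One round of local iterative resolution: the final addresses, or the NS
    names (with glue when present) that the resolver should ask next."""
    addrs = [v for _, t, v in resp["answer"] if t in (QTYPE_A, QTYPE_AAAA)]
    if addrs:
        return "answer", addrs
    ns_names = [v for _, t, v in resp["authority"] if t == QTYPE_NS]
    glue = {n: v for n, t, v in resp["additional"] if t == QTYPE_A}
    return "referral", {n: glue.get(n) for n in ns_names}


def query_udp(server, name, qtype=QTYPE_A, timeout=2.0):
    """Send one plain-UDP query to port 53 and parse the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_response(s.recv(4096))


def _rr(owner, rtype, rdata, ttl=3600):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed replies (not captured traffic); 0xC00C / 0xC014 are compression
# pointers back into the question name. Addresses are from the 192.0.2.0/24 doc range.
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + build_query(CANARY)[12:]
SAMPLE_ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query(CANARY)[12:]
                 + _rr(b"\xc0\x0c", QTYPE_A, bytes([192, 0, 2, 7])))
SAMPLE_REFERRAL = (struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 1, 1) + build_query("example.com")[12:]
                   + _rr(b"\xc0\x14", QTYPE_NS, _labels("a.gtld-servers.net"))
                   + _rr(_labels("a.gtld-servers.net"), QTYPE_A, bytes([192, 0, 2, 1])))

if __name__ == "__main__":
    for label, raw in (("nxdomain", SAMPLE_NXDOMAIN), ("answer", SAMPLE_ANSWER)):
        print(label, "-> use local DNS:", canary_requests_local_dns(parse_response(raw)))
    print("referral ->", next_step(parse_response(SAMPLE_REFERRAL)))
```

To check a live network, `canary_requests_local_dns(query_udp("<your resolver>", CANARY))` shows whether the local resolver is signalling "no DoH" the way the two comments describe, and it returns True for both the NXDOMAIN approach and the empty-zone approach, since both leave the answer section without A/AAAA records. Looping `next_step` from the root servers down is the "follow NS records" recursion of footnote [2]; a referral without glue means the resolver first has to resolve the NS name itself.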

------
mc3
Why are Microsoft doing this? One explanation is morality - they are doing it
for the greater good. Another explanation is branding - they want to look
like the new "no evil company" which ties in with their open source
initiatives. It could also be a way to prevent Google having too much power
which is a good thing for Microsoft. It also might be to sell more Windows
licences, but I doubt this would factor into the decision about what OS to
use. Or it is just that technical people got to make the decision unhampered
by management, and technical people value privacy.

~~~
godelski
There's the age old question, "if someone does something good for the wrong
reasons, are those things still good?"

I for one welcome the new competitive facade of privacy and security. Minor
improvements are at least improvements.

------
zeruch
...it just won't improve it with the endless telemetry and crap ads it inserts
at the OS level.

------
dTal
Can anyone expand on what advantage HTTPS has over raw SSL/TLS? Why tunnel
over another application-level protocol? What's the value-add of throwing GET
and POST etc into the mix?

Truth be told, I don't even really understand why we didn't adopt "DNSs"
decades ago along with HTTPS. Encrypt at socket level, done. What's the catch?

~~~
dqv
Here's what the RFC[0] says about it:

>Two primary use cases were considered during this protocol's development.
These use cases are preventing on-path devices from interfering with DNS
operations, and also allowing web applications to access DNS information via
existing browser APIs in a safe way consistent with Cross Origin Resource
Sharing [...]

[0]:
[https://tools.ietf.org/html/rfc8484#page-3](https://tools.ietf.org/html/rfc8484#page-3)

~~~
dTal
I don't see how on-path devices could distinguish between DNS-over-HTTPS and
DNS-over-TLS, provided they were run on the same port. It's just an encrypted
socketed connection.

As for web apps... well, that's horrifying enough to be the real reason.
Javascript should not be running its own DNS queries, outside of the system
DNS settings - it's a layering violation that looks a lot like an end run
around the "user agent" concept (i.e. the web app, rather than the browser
itself, is the "trusted endpoint" and the user is considered an adversary). If
web browsers actually wanted such functionality to be available, they could
easily expose an API for it.

------
kodablah
> However, since these servers and their DoH configurations are well known,
> Windows can automatically upgrade to DoH while using the same server.

They are not well known. How do they know my DNS server is DoH? It's good
that, like Chrome and unlike FF, they plan on using the existing DNS servers
but are they also using a known whitelist of DoH servers? How can I get on
there?

We need an HSTS/Alt-Svc for DoH...can't I return an EDNS response or something
w/ my standard DNS response that says I support DoH and the clients use it
henceforth while it remains the same configured server? Maybe even a default
domain to check DoH support even on NXDOMAIN so it doesn't leak the first
domain requested in clear UDP.

~~~
judge2020
Chrome has an upgrade list[0], last time I checked Firefox allowed you to
choose in settings.

0:
[https://github.com/chromium/chromium/blob/711b1ba2735f8af4bd...](https://github.com/chromium/chromium/blob/711b1ba2735f8af4bd6359c6292e1875412df74f/net/dns/dns_util.cc#L146-L217)

~~~
kodablah
I feared it was hardcoded :-( I am trying not to ask every user of my DNS
server to manually configure each of their browsers and their OS.

------
cm2187
And of course, for your privacy, Microsoft will send a copy of all your DNS
requests to its telemetry servers unless you opt out with a registry key!

~~~
foxrob92
A registry key that is reset to the default every major update, no less.

------
hiccuphippo
I already use dnscrypt-proxy on both Windows and Linux for DoH. Filtering
hosts is even easier because it allows wildcards.

------
iramiller
I suppose with DNS level blocking of ads now impossible that means I will need
to crawl my DNS blocklist and resolve those domains, then block those IP
addresses at the network gateway... Even if clients punch out through a secret
DoH ip those resolved advertiser domains will still be null routed.

Not as easy but just as effective.

------
ggzgd
>DNS traffic represents a snapshot of the user’s browsing history

This is what the Mozilla Corporation didn't get when they decided to send by
default all the DNS traffic to Cloudflare. Or, perhaps, they did get it
right...

~~~
beatgammit
Well, it's at least different than sending it to your ISP, which I'm sure most
users do by default. The question is, do you trust CloudFlare or your ISP
more?

I hope more DNS servers support DNS over HTTPS soon because my options for
using it are:

- CloudFlare
- self hosted with CloudFlare's code

Not a lot of options there...

~~~
turbinerneiter
My ISP. They are regulated and I pay them. If they do stuff I don't want I can
complain and switch.

I have no relationship with Cloudflare. I don't want them to have data about
me. I never signed a contract with them.

~~~
babypuncher
Tell me more about this magical place you live with more than one high speed
ISP.

~~~
jeltz
I think that is actually plenty of countries. Most countries do not have an
ISP oligopoly like the US, Canada or Australia.

~~~
foxrob92
The parts of Australia with NBN (read: about 90% of houses in the country)
have choice in ISP. I'm not sure of the split between all the FTTx options, so
they may not all count as "high speed".

------
2bitencryption
Is there an easy explanation anywhere of how I can achieve the most secure DNS
configuration that is reasonably simple to set up today?

I.e. what's the best I can do, short of hosting my own DNS?

~~~
babypuncher
I have a few VMs that run all my networking services. One of them runs
cloudflared and Pihole. Cloudflared is a DNS server that routes all DNS queries
to 1.1.1.1 using DoH. I have Pihole configured to use cloudflared as its
upstream DNS. So in addition to the Pihole's ad/tracker blocking, all DNS
requests leaving my network are done over DoH regardless if clients actually
support it.

------
ocdtrekkie
This is the correct approach, and I'm glad to see Microsoft is taking the lead
here.

The operating system should support DoH. Any browser not respecting the
operating system's DNS configuration should rollback their plans to hijack DNS
requests (particularly Firefox) and entrust the network stack to the OS, as is
intended.

------
m0xte
Let us disable telemetry first.

------
andrewstuart
This is awesome news.

Long awaited and MUCH needed for privacy.

This is the _primary_ way in which your privacy is invaded.

Where is Apple on this?

------
dancemethis1
...Are people going to believe this?

------
josteink
> Silently changing the DNS servers trusted to do Windows resolutions could
> inadvertently bypass these controls and frustrate our users. We believe
> device administrators have the right to control where their DNS traffic
> goes.

What Google and Mozilla seem not to get, Microsoft gets 100%.

Good on them. Thanks for sticking up for the user, MS. At least someone did.

~~~
kyrra
Mozilla is being more aggressive here than Google. My understanding about how
Chrome will work, if the DNS servers configured on your machine support DoH,
they will silently upgrade to use DoH. But it is entirely based on what your
system DNS server is set to.

[https://9to5google.com/2019/10/28/chrome-encrypt-dns/](https://9to5google.com/2019/10/28/chrome-encrypt-dns/)

Mozilla (I believe) is rolling out DoH to users (in the US) to use
CloudFlare's DoH server. This will bypass the system configured DNS servers.
This can be disabled in settings. And if the DoH DNS lookup fails, it'll
fallback to the system configured DNS.

[https://support.mozilla.org/en-US/kb/firefox-dns-over-https](https://support.mozilla.org/en-US/kb/firefox-dns-over-https)

(I'm a googler, opinions are my own)

~~~
SAI_Peregrinus
Additionally (for Mozilla, not sure about chrome) there are a couple of checks
to allow system administrators to force Firefox to fall back to the system DNS
if desired. Either they can return NXDOMAIN (or some other options) to queries
for use-application-dns.net, or they can use the usual group policy/active
directory/policies.json methods to configure users' Firefox to not use DoH or
use their internal DNS server with DoH if supported.

[https://support.mozilla.org/en-US/kb/canary-domain-use-appli...](https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet)

[https://support.mozilla.org/en-US/kb/customizing-firefox-usi...](https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy-windows)

[https://support.mozilla.org/en-US/kb/customizing-firefox-usi...](https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson)

[https://github.com/mozilla/policy-templates/blob/master/READ...](https://github.com/mozilla/policy-templates/blob/master/README.md#dnsoverhttps)

~~~
vetinari
With the admins having to override use-application-dns.net, they have to break
DNSSEC for the .net root.

Classy move, Mozilla.

~~~
SAI_Peregrinus
They don't have to, that's one of the options. If they're corporate admins
they likely have Active Directory or the ability to require the profiles.json,
which also disables it.

It's intended as a way to allow DNS filtering software to work when admins
aren't involved with user devices. DNS filtering software breaks DNSSEC
anyway. So using it doesn't break anything extra.

~~~
vetinari
I believe you meant Group Policies, as Active Directory in itself won't solve
any Firefox configuration problems. With policies.json, we have such
experience that random Firefox updates wipe it out and we have to redeploy.

With the DNSSEC breakage, the issue is the scope. With a little bit of
thought, they could break just .application-dns.net instead of entire .net, if
they used use.application-dns.net instead of use-application-dns.net. But I
guess collateral damage wasn't in the mind of whoever suggested that.

~~~
tptacek
The whole point of this feature is to ensure DNS filtering keeps working.
Since DNS filtering already conflicts with DNSSEC, what does it matter that
one of Firefox's mechanisms for signaling that you want DNS filtering also
conflicts with DNSSEC?

~~~
vetinari
No, the point of this feature is to use the resolver configured by the network
administrator. DNS filtering might be one of the reasons, but there might be
others, like resolving zones behind ACL, which by definition won't be
resolvable by public resolvers.

Also, there is a difference between a single second-level domain having broken
DNSSEC (especially one used only by a single application that won't use DNSSEC
anyway) and an entire top-level domain being broken (which will be used by
other applications that do validate DNSSEC).

I know that DNSSEC is not favoured by browser makers; I'm personally not a big
fan either. But just ignoring it, as they have all these years, is something
different from actively trying to undermine it and damaging other users of
it.

