
Read the article. Unlike Mozilla's approach, Microsoft's DoH rollout is intentionally designed to not bypass DNS-based filtering. ISPA shouldn't have any problem with what Microsoft is doing.


Au contraire, if you've configured Windows to use e.g. Google's DNS then it will bypass deep-packet-inspection-based DNS filtering.


Except ISPs will block 443/tcp for these widely known servers, and if I got it right, Windows will fall back to unencrypted DNS.


It sounds like in this early milestone they will NOT fall back to unencrypted DNS to do a sort of 'scream test'.

> We can start seeing the challenges in enforcing the line on preferring resolution failure to unencrypted fallback. In line with principle 4, this DoH use will be enforced so that a server confirmed by Windows to support DoH will not be consulted via classic DNS. If this preference for privacy over functionality causes any disruption in common web scenarios, we’ll find out early.


Until HTTP/3 gets popular, and then 443/udp becomes a thing as well. :)


It should become an IETF RFC in the first place (it is still a draft).



