Microsoft joins encrypted DNS club


Microsoft is the latest browser vendor to join the encrypted DNS club by supporting DNS over HTTPS in Windows 10. In Build 19628 and higher, you’ll be able to encrypt your DNS traffic to prevent your geeky flatmate, that hoodie-wearing person in your local coffee shop, and possibly your ISP from snooping on your browsing destinations.

We’ve explained encrypted DNS before, but briefly, it encrypts DNS queries between your computer and the DNS resolver (which does the DNS lookup for you) so those in between can’t see which websites or other URLs you’re asking for. There are two types. One is DNS over TLS (DoT) which is tricky to implement on many networks. The other, which more networks are likely to play nicely with, is DNS over HTTPS (DoH). The latter is the version that Microsoft is using.

Encrypted DNS is better in some ways than the existing DNS, which operates in plain text, but as some Naked Security readers have pointed out, it still has some gotchas.

First, your DNS resolver has to support the technology. Second, that company can still see all your DNS queries, so you still have to trust someone who can see where you’re surfing to respect your privacy. Third, it stops any local cybersecurity tools from inspecting your DNS traffic to filter out malicious URLs. Your DoH-enabled DNS resolver might well have its own filtering, but that means you’re trusting it with just about everything, and makes it difficult to introduce multi-layered DNS filtering protection. It also stops the authorities from censoring certain sites or snooping on your traffic, which is a divisive issue.
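To make the description above concrete, here is an added example (not from Microsoft or from the original article) that builds the same DNS query both ways: as the plain-text message anyone on the path can read, and as the RFC 8484 DoH GET request that travels inside HTTPS, where only the resolver can decode it. The `/dns-query` path and the sample name are assumptions; each DoH resolver publishes its own URL.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a DNS question in RFC 1035 wire format (qtype 1 = A record)."""
    # ID 0 as RFC 8484 suggests, flags 0x0100 (recursion desired), one question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN

def name_in_query(message: bytes) -> str:
    """Recover the queried name from a wire-format query (questions are uncompressed)."""
    pos, labels = 12, []  # the question starts after the 12-byte header
    while message[pos] != 0:
        length = message[pos]
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def doh_get_path(message: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET form: the query, base64url-encoded without padding."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"

def resolver_view(request_path: str) -> str:
    """What the DoH resolver reads once it has terminated TLS."""
    encoded = request_path.split("?dns=", 1)[1]
    padded = encoded + "=" * (-len(encoded) % 4)  # restore stripped padding
    return name_in_query(base64.urlsafe_b64decode(padded))

if __name__ == "__main__":
    query = build_query("www.example.com")  # constructed sample name
    print("plain DNS, readable on path:", name_in_query(query))
    print("DoH request line (inside TLS): GET", doh_get_path(query))
    print("DoH resolver still sees:", resolver_view(doh_get_path(query)))
```

The bytes are identical in both cases; DoH only changes who can read them, which is why the trust moves to the resolver rather than disappearing.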

When it first announced its plans to introduce DoH in November, Microsoft said that “supporting encrypted DNS queries in Windows will close one of the last remaining plain-text domain name transmissions in common web traffic.”

This month sees the company fulfil its vow by experimenting with it as part of the Windows Insider program. To enjoy encrypted DNS queries, you must be in the Fast Ring, which is the group in the program that gets weekly updates with brand new features. That gets you Preview Build 19628. Even then, you’ll have to turn DoH on because it’s off by default.

With this announcement, Microsoft joins Firefox, which aims to make DoH a default feature, and Google, which is experimenting with it in Chrome.

When it announced its intention to move to DoH, Redmond said that it wouldn’t change users’ DNS settings, but offers a choice of three DoH providers for those who want to use DoH: Cloudflare, Google, or Quad9. It also provides instructions for adding your own DoH-capable resolver using the command line.

Whether or not you take advantage of this feature depends on your local network configuration, and – given that Microsoft warns this is an experimental feature – your risk appetite. If you decide to take the plunge, Microsoft offers instructions on how to flip the DoH switch.