Microsoft has announced that it will add support for DoH (DNS over HTTPS) in a future version of Windows 10, while keeping DoT (DNS over TLS) as an option. Both protocols replace plaintext DNS lookups with encrypted ones: DoH carries DNS messages inside HTTPS requests, while DoT encapsulates DNS queries in a TLS connection.
Mozilla's measurements of DoH in Firefox, which sends DNS requests over HTTPS to a cloud resolver, found the performance impact compared with traditional DNS to be minimal: most uncached queries were only about 6 milliseconds slower, a cost Mozilla considers acceptable when weighed against the security and privacy gained. In some cases DoH was even hundreds of milliseconds faster than traditional DNS.
By adding DoH to the Windows 10 core networking stack, Microsoft aims to improve the security and privacy of its customers on the Internet by encrypting all DNS queries they make, removing the plaintext domain names that otherwise appear in unencrypted network traffic.
“A lot of people think DNS encryption needs DNS centralization, but that’s true only if encrypted DNS adoption isn’t universal,” Microsoft said. “To keep DNS decentralized, it is critical that client operating systems, such as Windows, as well as Internet service providers, adopt encrypted DNS widely.”
Microsoft also set out the principles that guided its choice of DNS encryption protocol for Windows 10 and how it is to be configured:
By default, Windows DNS should be as private and functional as possible without any configuration by the user or administrator, because Windows DNS traffic amounts to a snapshot of the user’s browsing history. For Windows users this means the experience is as private as possible out of the box; for Microsoft it means trying to encrypt Windows DNS traffic without changing the DNS resolvers configured by users and system administrators.
Privacy-conscious Windows users and administrators need to be guided to the DNS settings even if they do not yet know what DNS is. Many users care about controlling their privacy and look for privacy-related settings, such as application permissions for the camera and location, but may not notice the DNS settings or understand why they matter.
Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. Benefiting from encrypted DNS must not require specialized knowledge or effort from Windows users, and both enterprise policies and UI actions should need to be performed only once, with no ongoing maintenance.
Once configured, Windows users and administrators must explicitly allow any fallback from encrypted DNS. After Windows has been configured to use encrypted DNS, it should assume that falling back to unencrypted DNS is not permitted unless the user or administrator gives explicit instructions to the contrary.
For more information, see the original Microsoft blog post.