In a post yesterday to the Microsoft Tech Community blog, Microsoft Windows Core Networking team members Tommy Jensen, Ivan Pashov, and Gabriel Montenegro announced that Microsoft is planning to adopt support for encrypted Domain Name System queries in order to “close one of the last remaining plain-text domain name transmissions in common web traffic.”
That support will first take the form of integration with DNS over HTTPS (DoH), a standard proposed by the Internet Engineering Task Force and supported by Mozilla, Google, and Cloudflare, among others. “As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we’re open to having other options such as DNS over TLS (DoT) in the future,” wrote Jensen, Pashov, and Montenegro. “For now, we’re prioritizing DoH support as the most likely to provide immediate value to everyone. For example, DoH allows us to reuse our existing HTTPS infrastructure.”
But Microsoft is being careful about how it deploys this compatibility given the current political fight over DoH being waged by Internet service providers concerned that they’ll lose a lucrative source of customer behavior data.
This clearly isn’t the sexiest of subjects, but there’s an important tug of war happening here between ISPs and privacy advocates.
I’ve got no issue with encrypted DNS initiatives, but I’m really not a fan of HTTP(S) becoming the new TCP which everything else needs to be funneled through. Direct TCP/IP connections are already becoming problematic due to the increasing use of IPv4 address translation and firewalls that ban ports. These are creating evolutionary pressure to build everything on top of HTTP and disregard the rest of TCP/IP. Browser makers are ok with this because it forces everything on the internet to revolve around browser technology. If we step back I’m not so sure it’s a good idea for the internet technologically speaking. Websockets are a prime example of how basic TCP socket technology is being replaced by a convoluted HTTP based protocol adding lots of overhead and complexity. The result is more complex socket handling and reliance on additional HTTPification daemons. The way things are going, HTTP/HTTPS may as well become kernel-space primitives alongside TCP to eliminate the overhead of routing everything through a user space HTTP gateway.
https://en.wikipedia.org/wiki/In-kernel_web_server
Since everything will be running over HTTP, a new version of iptables is needed for HTTP, called “httptables”… this is only half funny, because you know it’s only a matter of time.
Not just between privacy advocates and ISPs. I have kids in the house and I like to control which services are available at different times. So if it’s time for homework I can block netflix and youtube. However with DNS over HTTPS it’s MUCH harder to block a service. After all numerous web services use one of the large clouds, so you can’t easily block by IP address.
That’s the point though. To give cloudflare and possibly google massive data about everything you do on the web. Mozilla is giving all your data to one party. Microsoft and Google have better positions on DoH than Mozilla simply because there are options and not forced overrides of your DNS settings. Encrypting DNS traffic is a good thing, but what Mozilla is doing is not about privacy. I’m hoping DoT takes off instead or at least someone finally sees the stupidity of migrating to HTTPS to get TCP + encryption only to go back to UDP with HTTP/3. Trying to debug resolvers using different sources is going to be a nightmare in the future. Firefox uses cloudflare, chrome uses something else, we have the OS resolvers, we have random apps built on top of electron doing something else.
DNS is supposed to be distributed not all going to the same place.
If we’re going to blow up a protocol, how about SMTP? Require encryption there instead. Much more useful.
laffer1,
You may be right, using HTTPS enables DNS requests to be centralized, and that’s probably the point. Mozilla, and Google, and Microsoft all stand to benefit from centralized DNS.
I agree that SMTP is in need of a replacement to fix legacy security problems and make it universally consistent, however SMTP is one of the few remaining federated internet protocols in use today and I don’t trust large corporate interests to keep it that way. If large corporations had the opportunity to replace it, they would kill off the federated aspects of email and replace it with centralized data silos with private servers.
Microsoft is already discriminating against small providers like mine in accepting emails. And as for gmail, it’s hard to even open an account anymore since they’ve begun banning legitimate phone numbers for verification. These are just some of the reasons privatizing our internet protocols is dangerous and harmful.
The biggest problem I have with DNS over HTTPS or DNS over TCP is that each device or application can decide to bypass the DNS server of the local network or machine and instead perform DNS queries directly to a pre-programmed endpoint, thus removing my control over its queries.
This means I am now unable to monitor or block DNS queries that are performed from within my own network or by applications running on my own computer. That blows, I want absolute control because it’s MY network and they are MY machines.
The simple solution to this (if possible) is to avoid devices or applications that do not allow me to intercept their DNS queries.
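The monitoring gap this commenter describes (a device or application resolving names through a pre-programmed endpoint and skipping the local resolver) can be spotted at the network edge. The following Python is an added example, not code from the article or from any commenter: it correlates two constructed log feeds and treats a TLS session whose destination the local resolver never handed out, or whose SNI names a public DoH resolver, as a likely bypass. The resolver hostnames, the IP addresses and both log formats are assumptions made for the example.

```python
from ipaddress import ip_address

# Public DoH resolver hostnames used as an SNI watchlist (assumed, not from the page).
DOH_RESOLVER_NAMES = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}

# Constructed sample of answers handed out by the local resolver: "<qname> <answer ip>"
DNS_LOG = """\
www.example.com 93.184.216.34
mail.example.net 198.51.100.7
"""

# Constructed sample of outbound TLS sessions: "<src ip> <dst ip> <sni>"
TLS_LOG = """\
10.0.0.5 93.184.216.34 www.example.com
10.0.0.5 203.0.113.53 cloudflare-dns.com
10.0.0.8 203.0.113.9 cdn.example.org
10.0.0.8 198.51.100.7 mail.example.net
"""

def parse_dns_answers(text):
    """Return the set of IP addresses the local resolver answered with."""
    answered = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            answered.add(ip_address(parts[1]))
    return answered

def find_bypass(dns_log, tls_log):
    """Return (src, dst, sni, reason) for TLS sessions that look like resolver bypass."""
    answered = parse_dns_answers(dns_log)
    findings = []
    for line in tls_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sweep
        src, dst, sni = parts
        if sni.lower() in DOH_RESOLVER_NAMES:
            findings.append((src, dst, sni, "known DoH resolver SNI"))
        elif ip_address(dst) not in answered:
            # The client reached this IP without ever asking the local resolver for it.
            findings.append((src, dst, sni, "destination never resolved via local DNS"))
    return findings

if __name__ == "__main__":
    for finding in find_bypass(DNS_LOG, TLS_LOG):
        print(*finding)
```

Cached answers and hard-coded IP lists (as a later commenter notes) will also trip the second rule, so treat its hits as leads to investigate rather than proof of DoH.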
Current applications can already bypass your DNS service. It’s not a new thing.
By using regular DNS during the bypass, I’m still able to intercept and change their request or the response. With encryption not so much, although DNSSEC already gives us signed responses so whatever, you might be right.
That’s not true though. DNS could go through any port, it could be authenticated (DNSSEC), etc, it might not even use the DNS protocol. In fact, nothing requires anyone to use DNS at all, an application might just have a list of IP addresses instead. Nothing required those applications to be controllable in this way.