Microsoft DoH (DNS over HTTPS)

Ref: Windows DNS over HTTPS

I’m really hoping they follow the spec correctly and actually test it before pushing it out to all Windows systems, especially for corporate users whose admins have spent years building up all their firewall rules.

Following the spec correctly won’t help admins with carefully crafted filters. The spec is not friendly to corporate environments where an end user’s DNS traffic is legally and morally (IMO) subject to scrutiny.

The spec is still being drafted and finalized but yes Microsoft is helping with the effort.

A spec is a spec so whether or not it is enabled on your system or browser is irrelevant.

This is good in that it is at the OS level. DNS over HTTPS in a browser is “silly”, because the OS has information about which DNS service to use and suddenly the browser starts to use its own DNS server without notifying the user. If things go wrong in the browser, it makes troubleshooting very difficult.

What I find really good is that you need to physically change the DNS settings to use this, so it won’t affect corporate environments - I would also expect to see Windows Server’s DNS service offer DNS over HTTPS in the future.

That said, why DNS over HTTPS and not the existing DNS over TLS? I already use the latter, along with DNSSEC on my Pi-Hole, which does the DNS work in my network at home. That does all the blocking and filtering for me, so that end devices don’t need ad blockers etc. and it blocks a lot of known malware sites.

That is why I am very happy with Microsoft’s approach (at the moment), compared to Firefox and Chrome, Amazon etc., which will completely ignore your DNS settings and use what they think is best for you. I’ve actually disabled DNS over HTTPS, along with DNS requests from any device other than my Pi-Hole, at the firewall, because the Silk browser in Fire devices ignores your DNS settings.


I’ve noticed that the ASUS Nighthawk image for DD-WRT .bin includes the option to use dnscrypt, but I’ve had a hard time getting it to work right.
Is it complicated to get the PiHole setup and using the DNSSEC?
I tried setting up DNSSEC with my cloudflare account but gave up with the settings after a few hrs :frowning:

It is relatively easy. I bought a Raspi 3b+ kit and had it up and running in under 30 minutes. The Pi-Hole software is relatively easy to install. Some basic Linux knowledge is useful, if there are any problems with the installation, but if nothing goes wrong, it is just copying a couple of commands to the console and letting it install.

Once installed, you need to set up the block lists and select one of the pre-defined DNS providers (Cloudflare, Google, OpenDNS, Quad9 and a few others, with DNSSEC etc.). I downloaded a few lists, which block pr0n, malware, tracking and Facebook (all 1,500 of their domains).

Once it is up and running, you just need to change your router to tell it to provide the Pi-Hole’s IP address for DNS purposes.


This is great news and a big middle finger in the air to the ISPs and Governments that are complaining.

I have been using DoH in the OS since DNSCrypt added it.
Even when MS do the update I will probably stick with DNSCrypt due to the flexibility and functionality.
MS will probably just bolt everything in and users won’t see any difference to the way they edit or use the DNS setting.
I use the blocking feature and am a big fan of the way it hops around the list of resolvers to use the fastest.
People have complained about DNS lock-in with the browsers, but you always end up opting for 1 or 2. Currently I have 87 in my list (I am hiding the ones that block)

How are you filtering for DoH requests on your network? Or do you mean you’ve disabled it at the client level?

I’ve set up rules in the firewall to not let DoH traffic through - HTTPS traffic to Cloudflare’s and Google’s DNS servers is disabled, which means that any browser attempting to use DoH should fall back to the DNS settings in the OS. Interestingly, the firewall will also act as a broadcast DoH server in its own right, and it uses my Pi-Hole as its DNS authority. I have turned that on, but I haven’t had time to test it yet, just that DoH to Cloudflare and Google don’t work and that browsers trying to use it still obey my local DNS rules (e.g. Facebook is unreachable).
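The two firewall rules described in this thread (only the Pi-hole may send plain DNS; no HTTPS to the public resolvers that also serve DoH) can be audited from the firewall's own logs. The script below is an added example, not code from any poster; it assumes netfilter-style `SRC=/DST=/PROTO=/DPT=` log lines, a hypothetical Pi-hole address of 192.168.1.2, and the constructed sample log embedded in it.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical address of the Pi-hole, the only host allowed to send plain DNS upstream.
PIHOLE = ipaddress.ip_address("192.168.1.2")

# Public resolvers that serve DoH on TCP/443: Cloudflare, Google and Quad9 anycast addresses.
DOH_RESOLVERS = {ipaddress.ip_address(a)
                 for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}

# Netfilter LOG target field layout: SRC= DST= ... PROTO= ... DPT=
_FIELD = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def audit_line(line):
    """Return a Finding if the log line violates either rule, else None."""
    m = _FIELD.search(line)
    if not m:
        return None
    src, dst, dpt = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), int(m["dpt"])
    if dpt == 53 and src != PIHOLE:
        return Finding(str(src), str(dst), "plain DNS from a host other than the Pi-hole")
    if dpt == 443 and dst in DOH_RESOLVERS:
        return Finding(str(src), str(dst), "HTTPS to a public DoH resolver (likely DoH bypass)")
    return None


def audit(lines):
    return [f for f in (audit_line(l) for l in lines) if f]


# Constructed sample log: Pi-hole upstream query, a client bypassing it on 53, a DoH attempt, normal HTTPS.
SAMPLE_LOG = """\
kernel: [FWD] IN=br0 OUT=eth0 SRC=192.168.1.2 DST=9.9.9.9 LEN=60 PROTO=UDP SPT=51000 DPT=53
kernel: [FWD] IN=br0 OUT=eth0 SRC=192.168.1.57 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51001 DPT=53
kernel: [FWD] IN=br0 OUT=eth0 SRC=192.168.1.40 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=51002 DPT=443
kernel: [FWD] IN=br0 OUT=eth0 SRC=192.168.1.40 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=51003 DPT=443
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

Matching only well-known resolver addresses catches the defaults browsers ship with; a DoH endpoint on an unlisted address looks like ordinary HTTPS, which is why the poster also forces every other host's port 53 traffic through the Pi-hole.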