Windows Preview has UI for DoH in build 20185

Playing around with Windows release Preview build 20185 and I see they are adding a UI for DNS to make setting DNS over HTTPS pretty easy to set:

I still don’t understand DoH, why don’t they use the industry standard DoT? I use DoT with DNSSEC at home with my DNS server and I am currently blocking DoH at the firewall (blocking known DoH servers that Google and Mozilla use).

My DNS server uses a secure TLS connection to the backbone DNS server, using, you know, the DNS protocol. It also runs a blocklist of around 2.5 million dodgy sites, like the 2.5K Facebook tracking domains, other tracking domains and known malware sites.


Especially, that it’s only a short-term mitigation, creating unnecessary traffic. But we obviously have too much bandwidth.

It also causes multiple problems with QoS and traffic management. If all starts to go over HTTP, it’ll be a mess. It’s a violation of the most generic rule that each service has a dedicated port number. With this attitude, more “friendly” man-in-the-middle solutions are gonna be needed to keep the network going.

1 Like

Well you can be for it or against it, but you should at least understand why it is desirable even if you’re against it. Near as I can tell it is desirable because it is a user level choice (in that they can choose to have a browser that implements it) whereas host DNS is not normally an end user configurable item. Networking is too much black magic for the average user, but they can generally manage to find and click a checkbox.

One assumes MS has decided to add it to the OS because it’s becoming popular in browsers. Why they haven’t also decided to do DoT probably says it’s not as popular. Even still, on the OS level you need admin privs to activate it, which you do not need in the browsers.

You’re saying “short-term” as in, eventually down the line, your DNS requests get touched by an untrusted entity when it spits out the other end? That’s obviously an inevitability.

I still think the traffic is necessary because it prevents third party entities (Verizon pimping my queries out to whoever is writing checks) that my DNS traffic isn’t aimed at involving themselves. I just want a choice of where my queries end up without everyone in between seeing them.

1 Like

It has always been end user configurable. On early Windows networks, you’d have to manually set the DNS address on every PC.

And whether it is done properly (DoT to a DNSSEC compliant host) or it uses DoH makes no difference to the user, they would use the same interface and either select to use encrypted DNS using its protocol or encyrypted DNS using HTTPS, which is wrong in so many ways.

That is the whole point of DoT… DoT is DoH done right.

1 Like

Yes, wasn’t sure if he was talking about DNS encryption in general. Certainly advocate for DoT over DoH. Well structured standards being eroded to meet the lowest common denominator is always frustrating.

1 Like

My point is you need to take of your white hat and pretend to be an untrained end user. There is a difference between a user who is a network engineer with admin privs, an end user who is an enthusiast with admin privs and a basic user who does not have admin privs. Almost anyone can configure their browser without needing special training or privileges. Almost no one can successfully configure DNS, privs or not.

If they aren’t an admin, they won’t be able to configure this either. Changing network settings requires admin privileges.

Um @BigD perhaps you need to re-read my original post. My point was DoH started IN THE BROWSER and an end user can configure their own browser without being an admin.

The further point is MS saw this, and decided to add it to the OS as a whole… but there it DOES require admin privs.

It’s perfectly legitimate and yes, I do believe, there’s a need for that. I was mainly comparing DoT to DoH. The latter makes the directory queries and the actual data requests indistinguishable, which is wrong and can also cause problems with traffic optimization.

What I am afraid of is, that network providers will try to find patterns in HTTPS-data stream and perform some traffic shaping based on that, which would be a real mess.

The browsers chose to use the ONLY conduit they had. The DNS servers are still at the same IP addresses. If someone wished to block HTTP[S] access to a DNS server, there doesn’t seem to be much anyone could do about it… the bigger question is why it’s anyone else’s business how I satisfy my DNS queries…
hint: it’s not.

Unless you’re subject to my network’s acceptable use policy, then it’s my legal responsibility to be up in your business.

1 Like

Businesses have the means to lock down the settings of the PCs they own, and I’m sure even Firefox allows you to “force load” network (aka Proxy) settings. If an employee works around IT, then you either don’t know about it, or you have rules in the employee handbook to deal with this situation.

It’s been my experience that good IT people let a lot slide, unless there is actual harm… and bad IT people act like bad cops.

There’s quite a few reasons, one of which would be making a congested network usable. DNS queries are frequent, short, and time out quickly unlike bulk transfer, which can handle jitter, variable bandwidth, and retransmissions quite well.

Um, no, just no. DNS queries are cached… always have been… probably always will be. They arrive with a TTL (time to live)… so they eventually expire and you would see any update. The TTL is potentially up to 24 hours. Almost all DNS queries are resolved locally from a cache, or one level up from a cache.

1 Like

This is largely incorrect. Local resolvers can cache an average of 100-300 entries, depending on the memory size and other configuration options. Older records get evicted long before they reach their TTL unless your traffic doesn’t go beyond a narrow group of servers. And also, DNS servers are often responsible for load-balancing, responding to queries with a TTL of a minute or so.

However, this isn’t the question here. A local DoH server will, obviously, cache much more than your local resolver but you still need to be able to reach it first, which, without proper TOS-tags could become difficult in many scenarios. Not to mention a case when you wanna bypass your provider’s server and get your answers from a third-party one located on the Internet.

Unlike DoH, DoT doesn’t cause those issues.

Almost no ISPs are yet providing DoH so odds are you are already bypassing them. If you [manually] enable DoH in Firefox, it will default to Cloudflare, but you can also choose NextWeb, or enter the URL of your own DoH capable DNS server. If you don’t manually enable it, Firefox will check to see if your system DNS server is DoH capable (I presume via allowlist) and enable it automatically unless you are in what it believed to be an enterprise setting.