For fans of DNS-over-HTTPS (DoH) privacy, it must feel like a dam of resistance is starting to break.
Mozilla Firefox and Cloudflare were the earliest adopters of this controversial new way to make DNS queries private by encrypting them, followed not long after by the weight of Google, which embedded DoH into Chrome as a non-default setting.
This week an even bigger name joined the party – Windows 10 – which Microsoft has announced will integrate the ability to use DoH, and eventually also its close cousin DNS-over-TLS (DoT), into its networking client.
It looks like game over for the opponents of DoH, predominantly ISPs which have expressed a nest of worries – some rather self-serving (we can’t monetise DNS traffic we can’t see) and others which perhaps deserve a hearing (how do we filter out bad domains?).
The author has already covered how DoH and DoT work in previous articles, but the gist is that they encrypt the queries a computer makes to DNS servers in a way that means intermediaries such as ISPs and governments can’t easily see which websites are being visited.
Another way to think of it is that DoH extends the benefits of HTTPS security to DNS traffic. While not perfectly private (data still leaks via things like Server Name Indication), it’s better than sending DNS queries in the clear.
In fact, DoT has some advantages over DoH, but it runs on its own dedicated port (853), which has to be allowed through routers/firewalls. DoH travels inside ordinary HTTPS on port 443 and is therefore hard to tell apart from regular web browsing traffic (although connections to well-known resolver endpoints can still be identified by their destination), whereas DoT runs in its own lane, making it easier to block or filter, and it typically requires users to configure more settings to make it work.
Because DoH piggybacks HTTPS, it just works out of the box – as long as the client software supports it, that is. That’s why Windows 10 integration, whenever that appears, is important.
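To make the difference between the two transports concrete, here is an added example (written for this page, not code from the article or from any of the products it mentions) that builds a DNS query in wire format, encodes it the way an RFC 8484 DoH GET request carries it (base64url in the `dns=` parameter, padding stripped), frames the same message the way DoT/TCP sends it (a two-byte length prefix, RFC 7858), and parses the answer section of a response. The resolver URL is assumed to be any RFC 8484 endpoint (Cloudflare's public one is used as the placeholder), the sample response is constructed inline, and nothing here touches the network.

```python
# Added example, not from the original article: DNS wire format, DoH GET
# encoding (RFC 8484) and DoT framing (RFC 7858), all built and parsed offline.
import base64
import struct

# Assumption: any RFC 8484 resolver URL works here; Cloudflare's is a placeholder.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
DOT_PORT = 853   # RFC 7858 dedicated port: a single port an ISP can block
DOH_PORT = 443   # shared with all other HTTPS traffic

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Minimal DNS query: header (RD=1, one question) + question section.
    RFC 8484 recommends txid 0 for DoH so identical queries give identical,
    cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """DoH GET form: the message base64url-encoded, '=' padding removed."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def dot_frame(query: bytes) -> bytes:
    """DoT form: the raw message with a 16-bit big-endian length prefix,
    exactly as DNS over TCP does, then sent inside a TLS session to port 853."""
    return struct.pack("!H", len(query)) + query


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> list[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed sample response to build_query("example.com"): QR=1 RD=1 RA=1,
# one question, one answer whose name is a pointer to offset 12. The address
# is made up for the example.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c"
    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("DoH GET  :", doh_get_url(q))
    print("DoT frame:", dot_frame(q).hex(), "-> TLS to port", DOT_PORT)
    print("Answer   :", parse_a_records(SAMPLE_RESPONSE))
```

Both transports carry the same 29-byte DNS message; the only thing an on-path observer sees in either case is a TLS session, but with DoT the destination port alone gives the game away, while with DoH it blends into the port 443 traffic the same machine is already generating.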
Given that DoH support is already turned on in Firefox (which sends queries to Cloudflare by default) and is being trialled in Google’s Chrome (which upgrades the user’s existing resolver to DoH when that provider offers it), what does Windows 10 integration add?
To read the entire November 21st, 2019 article by John E Dunn, go to https://nakedsecurity.sophos.com/2019/11/21/dns-over-https-is-coming-to-windows-10/
On the subject of HTTPS, is your website already utilising an SSL certificate (HTTPS)? If not, then contact Enrapture for more information on how we can quickly help you fix that problem.