Microsoft Core Networking Team Has Your Back With Secure DNS For Windows Over HTTPS

Microsoft is having a "Do'h!" moment, though not in the bumbling, Homer Simpson sense. Quite the opposite, actually. In a blog post, Microsoft announced its Windows Core Networking team is working on improving user privacy by implementing DNS over HTTPS, or DoH for short, into a future build of Windows 10.

From Microsoft's vantage point, supporting encrypted DNS queries in Windows 10 would essentially close one of the last remaining plain-text domain name transmissions in common web traffic. At the same time, Microsoft says providing encrypted DNS support will not be easy without breaking existing Windows device admin configurations.

"With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured," Microsoft says.

That's where adopting DoH in the Windows DNS client comes into play. In addition, Microsoft says that, as a platform, Windows Core Networking is flexible in terms of enabling users to use whatever protocols they need, "so we're open to having other options such as DNS over TLS (DoT) in the future."

"For our first milestone, we'll start with a simple change: use DoH for DNS servers Windows is already configured to use. There are now several public DNS servers that support DoH, and if a Windows user or device admin configures one of them today, Windows will just use classic DNS (without encryption) to that server. However, since these servers and their DoH configurations are well known, Windows can automatically upgrade to DoH while using the same server," Microsoft says.

Users and admins can decide what DNS server to use by picking the network they join or specifying the server directly. Windows 10 will automatically encrypt DNS queries without any action required by the individual apps or users, so long as the DNS resolvers they are using support encryption over HTTPS.

Microsoft also made clear that none of this means it will make changes to whichever DNS server Windows was configured to use by the user or network. This is important, as many people employ ISP or public DNS content filtering for things like blocking offensive websites.
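The same-server upgrade described above can be sketched as follows. This is an added example, not Microsoft's code: the resolver table is a constructed sample of three public resolvers with their published DoH endpoints, the function names are hypothetical, and the query encoding follows the RFC 8484 GET form.

```python
import base64
import struct

# Constructed sample table: public resolvers and their published DoH endpoints.
# Assumption: the article does not give Windows' actual list or its format.
KNOWN_DOH = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",
}

def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a DNS query in wire format (RFC 1035); ID is 0 as RFC 8484 advises."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(endpoint: str, name: str) -> str:
    """RFC 8484 GET form: base64url of the wire message with padding stripped."""
    wire = build_query(name)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"

def plan_resolution(configured_server: str, name: str) -> dict:
    """Pick the transport for one lookup without ever changing the resolver."""
    endpoint = KNOWN_DOH.get(configured_server)
    if endpoint is None:
        # Unknown resolver: keep classic, unencrypted DNS to the same server
        # rather than substituting a different, DoH-capable one.
        return {"server": configured_server, "transport": "classic", "url": None}
    return {
        "server": configured_server,
        "transport": "doh",
        "url": doh_get_url(endpoint, name),
    }

if __name__ == "__main__":
    # 192.0.2.53 is a documentation address standing in for an ISP resolver.
    for server in ("1.1.1.1", "192.0.2.53"):
        print(plan_resolution(server, "www.example.com"))
```

In both branches the `server` field is the one the user or network configured, so any content filtering that resolver applies stays in effect.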

"Today, users and admins decide what DNS server to use by picking the network they join or specifying the server directly; this milestone won’t change anything about that," Microsoft says.

Microsoft says it chose to announce its plans ahead of making DoH available to Windows Insiders because "with encrypted DNS gaining more attention, we felt it was important to make our intentions clear as early as possible."

"We don't want our customers wondering if their trusted platform will adopt modern privacy standards or not," Microsoft said.