Windows Insiders gain new DNS over HTTPS controls

Published Jun 29 2021 06:00 AM

Credit and thanks to Alexandru Jercaianu, Vladimir Cernov, and Sam Yun for implementation work

 

Over the last year, we have been improving the DNS over HTTPS (DoH) functionality in the Windows DNS client. Now we are pleased to introduce you to the different features now available through the Windows Insider program.

 

To start with, we want to note that the registry key controls documented in our original DoH testing blog post are no longer applicable. As stated there, those instructions were time limited to the initial DoH test rollout. If you did ever set that key, please delete it then reboot your machine before proceeding with the rest of this blog post.

 

Next, we will be reviewing the new configuration behavior, how Windows will know if a DNS server supports DoH, and what our next steps are in advancing encrypted DNS discovery.

 

UI

The first control you should try out is the new UI fields in the Settings app, originally announced on the Insider blog. When Windows knows a given DNS server’s IP address has a corresponding DoH server, it will unlock a dropdown that lets you decide whether to require encryption always be used, use encryption but fall back to plain-text DNS when encryption fails, or not to use encryption (the default value).

 

[Screenshot: tojens_0-1624918166884.png, the Settings app DNS server encryption dropdown]

 

GPO

For enterprise administrators, we have provided a new GPO for controlling DoH behavior. This will allow the use of DoH to be allowed, required, or prohibited system-wide.

  • Allowed will defer the use of DoH to local settings available in the UI per network adapter.
  • Required will prevent the use of configured DNS servers if they do not support DoH and will disable fallback to plain-text DNS.
  • Prohibited will prevent any local DoH settings from taking effect, ensuring Windows functions as it did before the DoH client using plain-text DNS only.

 

[Screenshot: tojens_1-1624918166897.png, the DoH Group Policy setting]

 

NRPT

The Name Resolution Policy Table (NRPT) allows administrators to specify rules for name resolution by namespace. For example, you can create an NRPT rule that specifies all queries for “*.microsoft.com” must be sent to a specific DNS server.

 

If Windows knows that a DNS server provided in an NRPT rule supports DoH (see the next section for how this works), then the traffic affected by the NRPT rule will inherit the benefits of using DoH. This allows admins who want to use DoH for some namespaces and not others to configure that behavior.
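The following is an added example, not code from the original post, showing how an administrator would create an NRPT rule for one namespace and confirm, before creating it, that the resolver it names has a DoH definition in Windows (otherwise the rule would silently route that namespace over plain-text UDP/53). The namespace ".corp.example.com" is a placeholder; the resolver 9.9.9.9 is used only because it is in the built-in list above. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Assumptions: '.corp.example.com'
# is a placeholder namespace; 9.9.9.9 is chosen because Windows ships a DoH
# definition for it. Run elevated.

$Namespace = '.corp.example.com'
$Resolver  = '9.9.9.9'

# An NRPT rule only inherits DoH if Windows already knows the resolver's
# IP-to-template mapping. Refuse to create the rule otherwise.
$doh = Get-DnsClientDohServerAddress -ServerAddress $Resolver -ErrorAction SilentlyContinue
if (-not $doh) {
    throw "No DoH definition for $Resolver; add one with Add-DnsClientDohServerAddress before creating the NRPT rule."
}
if (-not $doh.AutoUpgrade) {
    throw "$Resolver has AutoUpgrade disabled; queries for $Namespace would stay in plain text."
}
if ($doh.AllowFallbackToUdp) {
    Write-Warning "$Resolver allows UDP fallback; queries for $Namespace may go out in plain text if DoH fails."
}

# Replace any existing rule for the same namespace, then create the new one.
Get-DnsClientNrptRule | Where-Object Namespace -eq $Namespace | Remove-DnsClientNrptRule -Force
Add-DnsClientNrptRule -Namespace $Namespace -NameServers $Resolver -Comment 'Encrypted resolver for corp namespace'

# Show the effective policy the DNS client will apply for names in that namespace.
Get-DnsClientNrptPolicy -Namespace $Namespace | Format-List Namespace, NameServers
```

The check on AllowFallbackToUdp is deliberately a warning rather than an error: whether fallback is acceptable for a given namespace is a policy decision, but it should be a visible one.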

 

Knowing a server supports DoH

All these mechanisms rely on Windows already knowing a given DNS server IP address supports DoH. We ship a few definitions of known DoH servers in Windows:

 

Server Owner   Server IP addresses
Cloudflare     1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
Google         8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844
Quad9          9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::fe:9

 

Other definitions need to be added using the netsh command or the DnsClient PowerShell cmdlets. To start with, you can check which DoH server definitions Windows already knows by retrieving them:

 
Using netsh
netsh dns show encryption
Using PowerShell
Get-DnsClientDohServerAddress

 

Then you can add another server definition to the list and ensure it never falls back to plain-text DNS:

 
Using netsh
netsh dns add encryption server=<resolver-IP-address> dohtemplate=<resolver-DoH-template> autoupgrade=yes udpfallback=no
Using PowerShell
Add-DnsClientDohServerAddress -ServerAddress '<resolver-IP-address>' -DohTemplate '<resolver-DoH-template>' -AllowFallbackToUdp $False -AutoUpgrade $True

 

If you prefer to allow fallback so that when encryption fails you can still make DNS queries, you can run the same commands with the fallback flag toggled to add a new server:

 
Using netsh
netsh dns add encryption server=<resolver-IP-address> dohtemplate=<resolver-DoH-template> autoupgrade=yes udpfallback=yes
Using PowerShell
Add-DnsClientDohServerAddress -ServerAddress '<resolver-IP-address>' -DohTemplate '<resolver-DoH-template>' -AllowFallbackToUdp $True -AutoUpgrade $True

 

The `-AutoUpgrade` and `-AllowFallbackToUdp` flags together represent the values present in the Setting app per-server dropdown. If for some reason you want to add these DoH server definitions but leave them to use unencrypted DNS for now, you can set the `-AutoUpgrade` flag to false instead of true as in the examples above.

 

If you want to edit an existing list entry rather than adding a new one, you can use the `Set-DnsClientDohServerAddress` cmdlet in place of the `Add-DnsClientDohServerAddress` cmdlet.
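The following is an added example, not code from the original post, that ties the cmdlets above together: it maps the three Settings-app dropdown states to the two cmdlet flags, registers (or updates) a definition for a resolver, points an adapter at it, and then audits every adapter for DNS servers that could still speak plain-text DNS. The resolver address 203.0.113.53 (a documentation range address), the template https://doh.example.net/dns-query and the adapter name "Ethernet" are placeholders for your own environment. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Assumptions: 203.0.113.53 and
# https://doh.example.net/dns-query stand in for your own resolver and its DoH
# template; 'Ethernet' is an illustrative adapter name. Run elevated.

$ResolverIp  = '203.0.113.53'
$DohTemplate = 'https://doh.example.net/dns-query'
$Adapter     = 'Ethernet'

# The three per-server dropdown states, expressed as the two cmdlet flags.
$Modes = @{
    'EncryptedOnly'      = @{ AutoUpgrade = $true;  AllowFallbackToUdp = $false }
    'EncryptedPreferred' = @{ AutoUpgrade = $true;  AllowFallbackToUdp = $true  }
    'UnencryptedOnly'    = @{ AutoUpgrade = $false; AllowFallbackToUdp = $true  }
}

function Set-DohMode {
    param([string]$ServerAddress, [string]$Template, [string]$Mode)
    $flags = $Modes[$Mode]
    # Add-* fails on a duplicate address, so switch to Set-* for an existing entry.
    if (Get-DnsClientDohServerAddress -ServerAddress $ServerAddress -ErrorAction SilentlyContinue) {
        Set-DnsClientDohServerAddress -ServerAddress $ServerAddress -DohTemplate $Template @flags
    } else {
        Add-DnsClientDohServerAddress -ServerAddress $ServerAddress -DohTemplate $Template @flags
    }
}

# Register the resolver as encrypted-only, then make the adapter use it.
Set-DohMode -ServerAddress $ResolverIp -Template $DohTemplate -Mode 'EncryptedOnly'
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $ResolverIp

# Audit: classify every DNS server configured on every adapter.
$known = @{}
Get-DnsClientDohServerAddress | ForEach-Object { $known[$_.ServerAddress] = $_ }

Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses } | ForEach-Object {
    $alias = $_.InterfaceAlias
    foreach ($ip in $_.ServerAddresses) {
        $def = $known[$ip]
        $state = if (-not $def)                  { 'PLAINTEXT (no DoH definition)' }
                 elseif (-not $def.AutoUpgrade)   { 'PLAINTEXT (AutoUpgrade off)' }
                 elseif ($def.AllowFallbackToUdp) { 'DoH with UDP fallback' }
                 else                             { 'DoH only' }
        [pscustomobject]@{ Adapter = $alias; DnsServer = $ip; State = $state }
    }
} | Format-Table -AutoSize
```

Anything the audit reports as PLAINTEXT is a server the DNS client will query over UDP/53 regardless of the UI dropdown, because the dropdown is only unlocked for addresses that have a definition. Note that Set-DnsClientServerAddress replaces the adapter's server list for the address family you pass, so a DHCP-assigned or IPv6 resolver is worth re-checking in the audit output.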

 

It would be easier for users and administrators if we allowed a DoH server to have its IP address determined by resolving its domain name. However, we have chosen not to allow that. Supporting this would mean that before a DoH connection could be established, we would have to first send a plain-text DNS query to bootstrap it. This means a node on the network path could maliciously modify or block the DoH server name query. Right now, the only way we can avoid this is to have Windows know in advance the mapping between IP addresses and DoH templates.

 

Coming up next

Going forward, we want to be able to directly discover DoH server configuration from the DNS server. This would mean DoH servers could be used without having to include them in Windows or manually configure the IP-address-to-DoH-template mapping. We are currently contributing to two proposals in the IETF ADD WG to enable this: Discovery of Designated Resolvers (DDR) and Discovery of Network-designated Resolvers (DNR). We look forward to updating you with our first tests in supporting DoH discovery!

3 Comments
Occasional Contributor


Looking at the settings screenshot in the article, it doesn't look like it's possible to set a particular DNS-over-HTTPS DNS server system-wide for the entire machine – in order to make sure it always uses a particular encrypted-only DNS-over-HTTPS DNS server regardless of what Ethernet/Wi-Fi networks the machine connects to. If this is the case, it would be better if it had its own separate setting – one setting that is applied everywhere – like how DNS-over-TLS is implemented on Android 9 upwards.

 

The main appeal of DoH/DoT is to ensure control/authenticity over the DNS requests on networks that you do not own or control. For example, if the device is connecting to someone else's Wi-Fi, such as a third-party home network, coffee shop, fast food restaurant, hotel, airport, coach, train station, etc. Or if it is unwittingly connected to a malicious network that's pretending to be a legitimate public Wi-Fi network.

 

Therefore, it would be most effective if there was a single setting to set a DNS-over-HTTPS setting system-wide as the DNS provider for all networks, meaning that the machine will always be using a trusted/secure DNS provider regardless of what networks the machine joins; and not require any user configuration beyond first setting up DoH. This would ensure that whatever the network, the DNS requests from the device aren't being modified by a malicious MITM – either on a deliberately malicious network, or a network where the owner's DNS has been unknowingly hijacked by a malicious individual.

 

 

Occasional Contributor

It is mentioned that there are group policy settings to configure this. Since there is no mention of where to get group policy adm files for Windows 11, could you provide registry settings to make these changes? Previously I tested DoH in Windows by enabling the registry key in Windows 10 builds, however I ended up deleting the key to disable it because it seemed to increase latency when working over my company's RRAS SSTP VPN. I feel like I'm seeing the same slow down now in Windows 11 dev build and I'd like to be able to disable the feature and test to see if latency is improved.

Senior Member

I cannot see DNS over HTTPS in any preview builds for Windows 10 anymore. Is DoH going to be Windows 11 only?

Version history
Last update: Jun 30 2021 08:14 AM