Microsoft has put its weight behind the DNS-over-HTTPS (DoH) security protocol, greatly increasing the likelihood of it becoming a default internet standard.
In a post published Sunday on its networking blog, Microsoft engineers confirmed plans to adopt DoH as a default, explaining that it would “close one of the last remaining plain-text domain name transmissions in common web traffic.”
The DoH protocol encrypts requests from people’s browsers and as such prevents - or, more accurately, greatly limits - malicious actors ability to hijack, read and redirect people’s browser traffic. However, it has fallen foul of other internet companies - particularly ISPs - who will no longer be able to see their own customers’ traffic.
ISPs complain that they use the ability to see DNS queries to counter and filter content and have warned that DoH would end up centralizing the vast data pile that global browsing produces, which could potentially be worth huge sums of money, especially to a company like Google whose entire business model works on compiling data.
In its post, Microsoft acknowledges but dismisses this criticism. “We believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier,” it notes, adding: “There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn’t universal.”
Keeping it in house
Although Google has implied it will use its own DoH service - which will route Chrome traffic through its own servers - Mozilla has said it will open up its Firefox DoH provider to any company that promises not to sell the data and to delete it after 24 hours.
Microsoft is implying that it will adopt the Mozilla model, particularly when it notes that it “will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.”
But it hasn’t committed to being equitable and there is clear value to Microsoft having its own DoH service as a default. The blog post also acknowledges another issue with DoH: its complexity and likelihood or interfering with existing applications and network setups.
“Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that ‘we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology’."
It notes that it also needs to keep the process simple noting that “Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS.”
Microsoft acknowledges that it is going to be difficult to introduce DoH in a way that is simple for users and that it may take a while before it can make the system available to the ordinary Windows user.
But Redmond said that it “felt it was important to make our intentions clear as early as possible. We don’t want our customers wondering if their trusted platform will adopt modern privacy standards or not.”
Despite apparently going all-in on DoH, the blog stresses that it is also going to adopt the other main DNS encryption protocol - DNS over TLS (DoT) that ISPs prefer because it gives them continued access to unencrypted DNS traffic.
“As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we’re open to having other options such as DNS over TLS (DoT) in the future. For now, we're prioritizing DoH support as the most likely to provide immediate value to everyone. For example, DoH allows us to reuse our existing HTTPS infrastructure.”
The decision effectively makes DoH an internet default - something that is unlikely to please the UK’s ISPA which named Mozilla an “internet villain” for its support of DoH, or the US cable industry which, somewhat wildly, insisted the DoH would break the internet. Which is nonsense. ®
Want This Type Of Article Delivered To Your Inbox? Subscribe To Our tech Newsletter. Enter Your Email Address Below: