Microsoft has confirmed that it is joining the DNS-over-HTTPS (DoH) party. Following in the wake of Firefox and Chrome, the Redmond giant has said that “supporting encrypted DNS queries in Windows will close one of the last remaining plain-text domain name transmissions in common web traffic.” But it’s so much more important than that. DoH is controversial, a sea change for the way in which internet security works. As Sophos explains, “it looks like game over for the opponents of DoH, predominantly ISPs which have expressed a nest of worries.”
So, what’s this all about? Basically, it’s closing the loophole of website requests being sent across the internet in plain text, where they are open to interception, putting users at risk. This plain-text naming system has driven exponential web growth by making the web easy to use. But that ease of use means that spoofing website names or intercepting and manipulating traffic is also easy. With so much of what we now do online being encrypted, this has become an anachronism. The way in which we look up websites can be encrypted as well. This is DNS over HTTPS (DoH): it bypasses the local DNS nameservers and sends encrypted lookups to a central resolver instead.
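As an added illustration of the mechanism described above (example code, not from the article, Microsoft or any browser vendor): the DNS message itself does not change; DoH, per RFC 8484, carries the same wire-format query inside an HTTPS request, so the hostname leaves the clear-text UDP/53 datagram an ISP can read and travels inside TLS on port 443. The hostname and resolver endpoint below are constructed placeholders.

```python
import base64
import struct

# Constructed sample values (assumptions, not from the article).
SAMPLE_NAME = "example.com"
DOH_ENDPOINT = "https://doh.example.invalid/dns-query"  # hypothetical resolver


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Build an RFC 1035 wire-format query: 12-byte header, then QNAME/QTYPE/QCLASS.
    RFC 8484 recommends ID 0 so identical queries are cache-friendly over HTTPS."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id=0, RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def plaintext_labels_visible(wire_query: bytes, name: str) -> bool:
    """What a passive observer of classic UDP/53 DNS sees: every label of the
    hostname is present verbatim in the datagram, because nothing is encrypted."""
    return all(label.encode("ascii") in wire_query for label in name.split("."))


def doh_get_url(endpoint: str, wire_query: bytes) -> str:
    """RFC 8484 GET form: the wire-format message, base64url-encoded with the
    '=' padding removed, goes in the 'dns' query parameter of an HTTPS request."""
    encoded = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def decode_dns_param(param: str) -> bytes:
    """Resolver side: restore the stripped padding before decoding the message."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def compare_transports(name: str) -> dict:
    """Same query bytes, two transports: clear-text datagram vs. HTTPS request."""
    q = build_dns_query(name)
    return {
        "udp53_datagram": q,                                    # readable by any hop
        "hostname_in_clear": plaintext_labels_visible(q, name),
        "doh_request": f"GET {doh_get_url(DOH_ENDPOINT, q)}",  # inside TLS to :443
        "doh_content_type": "application/dns-message",
    }


if __name__ == "__main__":
    for k, v in compare_transports(SAMPLE_NAME).items():
        print(k, v)
```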
“Providing encrypted DNS support without breaking existing Windows device admin configuration won’t be easy,” Microsoft acknowledges. “However, we believe we have to treat privacy as a human right—we have to have end-to-end cybersecurity built into technology.” But, in doing so, Microsoft wants to set the bar high. “Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier.”
So, what does Microsoft mean by that last point? Right now, the unencrypted DNS system is decentralised by default: multiple copies of the same name records are held in many distributed locations. Shifting to an encrypted system risks concentrating user data with a handful of browsers and apps (each of which can, in theory, run its own DoH resolver). Microsoft argues that universal adoption, including Windows integration, will push for a decentralised alternative instead.
This concentration risk is controversial. So is the bypassing of local ISPs, which will no longer be able to read the website addresses you send. U.K. communications giant BT has warned that DoH reduces the ability to derive cybersecurity intelligence from malware activity and DNS insight, opens new attack opportunities to hackers, and prevents government-mandated regulation or court orders from being executed.
And that’s not the only issue. Currently, ISPs and carriers can block content and websites where those sites and content might be seen as a danger. This includes child protection technologies, security restrictions for drugs, terrorism, trafficking. And, for the same reason, local law enforcement cannot intercept web traffic as the encrypted addresses bypass the local infrastructure and head directly to a core DNS.
Google came under fire from U.S. lawmakers for its own DoH plans in Chrome, with a fear that it was anti-competitive, would favour Google at the expense of ISPs and wireless carriers, and would provide the world’s largest data miner with even more data. A letter to lawmakers from a number of ISPs warned that with the dominance of Chrome and Android, “Google could become the overwhelmingly predominant DNS lookup provider—inhibiting competitors and possibly foreclosing competition in advertising and other industries.”
Mozilla also saw criticism over its own plans for Firefox. It assured users that “after many experiments—we feel confident that enabling DoH by default is the right next step.” But that didn’t stop a U.K. ISP trade body awarding the company an “Internet Villain of the Year Award,” cautioning that “bringing in DoH by default would be harmful for online safety, cyber security and consumer choice.”
Microsoft appears to acknowledge this, and has said that it will leave control in the hands of its users and will not mandate new settings. “Today,” the company says, “users and admins decide what DNS server to use by picking the network they join or specifying the server directly; this milestone won’t change anything about that.” That said, this is broadly the same as the other tech giants—all have said that settings will be changeable, DoH will be optional.
The issue, of course, is that with the setting promoted as a secure standard, most users will leave it as is. But the flexibility from Microsoft is welcome. “Many people use ISP or public DNS content filtering to do things like block offensive websites,” Microsoft says. “Silently changing the DNS servers trusted to do Windows resolutions could inadvertently bypass these controls and frustrate our users. We believe device administrators have the right to control where their DNS traffic goes.” Microsoft has also assured that it will move slowly, checking progress as it goes and being prepared to roll back if the change has unintended consequences.
As for the timing of the change, “with encrypted DNS gaining more attention, we felt it was important to make our intentions clear as early as possible,” Microsoft says, “we don’t want our customers wondering if their trusted platform will adopt modern privacy standards or not.” Or, as Sophos puts it, “the shift to a more private online world appears to be underway whether its opponents like it or not. The battle now is to be on the inside of this change or risk being locked out forever.”