DNS-over-HTTPS is a privacy feature in Windows 11 that allows users to evade censorship and Internet activity by doing encrypted DNS lookups. Your computer must first query a domain name system (DNS) server for the IP address associated with the hostname before connecting to a website or other host on the Internet.
The method aims to improve user privacy and security by avoiding eavesdropping and DNS data modification by man-in-the-middle attacks by encrypting data between the DoH client and the DoH-based DNS resolver using the HTTPS protocol. Google and the Mozilla Foundation began testing DNS over HTTPS versions in March 2018. For users in the United States, Firefox switched to DNS over HTTPS by default in February 2020.
The IETF published RFC 8484 (October 2018) as a proposed standard for DoH. It leverages HTTP/2 and HTTPS, and it accepts wire format DNS response data in an HTTPS payload with the MIME type application/dns-message, as returned in existing UDP responses. If HTTP/2 is implemented, the server may also communicate items that it predicts the client will find valuable in advance via HTTP/2 server push.
As some governments and ISPs prohibit access to websites by monitoring a user's DNS traffic, DoH will help users to avoid censorship, reduce spoofing attacks, and increase privacy because their DNS requests will be more difficult to track. Microsoft has re-enabled the DoH capability in Windows 11, and users who are currently utilizing DNS servers from Cloudflare, Google, or Quad9 can begin testing it again.
It would be preferable if the DoH server for a configured DNS server could be identified automatically, according to Microsoft, however, this would pose a privacy concern. "It would be easier for users and administrators if we allowed a DoH server to have its IP address determined by resolving its domain name. However, we have chosen not to allow that. Supporting this would mean that before a DoH connection could be established, we would have to first send a plain-text DNS query to bootstrap it," says Tommy Jensen, a Program Manager on the Windows Core Networking team, in a new blog post.
"This means a node on the network path could maliciously modify or block the DoH server name query. Right now, the only way we can avoid this is to have Windows know in advance the mapping between IP addresses and DoH templates." Using Discovery of Designated Resolvers (DDR) and Discovery of Network-designated Resolvers (DNR), which Microsoft has submitted to the IETF ADD WG, Microsoft aims to learn about new DoH server configurations from a DNS server in the future.
