DNS over HTTPS (DoH) is a security feature that safeguards the authenticity of DNS servers and hides requests from prying eyes. Microsoft long ago announced support for DoH in Windows, and in the current previews, it can finally be configured via GUI or GPO.

Preferred use cases for DoH are external (wireless) networks into which mobile users have logged in. There, they could become victims of a manipulated DNS server or a man-in-the-middle attack if DNS requests are transmitted in plain text.

To date, this technology is mainly supported by cloud providers such as Google or Cloudflare; Windows Server does not offer it natively. However, for private use, there are open-source implementations, such as DNSProxy or lambDoH.

If you want to play around with DoH in PowerShell, then the following simple HTTP-Get call uses the JSON-API:

DoH support in web browsers ^

The current versions of all major browsers already support DoH. With most of them, you select a public service from providers such as Google or NextDNS from a predefined list. Alternatively, you can enter the IP of another service that offers DNS over HTTPS.

In Microsoft Edge DoH can be configured independently of the operating system

In Microsoft Edge DoH can be configured independently of the operating system

The browser then uses its own integrated DNS client to resolve the addresses. This can be configured in Chromium-based programs via group policies so that they even use a different DNS server than the one set in the OS, if necessary.

While Chrome does not currently support DoH if the computer is a member of an AD domain, Edge offers its own settings in the group policies to control the use of DNS over HTTPS and to define DoH URI templates.

Configuring DNS over HTTPS for Microsoft Edge via Group Policy

Configuring DNS over HTTPS for Microsoft Edge via Group Policy

DoH support in the operating system ^

In many cases, however, it would be preferable to use DoH at the operating system level. On the one hand, all applications would then benefit from it; on the other hand, the DNS servers could be configured in one place.

Microsoft is now getting closer to this goal in the previews for Windows 10 21H2 and Windows 11. While this feature still had to be activated by setting registry keys in the early previews, a corresponding option is now available in the Settings app.

Option to configure DoH in the Windows 11 settings app

Option to configure DoH in the Windows 11 settings app

It can be found under Network and internet if you edit the Ethernet or WiFi settings there. You have to switch from DHCP to Manual and explicitly set the DNS server. In this case, Windows allows you to select an option for DNS encryption if the server supports this feature.

Registering the DNS server with DoH support ^

The operating system does not currently detect on its own whether a DNS server supports DoH. Therefore, you have to teach the OS which DNS servers are available for such a connection and under which URL they can be reached.

Microsoft has predefined some of these in the system; they can be queried with

List of predefined DoH compatible DNS servers and the URLs under which they can be reached

List of predefined DoH compatible DNS servers and the URLs under which they can be reached

To add your own DoH services, use the cmdlet

Existing entries can be changed with Set-DnsClientDohServerAddress. In addition, netsh.exe can maintain the list of DNS servers for DoH with new parameters.

New parameters for netsh.exe for configuring DoH

New parameters for netsh.exe for configuring DoH

In the future, this manual configuration of the DoH templates will not be necessary if clients can inquire on their own whether a server supports DNS over HTTPS. Microsoft is submitting a corresponding proposal to the IETF for standardization.

Controlling DoH via group policies ^

For the central administration of DoH, the current previews of Windows 10 and 11 already contain a setting for group policies. It can be found under Computer Configuration > Policies > Administrative Templates > Network > DNS Client and is called Configure DNS over HTTPS (DoH) name resolution.

Group policy for the central configuration of DNS over HTTPS

Group policy for the central configuration of DNS over HTTPS

Here, you can either force DoH for all requests or disallow it in general. In most cases, the option Allow DoH is probably the most suitable because it allows a fallback to an unencrypted request if the server does not support DoH.

Conclusion ^

After some delay, Microsoft is now getting serious about supporting DNS over HTTPS in the operating system. There, it will be available to all applications, and in the medium term, the separate DoH support of web browsers should also become unnecessary. In managed environments, this feature can be controlled via group policies.

Subscribe to 4sysops newsletter!

DoH certainly offers the greatest benefit for users who work outside the secured corporate network, for example, when they connect to a public WiFi.

0
0 Comments

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account