Microsoft joins encrypted DNS club with Windows 10 option
Microsoft is the latest browser vendor to join the encrypted DNS club by supporting DNS over HTTPS in Windows 10. In Build 19628 and higher, you’ll be able to encrypt your DNS traffic to prevent your geeky flatmate, that hoodie-wearing person in your local coffee shop, and possibly your ISP from snooping on your browsing destinations.
We’ve explained encrypted DNS before, but briefly, it encrypts DNS queries between your computer and the DNS resolver (which does the DNS lookup for you) so those in between can’t see which websites or other URLs you’re asking for. There are two types. One is DNS over TLS (DoT), which is tricky to implement on many networks. The other, which more networks are likely to play nicely with, is DNS over HTTPS (DoH). The latter is the version that Microsoft is using.
Encrypted DNS is better in some ways than the existing DNS, which operates in plain text, but as some Naked Security readers have pointed out, it still has some gotchas.
First, your DNS resolver has to support the technology. Second, that company can still see all your traffic, so you still have to trust someone who can see where you’re surfing to respect your privacy. Third, it stops any local cybersecurity tools from inspecting your DNS traffic to filter out malicious URLs. Your DoH-enabled DNS resolver might well have its own filtering, but that means you’re trusting it with just about everything, and makes it difficult to introduce multi-layered DNS filtering protection. It also stops the authorities from censoring certain sites or snooping on your traffic, which is a divisive issue.
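To make the DoH description and the second gotcha concrete, here is an added example (not from the original article or from Microsoft) that builds a DoH GET request as defined in RFC 8484 and then decodes it the way the resolver does once TLS is terminated. The resolver URL https://doh.example/dns-query is a constructed placeholder, and the function names are hypothetical.

```python
import base64
import struct


def build_query(hostname: str, qtype: int = 1) -> bytes:
    """Encode one DNS question in RFC 1035 wire format (qtype 1 = A record)."""
    # Header: ID 0 (RFC 8484 suggests 0 so HTTP caches can match requests),
    # flags 0x0100 (recursion desired), one question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")  # IDNs must already be in punycode form
        if not 0 < len(raw) <= 63:
            raise ValueError("each label must be 1..63 bytes")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """Wrap the wire-format query in an RFC 8484 GET URL (base64url, no padding)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def resolver_view(url: str) -> str:
    """Recover the queried hostname from the URL, as the DoH resolver can."""
    b64 = url.split("?dns=", 1)[1]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    pos, labels = 12, []  # the question name starts after the 12-byte header
    while msg[pos]:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += length + 1
    return ".".join(labels)


if __name__ == "__main__":
    # Constructed sample: placeholder resolver URL and hostname.
    url = doh_get_url("https://doh.example/dns-query", build_query("www.example.com"))
    print("sent inside the HTTPS session:", url)
    print("hostname visible to the resolver:", resolver_view(url))
```

An on-path observer sees only a TLS connection to the resolver, while the resolver itself recovers every hostname, which is why the choice of DoH provider carries the trust described above.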