Microsoft announced that it's working on adding support for the privacy-focused DNS over HTTPS (DoH) protocol in a future Windows 10 release, while also keeping the addition of DNS over TLS (DoT) on the table.

DoH is designed to allow DNS resolution over encrypted HTTPS connections, while DoT encrypts and wraps DNS queries via the Transport Layer Security (TLS) protocol instead of using plain text DNS lookups.

By adding DoH to the Windows 10 Core Networking, Microsoft wants to boost its customers' security and privacy on the Internet by encrypting all the DNS queries they make and thus removing the plain-text domain names normally appearing in unsecured web traffic.

"There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn’t universal," Microsoft said.

"To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS."

Microsoft DoH adoption principles

Redmond is currently prioritizing the adoption of DoH in Windows 10 since it considers it the choice that will "provide immediate value to everyone," while it will also make it possible for the company to make use of already existing HTTPS infrastructure for faster DNS encryption rollout.

"As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we’re open to having other options such as DNS over TLS (DoT) in the future," Microsoft added.

The company also highlighted the following principles it used to decide exactly what DNS encryption protocol support to built within Windows 10 as well as the way to configure it:

• Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user’s browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.

• Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.

• Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.

• Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.

The first milestone

As part of the first step to implementing DoH in Windows 10, Microsoft will automatically encrypt DNS queries for users if the DNS resolvers they use come with support for encryption over HTTPS.

However, Redmond also says that it will not change the DNS servers on any Windows 10 devices, leaving it to the users and the device or enterprise administrators to choose the DNS servers they want to use to resolve their DNS queries.

"Many people use ISP or public DNS content filtering to do things like block offensive websites," Microsoft says while listing the benefits behind their chosen pathway to implementing Windows 10 DoH support.

"Silently changing the DNS servers trusted to do Windows resolutions could inadvertently bypass these controls and frustrate our users. We believe device administrators have the right to control where their DNS traffic goes."

They list the following advantages users and admins will get after the initial DoH support milestone is reached:

• We will not be making any changes to which DNS server Windows was configured to use by the user or network. Today, users and admins decide what DNS server to use by picking the network they join or specifying the server directly; this milestone won’t change anything about that.

• Many users and applications that want privacy will start getting the benefits without having to know about DNS. In line with principle 1, the DNS queries become more private with no action from either apps or users. When both endpoints support encryption, there’s no reason to wait around for permission to use encryption!

• We can start seeing the challenges in enforcing the line on preferring resolution failure to unencrypted fallback. In line with principle 4, this DoH use will be enforced so that a server confirmed by Windows to support DoH will not be consulted via classic DNS. If this preference for privacy over functionality causes any disruption in common web scenarios, we’ll find out early.

As part of future milestones, Windows 10 users and admins will also be able to set up DoH servers explicitly using a dedicated interface within the Windows DNS settings.

"Why announce our intentions in advance of DoH being available to Windows Insiders? With encrypted DNS gaining more attention, we felt it was important to make our intentions clear as early as possible," Microsoft concluded.

"We don’t want our customers wondering if their trusted platform will adopt modern privacy standards or not."