DNS over HTTPS (DoH)

On 17 November 2019, in the post Windows will improve user privacy with DNS over HTTPS, Microsoft announced that it would support the DNS over HTTPS (DoH) feature described in RFC 8484.

A few months later, on 13 May 2020, the post Windows Insiders can now test DNS over HTTPS announced that the feature is now available in Windows 10 through the Windows Insider Program, specifically through the Fast ring, which delivers the latest Insider Preview builds.

The DoH feature is available in Windows 10 build 19628 or later (the build can be checked via Settings app -> System -> About).

As stated in Windows Insiders can now test DNS over HTTPS, the DoH feature can currently be enabled through a registry key, but once the feature ships in general release builds, configuration through the registry will no longer be supported:

Once you know your Windows install has our DoH client, we need to activate it. You can do that by:

  • Opening the Registry Editor
  • Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry key
  • Create a new DWORD value named “EnableAutoDoh”
  • Set its value to 2

Please note: the registry keys and values described here are only for enabling DoH client testing on Insider builds. When the DoH client is made available in general release builds, registry configuration of DoH will not be supported.

Windows Insiders can now test DNS over HTTPS also lists the public DNS servers that currently support DoH; they are reproduced below, with OpenDNS added to the list:

| Server               | IPv4 addresses                  | IPv6 addresses                              | Support link                            |
|----------------------|---------------------------------|---------------------------------------------|-----------------------------------------|
| Cloudflare           | 1.1.1.1, 1.0.0.1                | 2606:4700:4700::1111, 2606:4700:4700::1001  | DNS over HTTPS                          |
| Google               | 8.8.8.8, 8.8.4.4                | 2001:4860:4860::8888, 2001:4860:4860::8844  | DNS-over-HTTPS (DoH)                    |
| Quad9                | 9.9.9.9, 149.112.112.112        | 2620:fe::fe, 2620:fe::fe:9                  | DoH with Quad9 DNS Servers              |
| OpenDNS Standard DNS | 208.67.222.222, 208.67.220.220  | 2620:119:35::35, 2620:119:53::53            | Using DNS over HTTPS (DoH) with OpenDNS |
| OpenDNS FamilyShield | 208.67.222.123, 208.67.220.123  | 2620:119:35::123, 2620:119:53::123          | Using DNS over HTTPS (DoH) with OpenDNS |

After configuring the system to use one or more of the servers above as its public DNS, you can use PacketMon, a network traffic analyzer included in Windows, to check whether DNS queries are actually being sent over DoH, following the procedure given in Windows Insiders can now test DNS over HTTPS:

Start by opening a new Command Prompt or PowerShell window. Run the following command to reset any network traffic filters PacketMon may already have in place.

pktmon filter remove

Run the following command to add a traffic filter for port 53, the port classic DNS uses (and which should now be silent since we’re only using DoH).

pktmon filter add -p 53

Run the following command to start a real-time logging of traffic. All port 53 packets will be printed to the command line. If your device is only configured with DoH servers, this should show little to no traffic.

pktmon start --etw -m real-time

If you’re trying to test a DoH server that isn’t already on our auto-promotion list, such as your ISP’s DoH servers, you can add it to our list manually using the command line. First, identify the IP address and the DoH URI template for the server you want to add. Then, run the following command as an administrator:

netsh dns add encryption server=<your-server's-IP-address> dohtemplate=<your-server's-DoH-URI-template>

You can verify the template was applied to the well-known DoH server list by running this command, which should show you the template being used for a given IP address:

netsh dns show encryption server=<your-server's-IP-address>

Now when Windows is configured to use that IP address as a DNS server, it will use DoH instead of classic DNS.
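The whole procedure above (enable the Insider DoH client in the registry, point an adapter at resolvers from the table, confirm the DoH template with netsh, then watch port 53 with PacketMon) collected into one PowerShell script. This is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell on an Insider build, an interface alias of "Ethernet", and Cloudflare's resolvers as the chosen servers.

```powershell
# Added example: enable and verify the Insider-build DoH client in one go.
# Assumptions: run as Administrator on build 19628 or later; the adapter alias
# "Ethernet" and the choice of Cloudflare's resolvers are this example's own.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

# EnableAutoDoh = 2 is the Insider-only switch quoted above; -Force overwrites
# an existing value so the script is safe to re-run.
New-ItemProperty -Path $params -Name 'EnableAutoDoh' -PropertyType DWord `
    -Value 2 -Force | Out-Null

# Resolvers taken from the table above (Cloudflare IPv4). Any server on the
# auto-promotion list is upgraded to DoH once the client is enabled.
$adapter = 'Ethernet'                # assumption: adjust to your interface alias
$servers = '1.1.1.1', '1.0.0.1'      # Cloudflare IPv4, from the table above
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses $servers

# Assumption: reboot after the registry change before trusting the checks below.

# Show the DoH template Windows will use for each configured server
# (the "netsh dns show encryption" command quoted above).
foreach ($s in $servers) {
    Write-Host "DoH template for $s:"
    netsh dns show encryption server=$s
}

# Verification with PacketMon: reset filters, filter on classic DNS (port 53),
# then log in real time. With DoH in use this should stay (almost) silent;
# press Ctrl+C to stop. Any steady stream of port-53 packets means some
# queries are still going out in clear text.
pktmon filter remove | Out-Null
pktmon filter add -p 53 | Out-Null
pktmon start --etw -m real-time
```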