DNS over HTTPS (DoH)
On 17 November 2019, in the post Windows will improve user privacy with DNS over HTTPS, Microsoft announced that it would support the DNS over HTTPS (DoH) functionality described in RFC 8484.
A few months later, on 13 May 2020, the post Windows Insiders can now test DNS over HTTPS announced that the feature is now available in Windows 10 through the Windows Insider Program, specifically via the Fast ring, which delivers the latest Insider Preview builds.
DoH is available in Windows 10 build 19628 or later (the build can be checked via Settings app -> System -> About).
As stated in Windows Insiders can now test DNS over HTTPS, the DoH feature can currently be enabled through a registry key, but once the feature reaches general release builds, configuring it through the registry will no longer be supported:
Once you know your Windows install has our DoH client, we need to activate it. You can do that by:
- Opening the Registry Editor
- Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry key
- Create a new DWORD value named “EnableAutoDoh”
- Set its value to 2
Please note: the registry keys and values described here are only for enabling DoH client testing on Insider builds. When the DoH client is made available in general release builds, registry configuration of DoH will not be supported.
Windows Insiders can now test DNS over HTTPS also lists the public DNS resolvers that currently support DoH; they are shown below, with OpenDNS added to the list:
Server | IPv4 address | IPv6 address | Support link
--- | --- | --- | ---
Cloudflare | 1.1.1.1, 1.0.0.1 | 2606:4700:4700::1111, 2606:4700:4700::1001 | DNS over HTTPS
Google | 8.8.8.8, 8.8.4.4 | 2001:4860:4860::8888, 2001:4860:4860::8844 | DNS-over-HTTPS (DoH)
Quad9 | 9.9.9.9, 149.112.112.112 | 2620:fe::fe, 2620:fe::fe:9 | DoH with Quad9 DNS Servers
OpenDNS Standard DNS | 208.67.222.222, 208.67.220.220 | 2620:119:35::35, 2620:119:53::53 | Using DNS over HTTPS (DoH) with OpenDNS
OpenDNS FamilyShield | 208.67.222.123, 208.67.220.123 | 2620:119:35::123, 2620:119:53::123 | Using DNS over HTTPS (DoH) with OpenDNS
After configuring the system to use one or more of the servers above as its public DNS, you can use PacketMon, a network traffic analyzer included in Windows, to check whether DNS queries are actually being sent over DoH, following the procedure given in Windows Insiders can now test DNS over HTTPS:
Start by opening a new Command Prompt or PowerShell window. Run the following command to reset any network traffic filters PacketMon may already have in place.
pktmon filter remove
Run the following command to add a traffic filter for port 53, the port classic DNS uses (and which should now be silent since we’re only using DoH).
pktmon filter add -p 53
Run the following command to start a real-time logging of traffic. All port 53 packets will be printed to the command line. If your device is only configured with DoH servers, this should show little to no traffic.
pktmon start --etw -m real-time
If you’re trying to test a DoH server that isn’t already on our auto-promotion list, such as your ISP’s DoH servers, you can add it to our list manually using the command line. First, identify the IP address and the DoH URI template for the server you want to add. Then, run the following command as an administrator:
netsh dns add encryption server=<your-server’s-IP-address> dohtemplate=<your-server’s-DoH-URI-template>
You can verify the template was applied to the well-known DoH server list by running this command, which should show you the template being used for a given IP address:
netsh dns show encryption server=<your-server’s-IP-address>
Now when Windows is configured to use that IP address as a DNS server, it will use DoH instead of classic DNS.
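The steps above (build check, registry switch, resolver selection, verification with netsh and PacketMon) collected into a single elevated PowerShell script. This is an added example, not a script from the Microsoft post: it assumes an Insider build with the DoH client, an adapter whose interface alias is "Ethernet" (a hypothetical name to adjust to your own) and Cloudflare's resolvers from the table above; the build threshold and registry path are the ones the post gives.

```powershell
# Added example (not from the Microsoft post): enable the Insider DoH client,
# point an adapter at a DoH-capable resolver from the table above, and verify
# with netsh and pktmon. Assumes an elevated PowerShell on an Insider build and
# an adapter named "Ethernet" (hypothetical alias; change it to match your system).
#Requires -RunAsAdministrator

$MinBuild = 19628
$DohKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$Adapter  = 'Ethernet'                 # assumption: your interface alias
$Servers  = @('1.1.1.1', '1.0.0.1')    # Cloudflare, from the table above

# 1. Refuse to touch the registry on a build that predates the DoH client.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
if ($build -lt $MinBuild) {
    throw "Build $build is older than $MinBuild; the DoH client is not present."
}

# 2. Create or update the EnableAutoDoh DWORD with value 2 (Insider-only switch;
#    the post warns this registry setting will not be supported in general release builds).
New-ItemProperty -Path $DohKey -Name 'EnableAutoDoh' -PropertyType DWord -Value 2 -Force | Out-Null

# 3. Confirm each resolver IP is on the well-known DoH server list, so Windows will
#    auto-upgrade it to DoH instead of silently falling back to classic port 53 DNS.
foreach ($ip in $Servers) {
    $entry = netsh dns show encryption server=$ip
    if (-not ($entry -match 'https://')) {
        Write-Warning "$ip has no DoH template registered; classic DNS would be used."
    }
}

# 4. Point the adapter at those resolvers and drop cached answers so new queries are issued.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $Servers
Clear-DnsClientCache
# If queries still leave in clear text after this, reboot so Dnscache re-reads the value.

# 5. Watch for plaintext DNS: with DoH working, port 53 should stay almost silent.
pktmon filter remove | Out-Null
pktmon filter add -p 53 | Out-Null
Write-Host 'Capturing port 53 traffic; resolve a name in another window, then press Ctrl+C.'
pktmon start --etw -m real-time
```

Run it from an elevated PowerShell window; the final pktmon command blocks and prints any port 53 packet it sees, so a few stray packets during the capture are the signal that some query is not going over DoH.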