In a post yesterday to the Microsoft Tech Community blog, Microsoft Windows Core Networking team members Tommy Jensen, Ivan Pashov, and Gabriel Montenegro announced that Microsoft is planning to adopt support for encrypted Domain Name System queries in order to “close one of the last remaining plain-text domain name transmissions in common web traffic.”
That support will first take the form of integration with DNS over HTTPS (DoH), a standard proposed by the Internet Engineering Task Force and supported by Mozilla, Google, and Cloudflare, among others. “As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we’re open to having other options such as DNS over TLS (DoT) in the future,” wrote Jensen, Pashov, and Montenegro. “For now, we’re prioritizing DoH support as the most likely to provide immediate value to everyone. For example, DoH allows us to reuse our existing HTTPS infrastructure.”
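To make the "reuse our existing HTTPS infrastructure" point concrete, the following is an added example (not code from the article, from Microsoft, or from any of the projects it names) showing what a DoH exchange actually carries: an ordinary RFC 1035 DNS wire message placed in an HTTPS request per RFC 8484, either base64url-encoded in a GET query parameter or sent raw as a POST body with media type application/dns-message. The resolver URL, the reply, and the address 93.184.216.34 are constructed placeholders; nothing here touches the network.

```python
import base64
import struct

# DoH (RFC 8484) carries an ordinary DNS wire-format message (RFC 1035)
# as the body of an HTTPS request or response with media type
# application/dns-message. Nothing below touches the network: the request
# is only built and encoded, and the answer is a constructed sample.

DNS_MEDIA_TYPE = "application/dns-message"
TYPE_A = 1
CLASS_IN = 1
# Hypothetical resolver endpoint (placeholder, not taken from the article).
RESOLVER_URL = "https://resolver.example/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Build a recursion-desired query. RFC 8484 recommends ID 0 so that
    identical questions produce identical HTTP requests (cache friendly)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: the message goes in ?dns= as base64url without '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(msg: bytes):
    """Return [(name, ttl, dotted_ipv4)] for A records in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                    # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def build_sample_response(query: bytes, ip: str, ttl: int) -> bytes:
    """Constructed resolver reply: echo the question and add one A record whose
    owner name is a compression pointer (0xC00C) back to the question name."""
    qid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", qid, 0x8180, qd, 1, 0, 0)
    rdata = bytes(int(p) for p in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET", doh_get_url(RESOLVER_URL, q))
    print("POST body (hex):", q.hex(), "with Content-Type", DNS_MEDIA_TYPE)
    # Sample address is constructed for the demo, not a real lookup result.
    print(parse_a_records(build_sample_response(q, "93.184.216.34", 300)))
```

The point for a network operator is that the DNS message itself is unchanged; what changes is the transport. On the wire a DoH lookup is indistinguishable from any other HTTPS request to the resolver's host, which is exactly why it blends into existing HTTPS infrastructure and why port-based or plaintext-DNS-based filtering no longer sees it.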
But Microsoft is being careful about how it deploys this compatibility given the current political fight over DoH being waged by Internet service providers concerned that they’ll lose a lucrative source of customer behavior data.
This clearly isn’t the sexiest of subjects, but there’s an important tug of war happening here between ISPs and privacy advocates.
I’ve got no issue with encrypted DNS initiatives, but I’m really not a fan of HTTP(S) becoming the new TCP which everything else needs to be funneled through. Direct TCP/IP connections are already becoming problematic due to the increasing use of IPv4 address translation and firewalls that ban ports. These are creating evolutionary pressure to build everything on top of HTTP and disregard the rest of TCP/IP. Browser makers are ok with this because it forces everything on the internet to revolve around browser technology. If we step back I’m not so sure it’s a good idea for the internet, technologically speaking. Websockets are a prime example of how basic TCP socket technology is being replaced by a convoluted HTTP-based protocol adding lots of overhead and complexity. The result is more complex socket handling and reliance on additional HTTPification daemons. The way things are going, HTTP/HTTPS may as well become kernel-space primitives alongside TCP to eliminate the overhead of routing everything through a user-space HTTP gateway.
Since everything will be running over HTTP, a new version of iptables is needed for HTTP, called “httptables”… this is only half funny, because you know it’s only a matter of time.
Not just between privacy advocates and ISPs. I have kids in the house and I like to control which services are available at different times. So if it’s time for homework I can block netflix and youtube. However, with DNS over HTTPS it’s MUCH harder to block a service. After all, numerous web services use one of the large clouds, so you can’t easily block by IP address.