Microsoft is planning to adopt domain name system queries over the encrypted hypertext transfer protocol (DNS over HTTPS, or DoH) in the Windows 10 resolver, to boost end-to-end security and privacy for users.
Windows Core Networking engineers Tommy Jensen, Ivan Pasho and Gabriel Montenegro said DoH in Windows "will close one of the last remaining plain-text domain name transmissions in common web traffic."
The trio warned that support for encrypted DNS queries won't be easy to provide without breaking existing Windows device admin configuration; however, Microsoft stated it believes it has to treat privacy as a human right, and has to have end-to-end cybersecurity built into its products.
DoH is not a fully-baked Internet Engineering Task Force standard yet, and has been met with protests from internet providers, security vendors and enterprise admins who say the encrypted queries will make filtering of undesirable content impossible, and lead to the distributed DNS becoming centralised.
However, Microsoft says widely adopted encrypted DNS will ensure it won't need to be centralised, and instead make the overall internet ecosystem healthier.
In the United States, Mozilla already offers DoH in its Firefox web browser, with Cloudflare as the DNS provider.
Other providers who agree to a legally binding resolver policy that strictly limits their data use and retention are able to join the list.
Firefox also offers a workaround for ISPs that provide DNS filtering and blocking for parental controls.
Users can disable DoH in Firefox to handle situations such as enterprise split-horizon DNS, where a domain resolves differently depending on where the query originates.
Google is also experimenting with DoH for Chrome as of version 78, released in September-October this year.
While Microsoft is focusing on DoH currently, it is also open to having other options such as DNS over transport layer security (DoT) in the future.
For now, DoH allows Microsoft to reuse its existing HTTPS infrastructure and provide immediate value for everyone.
DNS guru Paul Vixie is no fan of DoH, calling it "an over the top bypass of enterprise and other private networks".
Vixie believes DNS is part of the network control plane and that operators must be able to monitor and filter that traffic. Therefore, people should use DoT and never DoH, Vixie said.