When your web browser accesses a website, it needs to first translate the friendly URL (ex. stealthbits.com) to the public IP address of the server that hosts that website. This is known as a “DNS lookup”, and traditional DNS is unencrypted (unlike modern HTTPS web traffic that’s almost entirely secured via HTTPS these days).
Since HTTPS encrypts your communications with websites once you’ve established a connection, you may be wondering why it matters that DNS, the initial lookup of the website, remains unencrypted. With unencrypted DNS, attackers on the same network as you can view which websites you’re browsing and potentially re-route your DNS lookups to malicious websites and phishing scams.
To prevent this and increase security while browsing the internet, DNS over HTTPS (DoH) was introduced to pair the necessary workflow of DNS lookups with the encryption power of HTTPS. Traditional DNS lookups are performed unencrypted over port 53, but with DoH lookups instead occur inside HTTPS traffic over port 443. This prevents attackers from monitoring your browsing habits or re-directing you to malicious websites simply by snooping DNS traffic.
This is the simple, high-level view of DNS over HTTPS, but it’s all you really need to know from an end-user perspective. It’s a best practice to enable DNS over HTTPS when possible, which is what we’ll outline below for Windows 10.
While out of the scope of this blog, Apple has also announced DNS over HTTPS support for iOS/macOS, and Cloudflare offers their powerful 1.1.1.1 DNS resolver to add DNS lookup security to various mobile and desktop operating systems.
Many web browsers (ex. Firefox and Chrome-based browsers) also support DoH if you’d prefer to enable it on a per-application basis, rather than at the OS-level. However, enabling DoH in your OS benefits applications that don’t natively support DoH by giving them that ability. Plus, DNS lookups have traditionally been a function of the OS rather than web browsers.
How To Enable DNS over HTTPS in Windows 10
Enabling DoH in Windows 10 provides the functionality for all users and applications requesting DNS lookups, including all web browsers. Keep in mind Windows 10 should be up to date to ensure the DoH feature is available (Build 19628 or higher to enable DoH via a registry edit and Build 20185 or higher to enable DoH via the Settings > Network & Internet menu).
Enabling DoH in the Windows 10 Registry
To enable DNS over HTTPS in the Windows 10 registry (Build 19628 or higher):
- Open Registry Editor
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
- Create a new DWORD named “EnableAutoDoh”, with a value of 2
- Reboot the host
You’ll then need to change your network connection’s primary and alternate DNS servers to one of the following, under your adapter’s Internet Protocol Version 4 (TCP/IPv4) properties.
The following are currently supported for DNS over HTTPS in Windows 10:
- Cloudflare – Primary: 1.1.1.1, Alternate: 1.0.0.1
- Google – Primary:8.8.8.8, Alternate: 8.8.4.4
- Quad9 – Primary: 9.9.9.9, Alternate: 149.112.112.112
Enabling DoH via the Windows 10 Settings > Network & Internet Menu
To enable DNS over HTTPS in the Settings > Network & Internet menu (Build 20185 or higher):
- Open Settings
- Search for and open Network status
- Under Network status, open the Properties menu for the desired internet connection
- Click Edit under DNS settings
- Select the Manual option, and then specify Preferred DNS and Alternate DNS IP addresses. DoH providers currently supported by Windows 10 are:
- Cloudflare – Primary: 1.1.1.1, Alternate: 1.0.0.1
- Google – Primary:8.8.8.8, Alternate: 8.8.4.4
- Quad9 – Primary: 9.9.9.9, Alternate: 149.112.112.112
- Select Encrypted only (DNS over HTTPS) for encryption under Preferred DNS and Alternate DNS
- If desired, you can configure the same for IPv6 (the previous steps were for IPv4)
Per Microsoft, “Once encryption is enabled, you can confirm it’s working by looking at the applied DNS servers in the network properties and see them labelled as ‘(Encrypted)’ servers”.
Stealthbits Technologies
IDENTIFY THREATS. SECURE DATA. REDUCE RISK.
Stealthbits Technologies, Inc. is a customer-driven cybersecurity software company focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data. By removing inappropriate data access, enforcing security policy, and detecting advanced threats, our highly innovative and infinitely flexible platform delivers real protection that reduces security risk, fulfills compliance requirements, and decreases operational expense.
For more information, please visit stealthbits.com.
Dan Piazza is a Technical Product Manager at Stealthbits, now part of Netwrix, responsible for PAM, file systems auditing and sensitive data auditing solutions. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, automation, and code. Prior to his current role he worked as a Product Manager and Systems Engineer for a data storage software company, managing and implementing both software and hardware B2B solutions.
Related Posts
- Using Docker and Windows Subsystem for Linux to Learn and Experiment with New Information Security Tools
- Commando VM: Using the Testing Platform
- What is the Kerberos PAC?
- Commando VM: Installation & Configuration
- Commando VM: Introduction
- What is Unstructured Data?
- WDigest Clear-Text Passwords: Stealing More Than a Hash
- RID Hijacking: When Guests Become Admins
Leave a Reply