When your web browser accesses a website, it first needs to translate the friendly hostname in the URL (e.g. stealthbits.com) into the public IP address of the server that hosts that website. This is known as a “DNS lookup”, and traditional DNS is unencrypted, unlike modern web traffic, which is almost entirely secured via HTTPS these days.
Since HTTPS encrypts your communications with websites once you’ve established a connection, you may be wondering why it matters that DNS, the initial lookup of the website, remains unencrypted. With unencrypted DNS, attackers on the same network as you can view which websites you’re browsing and potentially re-route your DNS lookups to malicious websites and phishing scams.
To prevent this and increase security while browsing the internet, DNS over HTTPS (DoH) was introduced to pair the necessary workflow of DNS lookups with the encryption of HTTPS. Traditional DNS lookups are performed unencrypted over port 53; with DoH, the lookups instead travel inside HTTPS traffic over port 443. This prevents attackers from monitoring your browsing habits or re-directing you to malicious websites simply by snooping DNS traffic.
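The transport difference described above, as an added example that is not part of the original post: the same A-record lookup done once over classic port-53 DNS and once over DoH, so you can see that the question and answer are identical and only the carrier changes. It assumes cloudflare-dns.com (the 1.1.1.1 resolver) is reachable and uses the JSON form of DoH that Cloudflare offers with the `accept: application/dns-json` header.

```powershell
# Added example (not from the original post): one lookup, two transports.
# Assumptions: network access to 1.1.1.1 / cloudflare-dns.com, and Cloudflare's
# JSON flavour of DoH (accept: application/dns-json).
param([string]$Name = 'stealthbits.com')

# 1) Classic DNS: UDP/TCP port 53, cleartext. Anyone on the path can read
#    both the question and the answer. -DnsOnly skips the local cache and
#    hosts file so the query really goes out on the wire.
$classic = Resolve-DnsName -Name $Name -Type A -Server 1.1.1.1 -DnsOnly |
    Where-Object QueryType -eq 'A' |
    Select-Object -ExpandProperty IPAddress

# 2) DNS over HTTPS: the same question carried inside a TLS session on
#    port 443. On the wire it looks like any other HTTPS request.
$doh = Invoke-RestMethod -Uri "https://cloudflare-dns.com/dns-query?name=$Name&type=A" `
    -Headers @{ accept = 'application/dns-json' }
# Record type 1 is A; the resolver's RCODE is returned as Status (0 = NOERROR).
$dohAnswers = $doh.Answer | Where-Object { $_.type -eq 1 } | Select-Object -ExpandProperty data

"Port 53  (cleartext) : $($classic -join ', ')"
"Port 443 (DoH)       : $($dohAnswers -join ', ')"
"DoH RCODE (Status)   : $($doh.Status)"
```

Both lines should list the same address(es); the point of the exercise is that an observer on the network sees the first query in full and only sees an HTTPS connection to 1.1.1.1 for the second.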
This is the simple, high-level view of DNS over HTTPS, but it’s all you really need to know from an end-user perspective. It’s a best practice to enable DNS over HTTPS when possible, which is what we’ll outline below for Windows 10.
While out of the scope of this blog, Apple has also announced DNS over HTTPS support for iOS/macOS, and Cloudflare offers their powerful 1.1.1.1 DNS resolver to add DNS lookup security to various mobile and desktop operating systems.
Many web browsers (e.g. Firefox and Chrome-based browsers) also support DoH if you’d prefer to enable it on a per-application basis rather than at the OS level. However, enabling DoH in your OS benefits applications that don’t natively support DoH by giving them that ability. Plus, DNS lookups have traditionally been a function of the OS rather than of web browsers.
Enabling DoH in Windows 10 provides the functionality for all users and applications requesting DNS lookups, including all web browsers. Keep in mind that Windows 10 must be up to date for the DoH feature to be available (Build 19628 or higher to enable DoH via a registry edit, and Build 20185 or higher to enable DoH via the Settings > Network & Internet menu).
Enabling DoH in the Windows 10 Registry
To enable DNS over HTTPS in the Windows 10 registry (Build 19628 or higher):
You’ll then need to change your network connection’s primary and alternate DNS servers to one of the following, under your adapter’s Internet Protocol Version 4 (TCP/IPv4) properties.
The following are currently supported for DNS over HTTPS in Windows 10:
Enabling DoH via the Windows 10 Settings > Network & Internet Menu
To enable DNS over HTTPS in the Settings > Network & Internet menu (Build 20185 or higher):
Per Microsoft, “Once encryption is enabled, you can confirm it’s working by looking at the applied DNS servers in the network properties and see them labelled as ‘(Encrypted)’ servers”.
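The registry-based enablement from the section above and the confirmation step Microsoft describes, as an added PowerShell example that is not part of the original post. Assumptions: the value name `EnableAutoDoh` under the `Dnscache\Parameters` key is taken from Microsoft's Windows Insider announcement for Build 19628, not from this post, so check it against current Microsoft documentation before relying on it; the adapter alias `Ethernet` is a placeholder for your own adapter; `1.1.1.1` / `1.0.0.1` are the Cloudflare resolvers the post mentions; and `pktmon` is the packet monitor that ships with Windows 10. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original post). Assumed: EnableAutoDoh key/value
# (from Microsoft's Insider announcement), adapter alias 'Ethernet', and the
# Cloudflare resolvers 1.1.1.1 / 1.0.0.1. Requires an elevated prompt.
$ErrorActionPreference = 'Stop'

function Enable-AutoDoh {
    param(
        [string]   $Adapter = 'Ethernet',            # placeholder alias
        [string[]] $Servers = @('1.1.1.1', '1.0.0.1') # DoH-capable resolvers
    )
    # Step 1: opt the Windows DNS client into automatic DoH (Build 19628+).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    New-ItemProperty -Path $key -Name 'EnableAutoDoh' -PropertyType DWord `
        -Value 2 -Force | Out-Null

    # Step 2: point the adapter at resolvers Windows can reach over DoH.
    # Any other address keeps being queried in cleartext on port 53.
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $Servers

    # Step 3: the DNS client only picks the change up after a reboot.
    Write-Host "Reboot, then run Test-DohInUse to confirm port 53 has gone quiet."
}

function Test-DohInUse {
    param([string] $Adapter = 'Ethernet')
    # Show what the adapter is actually configured with.
    Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
        Select-Object InterfaceAlias, ServerAddresses

    # Capture only port-53 traffic: with DoH working, browsing should produce
    # nothing here because every lookup now travels on port 443.
    pktmon filter remove | Out-Null
    pktmon filter add -p 53
    pktmon start --etw -m real-time
    # Ctrl+C ends the live capture; then clean up with:
    #   pktmon stop; pktmon filter remove
}

Enable-AutoDoh
```

Run `Enable-AutoDoh`, reboot, then `Test-DohInUse` and browse for a minute: the adapter should list the DoH-capable resolvers, and an empty port-53 capture is the practical counterpart of the “(Encrypted)” label Microsoft refers to. If the capture still shows port-53 packets, the most common cause is an adapter or VPN still pointing at a resolver Windows does not recognise as DoH-capable.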
© 2021 Stealthbits Technologies, Inc.