Earlier this week, MS released Build 25158 into the Dev Channel. Among the many notes in this build’s announcements, you’ll find an item that starts off “DNS over TLS testing is now available for Windows DNS client query protection.” Thus, with Build 25158 gaining DNS over TLS support, DNS traffic on networks everywhere can be better protected. Given that DNS is a constant focus for direct and indirect attack, this is a good thing. So, how can you try this new feature out?
Putting Build 25158 Gains DNS Over TLS Support to Work
For brevity and convenience, DNS over TLS is usually abbreviated as DoT. Two ingredients are needed to take DoT for a spin:
1. You need to point your IP stack at a DoT DNS server. You’ll find a list of such servers at the DNS Privacy Project. It provided the lead-in graphic for this story, in fact. For the nonce, I’m using Google’s 18.104.22.168 and 22.214.171.124 addresses (and associated domain names for certificate authentication). There are several other options available.
2. A series of configuration tweaks, including Settings changes and netsh and ipconfig commands, is required to set this up and make it work. Fortunately, all those details are covered in an MS Networking Blog post entitled “DNS over TLS available to Windows Insiders.” Therein, Tommy Jensen provides nicely illustrated step-by-step instructions to get you through the process.
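Before pointing Windows at a resolver from step 1, it is worth confirming that the server really answers over TLS on port 853 and presents a certificate valid for the hostname you intend to authenticate it against. The following is an added example of mine (not code from this post, from Mr. Jensen’s post, or from Microsoft): a minimal DoT client per RFC 7858 that wraps an ordinary DNS query in the two-byte length prefix DoT requires, sends it over a verified TLS connection, and checks the reply; the resolver address, hostname and query name you pass to `query_dot` are assumptions you substitute for your chosen server.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858: DNS over TLS is served on TCP port 853


def build_dot_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a one-question DNS query (RD set) and prepend the 2-byte length
    prefix that DoT, like plain DNS over TCP, places in front of every message."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN
    return struct.pack("!H", len(msg)) + msg


def parse_dot_response(data: bytes, expected_id: int) -> dict:
    """Strip the length prefix and read the answer header. Rejects a payload that
    is shorter than its prefix claims and a reply whose transaction id is wrong."""
    (length,) = struct.unpack("!H", data[:2])
    msg = data[2:2 + length]
    if len(msg) != length:
        raise ValueError("short DoT message")
    qid, flags, _qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    return {"rcode": flags & 0x000F, "answers": ancount,
            "truncated": bool(flags & 0x0200)}


def _recv_exact(sock, n: int) -> bytes:
    """TLS records do not line up with DNS messages, so read until n bytes arrive."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(server_ip: str, server_name: str, qname: str) -> dict:
    """Send one query to a DoT resolver. create_default_context() validates the
    chain against the system trust store and checks server_name against the
    certificate, so a resolver that cannot authenticate as server_name fails here."""
    ctx = ssl.create_default_context()
    qid = 0x2A2A
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(build_dot_query(qname, qid))
            prefix = _recv_exact(tls, 2)
            (length,) = struct.unpack("!H", prefix)
            return parse_dot_response(prefix + _recv_exact(tls, length), qid)
```

A reply with `rcode` 0 and at least one answer means the server resolved the name over an authenticated TLS session; a certificate or hostname mismatch surfaces as an `ssl.SSLError` before any DNS data is exchanged.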
More to Follow After Additional Try-Outs
I have two (2) test machines running Build 25158. I’ll try DoT on both of them, and let you know what happens. Mr. Jensen’s post on setting things up includes a potentially scary phrase. That is “This may result in a small performance improvement depending on the network environment at the cost of the flexibility HTTPS-based protocols can provide” (italic emphasis mine).
I’m afraid I know what this means. Indeed, I’ll be curious to see what’s still working — and what’s not — after experimenting with these changes. Given an upcoming out-of-office adventure, I might wait until the week after next to put this to a real test. Stay tuned! In the meantime, you might find this Wikipedia article about DoT worth a quick read-through (good discussion and lots of good additional references there).