Private DNS

From: patrick@oleary.com (Patrick)
Newsgroups: alt.comp.os.windows-10
Date: Sun, 3 Mar 2024 04:18:26 -0600
Message-ID: <us1ipi$3g9j2$1@novabbs.org>
https://news.novabbs.org/computers/article-flat.php?id=78735&group=alt.comp.os.windows-10#78735

Does Windows have a native private DNS setting like Android does?

Re: Private DNS

From: usenet@andyburns.uk (Andy Burns)
Date: Sun, 3 Mar 2024 10:39:34 +0000
Message-ID: <l4j2b5Fg1o6U1@mid.individual.net>
References: <us1ipi$3g9j2$1@novabbs.org>
https://news.novabbs.org/computers/article-flat.php?id=78736&group=alt.comp.os.windows-10#78736

Patrick wrote:

> Does Windows have a native private DNS setting like Android does?

Win10 and Win11 both do (not sure the minimum build versions)

edit your wifi or ethernet NIC properties
change from automatic DNS assignment to manual
enable IPv4 (IPv6 too if required),
turn on DNS over HTTPS,
enter your preferred server (cloudflare/quad9 etc)

Re: Private DNS

From: V@nguard.LH (VanguardLH)
Date: Sun, 3 Mar 2024 05:08:29 -0600
Message-ID: <7wicpu6883qq$.dlg@v.nguard.lh>
References: <us1ipi$3g9j2$1@novabbs.org>
https://news.novabbs.org/computers/article-flat.php?id=78737&group=alt.comp.os.windows-10#78737

Patrick <patrick@oleary.com> wrote:

> Does Windows have a native private DNS setting like Android does?

Run ncpa.cpl.
Right-click on your network connection, and select Properties.
Select "Internet Protocol Version 4", and click Properties.
In the General tab, you can define 2 DNS servers (primary & secondary).
Click on Advanced, DNS tab, and you can define several for fallback.

In order, I have the following DNS servers defined for IPv4:
- 1.1.1.1 (Cloudflare)
- 208.67.222.222 (OpenDNS)
- 8.8.8.8 (Google)
- 10.0.0.1 (my router's DNS which merely passes to the upstream DNS)

My router gets its WAN-side IP address from my ISP's DHCP server which
also tells my router my ISP's DNS server, so pointing to my router
merely has, if used, my ISP's DNS server get used. However, there is
some caching in my router, so DNS lookups are a bit quicker on cached
entries.

Back in the Ethernet Properties dialog, select "Internet Protocol
Version 6", and click Properties.

In order, I have the following DNS servers defined for IPv6:
2606:4700:4700::1111 (Cloudflare)
2620:119:35::35 (OpenDNS)
2001:4860:4860:8888 (Google)

My router doesn't support IPv6 for its internal pass-through DNS server.

In most setups, the router and intranet hosts are configured for
automatic DNS config which means they get the DNS server from the
upstream DHCP server. For the intranet hosts, that's your router's DNS
server. For the router, that's your ISP's DNS server. You can choose
to use other DNS servers. While better in the past few years, my ISP
had the nasty habit of DNS failures about twice per year on average
which would last 1 to 3 days. That was unacceptable, and that is when I
looked into deciding which DNS servers to use.

Windows has had the ability to let users select which DNS server(s) they
want to use since Windows 3.1 (c.1992).

Without rooting, Android allowed users to specify their choice of DNS
server since Android 9 (c.2018).

I don't know why the Chromium folks or Google thought "private" was a
proper name for a setting to let users define which DNS server to use.
DNS requests are hardly private. They are sent unencrypted. Anyone,
including your ISP or cell carrier can see for what domains the DNS
lookup was requested. Firefox added DoH (DNS Over HTTPS) to encrypt the
DNS requests to prevent spying on where you wanted to go (except, of
course, by the DNS provider themself).

https://en.wikipedia.org/wiki/DNS_over_HTTPS

So does Microsoft Edge-C (I don't know about the old Edge, and
definitely not Internet Explorer). Instead of DoH, Microsoft hides it
under the name "Secure DNS", because that is also the same setting name
used by Google in Chrome.

You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
mentioned above, and your choice might even include DNS servers that
filter out phish and malware sites, and block spam sources, but they are
still using plain DNS requests that anyone can intercept. Windows can
support DoH, but it is not enabled by default. You have to enable DoH
using a policy, or a registry edit (since all policies are registry
entries). See:

https://blog.netwrix.com/2022/10/11/dns-over-https/

Re: Private DNS

From: Newyana2@invalid.nospam (Newyana2)
Date: Sun, 3 Mar 2024 07:46:43 -0500
Message-ID: <us1rfm$2gc93$1@dont-email.me>
References: <us1ipi$3g9j2$1@novabbs.org>
https://news.novabbs.org/computers/article-flat.php?id=78739&group=alt.comp.os.windows-10#78739

"Patrick" <patrick@oleary.com> wrote

| Does Windows have a native private DNS setting like Android does?

As Vanguard explained, you can change the DNS server
in Network settings. (That's what he means by ncpa.cpl.
You don't have to type in a Run window. Just go to Network
settings by the route of your choice.)

You can pick an adblocker DNS or just a non-spyware
DNS. You can also use a DNS proxy, which is handy. Unbound
is one. Acrylic is much easier to set up. Either way, they
run as a service. You set your DNS to 127.0.0.1 in IPv4
and to ::1 in IPv6, directing Acrylic to call your own machine
for DNS resolution. Then you set your DNS server choices
in Acrylic settings.

The nice thing about that is that you can then use a special
Acrylic HOSTS file that allows wildcards. So, for example, you
add these lines:

127.0.0.1 *.doubleclick.com
127.0.0.1 *.doubleclick.net

That blocks your computer from ever visiting any doubleclick
server because it's being told that doubleclick is local -- your
own computer. All OSs can use a HOSTS file. It's often used
for resolving local network addresses in corporate settings. But
spy/ad companies get around being blocked by using myriad
subdomain addresses, such as abc1.doubleclick.com. The native
HOSTS file can't differentiate subdomains.

I have only about 300 entries in my HOSTS files with Acrylic,
yet it blocks most spying because the spy/ad industry is so
centralized. Google and Facebook are the worst. (Doubleclick
is just one of Google's operations.) Then there are various minor
entities.
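The subdomain point in this post, as an added example rather than Newyana2's or Acrylic's own code: a small matcher that applies the same hosts lines first the way the native HOSTS file does (exact name only) and then with `*.` wildcards, matching at label boundaries so `*.doubleclick.com` catches `abc1.doubleclick.com` but not `notdoubleclick.com`. The hosts lines are constructed, and the assumption that `*.x` matches one or more labels below `x` but not `x` itself is mine.

```python
"""Exact (native HOSTS) vs. wildcard (DNS-proxy style) host matching.
Added example for this thread; not Acrylic's code, sample lines constructed."""

SAMPLE_HOSTS = """\
# constructed sample: one plain entry and two wildcard entries
127.0.0.1 doubleclick.com
127.0.0.1 *.doubleclick.com
127.0.0.1 *.doubleclick.net   # trailing comments are ignored
"""


def parse_hosts(text: str):
    """Return (exact, wildcard) maps: exact name -> address, parent suffix -> address."""
    exact, wildcard = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()               # one address, one or more names
        for name in names:
            name = name.lower().rstrip(".")
            if name.startswith("*."):
                wildcard[name[2:]] = addr         # store the suffix without "*."
            else:
                exact[name] = addr
    return exact, wildcard


def native_lookup(exact: dict, name: str):
    """What the OS HOSTS file does: case-insensitive exact match, nothing else."""
    return exact.get(name.lower().rstrip("."))


def wildcard_lookup(exact: dict, wildcard: dict, name: str):
    """Exact match first, then walk up the parent domains looking for a '*.' entry.
    Assumption: '*.x' covers one or more labels under x, not x itself."""
    name = name.lower().rstrip(".")
    if name in exact:
        return exact[name]
    labels = name.split(".")
    for i in range(1, len(labels)):               # abc1.doubleclick.com -> doubleclick.com -> com
        parent = ".".join(labels[i:])
        if parent in wildcard:
            return wildcard[parent]
    return None


if __name__ == "__main__":
    exact, wc = parse_hosts(SAMPLE_HOSTS)
    for host in ("abc1.doubleclick.com", "doubleclick.com", "notdoubleclick.com"):
        print(host, native_lookup(exact, host), wildcard_lookup(exact, wc, host))
```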

Re: Private DNS

From: usenet@andyburns.uk (Andy Burns)
Date: Sun, 3 Mar 2024 12:54:14 +0000
Message-ID: <l4ja7mFhpurU1@mid.individual.net>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh>
https://news.novabbs.org/computers/article-flat.php?id=78740&group=alt.comp.os.windows-10#78740

VanguardLH wrote:

> You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
> mentioned above, and your choice might even include DNS servers that
> filter out phish and malware sites, and block spam sources, but they are
> still using plain DNS requests that anyone can intercept. Windows can
> support DoH, but it is not enabled by default. You have to enable DoH
> using a policy, or a registry edit

Win10 requires a registry setting, Win11 doesn't

<http://andyburns.uk/misc/Win11-DNSoverHTTPS1.png>
<http://andyburns.uk/misc/Win11-DNSoverHTTPS2.png>

Re: Private DNS

From: larrywolff@larrywolff.net (Larry Wolff)
Date: Sun, 3 Mar 2024 13:59:24 -0500
Message-ID: <us2had$3hu2m$1@novabbs.org>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh>
https://news.novabbs.org/computers/article-flat.php?id=78746&group=alt.comp.os.windows-10#78746

On 3/3/2024 6:08 AM, VanguardLH wrote:

> In order, I have the following DNS servers defined for IPv4:
> - 1.1.1.1 (Cloudflare)
> - 208.67.222.222 (OpenDNS)
> - 8.8.8.8 (Google)
> - 10.0.0.1 (my router's DNS which merely passes to the upstream DNS)

Can someone explain why the Private DNS is set to a fqdn in Android
but it's apparently set as an IP address on Windows in the registry?

Re: Private DNS

From: nickcine@is.invalid (Nick Cine)
Date: Sun, 3 Mar 2024 12:55:00 -0700
Message-ID: <us2kik$tdg0$1@solani.org>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <us2had$3hu2m$1@novabbs.org>
https://news.novabbs.org/computers/article-flat.php?id=78750&group=alt.comp.os.windows-10#78750

On Sun, 3 Mar 2024 13:59:24 -0500, Larry Wolff wrote:

> On 3/3/2024 6:08 AM, VanguardLH wrote:
>
>> In order, I have the following DNS servers defined for IPv4:
>> - 1.1.1.1 (Cloudflare)
>> - 208.67.222.222 (OpenDNS)
>> - 8.8.8.8 (Google)
>> - 10.0.0.1 (my router's DNS which merely passes to the upstream DNS)
>
> Can someone explain why the Private DNS is set to a fqdn in Android
> but it's apparently set as an IP address on Windows in the registry?

I had never heard of Private DNS until recently so all below can be wrong.

Here's what I think I know (which isn't much, I admit).
1. You set the Android Private DNS to p2.freedns.controld.com
2. Somehow Android inherently knows what IP address that is
tracert p2.freedns.controld.com
Tracing route to p2.freedns.controld.com [76.76.2.11]
3. Somehow Android inherently knows the port & protocol (DNS over TLS)
telnet p2.freedns.controld.com 53
4. Somehow Android sets up an encrypted DoT connection over that port
5. And then when an Android app asks to connect to a fqdn,
that DoT encrypted connection returns the IP address to that app
(unless that PrivateDNS fqdn decides to filter out the IP as an ad)

Here's what I'm going to guess happens when an app inside
of Android makes a query to an advertisement web site.

1. The app makes the call to the advertisement site fqdn.
2. The DNS query on port 53 goes through the Private DNS fqdn.
3. That goes to p2.freedns.controld.com 76.76.2.11:53
4. Which, since it's an advertisement, returns null (I guess).

Is that guess as to how it works even close to how it works?

Re: Private DNS

From: indira@ghandi.net (Indira)
Date: Mon, 4 Mar 2024 01:36:55 +0530
Message-ID: <us2l8v$12uq5$1@paganini.bofh.team>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <us2had$3hu2m$1@novabbs.org> <us2kik$tdg0$1@solani.org>
https://news.novabbs.org/computers/article-flat.php?id=78751&group=alt.comp.os.windows-10#78751

Nick Cine wrote:

> On Sun, 3 Mar 2024 13:59:24 -0500, Larry Wolff wrote:
>
>> On 3/3/2024 6:08 AM, VanguardLH wrote:
>>
>>> In order, I have the following DNS servers defined for IPv4:
>>> - 1.1.1.1 (Cloudflare)
>>> - 208.67.222.222 (OpenDNS)
>>> - 8.8.8.8 (Google)
>>> - 10.0.0.1 (my router's DNS which merely passes to the upstream DNS)
>>
>> Can someone explain why the Private DNS is set to a fqdn in Android
>> but it's apparently set as an IP address on Windows in the registry?
>
> I had never heard of Private DNS until recently so all below can be wrong.
>
> Here's what I think I know (which isn't much, I admit).
> 1. You set the Android Private DNS to p2.freedns.controld.com
> 2. Somehow Android inherently knows what IP address that is
> tracert p2.freedns.controld.com
> Tracing route to p2.freedns.controld.com [76.76.2.11]
> 3. Somehow Android inherently knows the port & protocol (DNS over TLS)
> telnet p2.freedns.controld.com 53
> 4. Somehow Android sets up an encrypted DoT connection over that port
> 5. And then when an Android app asks to connect to a fqdn,
> that DoT encrypted connection returns the IP address to that app
> (unless that PrivateDNS fqdn decides to filter out the IP as an ad)
>
> Here's what I'm going to guess happens when an app inside
> of Android makes a query to an advertisement web site.
>
> 1. The app makes the call to the advertisement site fqdn.
> 2. The DNS query on port 53 goes through the Private DNS fqdn.
> 3. That goes to p2.freedns.controld.com 76.76.2.11:53
> 4. Which, since it's an advertisement, returns null (I guess).
>
> Is that guess as to how it works even close to how it works?

I think Windows uses port 853 by default for any FQDN set up in Windows as
the Private DNS provider name (note the Private DNS provider is a FQDN,
not an IP address which is what you'd normally expect for a DNS provider).
https://isc.sans.edu/diary/Whats+up+with+TCP+853+DNS+over+TLS/25438

https://datatracker.ietf.org/doc/html/rfc7858
https://datatracker.ietf.org/doc/html/rfc8094
https://datatracker.ietf.org/doc/html/rfc8484

In addition, it seems Google and Mozilla skip everything you've carefully
done and use their own private DNS services out of their infinite wisdom.

But you can upend all that carefully crafted mess using stunnel.
https://kb.isc.org/docs/aa-01386
[dns]
accept = 853
connect = 127.0.0.1:53
cert = dns.crt
key = dns.key

Nobody really knows how it works though, except for the getdns developers.
https://getdnsapi.net
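Nick Cine's step-by-step guess and Indira's pointer to TCP 853 describe DNS over TLS (RFC 7858); the Python sketch below is an added example, not any poster's code, showing the mechanics: each DNS message travels with a 2-byte length prefix over a TLS connection to the resolver's FQDN on port 853, and that FQDN is what the TLS layer checks against the resolver's certificate, which is why the setting takes a name rather than an IP. It also shows how a filtering resolver's "blocked" answer (NXDOMAIN or 0.0.0.0) is told apart from a normal one. The query name `ads.example.invalid`, the address `192.0.2.1` and the reply bytes are constructed here; only `query_dot` touches the network, and the live call to `p2.freedns.controld.com` is left commented out.

```python
"""DNS over TLS (RFC 7858) client sketch, constructed for this thread.
Not code from any poster, from ControlD or from Android."""
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: header, QNAME as length-prefixed labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """Over TCP and TLS every DNS message carries a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:           # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract the RCODE and any A-record addresses from a reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                     # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addresses = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:       # A record: four address octets
            addresses.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "addresses": addresses}


def classify(result: dict) -> str:
    """A filtering resolver signals 'blocked' either as NXDOMAIN or as a 0.0.0.0 answer."""
    if result["rcode"] == 3:
        return "blocked (NXDOMAIN)"
    if result["addresses"] and all(a == "0.0.0.0" for a in result["addresses"]):
        return "blocked (null-routed)"
    if result["rcode"] != 0:
        return "error (rcode %d)" % result["rcode"]
    return "resolved"


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS connection early")
        buf += chunk
    return buf


def query_dot(resolver_fqdn: str, name: str, port: int = 853, timeout: float = 5.0) -> dict:
    """One query to resolver_fqdn:853. The FQDN is resolved once to open the TCP
    connection, then passed as server_hostname so the TLS layer verifies the
    resolver's certificate against that name; a bare IP could not be checked this way."""
    ctx = ssl.create_default_context()      # CA verification and hostname check enabled
    raw = socket.create_connection((resolver_fqdn, port), timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=resolver_fqdn) as tls:
        tls.sendall(frame(build_query(name)))
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        return parse_response(_recv_exact(tls, length))


def build_reply(query: bytes, addresses: list, rcode: int = 0) -> bytes:
    """Construct a resolver reply to `query` (sample data for offline use only)."""
    qend = _skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + bytes(int(x) for x in a.split(".")) for a in addresses)
    return header + query[12:qend] + answers


if __name__ == "__main__":
    # Offline walk-through with a constructed ad-domain query and constructed replies.
    q = build_query("ads.example.invalid")
    print(classify(parse_response(build_reply(q, ["0.0.0.0"]))))   # blocked (null-routed)
    print(classify(parse_response(build_reply(q, [], rcode=3))))   # blocked (NXDOMAIN)
    # Live check against the DoT resolver named in the thread, when the network allows:
    # print(query_dot("p2.freedns.controld.com", "example.com"))
```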

Re: Private DNS

From: lws4art@gmail.com (Jonathan N. Little)
Date: Sun, 3 Mar 2024 16:01:52 -0500
Message-ID: <us2og2$2mp3s$1@dont-email.me>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net>
https://news.novabbs.org/computers/article-flat.php?id=78757&group=alt.comp.os.windows-10#78757

Andy Burns wrote:
> VanguardLH wrote:
>
>> You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
>> mentioned above, and your choice might even include DNS servers that
>> filter out phish and malware sites, and block spam sources, but they are
>> still using plain DNS requests that anyone can intercept.  Windows can
>> support DoH, but it is not enabled by default.  You have to enable DoH
>> using a policy, or a registry edit
>
> Win10 requires a registry setting, Win11 doesn't

No it doesn't, it is just that Windows 10 still uses the legacy interface via
the Control Panel:

Control Panel > Network and Internet > Network Connections

Right-click on connection > select Properties

Select Internet Protocol Version 4 and|or Version 6

Right-click > select Properties

Select option Use the following DNS server addresses:

Fill in the IPs of the servers

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

Re: Private DNS

From: stanleyrobins@nothere.uk (Harry S Robins)
Date: Sun, 3 Mar 2024 15:30:17 -0600
Message-ID: <us2q59$ja93$1@news.usenet.ovh>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me>
https://news.novabbs.org/computers/article-flat.php?id=78759&group=alt.comp.os.windows-10#78759

On Sun, 3 Mar 2024 16:01:52 -0500, Jonathan N. Little wrote:

> Andy Burns wrote:
>> VanguardLH wrote:
>>
>>> You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
>>> mentioned above, and your choice might even include DNS servers that
>>> filter out phish and malware sites, and block spam sources, but they are
>>> still using plain DNS requests that anyone can intercept. Windows can
>>> support DoH, but it is not enabled by default. You have to enable DoH
>>> using a policy, or a registry edit
>>
>> Win10 requires a registry setting, Win11 doesn't
>
> No it doesn't, it is just Windows 10 still uses legacy interface via the
> Control Panel:
>
> Control Panel > Network and Internet > Network Connections
>
> Right-click on connection > select Properties
>
> Select Internet Protocol Version 4 and|or Version 6
>
> Right-click > select Properties
>
> Select option Use the following DNS server addresses:
>
> Fill in the IPs of the servers

But how do you tell Windows 10 to use DNS over TLS on port 853?

Re: Private DNS

From: V@nguard.LH (VanguardLH)
Date: Sun, 3 Mar 2024 21:36:58 -0600
Message-ID: <1r3nr0hjrltdj.dlg@v.nguard.lh>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me>
https://news.novabbs.org/computers/article-flat.php?id=78765&group=alt.comp.os.windows-10#78765

"Jonathan N. Little" <lws4art@gmail.com> wrote:

> Andy Burns wrote:
>> VanguardLH wrote:
>>
>>> You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
>>> mentioned above, and your choice might even include DNS servers that
>>> filter out phish and malware sites, and block spam sources, but they are
>>> still using plain DNS requests that anyone can intercept.  Windows can
>>> support DoH, but it is not enabled by default.  You have to enable DoH
>>> using a policy, or a registry edit
>>
>> Win10 requires a registry setting, Win11 doesn't
>
> No it doesn't, it is just Windows 10 still uses legacy interface via the
> Control Panel:
>
> Control Panel > Network and Internet > Network Connections
>
> Right-click on connection > select Properties
>
> Select Internet Protocol Version 4 and|or Version 6
>
> Right-click > select Properties
>
> Select option Use the following DNS server addresses:
>
> Fill in the IPs of the servers

That is for defining which DNS servers to use, not to enable/disable DoH
(DNS over HTTPS) when connecting to those servers (so you also have to
pick DNS servers that support DoH).

In Win10, and rather than edit the registry, and because DoH only
matters to me when using a web browser on my desktop PC, I only bother
with using DoH in Firefox which supports it whether the OS does or not.

Re: Private DNS

From: V@nguard.LH (VanguardLH)
Date: Sun, 3 Mar 2024 21:54:16 -0600
Message-ID: <1t29hssnwzwog.dlg@v.nguard.lh>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net>
https://news.novabbs.org/computers/article-flat.php?id=78766&group=alt.comp.os.windows-10#78766

Andy Burns <usenet@andyburns.uk> wrote:

> VanguardLH wrote:
>
>> You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
>> mentioned above, and your choice might even include DNS servers that
>> filter out phish and malware sites, and block spam sources, but they are
>> still using plain DNS requests that anyone can intercept. Windows can
>> support DoH, but it is not enabled by default. You have to enable DoH
>> using a policy, or a registry edit
>
> Win10 requires a registry setting, Win11 doesn't
>
> <http://andyburns.uk/misc/Win11-DNSoverHTTPS1.png>
> <http://andyburns.uk/misc/Win11-DNSoverHTTPS2.png>

Is the GUI setting for DoH exposed in Win11 Home, or only in Win11 Pro?

Re: Private DNS

From: V@nguard.LH (VanguardLH)
Date: Sun, 3 Mar 2024 22:02:03 -0600
Message-ID: <1t548qegb4rjf.dlg@v.nguard.lh>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me> <1r3nr0hjrltdj.dlg@v.nguard.lh>
https://news.novabbs.org/computers/article-flat.php?id=78767&group=alt.comp.os.windows-10#78767

VanguardLH <V@nguard.LH> wrote:

> "Jonathan N. Little" <lws4art@gmail.com> wrote:
>
>> Andy Burns wrote:
>>
>>> VanguardLH wrote:
>>>
>>>> You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
>>>> mentioned above, and your choice might even include DNS servers that
>>>> filter out phish and malware sites, and block spam sources, but they are
>>>> still using plain DNS requests that anyone can intercept.  Windows can
>>>> support DoH, but it is not enabled by default.  You have to enable DoH
>>>> using a policy, or a registry edit
>>>
>>> Win10 requires a registry setting, Win11 doesn't
>>
>> No it doesn't, it is just Windows 10 still uses legacy interface via the
>> Control Panel:
>>
>> Control Panel > Network and Internet > Network Connections
>>
>> Right-click on connection > select Properties
>>
>> Select Internet Protocol Version 4 and|or Version 6
>>
>> Right-click > select Properties
>>
>> Select option Use the following DNS server addresses:
>>
>> Fill in the IPs of the servers
>
> That is for defining which DNS servers to use, not to enable/disable DoH
> (DNS over HTTPS) when connecting to those servers (so you also have to
> pick DNS servers that support DoH).
>
> In Win10, and rather than edit the registry, and because DoH only
> matters to me when using a web browser on my desktop PC, I only bother
> with using DoH in Firefox which supports it whether the OS does or not.

In addition, per:

https://blog.netwrix.com/2022/10/11/dns-over-https/

The traditional Control Panel applet (ncpa.cpl) you and I mentioned does
not show the DoH enable option. The article mentions the registry edit
which is what gets altered by the other method. The other method
mentioned is to use Settings -> Network & Internet -> Status -> click
Properties on a NIC, and supposedly there is a "Preferred DNS
encryption" option where you can pick "Encrypted only (DNS over HTTPS)".

Not there in my Windows 10 Home x64 22H2 build 19045.4123. Perhaps the
author neglected to mention he is using the Pro edition instead of the
Home edition of Windows 10, or conflated Win11 settings with Win10
settings. For my Windows 10 Home, it's a registry edit to enable DoH.

Re: Private DNS

<us3paj$js87$1@news.usenet.ovh>


https://news.novabbs.org/computers/article-flat.php?id=78769&group=alt.comp.os.windows-10#78769

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!usenet.ovh!news.usenet.ovh!.POSTED!not-for-mail
From: stanleyrobins@nothere.uk (Harry S Robins)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Mon, 4 Mar 2024 00:22:11 -0600
Organization: NUO - News.Usenet.Ovh
Message-ID: <us3paj$js87$1@news.usenet.ovh>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me> <1r3nr0hjrltdj.dlg@v.nguard.lh> <1t548qegb4rjf.dlg@v.nguard.lh>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 4 Mar 2024 06:22:12 -0000 (UTC)
Injection-Info: news.usenet.ovh; posting-account="stanley";
logging-data="651527"; mail-complaints-to="abuse@usenet.ovh"
User-Agent: NewsTap/5.5 (iPhone/iPod Touch)
Cancel-Lock: sha256:N/3+PgY2T7HNwUcXxMXeXpYmL5omeAMutrI3vxq4tzQ=
 by: Harry S Robins - Mon, 4 Mar 2024 06:22 UTC

On Sun, 3 Mar 2024 22:02:03 -0600, VanguardLH wrote:

> VanguardLH <V@nguard.LH> wrote:
>
>> "Jonathan N. Little" <lws4art@gmail.com> wrote:
>>
>>> Andy Burns wrote:
>>>
>>>> VanguardLH wrote:
>>>>
>>>>> You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
>>>>> mentioned above, and your choice might even include DNS servers that
>>>>> filter out phish and malware sites, and block spam sources, but they are
>>>>> still using plain DNS requests that anyone can intercept.  Windows can
>>>>> support DoH, but it is not enabled by default.  You have to enable DoH
>>>>> using a policy, or a registry edit
>>>>
>>>> Win10 requires a registry setting, Win11 doesn't
>>>
>>> No it doesn't, it is just Windows 10 still uses legacy interface via the
>>> Control Panel:
>>>
>>> Control Panel > Network and Internet > Network Connections
>>>
>>> Right-click on connection > select Properties
>>>
>>> Select Internet Protocol Version 4 and|or Version 6
>>>
>>> Right-click > select Properties
>>>
>>> Select option Use the following DNS server addresses:
>>>
>>> Fill in the IPs of the servers
>>
>> That is for defining which DNS servers to use, not to enable/disable DoH
>> (DNS over HTTPS) when connecting to those servers (so you also have to
>> pick DNS servers that support DoH).
>>
>> In Win10, and rather than edit the registry, and because DoH only
>> matters to me when using a web browser on my desktop PC, I only bother
>> with using DoH in Firefox which supports it whether the OS does or not.
>
> In addition, per:
>
> https://blog.netwrix.com/2022/10/11/dns-over-https/
>
> The traditional Control Panel applet (ncpa.cpl) you and I mentioned does
> not show the DoH enable option. The article mentions the registry edit
> which is what gets altered by the other method. The other method
> mentioned is to use Settings -> Network & Internet -> Status -> click
> Properties on a NIC, and supposedly there is a "Preferred DNS
> encryption" option where you can pick "Encrypted only (DNS over HTTPS)".
>
> Not there in my Windows 10 Home x64 22H2 build 19045.4123. Perhaps the
> author neglected to mention he is using the Pro edition instead of the
> Home edition of Windows 10, or conflated Win11 settings with Win10
> settings. For my Windows 10 Home, it's a registry edit to enable DoH.

That's what I was trying to tell them when I had asked
"But how do you tell Windows 10 to use DNS over TLS on port 853?"

Everybody thinks DNS over HTTP (or DNS over TLS) is the same as DNS.
It's not.

Re: Private DNS

<us3rpd$3kd4c$1@novabbs.org>


https://news.novabbs.org/computers/article-flat.php?id=78771&group=alt.comp.os.windows-10#78771

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!rocksolid2!.POSTED!not-for-mail
From: patrick@oleary.com (Patrick)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Mon, 4 Mar 2024 01:04:13 -0600
Organization: rocksolid2 (novabbs.org)
Message-ID: <us3rpd$3kd4c$1@novabbs.org>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me> <1r3nr0hjrltdj.dlg@v.nguard.lh> <1t548qegb4rjf.dlg@v.nguard.lh>
MIME-Version: 1.0
Content-Type: text/plain;charset=us-ascii;format=flowed
Injection-Date: Mon, 4 Mar 2024 07:04:14 -0000 (UTC)
Injection-Info: novabbs.org;
logging-data="3814540"; mail-complaints-to="usenet@novabbs.org";
posting-account="DmBUVzkCOUSdwPeIqrbHByUaJQnFaz/eDlTqIrPjQgo";
User-Agent: Turnpike/6.07-M (<XysUeS6fptF$Y2WFgP0$1sHqDW>)
X-Spam-Checker-Version: SpamAssassin 4.0.0
 by: Patrick - Mon, 4 Mar 2024 07:04 UTC

On Sun, 3 Mar 2024 22:02:03 -0600, VanguardLH wrote:

> The traditional Control Panel applet (ncpa.cpl) you and I mentioned does
> not show the DoH enable option. The article mentions the registry edit
> which is what gets altered by the other method. The other method
> mentioned is to use Settings -> Network & Internet -> Status -> click
> Properties on a NIC, and supposedly there is a "Preferred DNS
> encryption" option where you can pick "Encrypted only (DNS over HTTPS)".

When I press Windows+I > Network and Internet > Status > eth0 > Properties
there is nothing related to encryption anywhere on the resulting forms.

Neither is there anything related to encryption when I right click on the
adapter > Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties
graphical user interface in Windows 10 Pro.

Anyone who says there is didn't check it first.
I wouldn't have asked the question if it was that obviously easy.

> Not there in my Windows 10 Home x64 22H2 build 19045.4123. Perhaps the
> author neglected to mention he is using the Pro edition instead of the
> Home edition of Windows 10, or conflated Win11 settings with Win10
> settings. For my Windows 10 Home, it's a registry edit to enable DoH.

Mine is Pro & there is nothing about encryption in any of the suggested
forms so far. Winver => Version 22H2 (OS Build 19045.4046)

> In addition, per:
> https://blog.netwrix.com/2022/10/11/dns-over-https/

How To Enable DNS over HTTPS in Windows 10
a. First, it says DoH is using port 443 (not port 53 which DNS uses).
b. Then it says you need Build 19628 or higher (mine is 19045.4046).
c. It says to add a new 32-bit DWORD named EnableAutoDoh set to hex 2 here
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

Which, in case I need it later, I saved as a registry favorite named
"Enable DNS over HTTP on port 443"

I just did that while I was typing this up, which means I can't do the
next step yet, which is to reboot & then change the Windows 10 network
configuration "Internet Protocol Version 4 (TCP/IPv4)" properties to
a DNS server that can handle the encrypted connections over port 443.
Cloudflare Primary: 1.1.1.1, Alternate: 1.0.0.1
Google Primary: 8.8.8.8, Alternate: 8.8.4.4
Quad9 Primary: 9.9.9.9, Alternate: 149.112.112.112

But this still doesn't solve the problem even if it does work.
I want to set the Windows the same way as Android.

But Android doesn't use an IP address for the Private DNS setting.
Android uses a FQDN instead of an IP address for Private DNS setup.

I ran a tracert so I know what the IP address is of the FQDN.
But that IP address can change over time and I'm just guessing.

Some Android examples that I'd like to replicate on Windows are
easy to figure out since you can guess at what their IP address is.
one.one.one.one
1dot1dot1dot1.cloudflare-dns.com
dns.google

But many (most actually) of the ad blocking DNS servers aren't
in the articles for Windows so you have to guess at the IP address.
adblock.doh.mullvad.net
dns.adguard.con
p2.freedns.controld.com
dns.Cleanbrowsing.com
dns.quad9.net
doh.mullvad.net

To make it more confusing, Android uses DNS over TLS, not DNS over HTTP.
So it might be that the Android DoT DNS servers are completely different
from Windows DoH servers for all I know.

So it's not that simple to answer the questions asked, which are now:
Anyone here know why Android uses a FQDN while Windows uses an IP?
Anyone here know if specifying a DoT server works with Windows DoH?

Re: Private DNS

<l4lc6kFrgspU1@mid.individual.net>


https://news.novabbs.org/computers/article-flat.php?id=78772&group=alt.comp.os.windows-10#78772

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!newsfeed.endofthelinebbs.com!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: usenet@andyburns.uk (Andy Burns)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Mon, 4 Mar 2024 07:40:06 +0000
Lines: 26
Message-ID: <l4lc6kFrgspU1@mid.individual.net>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh>
<l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net HueL9vPTFnsSEklHHBS/1Qs4b/POKJOkUdVIT9iETJZ3Xbmc6t
Cancel-Lock: sha1:f5K8q1d/3VUxCJfvNvzdKOj7ZCE= sha256:FfxiXxv+n2jmi662jYvNa33bKXzDJbrwnFuKgT4nWfQ=
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
In-Reply-To: <us2og2$2mp3s$1@dont-email.me>
 by: Andy Burns - Mon, 4 Mar 2024 07:40 UTC

Jonathan N. Little wrote:
> Andy Burns wrote:
>
>> Win10 requires a registry setting, Win11 doesn't
>
> No it doesn't, it is just Windows 10 still uses legacy interface via the
> Control Panel:
>
> Control Panel > Network and Internet > Network Connections
>
> Right-click on connection > select Properties
>
> Select Internet Protocol Version 4 and|or Version 6
>
> Right-click > select Properties
>
> Select option Use the following DNS server addresses:
>
> Fill in the IPs of the servers

I don't have a Win10 installation to check, but isn't that simply
setting a *different* DNS server to your LAN's default? Where are you
telling it to use *encrypted* DNS?

Re: Private DNS

<l4lcigFrgspU2@mid.individual.net>


https://news.novabbs.org/computers/article-flat.php?id=78773&group=alt.comp.os.windows-10#78773

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: usenet@andyburns.uk (Andy Burns)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Mon, 4 Mar 2024 07:46:26 +0000
Lines: 44
Message-ID: <l4lcigFrgspU2@mid.individual.net>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh>
<l4ja7mFhpurU1@mid.individual.net> <1t29hssnwzwog.dlg@v.nguard.lh>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net sD355yyRewPftLIR6QnZ7Aca4ZCk9FCeHozkcfQi/167y7voOA
Cancel-Lock: sha1:6+3NTkPvkydQqvZCLG822ZBcU0g= sha256:6OqH8qm5SfGyKprytaNXHpfz92myfuuXeDEym1mM/zU=
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
In-Reply-To: <1t29hssnwzwog.dlg@v.nguard.lh>
 by: Andy Burns - Mon, 4 Mar 2024 07:46 UTC

VanguardLH wrote:

> Andy Burns wrote:
>
>> <http://andyburns.uk/misc/Win11-DNSoverHTTPS1.png>
>> <http://andyburns.uk/misc/Win11-DNSoverHTTPS2.png>
>
> Is the GUI setting for DoH exposed in Win11 Home, or only in Win11 Pro?

Both, that was from Home.

Here's a before and after of outbound DNS requests ...

C:\Users\Andy>netstat -an | findstr ":53"
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5355 *:*
UDP 192.168.1.22:5353 *:*
UDP [::]:5353 *:*
UDP [::]:5355 *:*
UDP [::1]:5353 *:*

C:\Users\Andy>netstat -an | findstr "9.9.9.9"

C:\Users\Andy>ping something.not.cached
Ping request could not find host something.not.cached. Please check the
name and try again.

C:\Users\Andy>netstat -an | findstr ":53"
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5355 *:*
UDP 192.168.1.22:5353 *:*
UDP [::]:5353 *:*
UDP [::]:5355 *:*
UDP [::1]:5353 *:*

C:\Users\Andy>netstat -an | findstr "9.9.9.9"
TCP 192.168.1.22:61239 9.9.9.9:443 ESTABLISHED

Re: Private DNS

<us40jg$31u3b$1@dont-email.me>


https://news.novabbs.org/computers/article-flat.php?id=78775&group=alt.comp.os.windows-10#78775

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: nobody@nowhere.co.uk (Graham J)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Mon, 4 Mar 2024 08:26:22 +0000
Organization: A noiseless patient Spider
Lines: 15
Message-ID: <us40jg$31u3b$1@dont-email.me>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh>
<l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me>
<1r3nr0hjrltdj.dlg@v.nguard.lh> <1t548qegb4rjf.dlg@v.nguard.lh>
<us3rpd$3kd4c$1@novabbs.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 4 Mar 2024 08:26:24 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="ec0aa75aa388f49ea14e9c7683ad8e4b";
logging-data="3209323"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19tbXCyjKq+94jCFsTE/OYa"
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101
Firefox/91.0 SeaMonkey/2.53.18.1
Cancel-Lock: sha1:/jKeGU7MDij1BDoXZUqzQ8l2LYg=
In-Reply-To: <us3rpd$3kd4c$1@novabbs.org>
X-Antivirus-Status: Clean
X-Antivirus: AVG (VPS 240304-0, 4/3/2024), Outbound message
 by: Graham J - Mon, 4 Mar 2024 08:26 UTC

Patrick wrote:

[snip]

> So it's not that simple to answer the questions asked, which are now:
> Anyone here know why Android uses a FQDN while Windows uses an IP?

As you suggested, the IP address may change, so the FQDN allows for
this, at the cost of the time delay for an additional DNS lookup.

[snip]

--
Graham J

Re: Private DNS

<10unjohl5rkd3.dlg@v.nguard.lh>


https://news.novabbs.org/computers/article-flat.php?id=78776&group=alt.comp.os.windows-10#78776

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Mon, 4 Mar 2024 03:25:05 -0600
Organization: Usenet Elder
Lines: 68
Sender: V@nguard.LH
Message-ID: <10unjohl5rkd3.dlg@v.nguard.lh>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me> <1r3nr0hjrltdj.dlg@v.nguard.lh> <1t548qegb4rjf.dlg@v.nguard.lh> <us3paj$js87$1@news.usenet.ovh>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Trace: individual.net mYgCi6bviJk0C2cK6u/XYQq0q3PC6DBe11JBAd0AKGpg0p+hww
Keywords: VanguardLH,VLH
Cancel-Lock: sha1:GrZ5VajxrbyOjAo3jxvAegD4Xi8= sha256:nXDLHKBDsREZ6GM7/PjVB6ITjyxIYtoqfN/xb70ITXc=
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Mon, 4 Mar 2024 09:25 UTC

Harry S Robins <stanleyrobins@nothere.uk> wrote:

> On Sun, 3 Mar 2024 22:02:03 -0600, VanguardLH wrote:
>
>> VanguardLH <V@nguard.LH> wrote:
>>
>>> "Jonathan N. Little" <lws4art@gmail.com> wrote:
>>>
>>>> Andy Burns wrote:
>>>>
>>>>> VanguardLH wrote:
>>>>>
>>>>>> You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
>>>>>> mentioned above, and your choice might even include DNS servers that
>>>>>> filter out phish and malware sites, and block spam sources, but they are
>>>>>> still using plain DNS requests that anyone can intercept.  Windows can
>>>>>> support DoH, but it is not enabled by default.  You have to enable DoH
>>>>>> using a policy, or a registry edit
>>>>>
>>>>> Win10 requires a registry setting, Win11 doesn't
>>>>
>>>> No it doesn't, it is just Windows 10 still uses legacy interface via the
>>>> Control Panel:
>>>>
>>>> Control Panel > Network and Internet > Network Connections
>>>>
>>>> Right-click on connection > select Properties
>>>>
>>>> Select Internet Protocol Version 4 and|or Version 6
>>>>
>>>> Right-click > select Properties
>>>>
>>>> Select option Use the following DNS server addresses:
>>>>
>>>> Fill in the IPs of the servers
>>>
>>> That is for defining which DNS servers to use, not to enable/disable DoH
>>> (DNS over HTTPS) when connecting to those servers (so you also have to
>>> pick DNS servers that support DoH).
>>>
>>> In Win10, and rather than edit the registry, and because DoH only
>>> matters to me when using a web browser on my desktop PC, I only bother
>>> with using DoH in Firefox which supports it whether the OS does or not.
>>
>> In addition, per:
>>
>> https://blog.netwrix.com/2022/10/11/dns-over-https/
>>
>> The traditional Control Panel applet (ncpa.cpl) you and I mentioned does
>> not show the DoH enable option. The article mentions the registry edit
>> which is what gets altered by the other method. The other method
>> mentioned is to use Settings -> Network & Internet -> Status -> click
>> Properties on a NIC, and supposedly there is a "Preferred DNS
>> encryption" option where you can pick "Encrypted only (DNS over HTTPS)".
>>
>> Not there in my Windows 10 Home x64 22H2 build 19045.4123. Perhaps the
>> author neglected to mention he is using the Pro edition instead of the
>> Home edition of Windows 10, or conflated Win11 settings with Win10
>> settings. For my Windows 10 Home, it's a registry edit to enable DoH.
>
> That's what I was trying to tell them when I had asked
> "But how do you tell Windows 10 to use DNS over TLS on port 853?"
>
> Everybody thinks DNS over HTTP (or DNS over TLS) is the same as DNS.
> It's not.

The "over whatever" is the transport protocol, not the DNS traffic it
carries. You're encrypting the DNS traffic, not generating it.

Re: Private DNS

<l4liujFrgspU3@mid.individual.net>


https://news.novabbs.org/computers/article-flat.php?id=78777&group=alt.comp.os.windows-10#78777

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: usenet@andyburns.uk (Andy Burns)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Mon, 4 Mar 2024 09:35:16 +0000
Lines: 15
Message-ID: <l4liujFrgspU3@mid.individual.net>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh>
<l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me>
<1r3nr0hjrltdj.dlg@v.nguard.lh> <1t548qegb4rjf.dlg@v.nguard.lh>
<us3rpd$3kd4c$1@novabbs.org> <us40jg$31u3b$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net 5fZv43MhsYBJW3/aWlPNhg2QOV+K5+SvdqSbzJZFhV0LMGqzuZ
Cancel-Lock: sha1:SYYaJa/mC/getSnUMCvVhb8XyuI= sha256:+LZyX+1HFq//GuZ6XkkI8wSDqwKGY3kdMIL5J/TlBeg=
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
In-Reply-To: <us40jg$31u3b$1@dont-email.me>
 by: Andy Burns - Mon, 4 Mar 2024 09:35 UTC

Graham J wrote:

> Patrick wrote:
>
> [snip]
>
>> So it's not that simple to answer the questions asked, which are now:
>> Anyone here know why Android uses a FQDN while Windows uses an IP?
>
> As you suggested, the IP address may change, so the FQDN allows for
> this, at the cost of the time delay for an additional DNS lookup.

It may allow the DNS over HTTP provider to direct you to a
geographically close server ... anycast is used to do the same thing for
access to root DNS servers over UDP

Re: Private DNS

<jy7sa7py3wdt.dlg@v.nguard.lh>


https://news.novabbs.org/computers/article-flat.php?id=78778&group=alt.comp.os.windows-10#78778

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!news.samoylyk.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Mon, 4 Mar 2024 03:59:11 -0600
Organization: Usenet Elder
Lines: 88
Sender: V@nguard.LH
Message-ID: <jy7sa7py3wdt.dlg@v.nguard.lh>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me> <1r3nr0hjrltdj.dlg@v.nguard.lh> <1t548qegb4rjf.dlg@v.nguard.lh> <us3rpd$3kd4c$1@novabbs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Trace: individual.net ZA5rNr8jrWN5ImyO1ZslOgcZM7/znNMT0+Cyp2Hr1GBB7BwJNE
Keywords: VanguardLH,VLH
Cancel-Lock: sha1:LvWEoHrR8g/5fp1A/U9pNhq/mG4= sha256:uX5lCnL1UDZgmYhZonXH8lsHBWWfBdZClyqUyo4WpgE=
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Mon, 4 Mar 2024 09:59 UTC

Patrick <patrick@oleary.com> wrote:

> VanguardLH wrote:
>
>> In addition, per:
>> https://blog.netwrix.com/2022/10/11/dns-over-https/
>
> How To Enable DNS over HTTPS in Windows 10
> a. First, it says DoH is using port 443 (not port 53 which DNS uses).

Not when HTTPS is used. The port is for the transport, not the traffic
within. HTTP uses port 80. HTTPS uses port 443. DNS *without* an
encryption transport uses port 53.

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

> b. Then it says you need Build 19628 or higher (mine is 19045.4046).

Mine is 19045.4123. That's for Win 10 22H2. Build 19628 was an Insider
fast ring build for 20H2; see:

https://blogs.windows.com/windows-insider/2020/05/13/announcing-windows-10-insider-preview-build-19628/
https://betawiki.net/wiki/Windows_10_build_19628

So, the author is mentioning non-released versions of Win10. Often the
Insider builds have features that are not present in the released
versions. The 2nd article (betawiki) also mentions the same registry
key to edit, so even in the author's Insider build there were no exposed
config settings, and users had to do a registry edit. That's why I
suspect the author is conflating settings available in Server or Win11
builds.

> But this still doesn't solve the problem even if it does work.
> I want to set the Windows the same way as Android.

Please be careful when burying humor in staid construction. Some folks
may think you really expect Windows and Android to be that similar.

> To make it more confusing, Android uses DNS over TLS, not DNS over
> HTTP.

DNS over TLS is easier to set up than DNS over HTTPS, but DNS over HTTPS
is more secure. DoT uses port 853, so anyone interrogating your network
traffic will know you are issuing DoT lookups. The payload is
encrypted, not the target IP address, so anyone doing packet inspection
can see you have DoT on port 853, and to which DNS server. They just
cannot see what was the hostname the client sent the DNS server, and
what IP address the DNS server sent back to the client.

With DoH, that's the same port 443 that HTTPS uses for, say, your web
browser. Someone seeing traffic on port 443 doesn't know it's being
used also for DNS traffic. However, again, they can use packet
inspection to see to where you send your HTTPS traffic, so they can see
to which hosts you connect whether a web server or DNS server. The
source and destination are not encrypted, just the payload.

> So it's not that simple to answer the questions asked, which are now:
> Anyone here know why Android uses a FQDN while Windows uses an IP?
> Anyone here know if specifying a DoT server works with Windows DoH?

As you recall, I figured an IP address was needed to find a DNS server.
Apparently Google did some magic in the Android OS, and probably
untoward magic, like they still use the default DNS server to submit a
host to it to get back an IP address to then find the DoT server. Could
also be they use a hosts file to do a local lookup from hostname to IP
address, and might be why there is a specific list of DoT servers.

Also, it could be a matter of providing auto-private DNS selection.
That means the OS can still use regular DNS should DoT not work. In
Windows, using group policy (all policies are registry entries), you can
elect one of the following for DoH:

Prohibit DoH: No DoH name resolution will be performed.

Allow DoH: Perform DoH queries if the configured DNS servers support
it. If they don't support it, try classic name
resolution.

Require DoH: Allow only DoH name resolution. If there are no DoH
capable DNS servers configured, name resolution will fail.

In the registry edit, you set the value to 2, so maybe that matches on
the 2nd policy setting above (Allow DoH). That provides a fallback to
non-encrypted DNS traffic.

Google loves to track, so they might still use regular DNS to resolve a
hostname for another DNS server, or Google doesn't really get that a DNS
server, encrypted or not, should be found using only an IP address.
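As an added example (my own script, not code from any poster in this thread), the following PowerShell checks the EnableAutoDoh registry value Patrick described, lists the configured resolvers against the DoH-capable IPs given in his post, and classifies established connections by the ports VanguardLH explained (53 plain, 853 DoT, 443 DoH), the same check Andy did with netstat. Function and variable names are my own; the registry path and value, the resolver IPs and the port meanings are taken from the thread.

```powershell
# Added example, not from the thread. Read-only unless -Enable is given.
# Assumed from the posts above: EnableAutoDoh (DWORD 2) under
# Dnscache\Parameters enables DoH on Windows 10, and the resolvers below
# accept encrypted DNS on port 443. Run in an elevated PowerShell.
[CmdletBinding()]
param(
    [switch]$Enable   # write EnableAutoDoh=2 as the thread's article says; reboot afterwards
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$valueName = 'EnableAutoDoh'

# Resolver IPs listed in the thread as handling DoH (port 443).
$dohResolvers = @{
    '1.1.1.1' = 'Cloudflare'; '1.0.0.1'         = 'Cloudflare'
    '8.8.8.8' = 'Google';     '8.8.4.4'         = 'Google'
    '9.9.9.9' = 'Quad9';      '149.112.112.112' = 'Quad9'
}

function Get-DohRegistryState {
    $current = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $current) { return 'absent (DoH not enabled via registry)' }
    return "$valueName = $($current.$valueName)"
}

if ($Enable) {
    # 32-bit DWORD, value 2, exactly as quoted from the article in the thread.
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Host "Wrote $valueName=2; a reboot is required before it takes effect."
}

Write-Host "Registry: $(Get-DohRegistryState)"

# Configured IPv4 resolvers per interface, flagged against the thread's DoH list.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        foreach ($ip in $_.ServerAddresses) {
            $label = if ($dohResolvers.ContainsKey($ip)) { $dohResolvers[$ip] } else { 'not in thread DoH list' }
            Write-Host ('{0,-24} {1,-16} {2}' -f $alias, $ip, $label)
        }
    }

# Classify established TCP sessions to the listed resolvers by remote port.
# Plain DNS over UDP 53 has no connection state, so it never shows up here:
# an empty result does not prove that lookups are encrypted.
function Get-DnsTransportConnections {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in 53, 443, 853 -and $dohResolvers.ContainsKey($_.RemoteAddress) } |
        ForEach-Object {
            $conn = $_
            $transport = switch ($conn.RemotePort) {
                53  { 'plain DNS over TCP (unencrypted)' }
                853 { 'DNS over TLS (DoT)' }
                443 { 'DNS over HTTPS (DoH)' }
            }
            [pscustomobject]@{
                Resolver  = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                Provider  = $dohResolvers[$conn.RemoteAddress]
                Transport = $transport
            }
        }
}

# Force an uncached lookup first (as Andy did with ping) so a session is open.
Resolve-DnsName -Name ('probe{0}.not.cached' -f (Get-Random)) -ErrorAction SilentlyContinue | Out-Null
Get-DnsTransportConnections | Format-Table -AutoSize
```

Windows 10 only auto-upgrades to DoH for resolvers it already knows, so a resolver flagged "not in thread DoH list" will show no 443 session even with the registry value set.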

Re: Private DNS

<1heq4ymx6ln6t$.dlg@v.nguard.lh>


https://news.novabbs.org/computers/article-flat.php?id=78779&group=alt.comp.os.windows-10#78779

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Mon, 4 Mar 2024 04:00:45 -0600
Organization: Usenet Elder
Lines: 30
Sender: V@nguard.LH
Message-ID: <1heq4ymx6ln6t$.dlg@v.nguard.lh>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me> <l4lc6kFrgspU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Trace: individual.net u0C+s6j6xjg0RYRZSW7GWAhjgOcCtxQcrPLp9PjxHhSLoyTFzc
Keywords: VanguardLH,VLH
Cancel-Lock: sha1:bPUl9EqxvV8Q9T/+9/P5SYdtXUc= sha256:B8qcX2ueE7+vPjOy+ACo2Ib4Q64bb7pgvOxkeMbi+Fk=
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Mon, 4 Mar 2024 10:00 UTC

Andy Burns <usenet@andyburns.uk> wrote:

> Jonathan N. Little wrote:
>> Andy Burns wrote:
>>
>>> Win10 requires a registry setting, Win11 doesn't
>>
>> No it doesn't, it is just Windows 10 still uses legacy interface via the
>> Control Panel:
>>
>> Control Panel > Network and Internet > Network Connections
>>
>> Right-click on connection > select Properties
>>
>> Select Internet Protocol Version 4 and|or Version 6
>>
>> Right-click > select Properties
>>
>> Select option Use the following DNS server addresses:
>>
>> Fill in the IPs of the servers
>
> I don't have a Win10 installation to check, but isn't that simply
> setting a *different* DNS server to your LAN's default? Where are you
> telling it to use *encrypted* DNS?

By editing the registry setting to enable DoH. Once enabled, the DNS
servers you specify in the IPv4 and IPv6 DNS settings must point to DNS
servers that support DoH (DNS over HTTPS). You have to coordinate the
registry setting with the specified DNS servers.

Re: Private DNS

<us4s7c.e4k.1@ID-201911.user.individual.net>


https://news.novabbs.org/computers/article-flat.php?id=78781&group=alt.comp.os.windows-10#78781

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: this@ddress.is.invalid (Frank Slootweg)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: 4 Mar 2024 15:17:56 GMT
Organization: NOYB
Lines: 17
Message-ID: <us4s7c.e4k.1@ID-201911.user.individual.net>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me> <1r3nr0hjrltdj.dlg@v.nguard.lh> <1t548qegb4rjf.dlg@v.nguard.lh> <us3rpd$3kd4c$1@novabbs.org>
X-Trace: individual.net kpS3DwMSpy2Z5KzhyzoAqACiC2wSEJVqQKwyhBa4CLIHvapn3C
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:4y8KcdILpM0NHvHgtHNM7T254vc= sha256:4wBH/7/SVipwNcGAEVnVEUCYiFHhyTfv2ktkWgk940E=
User-Agent: tin/1.6.2-20030910 ("Pabbay") (UNIX) (CYGWIN_NT-10.0-WOW/2.8.0(0.309/5/3) (i686)) Hamster/2.0.2.2
 by: Frank Slootweg - Mon, 4 Mar 2024 15:17 UTC

Patrick <patrick@oleary.com> wrote:
[...]

> To make it more confusing, Android uses DNS over TLS, not DNS over HTTP.

As I mentioned in the 'sister' thread "blocking ads in apps" in
comp.mobile.android:

Android (11 and higher) can use *both* DNS over TLS and DNS over HTTPS.

Android 9 and 10 have only DNS over TLS.

See

<https://developers.cloudflare.com/1.1.1.1/setup/android/#configure-1111-manually>

[...]

Re: Private DNS

<us4t09.e4k.1@ID-201911.user.individual.net>


https://news.novabbs.org/computers/article-flat.php?id=78782&group=alt.comp.os.windows-10#78782

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: this@ddress.is.invalid (Frank Slootweg)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: 4 Mar 2024 15:31:12 GMT
Organization: NOYB
Lines: 25
Message-ID: <us4t09.e4k.1@ID-201911.user.individual.net>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me> <1r3nr0hjrltdj.dlg@v.nguard.lh> <1t548qegb4rjf.dlg@v.nguard.lh> <us3rpd$3kd4c$1@novabbs.org> <jy7sa7py3wdt.dlg@v.nguard.lh>
X-Trace: individual.net cxF2iu/A6+T3ArPeBcOsIgPUcI4mh9hPqEGOhclH9KeIsvHvNI
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:HdtGZc+l53GdDbNgbZXu1orfyd0= sha256:Y440ZLyktVRmsm1V1uQR1aHSjQBEKD67RXnXq6giswI=
User-Agent: tin/1.6.2-20030910 ("Pabbay") (UNIX) (CYGWIN_NT-10.0-WOW/2.8.0(0.309/5/3) (i686)) Hamster/2.0.2.2
 by: Frank Slootweg - Mon, 4 Mar 2024 15:31 UTC

VanguardLH <V@nguard.lh> wrote:
[...]

> As you recall, I figured an IP address was needed to find a DNS server.
> Apparently Google did some magic in the Android OS, and probably
> untoward magic, like they still use the default DNS server to submit a
> host to it to get back an IP address to then find the DoT server. Could
> also be they use a hosts file to do a local lookup from hostname to IP
> address, and might be why there is a specific list of DoT servers.
>
> Also, it could be a matter of providing auto-private DNS selection.
> That means the OS can still use regular DNS should DoT not work.

AFAICT, no case of "magic" or "untoward".

As you say, I think the default DNS server is still known/configured,
because Private DNS needs to be able to switch back from 'Private DNS
provider hostname' to Automatic or Off. Without knowing the default DNS
server, such a switch is impossible.

I had a little look in Wikipedia, but I didn't see how the name of the
DoT/DoH server is resolved to its IP address, so until proven otherwise,
I stick with my/your explanation.

[...]

Re: Private DNS

<us5713$vrn$1$koziolja@news.chmurka.net>


https://news.novabbs.org/computers/article-flat.php?id=78785&group=alt.comp.os.windows-10#78785

Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!news.chmurka.net!.POSTED.public-nat-08.vpngate.v4.open.ad.jp!not-for-mail
From: janicekoziol@nie.ma.spamu.prosze.com (Jan K.)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Mon, 4 Mar 2024 20:22:11 +0100
Organization: news.chmurka.net
Message-ID: <us5713$vrn$1$koziolja@news.chmurka.net>
References: <us1ipi$3g9j2$1@novabbs.org> <7wicpu6883qq$.dlg@v.nguard.lh> <l4ja7mFhpurU1@mid.individual.net> <us2og2$2mp3s$1@dont-email.me> <1r3nr0hjrltdj.dlg@v.nguard.lh> <1t548qegb4rjf.dlg@v.nguard.lh> <us3rpd$3kd4c$1@novabbs.org> <us40jg$31u3b$1@dont-email.me> <l4liujFrgspU3@mid.individual.net>
NNTP-Posting-Host: public-nat-08.vpngate.v4.open.ad.jp
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 4 Mar 2024 19:22:12 -0000 (UTC)
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
 by: Jan K. - Mon, 4 Mar 2024 19:22 UTC

On Mon, 4 Mar 2024 09:35:16 +0000, Andy Burns wrote:

>>> So it's not that simple to answer the questions asked, which are now:
>>> Anyone here know why Android uses a FQDN while Windows uses an IP?
>>
>> As you suggested, the IP address may change, so the FQDN allows for
>> this, at the cost of the time delay for an additional DNS lookup.
>
> It may allow the DNS over HTTP provider to direct you to a
> geographically close server ... anycast is used to do the same thing for
> access to root DNS servers over UDP

Are you sure that Android is using the fqdn instead of the IP address for
the DNS over encryption server?

How does Android know what the IP address of that fqdn is, then?

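As an added example (not code from any poster in this thread), here is the bootstrap that Frank's explanation above describes and that Jan's question asks about, in Python: the Private DNS hostname is resolved with an ordinary plain-DNS query through the DHCP-assigned resolver, the answer is used only to open a TLS session on port 853, and the certificate is validated against the configured hostname, which is what keeps a wrong bootstrap answer from being silently trusted. The hostname `dot.example.net`, the address 203.0.113.53 and the response bytes are constructed for the example, not taken from the thread.

```python
import socket
import ssl
import struct

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Plain DNS wire-format query (RD set) for an A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:  # ordinary labels
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 else 1)  # pointer (2 bytes) or root (1 byte)

def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses found in the answer section of a response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def frame_for_dot(msg: bytes) -> bytes:
    """Over TCP/TLS each DNS message carries a 2-byte length prefix (RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg

def constructed_bootstrap_response(name: str = "dot.example.net") -> bytes:
    """Constructed sample: the plain resolver answers the DoT hostname with one A record."""
    query = build_query(name)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 53])
    return header + query[12:] + answer

def connect_dot(fqdn: str, addr: str) -> ssl.SSLSocket:
    """TLS to the bootstrapped address; the cert is checked against the configured name."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    raw = socket.create_connection((addr, 853), timeout=5)
    return ctx.wrap_socket(raw, server_hostname=fqdn)
```

Feed `parse_a_records(constructed_bootstrap_response())` into `connect_dot("dot.example.net", addr)` and then send `frame_for_dot(build_query(...))` over the returned socket; a resolver that hands back the wrong address gets a certificate mismatch at `wrap_socket`, not a redirected DNS session.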