Encrypted DNS (DoH) now on Win 10 - but better than dnscrypt-proxy?


    #1 (Posts: 318; Dual-boot Win 7 & 10, both Pro 64-bit, now with a Hyper-V VM of Win 11)

    Per this article from a very good IT tech website -
    Enabling DNS over HTTPS (DoH) on Windows 10 | Windows OS Hub
    Win 10 (version 2004 and up) now has encrypted DNS lookups via DNS over HTTPS, also known as "DoH". The article describes a registry hack and a Network property setting to get it running.

    But is it better than other techniques out there? For three years I have been doing encrypted DNS lookups via DoH on my dual-boot Win 7 + 10 PC by running the service dnscrypt-proxy, which I set up on my PC using the app Simple DNSCrypt. I did the same on my iPhone by using the apps DNSCloak or Cloudflare's "WARP".

    DoH, Simple DNSCrypt, DNSCloak and the service dnscrypt-proxy are described on this great article at arstechnica:
    How to keep your ISP's nose out of your browser history with encrypted DNS | Ars Technica

    I think (not sure) that the advantage of the service dnscrypt-proxy over the new Win 10 native DoH is that dnscrypt-proxy stores a cache of DNS lookups on my PC at 127.0.0.1, making those connections even faster. dnscrypt-proxy doesn't go to a DNS server like 1.1.1.1 (even if the connection is now encrypted and checked) unless it needs to. I don't think Win 10's version of DoH does that.

    What do you think?


    #2 (Posts: 5,430; Windows 11 Home)

    So, another fake article about DNS. DNS is not a VPN! The ISP will not see encrypted DNS requests, but it will still see which domains the user connected to, and most likely the webpages as well, thanks to SNI.

    Cloudflare ESNI Checker | Cloudflare
    Good-bye ESNI, hello ECH!

    Encrypted DNS is great for security, in that it cannot be easily tampered with.
    As for privacy, it cannot be snooped on by others (hackers) while in transit.

    glnz said:
    dnscrypt-proxy doesn't go to a DNS server like 1.1.1.1 (even if the connection is now encrypted and checked) unless it needs to. I don't think Win 10's version of DoH does that.
    Windows uses the DNS cache for DoH as well. But honestly, I do not understand why people are obsessed with it; there is no place for a DNS cache in the 21st century (DNS requests take a few ms). It only creates vulnerabilities and is abused by hackers and malware, but unfortunately it cannot be disabled, otherwise DoH will not work.

    glnz said:
    But is it better than other techniques out there?
    As far as security and reliability go, it is better to use UDP than TCP: no MITM and no failed handshakes. But as always, we are not given much choice; it is either DoH or nothing (unencrypted DNS via port 53).

    I am looking forward to DoQ (QUIC); it uses UDP only, so it will be a great alternative to dnscrypt.
    DoT is better than DoH, but DoH is being pushed because it cannot be easily blocked by the ISP.
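The SNI point made in #2, as an added example (not from the thread or the linked articles): a small Python script that builds a constructed TLS ClientHello and then recovers the server name from it the way a passive observer on the path could. This is why DoH alone hides the lookup but not the visited domain until ECH is deployed.

```python
"""What an on-path observer such as an ISP still sees when every DNS lookup
went over DoH: the Server Name Indication (SNI) in the TLS ClientHello is sent in
plaintext.  The ClientHello bytes below are constructed locally; nothing is sent."""
import os
import struct

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000


def build_client_hello(hostname):
    """Build a minimal TLS 1.2-style ClientHello record (constructed sample)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + os.urandom(32)          # client_version, random
            + b"\x00"                             # empty session_id
            + b"\x00\x02\x13\x01"                 # one cipher suite
            + b"\x01\x00"                         # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 3]) + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """Return the host_name from the SNI extension, or None if absent or malformed."""
    try:
        if record[0] != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        pos = 4 + 2 + 32                            # handshake header, version, random
        pos += 1 + hs[pos]                          # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                          # compression_methods
        end = min(pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0], len(hs))
        pos += 2
        while pos + 4 <= end:                       # walk the extension list
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
                nlen = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + nlen].decode("ascii", "replace")
    except (IndexError, struct.error):
        pass                                        # truncated or malformed record
    return None
```

Running `extract_sni` over captured ClientHello records is also the defender's view: it is exactly what a network monitor logs to inventory visited domains, DoH or not.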


    #3 (Posts: 582; Windows 10 Pro 64 bit 19044.1706)

    TairikuOkami said:
    Windows uses DNS Cache for DoH as well. But honestly, I do not understand why people are obsessed about it, there is no place for DNS cache in 21st century (DNS requests take a few ms).
    What if you read thousands of philosophical/scientific articles daily, so that Google marks you as a bot? I couldn't imagine waiting another 0.5 s or so per site...

    You know that DNS benchmarking tool. Performance between DNS servers differs greatly. I can tell a big difference between something like Google DNS and Q.U.A.D. Also, every DNS server's performance differs per site. Ideally you want to use something like 5 DNS servers, which you can still do even with DoT.

    TairikuOkami said:
    DoT is better than DoH, but DoH is being pushed, because it can not be easily blocked by ISP.
    I recently set up DoT. It was not easy to set up, and then I lost the connection once for some reason and had to restart the DNS resolver. NLnet Labs - Unbound - Download
    At least it has forums.

    It is considerably slower though (even with the cache on)! There is this pesky delay when sites are loading. Honestly, many sites are painfully slow today (not only due to corona). I remember the old days of 6 Mb/s internet, when many sites loaded instantly! Maybe because every site is this annoying scroll BS for tablets and phones and not optimized well? Hate these, BTW!

    EDIT: I just noticed Firefox can do DNS over HTTPS, and there are 2 servers by default; not sure if you can add a custom one. It is in the General/Network options. Also, it is configured by default to use a proxy if one is set in Windows, LOL. But isn't DoT better?
    Last edited by empleat; 10 Mar 2021 at 20:23.