Microsoft is testing support for the Discovery of Network-designated Resolvers (DNR) internet standard in Windows 11. DNR enables automated client-side discovery of encrypted DNS servers on local area networks, so devices can be configured automatically to reach encrypted DNS resolvers and use encrypted DNS protocols such as DNS over TLS, DNS over HTTPS and DNS over QUIC without manual configuration.
Without DNR support, users must manually enter the details of the encrypted DNS servers on their local area network in the network settings.
When a device with client-side DNR enabled joins a new network, it queries the local DHCP server, requesting an IP address together with the DNR-specific options. A server running server-side DNR responds with the encrypted DNS details, including the server IP address, supported protocols, port numbers and authentication data, and the client uses that information to establish an encrypted DNS connection automatically.
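To make the DHCP exchange concrete, here is an added example (not code from the article or from Microsoft) that builds and parses the body of the DHCPv4 DNR option as I read RFC 9463: option code 162, each instance carrying a service priority, an authentication domain name (ADN) in DNS wire format, one or more IPv4 addresses and SVCB-style SvcParams (the alpn, port and dohpath keys of RFC 9460). The sample option bytes, the names resolver.example.net and doq.example.net, and the addresses are constructed. The security-relevant detail is in `select_resolver`: DHCP itself is unauthenticated, so the only thing that stops a rogue DHCP server from steering clients to an attacker-run resolver is that the client must validate the resolver's TLS certificate against the advertised ADN, which is why an instance without an ADN is never used.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# SvcParam keys from the SVCB registry (RFC 9460) that DNR instances carry (RFC 9463).
SVCPARAM_ALPN, SVCPARAM_PORT, SVCPARAM_DOHPATH = 1, 3, 7


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero octet."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(buf: bytes) -> str:
    labels, pos = [], 0
    while pos < len(buf) and buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def svcparam(key: int, value: bytes) -> bytes:
    return struct.pack("!HH", key, len(value)) + value


def alpn_value(alpns) -> bytes:
    return b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpns)


def build_instance(priority: int, adn: str, addrs, svcparams: bytes) -> bytes:
    """One DNR instance as carried in DHCPv4 option 162 (my reading of RFC 9463):
    2-octet instance length, 2-octet priority, 1-octet ADN length, ADN,
    1-octet address length, IPv4 addresses, then SvcParams to the end."""
    adn_wire = encode_name(adn)
    addr_wire = b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)
    body = (struct.pack("!HB", priority, len(adn_wire)) + adn_wire
            + bytes([len(addr_wire)]) + addr_wire + svcparams)
    return struct.pack("!H", len(body)) + body


@dataclass
class DnrInstance:
    priority: int
    adn: str
    addresses: list
    alpn: list = field(default_factory=list)
    port: Optional[int] = None
    dohpath: Optional[str] = None


def parse_svcparams(buf: bytes) -> dict:
    params, pos = {}, 0
    while pos + 4 <= len(buf):
        key, length = struct.unpack_from("!HH", buf, pos)
        value = buf[pos + 4:pos + 4 + length]
        pos += 4 + length
        if key == SVCPARAM_ALPN:
            alpns, p = [], 0
            while p < len(value):
                alpns.append(value[p + 1:p + 1 + value[p]].decode("ascii"))
                p += 1 + value[p]
            params["alpn"] = alpns
        elif key == SVCPARAM_PORT:
            params["port"] = struct.unpack("!H", value)[0]
        elif key == SVCPARAM_DOHPATH:
            params["dohpath"] = value.decode("utf-8")
    return params


def parse_dhcpv4_dnr(option_data: bytes) -> list:
    """Parse the body of DHCPv4 option 162 into DnrInstance objects."""
    instances, pos = [], 0
    while pos + 2 <= len(option_data):
        (inst_len,) = struct.unpack_from("!H", option_data, pos)
        inst = option_data[pos + 2:pos + 2 + inst_len]
        pos += 2 + inst_len
        priority, adn_len = struct.unpack_from("!HB", inst, 0)
        p = 3
        adn = decode_name(inst[p:p + adn_len])
        p += adn_len
        addr_len = inst[p]
        p += 1
        addrs = [".".join(str(b) for b in inst[i:i + 4]) for i in range(p, p + addr_len, 4)]
        p += addr_len
        sp = parse_svcparams(inst[p:])
        instances.append(DnrInstance(priority, adn, addrs, sp.get("alpn", []),
                                     sp.get("port"), sp.get("dohpath")))
    return instances


def select_resolver(instances, supported_alpns):
    """Pick the instance with the lowest priority value that the client can use.
    An instance with no ADN is skipped: DHCP is unauthenticated, and the ADN is the
    name the client must check the resolver's TLS certificate against."""
    usable = [i for i in instances if i.adn and set(i.alpn) & set(supported_alpns)]
    return min(usable, key=lambda i: i.priority) if usable else None


# Constructed option 162 body with two instances (sample data, not captured traffic).
SAMPLE_OPTION_162 = (
    build_instance(10, "resolver.example.net", ["192.0.2.53"],
                   svcparam(SVCPARAM_ALPN, alpn_value(["dot", "h2"]))
                   + svcparam(SVCPARAM_DOHPATH, b"/dns-query{?dns}"))
    + build_instance(20, "doq.example.net", ["192.0.2.54"],
                     svcparam(SVCPARAM_ALPN, alpn_value(["doq"]))
                     + svcparam(SVCPARAM_PORT, struct.pack("!H", 8853)))
)

if __name__ == "__main__":
    found = parse_dhcpv4_dnr(SAMPLE_OPTION_162)
    for inst in found:
        print(inst)
    print("chosen:", select_resolver(found, {"dot", "h2"}))
```

A client that supports only DoT and DoH (ALPN `dot` and `h2`) picks the priority-10 instance; a client that supports only `doq` falls through to the second one; a client supporting neither gets `None` and should fall back to its existing configuration rather than to unencrypted DNS to an unknown server.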
Secure DNS is a way of encrypting DNS queries and responses to protect them from being read or modified by anyone who can monitor the network traffic. Regular DNS, on the other hand, sends DNS queries and responses in plaintext, which means they are exposed and vulnerable to attacks.
Secure DNS works like this:
- The client (such as a browser or an app) sends a DNS query to a secure DNS resolver using either DNS over TLS (DoT) or DNS over HTTPS (DoH) protocols. These protocols use TLS encryption to secure the communication between the client and the resolver.
- The secure DNS resolver validates the query and forwards it to the authoritative DNS server that has the information about the domain name requested by the client. The resolver may also use DoT or DoH to communicate with the authoritative server, if it supports them.
- The authoritative DNS server responds with the IP address of the domain name, or an error message if the domain name does not exist or is blocked. The response is also encrypted by DoT or DoH and sent back to the secure DNS resolver.
- The secure DNS resolver decrypts the response and verifies its authenticity using digital signatures. The resolver then sends the response back to the client, again using DoT or DoH encryption.
- The client decrypts the response and connects to the IP address of the domain name.
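The steps above describe the flow in words; the following added example (not code from the article) shows what the client actually puts on the wire and how it reads the answer back, without opening a network connection. It builds an RFC 1035 query message, encodes it in the two DoH forms of RFC 8484 (GET with a base64url `dns` parameter, and POST with `application/dns-message`), frames it for DoT the way RFC 7858 specifies (the DNS message inside a TLS session on TCP port 853, with the same two-octet length prefix as DNS over TCP), and parses a constructed response that uses a name-compression pointer. The hostnames, the response address 192.0.2.10 and the path `/dns-query` are constructed sample values; the transaction ID of 0 follows the RFC 8484 recommendation so that identical queries produce identical, cacheable request bodies.

```python
import base64
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero octet."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(qname: str, qtype: int = DNS_TYPE_A, txid: int = 0) -> bytes:
    """12-byte header (RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, DNS_CLASS_IN)


def doh_get_path(query: bytes, template_path: str = "/dns-query") -> str:
    """DoH GET form (RFC 8484): base64url without padding in the 'dns' parameter."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template_path}?dns={dns_param}"


def doh_post_request(query: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH POST form: the raw DNS message as an application/dns-message body."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n").encode("ascii")
    return head + query


def dot_frame(query: bytes) -> bytes:
    """DoT (RFC 7858): the message is written into the TLS stream with a 2-octet length prefix."""
    return struct.pack("!H", len(query)) + query


def build_response(query: bytes, addresses, ttl: int = 300) -> bytes:
    """Constructed answer for testing: echoes the question and appends one A record per
    address, naming the owner with a compression pointer (0xC00C) to the QNAME at offset 12."""
    (txid,) = struct.unpack_from("!H", query, 0)
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR=1 RD=1 RA=1
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, ttl, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addresses)
    return header + question + rrs


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a name, whether it is spelled out or a compression pointer."""
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:
            return pos + 2
        if n == 0:
            return pos + 1
        pos += 1 + n


def parse_a_answers(msg: bytes, expected_txid: int = 0) -> list:
    """Extract the IPv4 addresses from the answer section, after checking that the message
    really is a response to our query and that the RCODE reports no error."""
    txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == DNS_TYPE_A and rclass == DNS_CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("DoH GET :", doh_get_path(q))
    print("DoT frame:", dot_frame(q).hex())
    print("answer   :", parse_a_answers(build_response(q, ["192.0.2.10"])))
```

The GET path produced for an A query of www.example.com with transaction ID 0 is the same `?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB` string RFC 8484 uses in its own example, which is a quick way to check that a client encodes the message correctly. Everything inside the fence is identical whether it travels over DoT or DoH; what the encrypted transports add is the TLS session around it, which is why the resolver's certificate must be validated against the expected name before any of these bytes are sent.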
The main differences between secure DNS and regular DNS are:
- Secure DNS uses encryption and authentication to protect DNS queries and responses from being intercepted, modified, or spoofed by attackers. Regular DNS does not have any security mechanisms and relies on trust between the client, the resolver, and the authoritative server.
- Secure DNS uses different ports and protocols than regular DNS. DoT uses port 853 and UDP, while DoH uses port 443 and HTTP or HTTP/2. Regular DNS uses port 53 and UDP or TCP.
- Secure DNS can improve privacy by preventing ISPs, governments, or other third parties from seeing or logging what websites or services a user is accessing. Regular DNS exposes this information to anyone who can monitor the network traffic.