9/7/2023
Windows template 5371

DNS over HTTPS (DoH) in the DNS client exited preview and became a supported feature with the Windows Server 2022 and Windows 11 releases. Unlike plain-text DNS, DoH requires a template in addition to knowing the IP address of the resolver. If only the DoH template is known, the domain name from the template must first be resolved (likely over plain-text DNS) before the DoH server can be used. To avoid the potential for attack on this bootstrapping query, Windows currently requires both the IP address and the DoH template to be known in advance.

What if the client wants to be able to discover the DoH template dynamically? In our previous post on encrypted DNS, we mentioned that we are coauthoring an IETF draft to do exactly that called Discovery of Designated Resolvers (DDR). We have co-developed an end-to-end implementation of DDR in partnership with Quad9 and Cisco's OpenDNS. This allows Windows to bootstrap a DoH connection when it is only given an IP address for a plain-text DNS recursive resolver.

Here is how it works: Windows starts knowing only about a plain-text DNS server (knowing only an IP address for a resolver). Hoping to encrypt its traffic, Windows sends a DNS SVCB query for "resolver.arpa", a new special use domain name that refers to the resolver receiving the query as opposed to a name within the DNS hierarchy.

Credit and thanks to Alexandru Jercaianu for implementation work.
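The step after the bootstrap query is turning the SVCB answer into a DoH template. The parser below is an added example, not code from the post or from Windows; it decodes SVCB RDATA (SvcPriority, TargetName, SvcParams), reads the alpn, port and dohpath parameters, and builds the URI template. The record it parses is constructed for the example (doh.example.net is a placeholder, not a real resolver).

```python
import struct
# SvcParamKeys: alpn=1 and port=3 (RFC 9460); dohpath=7 (RFC 9461)
KEY_ALPN, KEY_PORT, KEY_DOHPATH = 1, 3, 7

def encode_name(name):  # wire-encode a DNS name as length-prefixed labels
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(buf, off):  # SVCB TargetName is never compressed, so no pointers
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def parse_svcb_rdata(rdata):
    # SVCB RDATA: SvcPriority, TargetName, then SvcParams as (key, length, value)
    prio = struct.unpack("!H", rdata[:2])[0]
    target, off = decode_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        val = rdata[off + 4:off + 4 + length]
        off += 4 + length
        if key <= last_key or len(val) != length:  # keys strictly increasing, no truncation
            raise ValueError("malformed SvcParams")
        last_key = key
        if key == KEY_ALPN:  # sequence of length-prefixed protocol ids
            alpns, p = [], 0
            while p < len(val):
                alpns.append(val[p + 1:p + 1 + val[p]].decode())
                p += 1 + val[p]
            params["alpn"] = alpns
        elif key == KEY_PORT:
            params["port"] = struct.unpack("!H", val)[0]
        elif key == KEY_DOHPATH:
            params["dohpath"] = val.decode()
    return prio, target, params

def doh_template(target, params):
    # A DoH designation needs an HTTP ALPN and a dohpath starting with "/" that contains {?dns}
    path = params.get("dohpath", "")
    if not ({"h2", "h3"} & set(params.get("alpn", []))) or not path.startswith("/") or "{?dns}" not in path:
        return None
    host, port = target.rstrip("."), params.get("port", 443)
    return f"https://{host}{'' if port == 443 else f':{port}'}{path}"

def svcparam(key, val):
    return struct.pack("!HH", key, len(val)) + val

# Constructed SVCB answer to the bootstrap query (not a real resolver's record)
SAMPLE_RDATA = (struct.pack("!H", 1) + encode_name("doh.example.net.")
                + svcparam(KEY_ALPN, b"\x02h2\x02h3") + svcparam(KEY_DOHPATH, b"/dns-query{?dns}"))
```

The template alone is not enough to trust the answer: the DDR specification (RFC 9462) has the client verify that the designated resolver's TLS certificate names the IP address of the plain-text resolver that answered the bootstrap query, which is the check that defends against a spoofed SVCB answer.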