Making DoH Discoverable: Introducing DDR

Credit and thanks to Alexandru Jercaianu for implementation work

DNS over HTTPS (DoH) in the client exited preview and became a supported feature with the Windows and Windows 11 releases. Unlike plain-text , DoH requires a template in addition to knowing the IP address of the resolver. If only the DoH template is known, the domain name from the template must first be resolved (likely over plain-text DNS) before the DoH server can be used. To avoid the potential for attack on this bootstrapping query, Windows currently requires both the IP address and the DoH template to be known in advance.

What if the client wants to be able to discover the DoH template dynamically? In our previous post on encrypted DNS, we mentioned that we are coauthoring an IETF draft to do exactly that called Discovery of Designated Resolvers (DDR). We have co-developed an end-to-end implementation of DDR in partnership with Quad9 and Cisco's OpenDNS. This allows Windows to bootstrap a DoH connection when it is only given an IP address for a plain-text DNS recursive resolver.

Here is how it works: Windows starts knowing only about a plain-text DNS server (knowing only an IP address for a resolver). Hoping to encrypt its traffic, Windows sends a DNS SVCB query for “”, a new special use domain name that refers to the resolver receiving the query as opposed to a name within the DNS hierarchy. If an SVCB record is returned, it carries a DoH template along with either IP address hints or additional A/AAAA records for the DoH template name.

The DoH configuration cannot be immediately trusted because it arrived over plain-text DNS. To verify its validity, the client tries to make a connection to the DoH server. The connection is only used for DoH traffic in place of the original plain-text resolver if the certificate of the server can claim ownership of the original resolver IP address. This ensures that the DoH server and the original plain-text DNS server are both under control of the owner of the certificate.

Try out DDR in Windows by installing the latest Windows Insider build from the Dev channel then configuring one of the DDR-supporting resolvers from OpenDNS and Quad9 below using the Settings app or Control Panel. When using the Settings app, leave the “DNS over HTTPS” field to “Off”.

  • 2620:fe::fe

Run the following command in an elevated prompt to allow DDR globally.

netsh dns add global doh=yes ddr=yes

For each interface you want to test, run the following command with the interface name (list which interface names are available by using `netsh interface show interface`).

netsh dns add interface name=”” ddr=yes ddrfallback=no

If Windows should fall back to plain-text DNS when DDR fails, the ddrfallback parameter can be changed to “yes”. The settings should be picked up right away but try a reboot in the event of no change in DNS behavior.

Once DDR is configured, and if DDR succeeds, the only traffic over port 53 sent to that resolver should be the DDR SVCB queries for the DoH configuration. All other DNS queries should be going over an HTTPS connection to the DoH server designated by the configured server.

You can see an example of these DDR records below as captured by Wireshark. The selected and expanded record is the DoH configuration response from a Quad9 server. The other, unexpanded SVCB record is the same resolver's configuration for using DoT. Notice that the only packets revealed by a port 53 capture are DDR requests and responses.

A Wireshark capture of DDR queries showing both Quad9 and OpenDNS support and no other plain-text queries (all other queries are using DoH connections discovered by DDR).A Wireshark capture of DDR queries showing both Quad9 and OpenDNS support and no other plain-text queries (all other queries are using DoH connections discovered by DDR).

To reverse the DDR configuration and return Windows to its original state, simply run these commands.

netsh dns set global ddr=no
netsh dns set interface name=”” ddr=no ddrfallback=no

The full text of DDR can be found here. Discussion about DDR and other implementations can be found on the ADD WG mailing list (subscribe here). We encourage everyone to check it out, voice support, and look into adopting DDR for their own stub or recursive resolvers.

can`t update 1489 10/31/2021

win11 won`t update Install error – 0x800704c7


This article was originally published by Microsoft's Azure Security Blog. You can find the original article here.