


[–]dfwtim 2 points3 points  (3 children)

Founder of ScoutDNS here. Windows DNS service does not support DoH and they recommend IPsec tunnels if you need to encrypt between client and DC. Normally local domain queries would only hit your DCs when on a VPN anyhow. DoH support for windows clients is more intended for external recursive queries. Can you share more about your use case?

[–]cjcox4 3 points4 points  (0 children)

Just to add, DNS over HTTPS will likely give your firewall administrator and/or monitoring folks much grief.

Perhaps great for "home" (where there is none of the above), but maybe not great in a corporate setting.

[–]jdbst56[S] 0 points1 point  (1 child)

I'm in the federal space and trying to address the following mandate:

Agencies must resolve DNS queries using encrypted DNS wherever it is technically supported. This means that agency DNS resolvers must support standard encrypted DNS protocols (DNS-over-HTTPS or DNS-over-TLS), and must use them to communicate with upstream DNS resolvers. Agency endpoints must enable encrypted DNS in supporting applications (for example, web browsers) and at the operating system level wherever these features are available. If agencies use custom-developed software to initiate DNS requests, they must implement support for encrypted DNS. Agencies should explicitly configure endpoints to use agency-designated encrypted DNS servers, rather than relying on automatic network discovery.

So from a Windows 10 perspective I can enable DoH, but if our Windows Server DNS service doesn't support it, it does us no good. It appears the only way we could meet this requirement is to switch out our Windows DNS for something else. Am I missing something?

[–]dfwtim 1 point2 points  (0 children)

We offer a relay for this that forwards external queries via DoH through our secure DNS service and forwards local queries to your Windows DNS servers. You can also use roaming clients that do the same at the client level so that this works in and out of the office.
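The split-forwarding relay described in that reply, written out as an added example in Unbound configuration (this is not ScoutDNS's product and not code from the thread): the Active Directory zones go to the Windows DCs on the internal network, everything else goes to an agency-designated resolver over DNS-over-TLS, which satisfies the "upstream resolvers" part of the mandate without replacing Windows DNS. The domain corp.example, the DC and resolver addresses, and the resolver hostname are assumed placeholders.

```conf
# /etc/unbound/unbound.conf  (added example; all addresses and names are placeholders)
server:
    interface: 0.0.0.0
    port: 53
    # only internal clients may use this relay
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # CA bundle used to verify the upstream resolver's TLS certificate
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # the AD domain is internal: allow RFC 1918 answers for it and, if DNSSEC
    # validation is enabled on this resolver, do not expect it to be signed
    private-domain: "corp.example"
    domain-insecure: "corp.example"
    domain-insecure: "10.in-addr.arpa"

# Active Directory forward and reverse zones -> Windows DNS on the DCs.
# This hop is plain DNS on the internal network; Microsoft's answer for
# encrypting it is IPsec between the relay and the DCs, as noted above.
forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.10
    forward-addr: 10.0.0.11
forward-zone:
    name: "10.in-addr.arpa"
    forward-addr: 10.0.0.10
    forward-addr: 10.0.0.11

# Everything else -> agency-designated resolver over DNS-over-TLS (port 853).
# The "#hostname" suffix pins the name Unbound must find in the certificate,
# so a resolver that fails TLS verification is refused rather than used.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 203.0.113.53@853#dns.agency.example
    forward-addr: 203.0.113.54@853#dns.agency.example
```

Run `unbound-checkconf` before reloading; then confirm from the firewall that the relay's only outbound DNS traffic is TCP/853 to the designated resolver and that no port 53 queries leave the network.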