Microsoft plans to lock down Windows DNS like never before. Here’s how.


Wolfzz

Wolfzz

Well-known member
Power User
VIP
Local time
11:56 PM
Posts
488
Visit site
OS
Windows 11

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Build
    CPU
    Intel Core i9 12900KF
    Motherboard
    ASUS ROG Maximus Z690 Hero
    Memory
    Corsair 64GB DDR5 Vengeance C40 5200Mhz
    Graphics Card(s)
    ASUS GeForce RTX 3090 ROG Strix OC 24GB
    Sound Card
    OnBoard
    Monitor(s) Displays
    Acer Predator XB323UGP 32" QHD G-SYNC-C 144Hz 1MS IPS LED
    Screen Resolution
    2560 x 1440
    Hard Drives
    1x Samsung 980 Pro Series Gen4 250GB M.2 NVMe
    1x Samsung 980 Pro Series Gen4 500GB M.2 NVMe
    2x Samsung 980 Pro Series Gen4 2TB M.2 NVMe
    PSU
    Corsair AX1200i 1200W 80PLUS Titanium Modular
    Case
    Corsair 4000D Black Case w/ Tempered Glass Side Panel
    Cooling
    Noctua NH-U12A Chromax Black CPU Cooler, 4x Noctua 120mm Fans
    Keyboard
    Logitech MK545
    Mouse
    Logitech MX Master 3
    Internet Speed
    Fixed Wireless 150mbps/75mbps
    Browser
    Firefox
    Antivirus
    Kaspersky
    Other Info
    Thrustmaster TS-PC RACER
    Fanatec CSL Elite Pedals with the Load Cell Kit
    Yamaha Amp with Bose Speakers
Great. MS screws up the BIOS, then Windows, now they're going for the hat trick by screwing up the internet too.
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦22631.3593 ♦♦♦♦♦♦♦23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 4702)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Internet Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Mouse
    Logitech Optical M-BT96a
    Keyboard
    Logitech Classic Keybooard 200
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 13 years?

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 Build: 22631.3374
    Computer type
    PC/Desktop
    Manufacturer/Model
    Sin-built
    CPU
    Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz (4th Gen?)
    Motherboard
    ASUS ROG Maximus VI Formula
    Memory
    32.0 GB of I forget and the box is in storage.
    Graphics Card(s)
    Gigabyte nVidia GeForce GTX 1660 Super OC 6GB
    Sound Card
    Onboard
    Monitor(s) Displays
    4 x LG 23MP75 1 x 24" LG M38H 1 x 32" LF6300 TV Monitor 1 x Wacom Pro 22" Tablet
    Screen Resolution
    All over the place
    Hard Drives
    2 x WD something Something 8TB HDD's / 2 x WD something Something 4TB HDD's / 1 x EVO 1TB SSD / 2 x QVO 1TB SSD's / 1 x EVO 250 GB SSD / 2 x QVO 1TB (External Hub) / 1 x EVO 1TB (Portable Backup Case)
    PSU
    Silverstone 1500
    Case
    NZXT Phantom 820 Full-Tower Case
    Cooling
    Noctua NH-D15 Elite Class Dual Tower CPU Cooler / 6 x EziDIY 120mm / 2 x Corsair 140mm somethings / 1 x 140mm Thermaltake something / 2 x 200mm Corsair.
    Keyboard
    Corsair K95 / Logitech diNovo Edge Wireless
    Mouse
    Logitech G402 / G502 / Mx Masters / MX Air Cordless
    Internet Speed
    100/40Mbps
    Browser
    All sorts
    Antivirus
    Kaspersky Premium
    Other Info
    I’m on a horse.
  • Operating System
    Windows 11 Pro 22621.2215
    Computer type
    Laptop
    Manufacturer/Model
    LENOVO Yoga 7i EVO OLED 14" Touchscreen i5 12 Core 16GB/512GB
    CPU
    Intel Core 12th Gen i5-1240P Processor (1.7 - 4.4GHz)
    Memory
    16GB LPDDR5 RAM
    Graphics card(s)
    Graphics processor is an Intel Iris Xe
    Sound Card
    optimized with Dolby Atmos®
    Screen Resolution
    QHD 2880 x 1800 OLED
    Hard Drives
    M.2 512GB
    Other Info
    …still on a horse.
antspants said:
How so? Reads to me like an improvement?
Click to expand...


Any time there's a allowed list for anything... MS has the chance to censor things.
On the surface, these things "sound" OK, but in practice... they just screw things up.

It's gonna be like a hammer company, telling you what things you can hit with your hammer.
Or a publisher telling you what you can and can't read, including things that other companies publish.
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦22631.3593 ♦♦♦♦♦♦♦23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 4702)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Internet Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Mouse
    Logitech Optical M-BT96a
    Keyboard
    Logitech Classic Keybooard 200
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 13 years?
Ghot said:
Any time there's a allowed list for anything... MS has the chance to censor things.
On the surface, these things "sound" OK, but in practice... they just screw things up.

It's gonna be like a hammer company, telling you what things you can hit with your hammer.
Or a publisher telling you what you can and can't read, including things that other companies publish.
Click to expand...

Except it's not Microsoft administering the DNS servers. It's admins on the corporate network.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 [rev. 3447]
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical Keyboard with Cherry MX Clears
  • Operating System
    Linux Mint 21.2 (Cinnamon)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC8i5BEH
    CPU
    Intel Core i5-8259U CPU @ 2.30GHz
    Memory
    32 GB
    Graphics card(s)
    Iris Plus 655
    Keyboard
    CODE 104-Key Mechanical Keyboard - Cherry MX Clear
pseymour said:
Except it's not Microsoft administering the DNS servers. It's admins on the corporate network.
Click to expand...

And ISPs.

In house, in a corporation... fine, as long as the corporation is only controlling it's, computers and internet connections.
But MS wants to build a DNS block list into... Windows. A block list that MS has control over.

The internet and even cellular networks... aren't safe. That's a fact of life.
YOU have to be safe when using them... that's your protection.

MS saying they can make things safe... is BS.
Unless they control everything you or your computer does... there's no way to do that.


I can make any car 100% safe. I just take away the keys.
 
Last edited:

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦22631.3593 ♦♦♦♦♦♦♦23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 4702)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Internet Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Mouse
    Logitech Optical M-BT96a
    Keyboard
    Logitech Classic Keybooard 200
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 13 years?
Where are you getting that Microsoft has control over a block list?

And your ISP already controls your traffic, so that ship sailed a long time ago.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 [rev. 3447]
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical Keyboard with Cherry MX Clears
  • Operating System
    Linux Mint 21.2 (Cinnamon)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC8i5BEH
    CPU
    Intel Core i5-8259U CPU @ 2.30GHz
    Memory
    32 GB
    Graphics card(s)
    Iris Plus 655
    Keyboard
    CODE 104-Key Mechanical Keyboard - Cherry MX Clear
pseymour said:
Where are you getting that Microsoft has control over a block list?

And your ISP already controls your traffic, so that ship sailed a long time ago.
Click to expand...


1. Maybe not on Windows XX Enterprise.

2. Congress seems to have more control over ISPs than they do over Microsoft.




techcommunity.microsoft.com

Deployment Considerations for Windows ZTDNS Client

A follow up to the ZTDNS private preview announcement explaining some considerations for future ZTDNS deployments
techcommunity.microsoft.com
 
Last edited:

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦22631.3593 ♦♦♦♦♦♦♦23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 4702)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Internet Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Mouse
    Logitech Optical M-BT96a
    Keyboard
    Logitech Classic Keybooard 200
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 13 years?
Even if Microsoft had a bunch of public DNS servers under their control, no one has to use them, home or enterprise or whatever. Plenty of other DNS options exist outside your ISP or an alleged conspiracy theory MSFT DNS.

And again, that’s not what the zero trust DNS in the article is. It’s for enterprises running Windows DNS.

Actually, while I’m sure some people still do, I don’t personally know any enterprises using Windows DNS servers. Again, they probably exist, somewhere, but I haven’t seen one in forever.

You’re just saying a bunch of things with no backup or evidence. Maybe you’re trolling. I should probably assume so.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 [rev. 3447]
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical Keyboard with Cherry MX Clears
  • Operating System
    Linux Mint 21.2 (Cinnamon)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC8i5BEH
    CPU
    Intel Core i5-8259U CPU @ 2.30GHz
    Memory
    32 GB
    Graphics card(s)
    Iris Plus 655
    Keyboard
    CODE 104-Key Mechanical Keyboard - Cherry MX Clear
@pseymour

For me, reading the article linked in the OP, this sentence rings possible alarm bells:

By default, the firewall will deny resolutions to all domains except those enumerated in allow lists

Assumption here is that the "firewall" is inbuilt into the Windows OS. If so, who then proscribes these "allow" lists ?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP 15s_du1xxx
    CPU
    Intel i5 10210U
    Motherboard
    85F1
    Memory
    16Gb
    Graphics Card(s)
    Intel UHD
    Sound Card
    Realtek
    Screen Resolution
    1920 x 1080
Maybe MS should start by forcing it's own services to run encrypted DNS first and not ignore it, like Edge does? 😒

capture_05042024_164306.jpg capture_05042024_164438.jpg

I tried every options I could find to disable the insecure DNS, yet 11 will not budge. I can only block it in the firewall.
Code: 
rem 1 - DNS interception checks enabled
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DNSInterceptionChecksEnabled" /t REG_DWORD /d "0" /f

rem 1 - DNS-based WPAD optimization (Web Proxy Auto-Discovery)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "WPADQuickCheckEnabled" /t REG_DWORD /d "0" /f

rem Disable Discovery of Designated Resolvers (DDR), a mechanism for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableDdr" /t REG_DWORD /d "0" /f

rem 3 - Require DoH / 2 - Allow DoH / 1 - Prohibit DoH
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DoHPolicy" /t REG_DWORD /d "3" /f

rem Disable IDN (internationalized domain name)
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DisableIdnEncoding" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableIdnMapping" /t REG_DWORD /d "0" /f

rem 1 - Discovery of Network-designated Resolvers DNS over TLS (DoT), DNS over HTTPS (DoH), DNS over QUIC (DoQ)
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableDnr" /t REG_DWORD /d "0" /f

rem Disable smart multi-homed name resolution
rem https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552(v=ws.10)
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DisableSmartNameResolution" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "DisableParallelAandAAAA" /t REG_DWORD /d "1" /f

rem Disable Multicast/mDNS repeater / https://f20.be/blog/mdns
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableMDNS" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f

rem Setup DNS over HTTPS (DoH)
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableAutoDoh" /t REG_DWORD /d "2" /f

rem 1 - Disable Domain Name Devolution (DNS AutoCorrect) / 0 - Enabled (Default)
reg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "UseDomainNameDevolution" /t REG_DWORD /d "0" /f
 

My Computer

System One

  • OS
    Windows 11 Home
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 3600 & No fTPM (07/19)
    Motherboard
    MSI B450 TOMAHAWK 7C02v1E & IFX TPM (07/19)
    Memory
    4x 8GB ADATA XPG GAMMIX D10 DDR4 3200MHz CL16
    Graphics Card(s)
    MSI Radeon RX 580 ARMOR 8G OC @48FPS (08/19)
    Sound Card
    Creative Sound Blaster Z (11/16)
    Monitor(s) Displays
    24" AOC G2460VQ6 (01/19)
    Screen Resolution
    1920×1080@75Hz & FreeSync (DisplayPort)
    Hard Drives
    ADATA XPG GAMMIX S11 Pro SSD 512GB (07/19)
    PSU
    Seasonic M12II-520 80 Plus Bronze (11/16)
    Case
    Lian Li PC-7NB & 3x Noctua NF-S12A FLX@700rpm (11/16)
    Cooling
    CPU Cooler Noctua NH-U12S@700rpm (07/19)
    Keyboard
    HP Wired Desktop 320K + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (04/23)
    Internet Speed
    400/40 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge (No FB/Google) & Brave for YouTube & LibreWolf for FB
    Antivirus
    NoAV & Binisoft WFC & NextDNS
    Other Info
    Headphones: Sennheiser RS170 (09/10)
    Phone: Samsung Galaxy Xcover 7 (02/24)
ian50 said:
@pseymour

For me, reading the article linked in the OP, this sentence rings possible alarm bells:

By default, the firewall will deny resolutions to all domains except those enumerated in allow lists

Assumption here is that the "firewall" is inbuilt into the Windows OS. If so, who then proscribes these "allow" lists ?
Click to expand...


pseymour said:
Except it's not Microsoft administering the DNS servers. It's admins on the corporate network.
Click to expand...
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 Build: 22631.3374
    Computer type
    PC/Desktop
    Manufacturer/Model
    Sin-built
    CPU
    Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz (4th Gen?)
    Motherboard
    ASUS ROG Maximus VI Formula
    Memory
    32.0 GB of I forget and the box is in storage.
    Graphics Card(s)
    Gigabyte nVidia GeForce GTX 1660 Super OC 6GB
    Sound Card
    Onboard
    Monitor(s) Displays
    4 x LG 23MP75 1 x 24" LG M38H 1 x 32" LF6300 TV Monitor 1 x Wacom Pro 22" Tablet
    Screen Resolution
    All over the place
    Hard Drives
    2 x WD something Something 8TB HDD's / 2 x WD something Something 4TB HDD's / 1 x EVO 1TB SSD / 2 x QVO 1TB SSD's / 1 x EVO 250 GB SSD / 2 x QVO 1TB (External Hub) / 1 x EVO 1TB (Portable Backup Case)
    PSU
    Silverstone 1500
    Case
    NZXT Phantom 820 Full-Tower Case
    Cooling
    Noctua NH-D15 Elite Class Dual Tower CPU Cooler / 6 x EziDIY 120mm / 2 x Corsair 140mm somethings / 1 x 140mm Thermaltake something / 2 x 200mm Corsair.
    Keyboard
    Corsair K95 / Logitech diNovo Edge Wireless
    Mouse
    Logitech G402 / G502 / Mx Masters / MX Air Cordless
    Internet Speed
    100/40Mbps
    Browser
    All sorts
    Antivirus
    Kaspersky Premium
    Other Info
    I’m on a horse.
  • Operating System
    Windows 11 Pro 22621.2215
    Computer type
    Laptop
    Manufacturer/Model
    LENOVO Yoga 7i EVO OLED 14" Touchscreen i5 12 Core 16GB/512GB
    CPU
    Intel Core 12th Gen i5-1240P Processor (1.7 - 4.4GHz)
    Memory
    16GB LPDDR5 RAM
    Graphics card(s)
    Graphics processor is an Intel Iris Xe
    Sound Card
    optimized with Dolby Atmos®
    Screen Resolution
    QHD 2880 x 1800 OLED
    Hard Drives
    M.2 512GB
    Other Info
    …still on a horse.
"Admins on the corporate network" is ok by me.

As long as Deep State bureaucrats stay out out of it (that includes the Aus, UK, EU ones as well) and don't start requesting built-in blockages ...
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP 15s_du1xxx
    CPU
    Intel i5 10210U
    Motherboard
    85F1
    Memory
    16Gb
    Graphics Card(s)
    Intel UHD
    Sound Card
    Realtek
    Screen Resolution
    1920 x 1080
This is meant for organizations, not you or I. We can already fully encrypt our DNS transactions with ECH (encrypted client hello) on windows 11 with the correct network settings. The problem with this is that organizations use the information contained in a DNS query to control which sites and domains their clients can access. They can no longer do this because that information is fully encrypted. This has been a thorny issue for adoption of ECH in DNS servers. Google and Cloudfare provide free DNS servers that support ECH. This is good for privacy so noone can find out the sites you are visiting.

It is not Microsoft messing up the internet. They are supplying their corporate and government clients with a solution so that they can use fully encrypted DNS while still controlling what sites and domains their organization can access.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro x64
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY Photoshop/Game/tinker build
    CPU
    Intel i9 13900KS 5.7 P cores 4.4 GHz / E 5 /cache 5
    Motherboard
    Asus ROG Maximus Z790 Dark Hero
    Memory
    64GB (2x32) G.skill Trident Z5 RGB 6400 @6800 MT/s 32-40-40-52
    Graphics Card(s)
    Asus ROG Strix 4070 Ti OC
    Sound Card
    Onboard Audio, Vanatoo Transparent One; Klipsch R-12SWi Sub; Creative Pebble Pro Minimilist
    Monitor(s) Displays
    Eizo CG2730, ViewSonic VP2768
    Screen Resolution
    2560 x 1440p x 2
    Hard Drives
    WDC SN850 1TB nvme, SK-Hynix 2 TB P41 nvme, Raid 0: 1TB 850 EVO + 1TB 860 EVO SSD. Sabrent USB-C DS-SC5B 5-bay docking station: 6TB WDC Black, 6TB Ironwolf Pro; 2x 2TB WDC Black
    PSU
    850W Seasonic Vertex PX-850
    Case
    Fractal Design North XL Mesh, Black Walnut
    Cooling
    EKWB 360 Nucleus Dark AIO w/Phanteks T30-120 fans, 1 Noctua NF-A14 Chromax case fan, 1 T30-120 fan cooling memory
    Keyboard
    Glorious GMMK TKL mechanical, lubed modded -meh
    Mouse
    Logitech G305 wireless gaming
    Internet Speed
    380 Mb/s down, 12 Mb/s up
    Browser
    Firefox
    Antivirus
    Defender, Macrium Reflect 8 ;-)
    Other Info
    Runs hot. LOL
  • Computer type
    Laptop
    Manufacturer/Model
    Apple 13" Macbook Pro 2020 (m1)
    CPU
    Apple M1
    Screen Resolution
    2560x1600
    Browser
    Firefox
TairikuOkami said:
Maybe MS should start by forcing it's own services to run encrypted DNS first and not ignore it, like Edge does? 😒

View attachment 95387 View attachment 95388

I tried every options I could find to disable the insecure DNS, yet 11 will not budge. I can only block it in the firewall.
Code: 
rem 1 - DNS interception checks enabled
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DNSInterceptionChecksEnabled" /t REG_DWORD /d "0" /f

rem 1 - DNS-based WPAD optimization (Web Proxy Auto-Discovery)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "WPADQuickCheckEnabled" /t REG_DWORD /d "0" /f

rem Disable Discovery of Designated Resolvers (DDR), a mechanism for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableDdr" /t REG_DWORD /d "0" /f

rem 3 - Require DoH / 2 - Allow DoH / 1 - Prohibit DoH
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DoHPolicy" /t REG_DWORD /d "3" /f

rem Disable IDN (internationalized domain name)
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DisableIdnEncoding" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableIdnMapping" /t REG_DWORD /d "0" /f

rem 1 - Discovery of Network-designated Resolvers DNS over TLS (DoT), DNS over HTTPS (DoH), DNS over QUIC (DoQ)
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableDnr" /t REG_DWORD /d "0" /f

rem Disable smart multi-homed name resolution
rem https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552(v=ws.10)
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DisableSmartNameResolution" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "DisableParallelAandAAAA" /t REG_DWORD /d "1" /f

rem Disable Multicast/mDNS repeater / https://f20.be/blog/mdns
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableMDNS" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f

rem Setup DNS over HTTPS (DoH)
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableAutoDoh" /t REG_DWORD /d "2" /f

rem 1 - Disable Domain Name Devolution (DNS AutoCorrect) / 0 - Enabled (Default)
reg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "UseDomainNameDevolution" /t REG_DWORD /d "0" /f
Click to expand...
They already do. In settings, network. Your network. And setup DNS manually, use DNS server 1.1.1.1 with 1.0.0.1 as secondary. These are cloudflare DNS servers that support ECH. You will then be provided with options to encrypt or not.

If you still cannot post back here and I will walk you through it.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro x64
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY Photoshop/Game/tinker build
    CPU
    Intel i9 13900KS 5.7 P cores 4.4 GHz / E 5 /cache 5
    Motherboard
    Asus ROG Maximus Z790 Dark Hero
    Memory
    64GB (2x32) G.skill Trident Z5 RGB 6400 @6800 MT/s 32-40-40-52
    Graphics Card(s)
    Asus ROG Strix 4070 Ti OC
    Sound Card
    Onboard Audio, Vanatoo Transparent One; Klipsch R-12SWi Sub; Creative Pebble Pro Minimilist
    Monitor(s) Displays
    Eizo CG2730, ViewSonic VP2768
    Screen Resolution
    2560 x 1440p x 2
    Hard Drives
    WDC SN850 1TB nvme, SK-Hynix 2 TB P41 nvme, Raid 0: 1TB 850 EVO + 1TB 860 EVO SSD. Sabrent USB-C DS-SC5B 5-bay docking station: 6TB WDC Black, 6TB Ironwolf Pro; 2x 2TB WDC Black
    PSU
    850W Seasonic Vertex PX-850
    Case
    Fractal Design North XL Mesh, Black Walnut
    Cooling
    EKWB 360 Nucleus Dark AIO w/Phanteks T30-120 fans, 1 Noctua NF-A14 Chromax case fan, 1 T30-120 fan cooling memory
    Keyboard
    Glorious GMMK TKL mechanical, lubed modded -meh
    Mouse
    Logitech G305 wireless gaming
    Internet Speed
    380 Mb/s down, 12 Mb/s up
    Browser
    Firefox
    Antivirus
    Defender, Macrium Reflect 8 ;-)
    Other Info
    Runs hot. LOL
  • Computer type
    Laptop
    Manufacturer/Model
    Apple 13" Macbook Pro 2020 (m1)
    CPU
    Apple M1
    Screen Resolution
    2560x1600
    Browser
    Firefox
www.elevenforum.com

Microsoft Announcing Zero Trust DNS (ZTDNS) Private Preview for Windows 11

Microsoft Networking Blog: In the modern world, useful network destinations are far more likely to be defined by long-lived domain names than long-lived IP addresses. However, enforcement of domain name boundaries (such as blocking traffic associated with a forbidden domain name) has always been...
www.elevenforum.com www.elevenforum.com
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
ian50 said:
@pseymour

For me, reading the article linked in the OP, this sentence rings possible alarm bells:

By default, the firewall will deny resolutions to all domains except those enumerated in allow lists

Assumption here is that the "firewall" is inbuilt into the Windows OS. If so, who then proscribes these "allow" lists ?
Click to expand...
From the same article: “This will allow administrators to define domain-name-based lockdown using policy-aware Protective DNS servers.”
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 [rev. 3447]
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical Keyboard with Cherry MX Clears
  • Operating System
    Linux Mint 21.2 (Cinnamon)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC8i5BEH
    CPU
    Intel Core i5-8259U CPU @ 2.30GHz
    Memory
    32 GB
    Graphics card(s)
    Iris Plus 655
    Keyboard
    CODE 104-Key Mechanical Keyboard - Cherry MX Clear
antspants said:
How so? Reads to me like an improvement?
Click to expand...
Because it is. It is a good improvement to security. The fear mongering of evil microsoft in here sometimes is a little insane to me.
pseymour said:
Except it's not Microsoft administering the DNS servers. It's admins on the corporate network.
Click to expand...
Exactly

pseymour said:
And your ISP already controls your traffic, so that ship sailed a long time ago.
Click to expand...

Exactly. You can use an alternate dns as well as an additional vpn to hide your traffic somewhat depending on the vpn provider. But regardless of what you do, you will and can be tracked. If not by your devices, you will be tracked by others around you. If your worried about all this stuff it is a little late for that.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell G15 5525
    CPU
    Ryzen 7 6800H
    Memory
    32 GB DDR5 4800mhz
    Graphics Card(s)
    RTX 3050 4GB Vram
    Screen Resolution
    1920 x 1080
    Hard Drives
    2TB Solidigm™ P41 Plus nvme
    Internet Speed
    800mbps down, 20 up
  • Operating System
    Windows 11
    Computer type
    Tablet
    Manufacturer/Model
    Lenovo ideapad flex 14API 2 in 1
    CPU
    Ryzen 5 3500u
    Motherboard
    LENOVO LNVNB161216 (FP5)
    Memory
    12GB DDR4
    Graphics card(s)
    AMD Radeon Vega 8 Graphics
    Hard Drives
    256 GB Samsung ssd nvme
Ghot said:
And ISPs.

In house, in a corporation... fine, as long as the corporation is only controlling it's, computers and internet connections.
But MS wants to build a DNS block list into... Windows. A block list that MS has control over.

The internet and even cellular networks... aren't safe. That's a fact of life.
YOU have to be safe when using them... that's your protection.

MS saying they can make things safe... is BS.
Unless they control everything you or your computer does... there's no way to do that.


I can make any car 100% safe. I just take away the keys.
Click to expand...
They aren't talking about home users, enthusiasts, etc.

Windows will be able to support and utilize the technology for organizations/companies where this type of control is expected/needed/desired.
1715185816772.png
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Beelink SEI8
    CPU
    Intel Core i5-8279u
    Motherboard
    AZW SEI
    Memory
    32GB DDR4 2666Mhz
    Graphics Card(s)
    Intel Iris Plus 655
    Sound Card
    Intel SST
    Monitor(s) Displays
    Asus ProArt PA278QV
    Screen Resolution
    2560x1440
    Hard Drives
    512GB NVMe
    PSU
    NA
    Case
    NA
    Cooling
    NA
    Keyboard
    NA
    Mouse
    NA
    Internet Speed
    500/50
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    Mini PC used for testing Windows 11.
  • Operating System
    Windows 10 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom
    CPU
    Ryzen 9 5900x
    Motherboard
    Asus Rog Strix X570-E Gaming
    Memory
    64GB DDR4-3600
    Graphics card(s)
    EVGA GeForce 3080 FT3 Ultra
    Sound Card
    Onboard
    Monitor(s) Displays
    ASUS TUF Gaming VG27AQ. ASUS ProArt Display PA278QV 27” WQHD
    Screen Resolution
    2560x1440
    Hard Drives
    2TB WD SN850 PCI-E Gen 4 NVMe
    2TB Sandisk Ultra 2.5" SATA SSD
    PSU
    Seasonic Focus 850
    Case
    Fractal Meshify S2 in White
    Cooling
    Dark Rock Pro CPU cooler, 3 x 140mm case fans
    Mouse
    Logitech G9 Laser Mouse
    Keyboard
    Corsiar K65 RGB Lux
    Internet Speed
    500/50
    Browser
    Chrome
    Antivirus
    Defender.
ian50 said:
@pseymour

For me, reading the article linked in the OP, this sentence rings possible alarm bells:

By default, the firewall will deny resolutions to all domains except those enumerated in allow lists

Assumption here is that the "firewall" is inbuilt into the Windows OS. If so, who then proscribes these "allow" lists ?
Click to expand...
Remember, Microsoft have multiple customer bases.

Home Users/enthusiasts use Windows and manage a lot of their own stuff.

Corporate organization use Windows and need to be able to lock down and control their systems to protect their assets.


Both sets of users have a "firewall" built into Windows that can be used. There isn't a concept of the home firewall and the corporate firewall built into Windows. Thus, corporations who setup and control what is included in the allowed lists have finer more granular control of their corporate windows devices. It's not Microsoft setting this up for people across their entire user base.


Corporate IT world is a lot different from enthusiast world.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Beelink SEI8
    CPU
    Intel Core i5-8279u
    Motherboard
    AZW SEI
    Memory
    32GB DDR4 2666Mhz
    Graphics Card(s)
    Intel Iris Plus 655
    Sound Card
    Intel SST
    Monitor(s) Displays
    Asus ProArt PA278QV
    Screen Resolution
    2560x1440
    Hard Drives
    512GB NVMe
    PSU
    NA
    Case
    NA
    Cooling
    NA
    Keyboard
    NA
    Mouse
    NA
    Internet Speed
    500/50
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    Mini PC used for testing Windows 11.
  • Operating System
    Windows 10 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom
    CPU
    Ryzen 9 5900x
    Motherboard
    Asus Rog Strix X570-E Gaming
    Memory
    64GB DDR4-3600
    Graphics card(s)
    EVGA GeForce 3080 FT3 Ultra
    Sound Card
    Onboard
    Monitor(s) Displays
    ASUS TUF Gaming VG27AQ. ASUS ProArt Display PA278QV 27” WQHD
    Screen Resolution
    2560x1440
    Hard Drives
    2TB WD SN850 PCI-E Gen 4 NVMe
    2TB Sandisk Ultra 2.5" SATA SSD
    PSU
    Seasonic Focus 850
    Case
    Fractal Meshify S2 in White
    Cooling
    Dark Rock Pro CPU cooler, 3 x 140mm case fans
    Mouse
    Logitech G9 Laser Mouse
    Keyboard
    Corsiar K65 RGB Lux
    Internet Speed
    500/50
    Browser
    Chrome
    Antivirus
    Defender.
You must log in or register to reply here.

Similar threads

  • Article
Users say Google One VPN app "breaks" Windows DNS settings
Replies
6
Views
1K
PGHammer
P
Windows DNS - SubDomain Blackhole
Replies
15
Views
2K
neemobeer
neemobeer
  • Article
Microsoft Announcing Zero Trust DNS (ZTDNS) Private Preview for Windows 11
Replies
2
Views
952
johnlgalt
johnlgalt
  • Article
Microsoft asks you to take a Windows DNS Client Survey
Replies
0
Views
499
Brink
Brink
Solved Resolve DNS Name - DNS Name Does Not Exist
Replies
6
Views
1K
FreeBooter
FreeBooter

Latest Support Threads

Latest Tutorials

Back
Top Bottom