Windows 10 introducing DNS over HTTPS (PiHole users beware)

Unfortunately, like many “for the users” moves, don’t assume it’s all sunshine and roses. This means ad networks that they own can also make secure DNS requests, rendering devices like PiHoles obsolete. (The PiHole is already obsolete for YouTube for iOS, as it is now impossible to block its DNS requests, and there’s nothing you can do about it except jailbreak and install a modded version of the app.) Where you might see this happen first is Skype and Metro apps with ads.

The same can apply to Windows Updates. If it’s blocked at the network level with the typical DNS blocks, it can be bypassed this way.

PiHole should be scared. Very scared. But they haven’t made any progress on preventing these workarounds DNS-wise, so the PiHole’s days are numbered.

If you have systems not under WSUS, you should also be scared.

Why?


“We will not be making any changes to which DNS server Windows was configured to use by the user or network.”

Therefore, pihole users will be totally unaffected.

This is like HTTPS support in a browser, if the address selected supports encrypted traffic, then the connection will be encrypted. If it does not support encryption, then behavior will not change.

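One way to check what the quoted Microsoft statement means for your own resolver, as an added example that is not part of this thread: it asks whether the DNS server address a client is configured with also answers DNS over HTTPS (RFC 8484) at the standard `/dns-query` path. A PiHole or other resolver that only speaks plain port-53 DNS returns `False`, so there is nothing to upgrade to. The wire-format encoder and A-record parser are tested offline on a constructed response; the `/dns-query` path and `example.com` probe name are assumptions.

```python
import struct
import urllib.request

DOH_CT = "application/dns-message"

def build_query(name: str, qid: int = 0) -> bytes:
    """Encode a DNS A/IN query in RFC 1035 wire format (the DoH request body)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg: bytes) -> list:
    """Extract IPv4 addresses from the A records in a DNS answer section."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:  # non-zero RCODE (e.g. NXDOMAIN): no usable answers
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def probe_doh(server: str, timeout: float = 3.0) -> bool:
    """True only if https://server/dns-query answers a DoH POST with a DNS message."""
    req = urllib.request.Request(
        f"https://{server}/dns-query", data=build_query("example.com"),
        headers={"Content-Type": DOH_CT, "Accept": DOH_CT}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Content-Type", "").startswith(DOH_CT)
    except (OSError, ValueError):  # refused, timeout, TLS failure, HTTP error
        return False

# Constructed sample (not captured from a real server): one A answer of 192.0.2.10,
# with the answer name compressed to a pointer at the question (offset 12).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + build_query("example.com")[12:] + b"\xc0\x0c"
                   + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Run `probe_doh("192.168.1.2")` against your PiHole's address to confirm it does not present a DoH endpoint.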

Buy a better router that has a decent firewall and block it there.

DoH will be optional. MS would get huge backlash if it were required. Many businesses run their own DNS and they won’t all magically support SSL.


Nope, not for the YouTube app for iOS. That won’t work either.

Yes, for most webpages, it will be optional. But the first move they’ll make is mandating it for ad networks like the one Skype and Metro apps use. They’re dealing with more people knowing about PiHole, so this effectively kills the PiHole from being able to block the requests.

At that point, there’s nothing you can do over the network. You have to reverse engineer, and patch the apps to prevent ads in the first place, which defeats the purpose of a PiHole.

Windows Update currently has a peer-to-peer service, so that if a computer with cached updates migrates to a network administrated to prevent Windows Updates NOT through WSUS, updates are uploaded from one peer to any computer requesting it. This is a nightmare forcing you to WSUS all your systems, which just isn’t possible for consumer demo units at a store that could be sold later as a demo. If I’m wrong about this, here’s the article explaining it:

Now imagine if it could ignore DNS rules in those networks where you still want customers to access the internet on demo units, but don’t want it to automatically update in an out of box state. With DoH and similar, that will be impossible without modifying the machine making the requests by low-level patching Windows Update.

If a browser plays nice, there’s nothing to worry about…

But, for the “Microsoft” way of doing ads, their first attack vector is mandating countermeasures to circumventing ads. (Skype is an excellent example, where each countermeasure has been patched out one by one.)

Your browser won’t see the changes, but Skype and Metro apps that don’t use standard browsers are likely where they’ll start.

Are you high?

Edit: Oh yeah, and all your fears will be moot once you realize that PiHole will likely support DoH or DoT in the future.

They’re not supporting the DNS requests from the YouTube servers, because they gave up on network based YouTube ad blocking from the official apps and Chromecast. First the app started using hard coded DNS, then the servers became identical to the CDNs serving real videos, making blocking on a network level impossible.

This does not inspire confidence they’ll be able to “man-in-the-middle” these requests.

They don’t care about YouTube anymore, so others following suit with secure DNS methods mean they won’t be able to cope without introducing a security risk.

What does Microsoft have to do with a YouTube app?


DNS requests. YouTube secured their DNS requests to ensure ads get delivered to their apps.

Microsoft following suit may be a privacy benefit in this PR blitz, but in reality they’re making plans to bolster their ad network to ensure guaranteed delivery.

That wouldn’t work??? Firefox already has DoH support and will do HTTPS requests to Cloudflare if you enable it.

Edit: I will ask again, are you high?


We’re not talking about traditional browsers. Ad networks will use specialized thin browsers to ensure stability and delivery. At the first chance, they will adopt tech to prevent stuff like PiHole from blocking the requests.

Spotify goes even further. If you use a PiHole, you’re banned:

Let’s keep it calm, guys.

Yes, it’s a little :tinfoil:, but criticize ideas, not people.


It really is best to let people see whatever demons in the broom cupboard they want; it makes my head less sore.


I’m choosing to eventually run Windows 10 only as a GPU passthrough VM where its networking has no physical access to a NIC and has to go through a pfSense VM with physical access to a NIC, with pfSense managing the internal QEMU network which the Windows 10 VM uses.

Any chance I have to keep network requests sanitary I will take for Windows 10.


@FurryJackman Please do not fear-monger this post.

Thank you.


Are you implying the OS and programs will ignore the DNS server address supplied by your router?