Unfortunately, like many “for the users” moves, don’t assume it’s all sunshine and roses. This means ad networks that they own can also make secure DNS requests, rendering devices like PiHoles obsolete. (The PiHole is already obsolete for YouTube for iOS, as it is now impossible to block its DNS requests, and there’s nothing you can do about it except jailbreak and install a modded version of the app.) Where you might see this happen first is Skype and Metro apps with ads.
Same can apply for Windows Updates. If it’s blocked at the network level with the typical DNS blocks, it can be bypassed this way.
PiHole should be scared. Very scared. But they haven’t made any progress on preventing these workarounds DNS-wise, so the PiHole’s days are numbered.
If you have systems not under WSUS, you should also be scared.
“We will not be making any changes to which DNS server Windows was configured to use by the user or network.”
Therefore, PiHole users will be totally unaffected.
This is like HTTPS support in a browser: if the address selected supports encrypted traffic, then the connection will be encrypted. If it does not support encryption, then behavior will not change.
Yes, for most webpages, it will be optional. But the first move they’ll make is mandating it for ad networks like the one Skype and Metro apps use. They’re dealing with more people knowing about PiHole, so this effectively kills the PiHole from being able to block the requests.
At that point, there’s nothing you can do over the network. You have to reverse engineer, and patch the apps to prevent ads in the first place, which defeats the purpose of a PiHole.
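The point being argued above (a DNS-level blocker can sinkhole a cleartext query on UDP/53, but once the same query is wrapped in DNS-over-HTTPS the network only sees the resolver's hostname) can be made concrete. The following is an added example and is not code from any commenter, Microsoft, Pi-hole or pfSense. The blocklist entries, the hostnames `ads.example` / `www.example` and the resolver URL `https://doh.example/dns-query` are constructed for illustration; the wire format follows RFC 1035 and the base64url GET form follows RFC 8484.

```python
"""Added example (not from the thread): why DNS-over-HTTPS sidesteps a
DNS-level blocklist such as Pi-hole's.  All names, the blocklist and the
resolver URL are constructed assumptions for illustration."""
import base64
import struct
from urllib.parse import urlsplit

# Constructed stand-in for a Pi-hole gravity list (assumption: names are illustrative).
BLOCKLIST = {"ads.example", "telemetry.example"}
# Constructed DoH resolver endpoint; RFC 8484 uses /dns-query by convention.
DOH_RESOLVER = "https://doh.example/dns-query"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal RFC 1035 A/IN query in wire format (no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Read the question name back out of a wire-format query."""
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def plain_dns_verdict(packet: bytes) -> str:
    """A Pi-hole style resolver sees the cleartext question and can sinkhole it."""
    return "SINKHOLE" if parse_qname(packet) in BLOCKLIST else "FORWARD"


def doh_get_url(packet: bytes, resolver: str = DOH_RESOLVER) -> str:
    """RFC 8484 GET form: the same wire-format query, base64url without padding."""
    dns = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={dns}"


def on_path_view(doh_url: str) -> str:
    """What a DNS/SNI-level filter actually observes for a DoH request: only the
    resolver's hostname (from the TLS SNI, or the lookup for it).  The ?dns=
    payload travels inside the encrypted HTTPS exchange and is never visible."""
    return urlsplit(doh_url).hostname


def doh_verdict(packet: bytes, resolver: str = DOH_RESOLVER,
                doh_endpoints_blocked: frozenset = frozenset()) -> str:
    """The only decision left to the network: forward, or block the whole resolver.
    Blocking is all-or-nothing (every name that resolver serves, not just the ad
    domain), which is the trade-off the thread is complaining about."""
    host = on_path_view(doh_get_url(packet, resolver))
    if host in BLOCKLIST or host in doh_endpoints_blocked:
        return "BLOCK_RESOLVER"
    return "FORWARD"


def compare(name: str) -> dict:
    """Side by side: same query, once as plain UDP/53 DNS and once as DoH."""
    query = build_dns_query(name)
    return {"udp53": plain_dns_verdict(query), "doh": doh_verdict(query)}


if __name__ == "__main__":
    for name in ("ads.example", "www.example"):
        print(name, compare(name))
```

Running it shows `ads.example` sinkholed on the plain-DNS path but forwarded on the DoH path, because `doh.example` is the only name the filter ever gets to evaluate. The `doh_endpoints_blocked` parameter models the one coarse lever that remains on the network (refusing the resolver hostname outright), and the example makes clear that this blocks all resolution through that endpoint, not just the ad domain.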
Windows Update currently has a peer-to-peer service, so that if a computer with cached updates migrates to a network administered to prevent Windows Updates NOT through WSUS, updates are uploaded from one peer to any computer requesting them. This is a nightmare, forcing you to WSUS all your systems, which just isn’t possible for consumer demo units at a store that could be sold later as a demo. If I’m wrong about this, here’s the article explaining it:
Now imagine if it could ignore DNS rules in those networks where you still want customers to access the internet on demo units, but don’t want it to automatically update in an out of box state. With DoH and similar, that will be impossible without modifying the machine making the requests by low-level patching Windows Update.
If a browser plays nice, there’s nothing to worry about…
But, for the “Microsoft” way of doing ads, their first attack vector is mandating countermeasures to circumventing ads. (Skype is an excellent example, where each countermeasure has been patched out one by one)
Your browser won’t see the changes, but Skype and Metro apps that don’t use standard browsers are likely where they’ll start.
They’re not supporting the DNS requests from the YouTube servers, because they gave up on network based YouTube ad blocking from the official apps and Chromecast. First the app started using hard coded DNS, then the servers became identical to the CDNs serving real videos, making blocking on a network level impossible.
This does not inspire confidence they’ll be able to “man-in-the-middle” these requests.
They don’t care about YouTube anymore, so others following suit with secure DNS methods mean they won’t be able to cope without introducing a security risk.
DNS requests. YouTube secured their DNS requests to ensure ads get delivered to their apps.
Microsoft following suit may be a privacy benefit in this PR blitz, but in reality they’re making plans to bolster their ad network to ensure guaranteed delivery.
We’re not talking about traditional browsers. Ad networks will use specialized thin browsers to ensure stability and delivery. At the first chance, they will adopt tech to prevent stuff like PiHole from blocking the requests.
Spotify goes even further. If you use a PiHole, you’re banned:
I’m choosing to eventually run Windows 10 only as a GPU passthrough VM where its networking has no physical access to a NIC and has to go through a pfSense VM that does have physical access to a NIC, with pfSense managing the internal QEMU network which the Windows 10 VM uses.
Any chance I have to keep network requests sanitary I will take for Windows 10.