Testing Resolve-DnsName with DoH on Windows 10 20H2

[shem-sargent]

Steps to reproduce

#Requires -RunAsAdministrator
if([Environment]::OSVersion.Version.Build -lt 19628){
    'This script depends on Windows OS features that are not available in this build.'
    Exit
}
$AutoDohPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$AutoDohKey  = 'EnableAutoDoh'
New-ItemProperty -Path $AutoDohPath -Name $AutoDohKey -Value 2 -PropertyType DWord -Force
# Reboot computer now if this setting is new; dnscache service cannot be normally restarted

# Test with Quad9 DoH resolvers
$PhysicalAdapter = Get-NetAdapter -Physical
$PhysicalAdapter | Get-DnsClientServerAddress -AddressFamily IPv4 | Set-DnsClientServerAddress -ServerAddresses '9.9.9.9', '149.112.112.112'
$PhysicalAdapter | Get-DnsClientServerAddress -AddressFamily IPv6 | Set-DnsClientServerAddress -ServerAddresses '2620:fe::fe', '2620:fe::fe:9'

Resolve-DnsName yahoo.com -DnsOnly -Verbose -DnssecOk
Resolve-DnsName yahoo.com -Server 9.9.9.9 -DnsOnly -Verbose -DnssecOk

Expected behavior

No port 53 traffic in either Resolve-DnsName call.

Actual behavior

Console output is identical, but network traffic is not.

• No port 53 traffic found in first Resolve-DnsName call.
• Unexpected port 53 traffic found in second Resolve-DnsName call that specifies Server IP address.

Environment data

PSVersion                      7.0.1
PSEdition                      Core
GitCommitId                    7.0.1
OS                             Microsoft Windows 10.0.19640
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

[KalleOlaviNiemitalo]

PowerShell Core does not have its own Resolve-DnsName cmdlet yet. It gets this cmdlet from the DnsClient module of Windows PowerShell. AFAIK, the module is not open source. In Windows, DnsQueryEx lets the caller specify the DNS servers, but I suspect that doing so may disable DNS over HTTP for that query.

In #6076 (comment), it was suggested that a cross-platform Resolve-DnsName cmdlet could be implemented for PowerShell Core by using DnsClient.NET. The current version of DnsClient.NET sends its DNS queries using UdpClient or TcpClient instead of using the Windows DNS functions, so it would not be affected by the EnableAutoDoh setting of Windows.

[shem-sargent]

@KalleOlaviNiemitalo, Thank you for the explanation of the underlying issues. Of course, it is early days for DoH support in Windows so it will be interesting to see if the issues you mentioned get resolved so that Resolve-DNSName can reliably implement DOH as well

I think that a client platform-level implementation of DoH should be as secure as the HTTPS in its name implies by preventing unintentional or inconsistent unencrypted DNS traffic. Until that happens, I'll keep using a third-party tool like DNSCrypt-proxy or YogaDNS.

[ghost]

This issue has been marked as answered and has not had any activity for 1 day. It has been closed for housekeeping purposes.