November 6, 2024 | PowerShell, Windows 10, Windows 11, Windows Server 2022

Enabling DNS over HTTPS (DoH) on Windows 11

The latest versions of Windows support the DNS over HTTPS (DoH) protocol, which allows domain name resolution (DNS queries) to be performed over an encrypted HTTPS connection. In this article, we’ll look at what the DNS over HTTPS protocol is used for, and how to use it in Windows.

Contents:
  • How to Enable DNS over HTTPS from the Windows GUI
  • DNS over HTTPS Configuration on Windows 11 via Command Prompt
  • How to verify that DNS over HTTPS works on Windows

By default, DNS traffic is not encrypted. All queries from your computer to a DNS server to resolve names are sent over the network in plain text. Third parties can intercept your DNS traffic, determine what resources you have visited, or manipulate DNS responses in man-in-the-middle attacks. The DoH protocol encapsulates DNS queries in an encrypted HTTPS connection and sends them to a DNS server (a DNS server with DoH support is required).

How to Enable DNS over HTTPS from the Windows GUI

Windows 11 and Windows Server 2022 have built-in DNS-over-HTTPS (DoH) support in the DNS client. The client will use DoH to encrypt DNS traffic if you have specified the IP address of the DNS server that supports DoH in the settings of the network adapter.

Use PowerShell to list the public DNS servers for which Windows already has a built-in DoH template (these are the servers the DNS client can upgrade to DoH automatically):

Get-DNSClientDohServerAddress

Provider     IP addresses of public DNS servers supporting DNS-over-HTTPS
Cloudflare   1.1.1.1, 1.0.0.1
Google       8.8.8.8, 8.8.4.4
Quad9        9.9.9.9, 149.112.112.112

Specify the IPv4 or IPv6 address of one of these DNS servers in the network interface settings (or the address of an alternative DNS server with DoH support, after you have added it as described below).

  1. Navigate to Settings -> Network & Internet -> Ethernet (or Wi-Fi).
  2. Note that in the current configuration DNS traffic is not encrypted.
  3. Click Edit.
  4. Enter the IP address of the DNS server and select On (automatic template) for the DNS over HTTPS parameter.
  5. Save the changes. DNS queries from the computer will now be encrypted.

The Windows Server 2022 DNS client also supports DoH (however, the DNS Server service itself does not support DoH in this release).

Specify the DNS server IP address in the network interface settings and enable the Encrypted only (DNS over HTTPS) mode.


None of the Windows 10 releases currently support the DoH protocol. In one of the Insider Windows 10 releases (Insider Preview OS Build 19628), this protocol could be enabled via the registry. To enable DoH support, you had to create a registry parameter by using the New-ItemProperty cmdlet:

$AutoDohPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$AutoDohKey = 'EnableAutoDoh'
New-ItemProperty -Path $AutoDohPath -Name $AutoDohKey -Value 2 -PropertyType DWord -Force


However, this feature has not been implemented in the final release of Windows 10!

DNS over HTTPS Configuration on Windows 11 via Command Prompt

On Windows, you can use the command line interface to enable and configure DNS over HTTPS.

First, add the IP address of the DoH server to the list of known DNS servers. For example, to add the Cloudflare Family alternative DNS servers 1.1.1.3 and 1.0.0.3 (used to filter malware and adult content), run the following for each address:

$DNSServer="1.1.1.3"
Add-DnsClientDohServerAddress -ServerAddress $DNSServer -DohTemplate "https://family.cloudflare-dns.com/dns-query" -AllowFallbackToUdp $False -AutoUpgrade $True


After you register the template for the DoH DNS server, assign that IP as the preferred DNS server in the network interface settings using the following PowerShell command:

Set-DnsClientServerAddress Ethernet0 -ServerAddresses ($DNSServer)

Then enable mandatory use of DNS over HTTPS for the network interface:

# Get the adapter whose GUID names the per-interface registry key
$i = Get-NetAdapter -Physical -Name Ethernet0
# Per-interface DoH settings live under the interface GUID, one subkey per DNS server IP
$s1 = "HKLM:System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\" + $i.InterfaceGuid + "\DohInterfaceSettings\Doh\$DNSServer"
# DohFlags = 1 enforces DoH for this server on this interface
New-Item -Path $s1 -Force | New-ItemProperty -Name "DohFlags" -Value 1 -PropertyType QWORD
# Flush cached answers so new queries go through DoH immediately
Clear-DnsClientCache


Or use a separate GPO setting to enforce using DoH:

  1. Open the local GPO editor (gpedit.msc).
  2. Navigate to the Computer Configuration -> Policies -> Administrative Templates -> Network -> DNS Client section.
  3. Enable the policy Configure DNS over HTTPS (DoH) name resolution and set its value to Require DoH.

How to verify that DNS over HTTPS works on Windows

To verify that the DNS client is using the encrypted HTTPS (443) protocol for name resolution instead of the default UDP/TCP port 53, use the built-in network traffic capture tool PktMon.exe (run the commands below from an elevated command prompt).

Remove all current Packet Monitor filters:

pktmon filter remove

Create a new filter for the default DNS port (53):

pktmon filter add -p 53

Start real-time traffic monitoring (traffic will be output to the console):

pktmon start --etw -m real-time

If DNS over HTTPS is configured correctly, there should be no traffic on port 53: all DNS queries are sent inside an encrypted HTTPS session (the screenshot compares the console output with DoH disabled and enabled).
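The pktmon capture shows what is on the wire; the following PowerShell function, added here as an example and not part of the original article, checks the configuration side instead. For every active physical adapter it lists each configured IPv4 DNS server, whether Windows has a DoH template registered for it, whether UDP fallback is allowed, and whether the per-interface DohFlags value from the section above is set. It assumes Windows 11 or Windows Server 2022, the registry layout used in this article, and an elevated session.

```powershell
# Added example (not the article's own code): audit DoH state per adapter.
function Get-DohInterfaceStatus {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters'
    # Servers with a DoH template: the built-in list plus anything added with Add-DnsClientDohServerAddress
    $dohKnown = Get-DnsClientDohServerAddress

    foreach ($nic in Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }) {
        $servers = (Get-DnsClientServerAddress -InterfaceAlias $nic.Name -AddressFamily IPv4).ServerAddresses
        if (-not $servers) {
            # Adapter has no DNS server at all (neither static nor DHCP-assigned)
            [pscustomobject]@{ Interface = $nic.Name; DnsServer = '(none)'; DohTemplate = $null
                               FallbackToUdp = $null; DohFlags = $null; Verdict = 'no DNS server' }
            continue
        }
        foreach ($ip in $servers) {
            $tpl = $dohKnown | Where-Object { $_.ServerAddress -eq $ip }
            # Same per-interface key the article creates: <GUID>\DohInterfaceSettings\Doh\<IP>
            $flagPath = Join-Path $base "$($nic.InterfaceGuid)\DohInterfaceSettings\Doh\$ip"
            $flags = (Get-ItemProperty -Path $flagPath -Name DohFlags -ErrorAction SilentlyContinue).DohFlags

            $template = $null
            $fallback = $null
            if ($tpl) {
                $template = $tpl.DohTemplate
                $fallback = $tpl.AllowFallbackToUdp
            }
            # Without a template the client has nothing to upgrade to, so queries stay on port 53
            $verdict = if (-not $tpl) { 'plain DNS (no DoH template)' }
                       elseif ($fallback) { 'DoH with UDP fallback allowed' }
                       else { 'DoH only' }

            [pscustomobject]@{
                Interface     = $nic.Name
                DnsServer     = $ip
                DohTemplate   = $template
                FallbackToUdp = $fallback
                DohFlags      = $flags
                Verdict       = $verdict
            }
        }
    }
}

Get-DohInterfaceStatus | Format-Table -AutoSize
```

Any row whose Verdict is not "DoH only" is a server for which port 53 traffic can still appear in the pktmon capture.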

You can also check if DNS over HTTPS is working on your computer using the following online service (Secure DNS check): https://www.cloudflare.com/ssl/encrypted-sni/


DNS over HTTPS support is implemented in all popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera), and you can enable DoH in any of them. This encrypts only your browser’s DNS queries; DNS traffic from other apps will still be sent as plain text.

DNS over HTTPS and DNS over TLS will cause problems for corporate network administrators by making it more difficult to restrict access to external resources from internal networks.

9 comments

jkuo May 8, 2021 - 8:03 am

A correction to the last screenshot, DNSSEC is not the same as DNS-over-HTTPS. DNSSEC is for server-to-server, and DoT is for server-to-client. The Cloudflare web site is confirming that the Windows 10 is using DoT to communicate to its DNS resolver, and its DNS resolver has implemented the server-side DNSSEC features. The page is correct, you just need to highlight the Secure DNS box rather than the DNSSEC box.

Reply
PM May 19, 2021 - 11:22 am

Hello,
Thanks for your article. But it doesn’t work on my computer: there is always traffic on the DNS port (53) even with a value of 2 for EnableAutoDoh, a good DNS server (1.1.1.1) and after restarting the computer.
Have you got an idea to resolve this ?
Thanks.

Reply
Fbi Fido July 1, 2021 - 5:11 am

“Create a new DWORD parameter with the name EnableAutoDoh and value 2”
Can we set this to 3?

Reply
John 0 July 28, 2021 - 3:57 am

Doesn’t work with 21H1 in case anyone is trying. Probably need to wait till next year for the Public builds to get this.

Reply
Abraham October 11, 2021 - 11:23 pm

One question: Does the Windows Server 2022 DNS server support DNS over HTTPS (DoH)?

In an active directory network, all computers added to the domain have Active Directory DNS Server configured in the DNS client.

If I configure DNS over HTTPS (DoH) in the client but the Active Directory DNS Server does not support it …

Reply
admin October 26, 2021 - 11:34 am

You can only use DoH DNS client on Windows Server 2022:
DNS Client in Windows Server 2022 now supports DNS-over-HTTPS (DoH) which encrypts DNS queries using the HTTPS protocol. This helps keep your traffic as private as possible by preventing eavesdropping and your DNS data being manipulated. Learn more about configuring the DNS client to use DoH. https://docs.microsoft.com/en-us/windows-server/networking/dns/doh-client-support

Reply
James September 20, 2022 - 1:11 pm

Windows 10 does not support DNS over HTTPS and it doesn’t look like it ever will.

Reply
PraterHerbs September 27, 2023 - 4:56 am

Very good post. It solved my problem after changing the internet connection.

Reply