Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows 10 / Enabling DNS over HTTPS (DoH) on Windows 10

March 5, 2021 Windows 10

Enabling DNS over HTTPS (DoH) on Windows 10

DNS over HTTPS (DoH) support appeared on Windows 10 2004 build (May 2020 Update). Now Windows 10 can resolve names over HTTPS protocol using the built-in DoH client. In this article we’ll tell what DNS over HTTPS protocol is used for, how to enable and use it on latest Windows 10 builds.

When your computer connects to a DNS server to resolve names, it sends and receives DNS requests/responses over the Internet in clear text. An attacker can intercept your traffic, detect what resources you have visited or manipulate your DNS traffic using a man-in-the-middle type of attack. The DNS over HTTPS protects user data privacy by encrypting all DNS queries. The DoH protocol encapsulates DNS queries into HTTPS traffic and sends them to a DNS server (you need use use a special DNS server with DoH support).

Windows 10 2004 does’t yet have a GPO parameter or an option in the graphic interface to enable DNS-over-HTTPS. Currently, you can only enable DoH on latest Windows 10 builds via the registry:

  1. Run the regedit.exe;
  2. Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  3. Create a new DWORD parameter with the name EnableAutoDoh and value 2;
    windows 10 enable dns over https via registry parameter EnableAutoDoh
    You can also create this registry parameter using the New-ItemProperty cmdlet:
    $EnableDNSoverHTTPSKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $EnableDNSoverHTTPSParameter = 'EnableAutoDoh'
    New-ItemProperty -Path $EnableDNSoverHTTPSKey -Name $EnableDNSoverHTTPSParameter -Value 2 -PropertyType DWord –Force

  4. Then restart the DNS client service. To do it, reboot your computer, since you won’t be able to restart the dnscase service normally (Restart-Service -Name Dnscache –force command returns the following error: Collection was modified; enumeration operation may not execute).

Then you will have to change the DNS settings of your network connection. You need to specify DNS servers with DNS over HTTPS support. Not all of DNS servers support DoH yet. The table below shows a list of public DNS servers with DNS over HTTPS support.

Provider IP Addresses of DNS Servers With DNS over HTTP Support
Cloudflare 1.1.1.1, 1.0.0.1
Google 8.8.8.8, 8.8.4.4
Quad9 9.9.9.9, 149.112.112.112

Open the network connection window (Control Panel -> Network and Internet -> Network and Sharing Center or ncpa.cpl). Then change the current DNS server IP addresses to the addresses of DNS servers that support DoH in the network adapter properties.

change primary and alternative DNS server on windows to DNS over HTTPS IPs

You can change DNS server addresses in the network adapter settings using PowerShell (see the article on network configuration using PowerShell):

$PhysAdapter = Get-NetAdapter -Physical
$PhysAdapter | Get-DnsClientServerAddress -AddressFamily IPv4 | Set-DnsClientServerAddress -ServerAddresses '8.8.8.8', '1.1.1.1'

Then your DNS client will use HTTPS (443) protocol instead of standard UDP/TCP port 53 for DNS name resolution.

Using PktMon.exe, a tool to capture network traffic (we told about it earlier), you can make sure that no DNS request are sent from the computer over 53 port.

Remove all current Packet Monitor filters:

pktmon filter remove

Create a new filter for default DNS port (53):

pktmon filter add -p 53

Start real-time traffic monitoring (the traffic will be shown in the console):

pktmon start --etw -p 0 -l real-time

If you have configured DNS over HTTPS correctly, there will be no traffic on Port 53 (the screenshot below shows the console output with DoH enabled and disabled).

ispecting dns traffic over https

You can also check if DNS over HTTPS is working on your computer using the following online service (DNSSEC check): https://www.cloudflare.com/ssl/encrypted-sni/

cloudlflare perform dnssec test

In the last year, DNS over HTTPS has been implemented in all popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera). You can enable DoH support in each of them. Thus, all DNS queries from your browser will be encrypted (DNS traffic of other apps will still sent as a plain text).

DNS over HTTPS and DNS over TLS will create a lot of troubles for corporate network administrators, since it will be harder to restrict access to external resources from internal networks.

8 comments
1
Facebook Twitter Google + Pinterest
previous post
How to Uninstall Built-in UWP (APPX) Apps on Windows 10?
next post
Repairing Broken Trust Relationship Between Workstation and AD Domain

Related Reading

Using Previous Command History in PowerShell Console

January 31, 2023

How to Install the PowerShell Active Directory Module...

January 31, 2023

Enable Internet Explorer (IE) Compatibility Mode in Microsoft...

January 27, 2023

How to Disable or Uninstall Internet Explorer (IE)...

January 26, 2023

How to Delete Old User Profiles in Windows?

January 25, 2023

8 comments

jkuo May 8, 2021 - 8:03 am

A correction to the last screenshot, DNSSEC is not the same as DNS-over-HTTPS. DNSSEC is for server-to-server, and DoT is for server-to-client. The Cloudflare web site is confirming that the Windows 10 is using DoT to communicate to its DNS resolver, and its DNS resolver has implemented the server-side DNSSEC features. The page is correct, you just need to highlight the Secure DNS box rather than the DNSSEC box.

Reply
PM May 19, 2021 - 11:22 am

Hello,
Thanks for your article. But It doesn’t work on my computer : there is always traffic on DNS port (53) even with a value of 2 for EnableAutoDoh, a good DNS (1.1.1.1) and after restart the computer.
Have you got an idea to resolve this ?
Thanks.

Reply
Fbi Fido July 1, 2021 - 5:11 am

“Create a new DWORD parameter with the name EnableAutoDoh and value 2; ‘
Can we set this to 3 ???

Reply
John 0 July 28, 2021 - 3:57 am

Doesn’t work with 21H1 in case anyone is trying. Probably need to wait till next year for the Public builds to get this.

Reply
Abraham October 11, 2021 - 11:23 pm

One question: Does the Windows Server 2022 DNS server support DNS over HTTPS (DoH)?

In an active directory network, all computers added to the domain have Active Directory DNS Server configured in the DNS client.

If I configure DNS over HTTPS (DoH) in the client but the Active Directory DNS Server does not support it …

Reply
admin October 26, 2021 - 11:34 am

You can only use DoH DNS client on Windows Server 2022:
DNS Client in Windows Server 2022 now supports DNS-over-HTTPS (DoH) which encrypts DNS queries using the HTTPS protocol. This helps keep your traffic as private as possible by preventing eavesdropping and your DNS data being manipulated. Learn more about configuring the DNS client to use DoH. https://docs.microsoft.com/en-us/windows-server/networking/dns/doh-client-support

Reply
James September 20, 2022 - 1:11 pm

Windows 10 does not support DNS over HTTPS and it doesn’t look like it ever will.

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Using Previous Command History in PowerShell Console

    January 31, 2023
  • How to Install the PowerShell Active Directory Module and Manage AD?

    January 31, 2023
  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023
  • Adding Trusted Root Certificates on Linux

    January 9, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Allow Multiple RDP Sessions in Windows 10 and 11?
  • How to Repair EFI/GPT Bootloader on Windows 10 or 11?
  • How to Restore Deleted EFI System Partition in Windows?
  • Network Computers are not Showing Up in Windows 10/11
  • How to Run Program without Admin Privileges and to Bypass UAC Prompt?
  • How to Create a Wi-Fi Hotspot on your Windows PC?
  • Updating List of Trusted Root Certificates in Windows
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top