Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows 10 / Enabling DNS over HTTPS (DoH) on Windows 10

March 5, 2021 Windows 10

Enabling DNS over HTTPS (DoH) on Windows 10

DNS over HTTPS (DoH) support appeared on Windows 10 2004 build (May 2020 Update). Now Windows 10 can resolve names over HTTPS protocol using the built-in DoH client. In this article we’ll tell what DNS over HTTPS protocol is used for, how to enable and use it on latest Windows 10 builds.

When your computer connects to a DNS server to resolve names, it sends and receives DNS requests/responses over the Internet in clear text. An attacker can intercept your traffic, detect what resources you have visited or manipulate your DNS traffic using a man-in-the-middle type of attack. The DNS over HTTPS protects user data privacy by encrypting all DNS queries. The DoH protocol encapsulates DNS queries into HTTPS traffic and sends them to a DNS server (you need use use a special DNS server with DoH support).

Windows 10 2004 does’t yet have a GPO parameter or an option in the graphic interface to enable DNS-over-HTTPS. Currently, you can only enable DoH on latest Windows 10 builds via the registry:

  1. Run the regedit.exe;
  2. Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  3. Create a new DWORD parameter with the name EnableAutoDoh and value 2;
    windows 10 enable dns over https via registry parameter EnableAutoDoh
    You can also create this registry parameter using the New-ItemProperty cmdlet:
    $EnableDNSoverHTTPSKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $EnableDNSoverHTTPSParameter = 'EnableAutoDoh'
    New-ItemProperty -Path $EnableDNSoverHTTPSKey -Name $EnableDNSoverHTTPSParameter -Value 2 -PropertyType DWord –Force

  4. Then restart the DNS client service. To do it, reboot your computer, since you won’t be able to restart the dnscase service normally (Restart-Service -Name Dnscache –force command returns the following error: Collection was modified; enumeration operation may not execute).

Then you will have to change the DNS settings of your network connection. You need to specify DNS servers with DNS over HTTPS support. Not all of DNS servers support DoH yet. The table below shows a list of public DNS servers with DNS over HTTPS support.

ProviderIP Addresses of DNS Servers With DNS over HTTP Support
Cloudflare1.1.1.1, 1.0.0.1
Google8.8.8.8, 8.8.4.4
Quad99.9.9.9, 149.112.112.112

Open the network connection window (Control Panel -> Network and Internet -> Network and Sharing Center or ncpa.cpl). Then change the current DNS server IP addresses to the addresses of DNS servers that support DoH in the network adapter properties.

change primary and alternative DNS server on windows to DNS over HTTPS IPs

You can change DNS server addresses in the network adapter settings using PowerShell (see the article on network configuration using PowerShell):

$PhysAdapter = Get-NetAdapter -Physical
$PhysAdapter | Get-DnsClientServerAddress -AddressFamily IPv4 | Set-DnsClientServerAddress -ServerAddresses '8.8.8.8', '1.1.1.1'

Then your DNS client will use HTTPS (443) protocol instead of standard UDP/TCP port 53 for DNS name resolution.

Using PktMon.exe, a tool to capture network traffic (we told about it earlier), you can make sure that no DNS request are sent from the computer over 53 port.

Remove all current Packet Monitor filters:

pktmon filter remove

Create a new filter for default DNS port (53):

pktmon filter add -p 53

Start real-time traffic monitoring (the traffic will be shown in the console):

pktmon start --etw -p 0 -l real-time

If you have configured DNS over HTTPS correctly, there will be no traffic on Port 53 (the screenshot below shows the console output with DoH enabled and disabled).

ispecting dns traffic over https

You can also check if DNS over HTTPS is working on your computer using the following online service (DNSSEC check): https://www.cloudflare.com/ssl/encrypted-sni/

cloudlflare perform dnssec test

In the last year, DNS over HTTPS has been implemented in all popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera). You can enable DoH support in each of them. Thus, all DNS queries from your browser will be encrypted (DNS traffic of other apps will still sent as a plain text).

DNS over HTTPS and DNS over TLS will create a lot of troubles for corporate network administrators, since it will be harder to restrict access to external resources from internal networks.

8 comments
1
Facebook Twitter Google + Pinterest
previous post
How to Uninstall Built-in UWP (APPX) Apps on Windows 10?
next post
Repairing Broken Trust Relationship Between Workstation and AD Domain

Related Reading

Configuring Event Viewer Log Size on Windows

May 24, 2023

How to Detect Who Changed the File/Folder NTFS...

May 24, 2023

How to Create, Change, and Remove Local Users...

May 17, 2023

Fix: BSOD Error 0x0000007B (INACCESSABLE_BOOT_DEVICE) on Windows

May 16, 2023

View Success and Failed Local Logon Attempts on...

May 2, 2023

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configuring Event Viewer Log Size on Windows

    May 24, 2023
  • How to Detect Who Changed the File/Folder NTFS Permissions on Windows?

    May 24, 2023
  • Enable Single Sign-On (SSO) Authentication on RDS Windows Server

    May 23, 2023
  • Allow Non-admin Users RDP Access to Windows Server

    May 22, 2023
  • How to Create, Change, and Remove Local Users or Groups with PowerShell?

    May 17, 2023
  • Fix: BSOD Error 0x0000007B (INACCESSABLE_BOOT_DEVICE) on Windows

    May 16, 2023
  • View Success and Failed Local Logon Attempts on Windows

    May 2, 2023
  • Fix: “Something Went Wrong” Error When Installing Teams

    May 2, 2023
  • Querying Windows Event Logs with PowerShell

    May 2, 2023
  • Configure Windows LAPS (Local Administrator Passwords Solution) in AD

    April 25, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Allow Multiple RDP Sessions in Windows 10 and 11?
  • How to Repair EFI/GPT Bootloader on Windows 10 or 11?
  • How to Restore Deleted EFI System Partition in Windows?
  • Network Computers are not Showing Up in Windows 10/11
  • How to Create a Wi-Fi Hotspot on your Windows PC?
  • Updating List of Trusted Root Certificates in Windows
  • How to Sign an Unsigned Device Driver in Windows?
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top