    Windows 11 includes the DNS-over-HTTPS privacy feature - How to use


    Microsoft has added a privacy feature to Windows 11 called DNS-over-HTTPS, allowing users to perform encrypted DNS lookups to bypass censorship and monitoring of their Internet activity.


    When connecting to a website or other host on the Internet, your computer must first query a domain name system (DNS) server for the IP address that is associated with the hostname.


    DNS-over-HTTPS (DoH) allows your computer to perform these DNS lookups over an encrypted HTTPS connection rather than through normal plain text DNS lookups, which ISPs and governments can snoop on.


    As some governments and ISPs block connections to sites by monitoring a user's DNS traffic, DoH will allow users to bypass censorship, prevent spoofing attacks, and increase privacy as their DNS requests cannot be as easily monitored.


    Chromium-based browsers, such as Google Chrome and Microsoft Edge, and Mozilla Firefox, have already added support for DoH. Still, it is only used in the browser and not by other applications running on the computer.


    This is why it is helpful for an operating system to support the feature, as then all DNS lookups on the device will be encrypted.

    Windows 11 gets DNS-over-HTTPS

    Microsoft first released DNS-over-HTTPS to Windows Insiders for testing in Windows 10 preview build 20185, but disabled it a few builds later.


    With Windows 11, Microsoft has enabled the DoH feature again, and users can start testing it by going to Settings > Network & Internet > Ethernet/Wireless > Edit DNS server assignment.


    If the device is currently configured to use a DNS server that is known to support DNS-over-HTTPS, you will see a new 'Preferred DNS encryption' setting where you can enable DoH, as shown below.

    [Image: Windows 11 DNS over HTTPS settings]

    The preferred DNS encryption option offers the following choices:


    • Unencrypted only - Use standard unencrypted DNS.
    • Encrypted only (DNS over HTTPS) - Only use DoH servers.
    • Encrypted preferred, unencrypted allowed - Try to use DoH servers, but if they are not available, fall back to standard unencrypted DNS.


    At this time, Microsoft states that the following DNS servers are known to support DoH and can be used automatically by the Windows 11 DNS-over-HTTPS feature.


    • Cloudflare: and DNS servers
    • Google: and DNS servers
    • Quad9: and DNS servers


    To see the DNS-over-HTTPS server definitions already configured in Windows 11, you can use the following commands:

    Using netsh:
      netsh dns show encryption
    Using PowerShell:

    Microsoft also allows administrators to create their own DoH server definitions using the following commands:

    Using netsh:
      netsh dns add encryption server=[resolver-IP-address] dohtemplate=[resolver-DoH-template] autoupgrade=yes udpfallback=no
    Using PowerShell:
      Add-DnsClientDohServerAddress -ServerAddress '[resolver-IP-address]' -DohTemplate '[resolver-DoH-template]' -AllowFallbackToUdp $False -AutoUpgrade $True
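    As an added example (not code from the article or from Microsoft), the PowerShell session below registers a custom DoH definition with fallback disabled, lists the definitions with Get-DnsClientDohServerAddress (the read counterpart of Add-DnsClientDohServerAddress), audits every definition for a silent downgrade to plain-text UDP DNS, and points the active adapter at the resolver. The resolver IP and DoH template are placeholders to replace with your own resolver's values.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Placeholder resolver values: replace both.
$ResolverIp  = '203.0.113.53'                       # placeholder (TEST-NET-3), not a real resolver
$DohTemplate = 'https://doh.example.net/dns-query'  # placeholder DoH template

# Register the definition if it is not already known. -AllowFallbackToUdp $false is the
# PowerShell equivalent of udpfallback=no: if the DoH endpoint cannot be reached, Windows
# must fail the lookup rather than quietly downgrade to plain-text DNS on UDP/53.
if (-not (Get-DnsClientDohServerAddress -ServerAddress $ResolverIp -ErrorAction SilentlyContinue)) {
    Add-DnsClientDohServerAddress -ServerAddress $ResolverIp -DohTemplate $DohTemplate `
        -AllowFallbackToUdp $false -AutoUpgrade $true
}

# Audit all definitions (the built-in Cloudflare/Google/Quad9 entries plus any added ones).
# AllowFallbackToUdp = True is a downgrade path: anyone on the network path who can block
# TCP/443 to the resolver can force that client back to observable plain-text DNS.
function Get-DohDefinitionReport {
    Get-DnsClientDohServerAddress | ForEach-Object {
        [pscustomobject]@{
            Server      = $_.ServerAddress
            Template    = $_.DohTemplate
            AutoUpgrade = $_.AutoUpgrade
            UdpFallback = $_.AllowFallbackToUdp
            Risk        = if ($_.AllowFallbackToUdp) { 'downgrade possible' } else { 'ok' }
        }
    }
}

Get-DohDefinitionReport | Format-Table -AutoSize

# A definition only takes effect when an adapter's configured DNS server IP matches it,
# so point the first connected adapter at the resolver. Adjust the selection for multi-NIC hosts.
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $ResolverIp
```

    After this, the 'Preferred DNS encryption' option for that adapter should show the DoH choices described above; `netsh dns show encryption` gives the same table as Get-DohDefinitionReport.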

    Microsoft says it would be more convenient if the DoH server for a configured DNS server could be determined automatically, but that doing so would create a privacy risk.


    "It would be easier for users and administrators if we allowed a DoH server to have its IP address determined by resolving its domain name. However, we have chosen not to allow that. Supporting this would mean that before a DoH connection could be established, we would have to first send a plain-text DNS query to bootstrap it," says Tommy Jensen, a Program Manager on the Windows Core Networking team, in a new blog post.


    "This means a node on the network path could maliciously modify or block the DoH server name query. Right now, the only way we can avoid this is to have Windows know in advance the mapping between IP addresses and DoH templates."


    In the future, Microsoft hopes to learn about new DoH server configurations from a DNS server using Discovery of Designated Resolvers (DDR) and Discovery of Network-designated Resolvers (DNR), which it has proposed to the IETF ADD working group.

    Manage DoH via group policies

    Microsoft has also added the ability to manage the Windows 11 DNS-over-HTTPS settings through group policies.


    With Windows 11, Microsoft has introduced a 'Configure DNS over HTTPS (DoH) name resolution' policy under Computer Configuration > Administrative Templates > Network > DNS Client.

    [Image: New Configure DNS over HTTPS (DoH) name resolution policy]

    This policy allows you to configure the machine to use standard unencrypted DNS, prefer DoH, or require DoH.
