Microsoft has added a privacy feature to Windows 11 called DNS-over-HTTPS, allowing users to perform encrypted DNS lookups to bypass censorship and Internet activity.

 

When connecting to a website or other host on the Internet, your computer must first query a domain name system (DNS) server for the IP address that is associated with the hostname.

 

DNS-over-HTTPS (DoH) allows your computer to perform these DNS lookups over an encrypted HTTPS connection rather than through normal plain text DNS lookups, which ISPs and governments can snoop on.

 

As some governments and ISPs block connections to sites by monitoring a user's DNS traffic, DoH will allow users to bypass censorship, prevent spoofing attacks, and increase privacy as their DNS requests cannot be as easily monitored.

 

Chromium-based browsers, such as Google Chrome and Microsoft Edge, and Mozilla Firefox, have already added support for DoH. Still, it is only used in the browser and not by other applications running on the computer.

 

This is why it is helpful for an operating system to support the feature, as then all DNS lookups on the device will be encrypted.

Windows 11 gets DNS-over-HTTPS

Microsoft first released DNS-over-HTTPS to use Windows Insiders for testing in Windows 10 preview build 20185, but they disabled it a few builds later.

 

With Windows 11, Microsoft has enabled the DoH feature again, and users can start testing it by going to Settings > Network & Internet > Ethernet/Wireless > Edit DNS server assignment.

 

If the device is currently configured to use a DNS server that is known to support DNS-over-HTTPS, you will see a new 'Preferred DNS encryption' where you can enable DoH, as shown below.

The preferred DNS encryption option offers the following choices:

 

• Unencrypted only - Use standard unencrypted DNS.
• Encrypted only (DNS over HTTPS) - Only use DoH servers.
• Encrypted preferred, unencrypted only - Try to use DoH servers, but if not available, fall back to standard unencrypted DNS.

 

At this time, Microsoft states that the following DNS servers are known to support DoH and can be used automatically by the Windows 11 DNS-over-HTTPS feature.

 

• Cloudflare: 1.1.1.1 and 1.0.0.1 DNS servers
• Google: 8.8.8.8 and 8.8.8.4 DNS servers
• Quad9: 9.9.9.9 and 149.112.112.112 DNS servers

 

To see the configured DNS-over-HTTPS definitions already configured in Windows 11, you can use the following commands:

Using netsh:
  netsh dns show encryption

Using PowerShell:
  Get-DnsClientDohServerAddress
 

Microsoft also allows administrators to create their own DoH server definitions using the following commands:

Using netsh:
  netsh dns add encryption server=[resolver-IP-address] dohtemplate=[resolver-DoH-template] autoupgrade=yes udpfallback=no

Using PowerShell:
  Add-DnsClientDohServerAddress -ServerAddress '[resolver-IP-address]' -DohTemplate '[resolver-DoH-template]' -AllowFallbackToUdp $False -AutoUpgrade $True
 

Microsoft says it would be better if the DoH server for a configured DNS server could be determined automatically, but it would cause a privacy risk.

 

"It would be easier for users and administrators if we allowed a DoH server to have its IP address determined by resolving its domain name. However, we have chosen not to allow that. Supporting this would mean that before a DoH connection could we established, we would have to first send a plain-text DNS query to bootstrap it," says Tommy Jensen, a Program Manager on the Windows Core Networking team, in a new blog post.

 

"This means a node on the network path could maliciously modify or block the DoH server name query. Right now, the only way we can avoid this is to have Windows know in advance the mapping between IP addresses and DoH templates."

 

In the future, Microsoft hopes to learn about new DoH server configurations from a DNS server using Discovery of Designated Resolvers (DDR) and Discovery of Network-designated Resolvers (DNR), which they have proposed to IETF ADD WG.

Manage DoH via group policies

Microsoft has also added the ability to manage the Windows 11 DNS-over-HTTPS settings through group policies.

 

With Windows 11, Microsoft has introduced a 'Configure DNS over HTTPS (DoH) name resolution' policy under Computer Configuration > Administrative Templates > Network > DNS Client.

This policy allows you to configure the machine to use standard unencrypted DNS, prefer DoH, or require DoH.