Windows 11

Microsoft has added a privacy feature to Windows 11 called DNS-over-HTTPS, allowing users to perform encrypted DNS lookups that are harder to censor and harder for third parties on the network path to snoop on.

When connecting to a website or other host on the Internet, your computer must first query a domain name system (DNS) server for the IP address that is associated with the hostname.

DNS-over-HTTPS (DoH) allows your computer to perform these DNS lookups over an encrypted HTTPS connection rather than through normal plain text DNS lookups, which ISPs and governments can snoop on.

As some governments and ISPs block connections to sites by monitoring a user's DNS traffic, DoH will allow users to bypass censorship, prevent spoofing attacks, and increase privacy as their DNS requests cannot be as easily monitored.

Chromium-based browsers such as Google Chrome and Microsoft Edge, as well as Mozilla Firefox, already support DoH. However, that protection covers only the browser's own lookups, not those made by other applications running on the computer.

This is why it is helpful for an operating system to support the feature, as then all DNS lookups on the device will be encrypted.

Windows 11 gets DNS-over-HTTPS

Microsoft first released DNS-over-HTTPS to Windows Insiders for testing in Windows 10 preview build 20185, but they disabled it a few builds later.

With Windows 11, Microsoft has enabled the DoH feature again, and users can start testing it again if they are currently using DNS servers from Cloudflare, Google, or Quad9.

If the device is currently configured to use a Cloudflare, Google, or Quad9 DNS server, you can configure DNS-over-HTTPS using the following steps:

  1. Open the Windows 11 Settings app and go to Network & Internet.
  2. At the Network & Internet page, click on either Ethernet or Wireless depending on the network connection you have.
    [Image: Network & Internet settings page]
  3. You will now be at the Ethernet or Wireless options page, where you should click the Edit button next to DNS server assignment.
    [Image: Ethernet networking options]
  4. If the configured DNS server is one that Windows knows supports DNS-over-HTTPS, a new 'Preferred DNS encryption' option appears, where you can enable DoH. The three encryption choices are explained after these steps.
    [Image: Windows 11 DNS over HTTPS settings]
  5. You can now press the Save button to enable DoH in Windows 11.
  6. Close the Settings app.

The preferred DNS encryption option offers the following choices:

  • Unencrypted only - Use standard unencrypted DNS.
  • Encrypted only (DNS over HTTPS) - Only use DoH servers.
  • Encrypted preferred, unencrypted allowed - Try to use DoH, but if the encrypted server is not available, fall back to standard unencrypted DNS. Note that this fallback means an attacker who can block the DoH endpoint can force the device back onto plain-text DNS; only "Encrypted only" prevents that downgrade.

At this time, Microsoft states that the following DNS servers are known to support DoH and can be used automatically by the Windows 11 DNS-over-HTTPS feature.

  • Cloudflare: 1.1.1.1 and 1.0.0.1 DNS servers
  • Google: 8.8.8.8 and 8.8.4.4 DNS servers
  • Quad9: 9.9.9.9 and 149.112.112.112 DNS servers

To see the DNS-over-HTTPS server definitions that Windows 11 already knows about (the IP-address-to-DoH-template mappings it uses for the automatic upgrade), you can use the following commands:

Using netsh:
  netsh dns show encryption

Using PowerShell:
  Get-DnsClientDohServerAddress

Microsoft also allows administrators to create their own DoH server definitions using the following commands:

Using netsh:
  netsh dns add encryption server=[resolver-IP-address] dohtemplate=[resolver-DoH-template] autoupgrade=yes udpfallback=no

Using PowerShell:
  Add-DnsClientDohServerAddress -ServerAddress '[resolver-IP-address]' -DohTemplate '[resolver-DoH-template]' -AllowFallbackToUdp $False -AutoUpgrade $True
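The following is an added example, not from the article or from Microsoft, that strings the cmdlets above into one elevated PowerShell session: list the built-in definitions, register a custom resolver, point the active adapters at it, and then check whether lookups actually leave over HTTPS. The resolver address 192.0.2.53 and the template https://doh.example.internal/dns-query are documentation placeholders assumed here; replace them with your own resolver.

```powershell
# Added example (not from the article or Microsoft): register a custom DoH resolver
# and verify it with the Windows 11 DnsClient cmdlets. Assumed placeholders (not in
# the article): 192.0.2.53 and https://doh.example.internal/dns-query.
#Requires -RunAsAdministrator

$ResolverIp  = '192.0.2.53'
$DohTemplate = 'https://doh.example.internal/dns-query'

# 1. Show the definitions Windows ships with (Cloudflare, Google, Quad9 at the time of writing).
Write-Host "Built-in DoH server definitions:"
Get-DnsClientDohServerAddress |
    Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade -AutoSize

# 2. Sanity-check the template. Windows bootstraps DoH from the IP address, never by
#    resolving the template's hostname, so the template must be a well-formed https URL.
$uri = [System.Uri]$DohTemplate
if ($uri.Scheme -ne 'https') {
    throw "DoH template must use https://, got '$($uri.Scheme)'"
}

# 3. Register the resolver, idempotently. -AllowFallbackToUdp $False makes a DoH
#    failure a resolution failure instead of a silent downgrade to plain UDP/53.
if (-not (Get-DnsClientDohServerAddress -ServerAddress $ResolverIp -ErrorAction SilentlyContinue)) {
    Add-DnsClientDohServerAddress -ServerAddress $ResolverIp `
                                  -DohTemplate $DohTemplate `
                                  -AllowFallbackToUdp $False `
                                  -AutoUpgrade $True
}

# 4. Point the physical, connected adapters at that resolver. The upgrade to DoH only
#    happens for a server IP that has a matching definition from step 3.
Get-NetAdapter |
    Where-Object { $_.Status -eq 'Up' -and -not $_.Virtual } |
    ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $ResolverIp
    }

# 5. Verify. A DoH lookup shows up as a TCP connection to the resolver on port 443;
#    if none appears, the adapter's 'Preferred DNS encryption' setting is still
#    allowing or forcing plain text, so check it in Settings.
Get-DnsClientDohServerAddress -ServerAddress $ResolverIp | Format-List
Clear-DnsClientCache
Resolve-DnsName -Name 'example.com' -Type A | Out-Null
$doh = Get-NetTCPConnection -RemoteAddress $ResolverIp -RemotePort 443 -ErrorAction SilentlyContinue
if ($doh) {
    Write-Host "DoH in use: connection to $ResolverIp`:443 ($($doh[0].State))"
} else {
    Write-Warning "No HTTPS connection to $ResolverIp observed; lookups may still be unencrypted."
}
```

The port-443 check is deliberately simple: it does not prove that a particular query went over DoH, only that the client opened an HTTPS session to the resolver after a lookup. For a definitive answer, capture the adapter with pktmon or Wireshark and confirm there is no UDP/53 traffic to the resolver.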

Microsoft acknowledges that it would be more convenient if Windows could discover the DoH template for a configured DNS server automatically, but says the plain-text lookup needed to bootstrap that discovery would be exposed to tampering.

"It would be easier for users and administrators if we allowed a DoH server to have its IP address determined by resolving its domain name. However, we have chosen not to allow that. Supporting this would mean that before a DoH connection could be established, we would have to first send a plain-text DNS query to bootstrap it," says Tommy Jensen, a Program Manager on the Windows Core Networking team, in a new blog post.

"This means a node on the network path could maliciously modify or block the DoH server name query. Right now, the only way we can avoid this is to have Windows know in advance the mapping between IP addresses and DoH templates."

In the future, Microsoft hopes to learn about new DoH server configurations from a DNS server using Discovery of Designated Resolvers (DDR) and Discovery of Network-designated Resolvers (DNR), which it has proposed to the IETF ADD working group.

Manage DoH via group policies

Microsoft has also added the ability to manage the Windows 11 DNS-over-HTTPS settings through group policies.

With Windows 11, Microsoft has introduced a 'Configure DNS over HTTPS (DoH) name resolution' policy under Computer Configuration > Administrative Templates > Network > DNS Client.

[Image: New Configure DNS over HTTPS (DoH) name resolution policy]

This policy allows you to configure the machine to use standard unencrypted DNS, prefer DoH, or require DoH.
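As an added example, not taken from the article or from Microsoft, the script below sets that policy from PowerShell and performs the pre-flight check an administrator would want before choosing "require DoH". It assumes, based on the DnsClient.admx template rather than on anything stated in the article, that the policy is stored as the DWORD DoHPolicy under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient with 1 = prohibit, 2 = allow, 3 = require; verify those values against the ADMX shipped with your build before deploying.

```powershell
# Added example (not from the article or Microsoft): set the 'Configure DNS over
# HTTPS (DoH) name resolution' policy and check that 'Require' will not break
# resolution. Assumption from DnsClient.admx (not stated in the article):
# HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, DWORD DoHPolicy,
# 1 = Prohibit DoH, 2 = Allow DoH, 3 = Require DoH.
#Requires -RunAsAdministrator

function Set-DohPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Prohibit', 'Allow', 'Require')]
        [string]$Mode
    )

    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $policyName = 'DoHPolicy'
    $values     = @{ Prohibit = 1; Allow = 2; Require = 3 }

    if ($Mode -eq 'Require') {
        # Requiring DoH for a server Windows has no template for means that server
        # can never be queried. Compare the configured DNS servers with the known
        # DoH definitions and refuse to proceed if any would be stranded.
        $configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
            ForEach-Object { $_.ServerAddresses } |
            Where-Object { $_ } |
            Sort-Object -Unique
        $known = (Get-DnsClientDohServerAddress).ServerAddress
        $stranded = $configured | Where-Object { $_ -notin $known }
        if ($stranded) {
            throw "Refusing to require DoH: no DoH template for configured server(s) $($stranded -join ', '). " +
                  "Add one with Add-DnsClientDohServerAddress first."
        }
    }

    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name $policyName -Value $values[$Mode] -Type DWord

    # Read back so the caller sees what is actually in the registry.
    $effective = (Get-ItemProperty -Path $policyKey -Name $policyName).$policyName
    $label = ($values.GetEnumerator() | Where-Object { $_.Value -eq $effective }).Key
    Write-Host "DoHPolicy = $effective ($label DoH)"
}

# Usage: choose the strict setting only after every configured resolver has a template.
Set-DohPolicy -Mode Require
gpupdate /target:computer /force | Out-Null
```

The pre-flight check matters because the policy is machine-wide: a single adapter that still points at, for example, a corporate resolver with no DoH definition would lose name resolution entirely under "Require", which is easy to misdiagnose as a network outage.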
