Insider DNS over TLS (DoT) now available to Windows Insiders in Windows 11


  • Staff
DNS over TLS (DoT) is an alternative encrypted DNS protocol to DNS over HTTPS (DoH). Where DoH treats DNS traffic as one more HTTPS data stream over port 443, DoT dedicates port 853 to encrypted DNS traffic and runs directly over a TLS tunnel without HTTP layering underneath. This may result in a small performance improvement depending on the network environment at the cost of the flexibility HTTPS-based protocols can provide.

Client support for DoH was shipped in Windows 11 and Windows Server 2022. Starting today, the latest Windows Insider builds also offer client support for DoT.

How to evaluate DoT on Insider builds

First things first: install the latest Windows Insider build (25158 or higher). DoT support is not yet available to non-Insider builds of Windows.


Next, configure a DoT-providing DNS resolver as the primary and only resolver (this will ensure no accidental fallback covers up DoT failures). This can be done by following these steps:
  1. Go to Settings -> Network (this should load the view for the current default network connection)
  2. Click on Wi-Fi or Ethernet (likely the top row)
  3. Click “Hardware properties” (likely the bottom row)
  4. On the “DNS server assignment:” row, click the “Edit” button
  5. Turn on the “IPv4” and/or “IPv6” switches
  6. Type the IP address of the DoT server to test into the “Preferred DNS” text box
  7. Save and confirm that “<resolver-IP-address> (Unencrypted)” shows up on the “IPv4 DNS servers:” row in the list of configurations near the bottom of this view

Next, in an elevated command line prompt, run the following commands:

Code:
netsh dns add global dot=yes
netsh dns add encryption server=<the-ip-address-configured-as-the-DNS-resolver> dothost=: autoupgrade=yes
ipconfig /flushdns

Note that the “dothost” field equal to “:” means that the default DoT port will be used (853) and the domain name presented in the server’s TLS certificate will not be validated. To ensure proper validation of the connection, provide the expected domain name of the DoT server (the connection will use DoT’s designated port 853 without needing to specify it, as custom ports are not supported yet).

These settings should take effect immediately without a reboot. Packet captures should show heavy traffic on port 853 and minimal traffic on port 53.

What to check if it does not work

If this results in a loss of Internet connectivity, here are some things to check to make sure no steps were missed. First, verify the build of Windows supports DoT (DoT is only supported on Insider builds 25158 or later).

Next, run the following command

netsh dns show global

The output should include a line that says “DoT settings: enabled”. If not, re-run this command:

netsh dns add global dot=yes

Next, run this command:

netsh dns show encryption

The output should contain “Encryption settings for <the-IP-address-for-the-configured-DoT-resolver>” with a DNS over TLS host, auto-upgrade set to yes, and UDP fallback set to no. If not, be sure the “netsh dns add encryption” command ran without errors and the parameters correctly specify the properties of the DoT resolver.

Next, review the DNS configuration view to see that the Settings app has the expected DNS resolver configured. Note that even if DoT is working, the text will still say “<resolver-IP-address> (Unencrypted)”; this is expected.

Next, verify the network being used does not perform port 853 blocking and that the resolvers do indeed support DoT. The public resolvers provided by Quad9, Cloudflare, Cisco (OpenDNS), and Google have been tested and are known to work.

If DoT is still not working, connectivity can be restored by changing the configured resolvers or by setting DNS configuration back to automatic to get DNS configuration from the network.

Source:
 

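The netsh steps above configure the Windows client; the following probe, an added example that is not code from the post or from Microsoft, speaks the same protocol to the resolver directly. It frames a query as RFC 7858 requires (a two-octet length prefix over a TLS session to port 853) and, like the dothost= setting, either validates the name in the resolver's certificate or skips that check when ":" is given as the host. It also covers the last troubleshooting check, whether port 853 is reachable and the resolver really answers DoT. The sample response bytes used by its checks are constructed; 9.9.9.9 and dns.quad9.net in the usage line are Quad9's public resolver and its DoT name, and the claim that the certificate chain is still verified under dothost=: is an assumption about the Windows client.

```python
"""DNS-over-TLS probe. Added example; not from the post or Microsoft's tooling."""
from __future__ import annotations
import socket
import ssl
import struct
import sys

DOT_PORT = 853   # the only port the Insider build uses; custom ports are not supported
TXID = 0x1234    # fixed transaction id so replies can be matched in the examples


def build_query(name: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """Wire-format DNS query with RD set and one question (qtype 1 = A, 28 = AAAA)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_dot(msg: bytes) -> bytes:
    """RFC 7858 reuses DNS-over-TCP framing: a two-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it).
    The hop limit stops a hostile reply from looping the parser via pointers."""
    labels, end = [], None
    for _ in range(128):
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2                     # name ends after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("compression pointer loop")


def parse_answers(msg: bytes, txid: int = TXID) -> list[tuple[str, str, str]]:
    """Return (owner, type, rdata) for each answer; reject replies that are not ours."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                           # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1:
            answers.append((owner, "A", socket.inet_ntoa(rdata)))
        elif rtype == 28:
            answers.append((owner, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata)))
        else:
            answers.append((owner, str(rtype), rdata.hex()))
    return answers


def dot_context(dothost: str | None) -> ssl.SSLContext:
    """dothost=<name> validates the certificate's name, as the netsh setting does;
    None mirrors `dothost=:`, where the name check is skipped. The chain is still
    verified here (an assumption; the post only says the name is not validated)."""
    ctx = ssl.create_default_context()
    if dothost is None:
        ctx.check_hostname = False
    return ctx


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def dot_query(server_ip: str, name: str, dothost: str | None, timeout: float = 5.0):
    """One query over a fresh TLS session to server_ip:853. A network that blocks
    port 853, or a resolver without DoT, surfaces here as a timeout or reset."""
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with dot_context(dothost).wrap_socket(raw, server_hostname=dothost) as tls:
            tls.sendall(frame_dot(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, length))


if __name__ == "__main__":
    # python dot_probe.py 9.9.9.9 dns.quad9.net example.com   (use ":" for no name check)
    ip, host, qname = sys.argv[1:4]
    print(dot_query(ip, qname, None if host == ":" else host))
```

Run it before applying the netsh settings, or from a second machine, to separate "port 853 or the resolver is unreachable" from "the Windows client is misconfigured". A probe that succeeds with ":" but fails with the resolver's name is a certificate-name mismatch, which is exactly the case the validated dothost= setting is meant to refuse.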

atinfo

Well-known member
Member
VIP
Hi @Brink :-)

Is there a way to enter a custom DNS (IPv4) just by clicking on a file? I mean changing the DNS (to my custom DNS) by clicking on a file (script/bat file) and changing the DNS to dynamic mode (DHCP) by clicking again on it.

I use a specific DNS from time to time. I have to enter the DNS address manually (by going to Settings...).
 


TairikuOkami

Brony
Power User
VIP
Is there a way to enter a custom DNS (IPv4) just by clicking on a file?
You can use WMIC, but it is probably smoother to use an app.
Code:
wmic nicconfig where DHCPEnabled=TRUE call SetDNSServerSearchOrder ("9.9.9.9","149.112.112.112")
 


Brink

Administrator
Staff member
MVP
Thread Starter
Hi @Brink :-)

Is there a way to enter a custom DNS (IPv4) just by clicking on a file? I mean changing the DNS (to my custom DNS) by clicking on a file (script/bat file) and changing the DNS to dynamic mode (DHCP) by clicking again on it.

I use a specific DNS from time to time. I have to enter the DNS address manually (by going to Settings...).

Hello mate, :-)

You could use a command option with an elevated BAT file below to change the DNS for specific network adapters like that.

 

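A script that flips one adapter between static resolvers and DHCP-assigned DNS each time it is run, which is the click-to-toggle behaviour asked about above. This is an added example, not code from any of the posts or from the linked tutorial; it drives the same netsh interface ipv4 set/add dnsservers commands an elevated BAT file would, and reads the adapter's current state back from netsh so the same file works in both directions. The adapter name "Wi-Fi", the Quad9 pair (the same two addresses as the wmic command above), and the English-locale netsh output strings it matches are assumptions; the two sample outputs are constructed for the offline check.

```python
"""Toggle one adapter between static DNS and DHCP DNS. Added example, not from the thread."""
from __future__ import annotations
import ctypes
import re
import subprocess
import sys

ADAPTER = "Wi-Fi"                              # assumed; see `netsh interface show interface`
STATIC_DNS = ["9.9.9.9", "149.112.112.112"]    # Quad9, the pair from the wmic command above

_MODE_PATTERNS = {                             # English-locale netsh wording (assumption)
    "static": r"Statically Configured DNS Servers",
    "dhcp": r"DNS servers configured through DHCP",
}

# Constructed samples modelled on `netsh interface ipv4 show dnsservers` output.
SAMPLE_STATIC = '''
Configuration for interface "Wi-Fi"
    Statically Configured DNS Servers:    9.9.9.9
                                          149.112.112.112
    Register with which suffix:           Primary only
'''
SAMPLE_DHCP = '''
Configuration for interface "Wi-Fi"
    DNS servers configured through DHCP:  192.168.1.1
    Register with which suffix:           Primary only
'''


def parse_dns_config(show_output: str) -> tuple[str, list[str]]:
    """Classify netsh output as ('static'|'dhcp', [IPv4 servers listed])."""
    for mode, pattern in _MODE_PATTERNS.items():
        if re.search(pattern, show_output):
            return mode, re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", show_output)
    raise ValueError("no DNS block found: wrong adapter name or non-English locale")


def toggle_commands(mode: str, adapter: str = ADAPTER, static_dns=STATIC_DNS) -> list[str]:
    """Command lines that move the adapter to the other mode. validate=no skips
    netsh's reachability probe, which can fail while the old resolvers are in use."""
    if mode == "static":
        cmds = [f'netsh interface ipv4 set dnsservers name="{adapter}" source=dhcp']
    else:
        primary, *secondary = static_dns
        cmds = [f'netsh interface ipv4 set dnsservers name="{adapter}" '
                f'source=static address={primary} register=primary validate=no']
        cmds += [f'netsh interface ipv4 add dnsservers name="{adapter}" '
                 f'address={ip} index={i} validate=no'
                 for i, ip in enumerate(secondary, start=2)]
    cmds.append("ipconfig /flushdns")             # drop answers cached from the old resolvers
    return cmds


def is_admin() -> bool:
    """netsh refuses DNS changes without elevation; fail early rather than half-apply."""
    if sys.platform != "win32":
        return False
    return bool(ctypes.windll.shell32.IsUserAnAdmin())


def main() -> int:
    if not is_admin():
        print("run from an elevated prompt, or set the file's shortcut to run as administrator")
        return 1
    show = subprocess.run(f'netsh interface ipv4 show dnsservers name="{ADAPTER}"',
                          capture_output=True, text=True, check=True).stdout
    mode, servers = parse_dns_config(show)
    print(f"{ADAPTER}: currently {mode} {servers}")
    for cmd in toggle_commands(mode):
        print("+", cmd)
        subprocess.run(cmd, check=True)           # a string so netsh sees name="..." intact
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as toggle_dns.py and launch it elevated; the first run sets the Quad9 pair, the next run returns the adapter to DHCP. The same two steps in PowerShell are Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ServerAddresses 9.9.9.9,149.112.112.112 and, to go back, Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ResetServerAddresses.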

atinfo

Well-known member
Member
VIP
You can use WMIC, but it is probably smoother to use an app.
Code:
wmic nicconfig where DHCPEnabled=TRUE call SetDNSServerSearchOrder ("9.9.9.9","149.112.112.112")
Thanks :thumbsup:. It worked. But I didn't understand why your commands on 10F (Mr Brink tut, link above) don't work! (SS below). Can you tell me how I can set that to DHCP with the WMIC command you mentioned above (the CMD command from the 10F tut did that for me, SS below)?

Hello mate, :-)

You could use a command option with an elevated BAT file below to change the DNS for specific network adapters like that.

Many thanks :shawn:. That was a great tutorial but a bit complicated for me (I mean the commands) :woozy:. I don't know why some of them didn't work (SS below).

 


Brink

Administrator
Staff member
MVP
Thread Starter
Thanks :thumbsup:. It worked. But I didn't understand why your commands on 10F (Mr Brink tut, link above) don't work! (SS below). Can you tell me how I can set that to DHCP with WMIC command you mentioned above (the CMD command from 10F tut did that for me, SS below)?

Many thanks :shawn:. That was a great tutorial but a bit complicated for me (I mean the commands) :woozy:. I don't know why some of them didn't work (SS below).

Not sure without seeing the full unedited command, but usually an "element not found" could be from a command error.
 


atinfo

Well-known member
Member
VIP
I just copied your command. The DNS IPs are blurred, not the commands. :think:
 


Brink

Administrator
Staff member
MVP
Thread Starter
I just copied your command. The DNS IPs are blurred, not the commands. :think:
Ah, ok. I didn't see "static" in the command before the DNS address.
 
