Enable DNS over HTTPS (DoH) in Windows 11



A DNS (Domain Name System) server is the service that makes it possible for you to open a web browser, type a domain name and load your favorite websites.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System resolution over HTTPS. Its goal is to increase user privacy and security: encrypting the traffic between the DoH client and the DoH-based DNS resolver prevents eavesdropping on, and manipulation of, DNS data by man-in-the-middle attackers.


This tutorial will show you how to change your DNS Server address and enable DNS over HTTPS (DoH) in Windows 11.


You must be signed in as an administrator to change the DNS server address and enable DoH.




Here's How:

1 Open Settings (Win+I).

2 Click/tap on Network & internet on the left side, and click/tap on Properties of the connected network you want to enable DoH for at the top on the right side. (see screenshot below)

Open Network & internet settings

DoH-1.png

3 Click/tap on the Edit button under DNS server assignment on the right side. (see screenshots below)

If you see a red "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved." message instead, click/tap on the "Change DNS settings for all Wi-Fi networks" link, and then click/tap on the Edit button as in step 3.


DoH-2.jpg
DoH-5.png

4 Select Manual in the drop menu at the top. (see screenshots below step 8)

5 Enable DoH for IPv4

A) Turn on IPv4. (see screenshots below step 8)

B) Type a Preferred DNS you want to use that supports DoH. (see table below)

DNS server          Preferred DNS for IPv4
Cloudflare          1.1.1.1
Google Public DNS   8.8.8.8
Quad9               9.9.9.9

C) Perform one of the following actions depending on which setting is available to you:
  • If you do not have an Insider Dev build installed, select Encrypted only (DNS over HTTPS) from the Preferred DNS encryption drop menu under IPv4.
  • If you do have an Insider Dev build installed, select On (automatic template) from the DNS over HTTPS drop menu under IPv4. Leave Fallback to plaintext turned off.

If the Preferred DNS encryption drop menu does not offer the Encrypted only (DNS over HTTPS) option, close Settings, change the IPv4 DNS address for this connected network adapter in the Control Panel, and start over at step 1.

You will then see the red "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved." message at step 3.


D) Type an Alternate DNS you want to use that supports DoH. (see table below)

DNS server          Alternate DNS for IPv4
Cloudflare          1.0.0.1
Google Public DNS   8.8.4.4
Quad9               149.112.112.112

E) Perform one of the following actions depending on which setting is available to you:
  • If you do not have an Insider Dev build installed, select Encrypted only (DNS over HTTPS) from the Preferred DNS encryption drop menu under IPv4.
  • If you do have an Insider Dev build installed, select On (automatic template) from the DNS over HTTPS drop menu under IPv4. Leave Fallback to plaintext turned off.

If the Alternate DNS encryption drop menu does not offer the Encrypted only (DNS over HTTPS) option, close Settings, change the IPv4 DNS address for this connected network adapter in the Control Panel, and start over at step 1.

You will then see the red "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved." message at step 3.



6 Enable DoH for IPv6

A) Turn on IPv6. (see screenshots below step 8)

B) Type a Preferred DNS you want to use that supports DoH. (see table below)

DNS server          Preferred DNS for IPv6
Cloudflare          2606:4700:4700::1111
Google Public DNS   2001:4860:4860::8888
Quad9               2620:fe::fe

C) Perform one of the following actions depending on which setting is available to you:
  • If you do not have an Insider Dev build installed, select Encrypted only (DNS over HTTPS) from the Preferred DNS encryption drop menu under IPv6.
  • If you do have an Insider Dev build installed, select On (automatic template) from the DNS over HTTPS drop menu under IPv6. Leave Fallback to plaintext turned off.

If the Preferred DNS encryption drop menu does not offer the Encrypted only (DNS over HTTPS) option, close Settings, change the IPv6 DNS address for this connected network adapter in the Control Panel, and start over at step 1.

You will then see the red "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved." message at step 3.


D) Type an Alternate DNS you want to use that supports DoH. (see table below)

DNS server          Alternate DNS for IPv6
Cloudflare          2606:4700:4700::1001
Google Public DNS   2001:4860:4860::8844
Quad9               2620:fe::9

E) Perform one of the following actions depending on which setting is available to you:
  • If you do not have an Insider Dev build installed, select Encrypted only (DNS over HTTPS) from the Preferred DNS encryption drop menu under IPv6.
  • If you do have an Insider Dev build installed, select On (automatic template) from the DNS over HTTPS drop menu under IPv6. Leave Fallback to plaintext turned off.

If the Alternate DNS encryption drop menu does not offer the Encrypted only (DNS over HTTPS) option, close Settings, change the IPv6 DNS address for this connected network adapter in the Control Panel, and start over at step 1.

You will then see the red "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved." message at step 3.



7 When finished, click/tap on Save.

8 You can now close Settings if you like.

DoH-3.png
DoH-4.png


DoH-3B.png
DoH-4B.png



That's it,
Shawn Brink
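Added example, not part of the tutorial: the same result as steps 4 to 7 done from an elevated PowerShell prompt, so it can be repeated on several machines and its outcome read back. The adapter name "Ethernet" is a placeholder, the addresses are the Cloudflare entries from the tables above, and the per-interface DohFlags=1 registry value is the one that the reg add commands further down this thread write; the script refuses to switch an adapter to encrypted-only DNS when Windows has no DoH template for one of the servers, because that is the configuration that leaves a machine unable to resolve anything.

```powershell
# Added example (not code from the tutorial). Assumptions: "Ethernet" is a
# placeholder adapter name; the addresses are the tutorial's Cloudflare entries;
# DohFlags=1 under InterfaceSpecificParameters is what the reg add commands in
# this thread use for "Encrypted only" with fallback to plaintext off.
#Requires -RunAsAdministrator
param(
    [string]$InterfaceAlias = 'Ethernet',
    [string[]]$IPv4Servers  = @('1.1.1.1', '1.0.0.1'),
    [string[]]$IPv6Servers  = @('2606:4700:4700::1111', '2606:4700:4700::1001')
)

$adapter = Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop
$guid    = $adapter.InterfaceGuid   # {guid} is the key name Windows uses under InterfaceSpecificParameters

# 1. Every server must already have a DoH template known to Windows. With
#    "Encrypted only" and no template the adapter could not resolve anything.
$known = Get-DnsClientDohServerAddress
foreach ($s in ($IPv4Servers + $IPv6Servers)) {
    if (-not ($known | Where-Object ServerAddress -eq $s)) {
        throw "No DoH template registered for $s. Add one with Add-DnsClientDohServerAddress first."
    }
}

# 2. Static Preferred/Alternate servers (Manual in the Settings UI), both families at once.
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses ($IPv4Servers + $IPv6Servers)

# 3. Per-server DoH switch for this adapter: Doh holds IPv4 entries, Doh6 holds IPv6 entries.
#    reg.exe is used on purpose because IPv6 key names contain colons and the thread
#    shows reg add handling them.
$baseRel = "SYSTEM\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\$guid\DohInterfaceSettings"
foreach ($s in $IPv4Servers) {
    & reg.exe add "HKLM\$baseRel\Doh\$s"  /v DohFlags /t REG_QWORD /d 1 /f | Out-Null
}
foreach ($s in $IPv6Servers) {
    & reg.exe add "HKLM\$baseRel\Doh6\$s" /v DohFlags /t REG_QWORD /d 1 /f | Out-Null
}
Clear-DnsClientCache

# 4. Read back what the adapter now uses and what each DoH entry is set to.
Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize
Get-ChildItem -Path "HKLM:\$baseRel" -Recurse |
    Where-Object { $_.Property -contains 'DohFlags' } |
    ForEach-Object {
        [pscustomobject]@{ Server = $_.PSChildName; DohFlags = $_.GetValue('DohFlags') }
    }
```

The read-back at the end is the part worth keeping around: an adapter whose servers show up with DohFlags=1, and whose servers all appear in Get-DnsClientDohServerAddress, is the state the Settings page calls Encrypted only.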


 


Josey Wales (OS: Win 11 Pro 22000.708)
I am having Problems trying to do this. Can someone lend me a Hand?
 

Brink (Thread Starter; OS: Windows 11 Pro for Workstations)


TairikuOkami (OS: Windows 11 Home)
I am having Problems trying to do this. Can someone lend me a Hand?
11 includes 3 DoH DNS services by default; you can add a custom one with a command, for example CleanBrowsing:
Code:
netsh dns add encryption server=185.228.168.10 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
netsh dns add encryption server=185.228.169.11 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
Then you open Ethernet/WiFi settings, add the custom IPs and then select Encrypted; UAC can ask you to confirm it (twice at most). Afterwards you can check via a firewall or a network monitor whether svchost is making DNS requests via port 443 to the specified IP.
 



Laker775 (OS: Windows 11 Pro Build 10.0.22000.51)
I'm also unable to set the Alternate DNS encryption drop menu. It is greyed out after following the instructions to first set the DNS settings via the Control Panel.

I have set both IPv4 & IPv6 through the Control Panel. First just IPv4 and then, after no change, IPv6. Flushing DNS and renewing the IP & adapter also didn't solve it. And neither did a simple restart.

Suggestions?
 


Josey Wales (OS: Win 11 Pro 22000.708)
11 includes 3 DoH DNS services by default; you can add a custom one with a command, for example CleanBrowsing:
Code:
netsh dns add encryption server=185.228.168.10 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
netsh dns add encryption server=185.228.169.11 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
Then you open Ethernet/WiFi settings, add the custom IPs and then select Encrypted; UAC can ask you to confirm it (twice at most). Afterwards you can check via a firewall or a network monitor whether svchost is making DNS requests via port 443 to the specified IP.
Thank You very Much.
 


Laker775 (OS: Windows 11 Pro Build 10.0.22000.51)
Well I decided to use my brain and used the solution @TairikuOkami posted and like @Josey Wales I'm sorted.

11 includes 3 DoH DNS services by default; you can add a custom one with a command, for example CleanBrowsing:
Code:
netsh dns add encryption server=185.228.168.10 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
netsh dns add encryption server=185.228.169.11 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
Then you open Ethernet/WiFi settings, add the custom IPs and then select Encrypted; UAC can ask you to confirm it (twice at most). Afterwards you can check via a firewall or a network monitor whether svchost is making DNS requests via port 443 to the specified IP.

Thank you very much! (again just like JW)
 


TairikuOkami (OS: Windows 11 Home)
For the record, Windows stores DOH servers at this location.
Code:
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers
The active interface is at this location; once DNS is registered, you can enable it by using a command like this:
Code:
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{da9e43ac-0335-4747-a5d1-f645dd7d3a39}\DohInterfaceSettings\Doh\9.9.9.9" /v "DohFlags" /t REG_QWORD /d "1" /f
I think it is only a matter of time till hackers take notice and change it. You will set up 9.9.9.9, but malware will use something like:

capture_07032021_173117.jpg
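Added example, not from the post: the concern above is that the two registry locations it names can be rewritten by anything running with admin rights, and Settings gives no hint when that happens. The script below is a read-only drift check written for this thread: run it once with -SaveBaseline after DoH is configured, then run it again (from a scheduled task, say) and it lists every DoH template that appeared, disappeared or changed, and every per-interface DoH entry that did the same. The baseline file location is a placeholder of mine.

```powershell
# Added example (not code from the thread). Read-only apart from writing the
# baseline file. Assumption: the baseline path below is a placeholder.
param(
    [string]$BaselinePath = "$env:ProgramData\doh-baseline.json",
    [switch]$SaveBaseline
)

# The two locations named in the post.
$WellKnownKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers'
$InterfaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters'

function Get-DohState {
    # Flat view: server -> template, and "guid|Doh|server" / "guid|Doh6|server" -> DohFlags.
    $templates = @{}
    Get-ChildItem -LiteralPath $WellKnownKey -ErrorAction SilentlyContinue | ForEach-Object {
        $templates[$_.PSChildName] = [string]$_.GetValue('Template')
    }
    $enabled = @{}
    Get-ChildItem -LiteralPath $InterfaceKey -ErrorAction SilentlyContinue | ForEach-Object {
        $guid = $_.PSChildName
        foreach ($family in 'Doh', 'Doh6') {                  # Doh = IPv4 entries, Doh6 = IPv6 entries
            $path = "$InterfaceKey\$guid\DohInterfaceSettings\$family"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            Get-ChildItem -LiteralPath $path | ForEach-Object {
                $enabled["$guid|$family|$($_.PSChildName)"] = [int64]$_.GetValue('DohFlags')
            }
        }
    }
    return @{ Templates = $templates; Enabled = $enabled }
}

function Compare-DohState {
    # One line per difference; an empty list means no drift since the baseline.
    param($Baseline, $Current)
    $diff = [System.Collections.Generic.List[string]]::new()
    foreach ($s in $Current.Templates.Keys) {
        if (-not $Baseline.Templates.ContainsKey($s)) {
            $diff.Add("NEW template      $s -> $($Current.Templates[$s])")
        } elseif ($Baseline.Templates[$s] -ne $Current.Templates[$s]) {
            $diff.Add("CHANGED template  $s : $($Baseline.Templates[$s]) -> $($Current.Templates[$s])")
        }
    }
    foreach ($s in $Baseline.Templates.Keys) {
        if (-not $Current.Templates.ContainsKey($s)) { $diff.Add("REMOVED template  $s") }
    }
    foreach ($e in $Current.Enabled.Keys) {
        if (-not $Baseline.Enabled.ContainsKey($e)) {
            $diff.Add("NEW DoH entry     $e (DohFlags=$($Current.Enabled[$e]))")
        } elseif ($Baseline.Enabled[$e] -ne $Current.Enabled[$e]) {
            $diff.Add("CHANGED DohFlags  $e : $($Baseline.Enabled[$e]) -> $($Current.Enabled[$e])")
        }
    }
    foreach ($e in $Baseline.Enabled.Keys) {
        if (-not $Current.Enabled.ContainsKey($e)) { $diff.Add("REMOVED DoH entry $e") }
    }
    return ,$diff
}

$current = Get-DohState
if ($SaveBaseline) {
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
    return
}

# ConvertFrom-Json yields PSCustomObjects; rebuild hashtables so the compare stays uniform.
$raw      = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$baseline = @{ Templates = @{}; Enabled = @{} }
foreach ($p in $raw.Templates.PSObject.Properties) { $baseline.Templates[$p.Name] = [string]$p.Value }
foreach ($p in $raw.Enabled.PSObject.Properties)   { $baseline.Enabled[$p.Name]   = [int64]$p.Value }

$drift = Compare-DohState -Baseline $baseline -Current $current
if ($drift.Count -eq 0) { 'No DoH configuration drift since baseline.' } else { $drift }
```

A "NEW template" line for an address you never configured, or a "CHANGED template" line pointing at a host you do not recognise, is exactly the swap the post describes; the interface entries tell you whether that server is actually in use on an adapter.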
 


TairikuOkami (OS: Windows 11 Home)
I have managed to add my DNS via reg directly, since the netsh command does not work for me anymore.
Code:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\45.90.28.91" /v "Template" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\45.90.30.91" /v "Template" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx" /f
 



Genshii (OS: Windows 11)
For anyone looking to automatically set DNS servers and enable DoH for every relevant network interface, I wrote the following batch script:

Code:
@echo off

rem Set the DNS servers to be applied to each interface.
set IPv4PrimaryDNS=1.1.1.1
set IPv4SecondaryDNS=1.0.0.1
set IPv6PrimaryDNS=2606:4700:4700::1111
set IPv6SecondaryDNS=2606:4700:4700::1001

rem Checks for administrative permissions.
net.exe session 1>NUL 2>NUL || (echo This script requires administrative permissions. Please run as administrator. & pause & exit /B 1)

echo Using the following DNS servers:
echo IPv4:
echo Primary - %IPv4PrimaryDNS%
echo Secondary - %IPv4SecondaryDNS%
echo/
echo IPv6:
echo Primary - %IPv6PrimaryDNS%
echo Secondary - %IPv6SecondaryDNS%
echo/

rem Clears existing DoH settings.
reg delete "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters" /f 1>NUL
echo Cleared any existing DoH settings.
echo/

rem The following for loops get a given interface's InterfaceIndex and GUID. We use the InterfaceIndex to set DNS, and the GUID to set DoH in the registry.
rem We only care about network interfaces that have a GUID.
for /f %%X in ('wmic nic where "GUID!=NULL" Get InterfaceIndex /value') do (
    rem We have to use a second for loop to remove the extra carriage returns from wmic output.
    rem InterfaceIndex is stored at %%I.
    for /f "tokens=1* delims==" %%H in ("%%X") do (
        for /f %%X in ('wmic nic where "InterfaceIndex=%%I" Get GUID /value') do (
            rem GUID is stored at %%G.
            for /f "tokens=1* delims==" %%F in ("%%X") do (

                rem Prints the name of the interface being modified.
                for  /f "tokens=*" %%X in ('wmic nic where "InterfaceIndex=%%I" Get NetConnectionID /value') do (
                    for /f "tokens=1* delims==" %%B in ("%%X") do (
                        for  /f "tokens=*" %%X in ('wmic nic where "InterfaceIndex=%%I" Get Name /value') do (
                            for /f "tokens=1* delims==" %%M in ("%%X") do echo %%C ^(%%N^):
                        )
                    )
                )
                echo/

                rem Clears existing DNS servers.
                netsh interface ipv4 set dnsservers %%I dhcp 1>NUL
                echo Cleared any existing IPv4 DNS servers.
                netsh interface ipv6 set dnsservers %%I dhcp 1>NUL
                echo Cleared any existing IPv6 DNS servers.
                echo/

                netsh interface ipv4 set dnsservers %%I static %IPv4PrimaryDNS% primary no 1>NUL
                echo Set primary IPv4 DNS server to: %IPv4PrimaryDNS%
                netsh interface ipv4 add dnsservers %%I %IPv4SecondaryDNS% index=2 no 1>NUL
                echo Set secondary IPv4 DNS server to: %IPv4SecondaryDNS%
                echo/

                netsh interface ipv6 set dnsservers %%I static %IPv6PrimaryDNS% primary no 1>NUL
                echo Set primary IPv6 DNS server to: %IPv6PrimaryDNS%
                netsh interface ipv6 add dnsservers %%I %IPv6SecondaryDNS% index=2 no 1>NUL
                echo Set secondary IPv6 DNS server to: %IPv6SecondaryDNS%
                echo/

                reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\%%G\DohInterfaceSettings\Doh\%IPv4PrimaryDNS%" /v "DohFlags" /t REG_QWORD /d "1" /f 1>NUL
                reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\%%G\DohInterfaceSettings\Doh\%IPv4SecondaryDNS%" /v "DohFlags" /t REG_QWORD /d "1" /f 1>NUL
                echo Enabled DoH for IPv4.

                reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\%%G\DohInterfaceSettings\Doh6\%IPv6PrimaryDNS%" /v "DohFlags" /t REG_QWORD /d "1" /f 1>NUL
                reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\%%G\DohInterfaceSettings\Doh6\%IPv6SecondaryDNS%" /v "DohFlags" /t REG_QWORD /d "1" /f 1>NUL
                echo Enabled DoH for IPv6.
                echo/
            )
        
        )
    )
)

ipconfig /flushdns 1>NUL
echo Flushed DNS.
echo/

pause

If you want to use a DoH service that's not included with Windows 11, you can of course combine this with what @TairikuOkami provided above.
 


Brink (Thread Starter; OS: Windows 11 Pro for Workstations)
Tutorial updated for changes made to DNS over HTTPS settings in Insider Dev Channel builds. :)
 


windoc (OS: Windows 10)
settings -> network and internet -> Wi-Fi -> hardware properties -> DNS server assignment. Then go ahead and edit DNS settings. There are 4 entries for IPv4 and 4 entries for IPv6. A preferred DNS, alternate DNS, and then the preferred encryption for each. I have set my encryption for all DNS servers to Encrypted Only (DNS over HTTPS).

The above steps worked for me flawlessly. I verified that the new DNS servers are working using dns browser leaks. Finally encrypted DNS at the system level. No more messing with alternate programs. Whooaa.
 


Kol12 (OS: Windows 11 - Release Preview channel)
Does this override the DNS servers configured in your router? My router is configured to use the ISP DNS so I'm wondering if the encrypted DNS servers we enter in Windows Ethernet settings override the router?
 


Brink (Thread Starter; OS: Windows 11 Pro for Workstations)
Does this override the DNS servers configured in your router? My router is configured to use the ISP DNS so I'm wondering if the encrypted DNS servers we enter in Windows Ethernet settings override the router?

Hello mate, :)

Usually, the DNS set in Windows will override the router.

You can check at the link below for What's my DNS Server to verify the DNS and ISP (ex: "CLOUDFLARENET") is correct.

 


Kol12 (OS: Windows 11 - Release Preview channel)
Hello mate, :)

Usually, the DNS set in Windows will override the router.

You can check at the link below for What's my DNS Server to verify the DNS and ISP (ex: "CLOUDFLARENET") is correct.

Thanks Shawn. I checked the link and it detected the DNS servers I've configured in Windows. It's Matt from Ten Forums BTW. :)
 


thljcl (OS: Windows 11)
Some public DoH providers do not give IP addresses for their DoH servers in their instructions.
Web browsers such as Edge and Brave only require the URL of the DoH template to connect to a DoH server.
If Windows itself is using classic unencrypted DNS, Windows has to do a DNS lookup on the URL of the DoH template via unencrypted DNS.
Including the IP address directly in the configuration lets it use DoH exclusively without having to refer to unencrypted DNS.
There is a public list of DoH providers used by the latest Chrome (Canary) at https://bit.ly/3g1K5yH
Mozilla has a short list of DoH providers at Security/DOH-resolver-policy - MozillaWiki
In both cases, we only see the URL of the DoH template for some DoH providers.
It does not mean that they are meant only for browsers.
Theoretically, any DoH client, including the Windows built-in DNS client, could be configured to connect to them, but we do need to look for their associated IP addresses.
The associated IP addresses of a domain name are actually in the public record; we only need to know where to look.
There are a couple of free DNS lookup web sites.
The one I used was DNS Checker (DNS Lookup - Check DNS All Records)
Take NextDNS as an example.
The URL given by Mozilla is https://firefox.dns.nextdns.io
Do not ping the URL directly, as it would point to the IP of the nearest server instead of the associated IP in the public DNS record.
The DNS query would be sent to a different server with a different IP depending on your location and the availability of servers.
DoH providers may have a global network of servers which have different IPs.
Only the associated IP in the DNS record would be able to redirect you to the "best" server.
The found IP addresses are:
ipv4
207.246.91.188
162.220.223.23

ipv6
2a00:11c0:46:4::5
2001:19f0:5:663d:5400:2ff:fece:2f14
If you attempt to use the netsh command in the command prompt to manually add encryption for NextDNS using the DoH template URL given by Mozilla, it would fail:
Code:
netsh dnsclient add encryption server="207.246.91.188" dohtemplate="https://firefox.dns.nextdns.io " autoupgrade="yes" udpfallback="no"
The trick here is that some DoH providers deliberately give a non-standard URL, which would not work generally.
The DoH RFC is publicly available at RFC 8484 - DNS Queries over HTTPS (DoH).
Basically, the standard URL template for a DoH server is like:
For NextDNS, it would become:
Yes, Windows would only accept it via the netsh command if the URL template is in "standard form".
The command would be:
Code:
netsh dnsclient add encryption server="207.246.91.188" dohtemplate="https://firefox.dns.nextdns.io/dns-query" autoupgrade="yes" udpfallback="no"
Then you would see that the encryption is added successfully.
Remember to open the command prompt as administrator to use the netsh command.
You can show the list of configured DoH addresses using this command:
Code:
powershell -command (get-dnsclientdohserveraddress)
If you actually visit the NextDNS web site, it would offer you registration to get IP addresses and a DoH template URL even for the free plan.
The official version offers more customization and more features.
However, what it does not tell you is that you do not need to register or even download the official app.
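Added example, not from the post: the two steps it describes, normalising a provider's template to the /dns-query form and finding the resolver's published A/AAAA addresses, done in PowerShell and finished with the same registration the netsh add encryption commands earlier in the thread perform. The template https://doh.example.net and the bootstrap resolver 9.9.9.9 (a Quad9 address from the tutorial's table) are placeholders; when a provider does publish its IP addresses, pass those instead of looking them up, for the reason the post gives.

```powershell
# Added example (not code from the thread). Assumptions: "https://doh.example.net"
# stands in for a provider's published template; 9.9.9.9 is only used for the one
# bootstrap lookup of the template's host name.
#Requires -RunAsAdministrator
param(
    [string]$Template          = 'https://doh.example.net',
    [string]$BootstrapResolver = '9.9.9.9'
)

function ConvertTo-StandardDohTemplate {
    # https scheme and a path ending in /dns-query, the form used in the RFC 8484 examples.
    param([string]$Url)
    $u = [uri]$Url
    if ($u.Scheme -ne 'https') { throw "DoH template must use https: $Url" }
    $path = $u.AbsolutePath.TrimEnd('/')
    if ($path -notlike '*/dns-query') { $path = "$path/dns-query" }
    return "https://$($u.Host)$path"
}

function Get-DohBootstrapAddresses {
    # A and AAAA records of the template's host. This single lookup goes to $Resolver
    # unencrypted, which is why the post prefers addresses the provider publishes.
    param([string]$HostName, [string]$Resolver)
    $records = @(Resolve-DnsName -Name $HostName -Type A    -Server $Resolver -DnsOnly -ErrorAction Stop) +
               @(Resolve-DnsName -Name $HostName -Type AAAA -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue)
    return @($records | Where-Object { $_.Type -in 'A', 'AAAA' } |
             Select-Object -ExpandProperty IPAddress -Unique)
}

$std       = ConvertTo-StandardDohTemplate -Url $Template
$dohHost   = ([uri]$std).Host
$addresses = Get-DohBootstrapAddresses -HostName $dohHost -Resolver $BootstrapResolver
if ($addresses.Count -eq 0) { throw "No A/AAAA records found for $dohHost" }

foreach ($ip in $addresses) {
    # Same effect as the netsh line in the post: template bound to the IP, auto-upgrade on,
    # plaintext UDP fallback off. Existing entries for the IP are updated rather than duplicated.
    $entry = @{ ServerAddress = $ip; DohTemplate = $std; AllowFallbackToUdp = $false; AutoUpgrade = $true }
    if (Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $ip) {
        Set-DnsClientDohServerAddress @entry | Out-Null
    } else {
        Add-DnsClientDohServerAddress @entry | Out-Null
    }
}

# The entries now appear in the list the post reads with get-dnsclientdohserveraddress.
# They still have to be chosen as Preferred/Alternate DNS on the adapter (tutorial steps 5 and 6).
Get-DnsClientDohServerAddress | Where-Object DohTemplate -eq $std |
    Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade -AutoSize
```

Keeping AllowFallbackToUdp off is what makes the registration worth doing: with fallback on, a resolver that stops answering over HTTPS silently drops the client back to plaintext port 53, which is the situation the whole thread is trying to avoid.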
 

