Enable DNS over HTTPS (DoH) in Windows 11

A DNS (Domain Name System) server is the service that makes it possible for you to open a web browser, type a domain name and load your favorite websites.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System resolution over HTTPS. Its goal is to increase user privacy and security: because the queries and answers between the DoH client and the DoH-based DNS resolver travel inside an encrypted HTTPS connection, a man-in-the-middle on the path cannot eavesdrop on or manipulate the DNS data.

See also: Windows Insiders gain new DNS over HTTPS controls

This tutorial will show you how to enable DNS over HTTPS (DoH) in Windows 11.

You must be signed in as an administrator to change the DNS server address and enable DoH.



Here's How:

1 Open Settings (Win+I).

2 Click/tap on Network & internet on the left side, and click/tap on Properties of the connected network you want to enable DoH for at the top on the right side. (see screenshot below)

[Screenshot: DoH-1.png]

3 Click/tap on the Edit button under DNS server assignment on the right side. (see screenshots below)

If you see a red message of the type "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved.", click/tap on the "Change DNS settings for all Wi-Fi networks" link instead, and then click/tap on the Edit button as in step 3.


[Screenshot: DoH-2.jpg]
[Screenshot: DoH-5.png]

4 Select Manual in the drop menu at the top. (see screenshots below step 8)


5 Enable DoH for IPv4

A) Turn on IPv4. (see screenshots below step 8)

B) Type a Preferred DNS you want to use that supports DoH. (see table below)

DNS server           Preferred DNS for IPv4
Cloudflare           1.1.1.1
Google Public DNS    8.8.8.8
Quad9                9.9.9.9

C) Select Encrypted only (DNS over HTTPS) from the Preferred DNS encryption drop menu under IPv4.

If you do not have a Preferred DNS encryption drop menu option to select Encrypted only (DNS over HTTPS), then close Settings, change the IPv4 DNS address for this connected network adapter in the Control Panel, and start over at step 1.

You will now see the red "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved." message at step 3.


D) Type an Alternate DNS you want to use that supports DoH. (see table below)

DNS server           Alternate DNS for IPv4
Cloudflare           1.0.0.1
Google Public DNS    8.8.4.4
Quad9                149.112.112.112

E) Select Encrypted only (DNS over HTTPS) from the Alternate DNS encryption drop menu under IPv4.

If you do not have an Alternate DNS encryption drop menu option to select Encrypted only (DNS over HTTPS), then close Settings, change the IPv4 DNS address for this connected network adapter in the Control Panel, and start over at step 1.

You will now see the red "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved." message at step 3.



6 Enable DoH for IPv6

A) Turn on IPv6. (see screenshots below step 8)

B) Type a Preferred DNS you want to use that supports DoH. (see table below)

DNS server           Preferred DNS for IPv6
Cloudflare           2606:4700:4700::1111
Google Public DNS    2001:4860:4860::8888
Quad9                2620:fe::fe

C) Select Encrypted only (DNS over HTTPS) from the Preferred DNS encryption drop menu under IPv6.

If you do not have a Preferred DNS encryption drop menu option to select Encrypted only (DNS over HTTPS), then close Settings, change the IPv6 DNS address for this connected network adapter in the Control Panel, and start over at step 1.

You will now see the red "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved." message at step 3.


D) Type an Alternate DNS you want to use that supports DoH. (see table below)

DNS server           Alternate DNS for IPv6
Cloudflare           2606:4700:4700::1001
Google Public DNS    2001:4860:4860::8844
Quad9                2620:fe::fe:9

E) Select Encrypted only (DNS over HTTPS) from the Alternate DNS encryption drop menu under IPv6.

If you do not have an Alternate DNS encryption drop menu option to select Encrypted only (DNS over HTTPS), then close Settings, change the IPv6 DNS address for this connected network adapter in the Control Panel, and start over at step 1.

You will now see the red "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved." message at step 3.



7 When finished, click/tap on Save.

8 You can now close Settings if you like.

[Screenshot: DoH-3.png]
[Screenshot: DoH-4.png]
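Steps 4 to 8 above, scripted in PowerShell as an added example that is not part of this tutorial. It uses the Cloudflare addresses from the tables for a single adapter and assumes an elevated PowerShell on Windows 11, an adapter named "Wi-Fi" (a placeholder to adjust), and that the per-interface DohFlags=1 registry value it writes is what the "Encrypted only (DNS over HTTPS)" option sets, as the reg commands later in this thread show. Before changing anything it checks that each resolver is already in the Windows DoH server list, since the encryption drop menu only offers "Encrypted only" for such resolvers.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of steps 4-8 for one adapter.
# Assumed values: the adapter name and the resolver set below.
$AdapterName = 'Wi-Fi'                                      # placeholder, adjust
$Resolvers = @{
    IPv4 = @('1.1.1.1', '1.0.0.1')                          # Cloudflare, from the tables
    IPv6 = @('2606:4700:4700::1111', '2606:4700:4700::1001')
}

$nic = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
$all = @($Resolvers.IPv4 + $Resolvers.IPv6)

# Precondition for "Encrypted only": every address must already be in the Windows
# DoH server list (the built-in providers plus any added with netsh or
# Add-DnsClientDohServerAddress). Stop before touching the adapter otherwise.
$known   = @(Get-DnsClientDohServerAddress | ForEach-Object ServerAddress)
$unknown = @($all | Where-Object { $_ -notin $known })
if ($unknown.Count -gt 0) {
    throw "Not known to Windows as DoH servers, so 'Encrypted only' is unavailable: $($unknown -join ', ')"
}

# Steps 4-6: switch the adapter from automatic (DHCP) to manual DNS assignment.
Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $all

# Steps 5C/5E/6C/6E: mark each resolver "Encrypted only" for this interface.
# Key layout is the one used by the reg/netsh posts later in this thread:
#   ...\InterfaceSpecificParameters\{adapter GUID}\DohInterfaceSettings\Doh\<IPv4>
#   ...\InterfaceSpecificParameters\{adapter GUID}\DohInterfaceSettings\Doh6\<IPv6>
# each holding DohFlags (REG_QWORD) = 1.
$base = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\$($nic.InterfaceGuid)\DohInterfaceSettings"
foreach ($family in $Resolvers.Keys) {
    $sub = if ($family -eq 'IPv4') { 'Doh' } else { 'Doh6' }
    foreach ($ip in $Resolvers[$family]) {
        $key = "$base\$sub\$ip"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DohFlags' -PropertyType QWord -Value 1 -Force | Out-Null
    }
}

# Drop answers that were cached before encryption was enabled, then show the result.
Clear-DnsClientCache
Get-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses
```

After running it, the Settings page for the adapter should show the same "Encrypted only (DNS over HTTPS)" selections you would have made by hand in steps 5 and 6.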



That's it,
Shawn Brink
 


Josey Wales

I am having problems trying to do this. Can someone lend me a hand?
 

TairikuOkami

I am having problems trying to do this. Can someone lend me a hand?
11 includes 3 DoH DNS services by default; you can add a custom one with a command, for example CleanBrowsing:
Code:
netsh dns add encryption server=185.228.168.10 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
netsh dns add encryption server=185.228.169.11 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
Then you open the Ethernet/Wi-Fi settings, add the custom IPs and select Encrypted; UAC may ask you to confirm it (twice at most). Afterwards you can check via a firewall or a network monitor whether svchost is making DNS requests via port 443 to the specified IP.
 

Laker775

I'm also unable to set the Alternate DNS encryption drop menu. It is greyed out after following the instructions to first set the DNS settings via the Control Panel.

I have set both IPv4 & IPv6 through the Control Panel, first just IPv4 and then, after no change, IPv6. Flushing DNS and renewing the IP & adapter also didn't solve it, and neither did a simple restart.

Suggestions?
 

Josey Wales

11 includes 3 DoH DNS services by default; you can add a custom one with a command, for example CleanBrowsing:
Code:
netsh dns add encryption server=185.228.168.10 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
netsh dns add encryption server=185.228.169.11 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
Then you open the Ethernet/Wi-Fi settings, add the custom IPs and select Encrypted; UAC may ask you to confirm it (twice at most). Afterwards you can check via a firewall or a network monitor whether svchost is making DNS requests via port 443 to the specified IP.
Thank you very much.
 


Laker775

Well, I decided to use my brain and used the solution @TairikuOkami posted, and like @Josey Wales I'm sorted.

11 includes 3 DoH DNS services by default; you can add a custom one with a command, for example CleanBrowsing:
Code:
netsh dns add encryption server=185.228.168.10 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
netsh dns add encryption server=185.228.169.11 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no
Then you open the Ethernet/Wi-Fi settings, add the custom IPs and select Encrypted; UAC may ask you to confirm it (twice at most). Afterwards you can check via a firewall or a network monitor whether svchost is making DNS requests via port 443 to the specified IP.

Thank you very much! (again just like JW)
 


TairikuOkami

For the record, Windows stores DoH servers at this location.
Code:
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers
For the active interface, at this location, you can enable DNS by using a command like this, once the DNS is registered:
Code:
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{da9e43ac-0335-4747-a5d1-f645dd7d3a39}\DohInterfaceSettings\Doh\9.9.9.9" /v "DohFlags" /t REG_QWORD /d "1" /f
I think it is only a matter of time till hackers take notice and change it. You will set up 9.9.9.9, but malware will use something like:

[Screenshot: capture_07032021_173117.jpg]
 

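An added example (not TairikuOkami's code) that turns the point above into a check: it reads the two registry locations named in that post and reports any DoH server, template or per-interface DohFlags entry that is not on an expected allowlist, so a swapped template or an extra resolver shows up in a scheduled audit or a detection rule instead of going unnoticed. $Expected is an assumed allowlist: the Quad9 addresses from the tutorial with Quad9's published template, plus the CleanBrowsing addresses and template from the netsh post above.

```powershell
# Added example (not from the thread): audit the DoH registry locations named
# above and flag entries that do not match an expected allowlist.
# $Expected is an assumed allowlist; adjust it to the resolvers you deployed.
$Expected = @{
    '9.9.9.9'         = 'https://dns.quad9.net/dns-query'
    '149.112.112.112' = 'https://dns.quad9.net/dns-query'
    '185.228.168.10'  = 'https://doh.cleanbrowsing.org/doh/adult-filter'
    '185.228.169.11'  = 'https://doh.cleanbrowsing.org/doh/adult-filter'
}

function Get-DohAuditFindings {
    param([Parameter(Mandatory)][hashtable]$Allowed)
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Global server -> template map. A changed Template value redirects every
    #    "encrypted" query for that server to whatever endpoint the value names,
    #    which is exactly the swap the post above warns about.
    $wellKnown = Get-ChildItem "$root\Parameters\DohWellKnownServers" -ErrorAction SilentlyContinue
    foreach ($k in $wellKnown) {
        $ip       = $k.PSChildName
        $template = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).Template
        $issue    = $null
        if (-not $Allowed.ContainsKey($ip)) {
            $issue = 'server not in allowlist'
        } elseif ($template -ne $Allowed[$ip]) {
            $issue = "template changed, expected $($Allowed[$ip])"
        }
        if ($issue) {
            $findings.Add([pscustomobject]@{
                Scope = 'DohWellKnownServers'; Server = $ip; Template = $template; Issue = $issue })
        }
    }

    # 2. Per-interface settings: any resolver with DoH switched on (DohFlags set)
    #    that is not in the allowlist. Doh = IPv4 resolvers, Doh6 = IPv6 resolvers.
    $ifaces = Get-ChildItem "$root\InterfaceSpecificParameters" -ErrorAction SilentlyContinue
    foreach ($iface in $ifaces) {
        foreach ($fam in 'Doh', 'Doh6') {
            $famPath = "$($iface.PSPath)\DohInterfaceSettings\$fam"
            foreach ($srv in Get-ChildItem $famPath -ErrorAction SilentlyContinue) {
                $flags = (Get-ItemProperty -Path $srv.PSPath -ErrorAction SilentlyContinue).DohFlags
                if ($flags -and -not $Allowed.ContainsKey($srv.PSChildName)) {
                    $findings.Add([pscustomobject]@{
                        Scope = "Interface $($iface.PSChildName)"; Server = $srv.PSChildName
                        Template = $null; Issue = "DoH enabled (DohFlags=$flags) for unlisted server" })
                }
            }
        }
    }
    return $findings
}

$report = Get-DohAuditFindings -Allowed $Expected
if ($report.Count -gt 0) { $report | Format-Table -AutoSize }
else { 'No unexpected DoH servers or templates found.' }
```

Reading HKLM is allowed without elevation, so the audit can run from a standard account; only the Template and DohFlags values it reports are evidence, and a finding should be compared against the provider's published template before acting on it.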

TairikuOkami

I have managed to add my DNS via reg directly, since the netsh command does not work for me anymore.
Code:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\45.90.28.91" /v "Template" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\45.90.30.91" /v "Template" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx" /f
 


Genshii

For anyone looking to automatically set DNS servers and enable DoH for every relevant network interface, I wrote the following batch script:

Code:
@echo off

rem Set the DNS servers to be applied to each interface.
set IPv4PrimaryDNS=1.1.1.1
set IPv4SecondaryDNS=1.0.0.1
set IPv6PrimaryDNS=2606:4700:4700::1111
set IPv6SecondaryDNS=2606:4700:4700::1001

rem Checks for administrative permissions.
net.exe session 1>NUL 2>NUL || (echo This script requires administrative permissions. Please run as administrator. & pause & exit /B 1)

echo Using the following DNS servers:
echo IPv4:
echo Primary - %IPv4PrimaryDNS%
echo Secondary - %IPv4SecondaryDNS%
echo/
echo IPv6:
echo Primary - %IPv6PrimaryDNS%
echo Secondary - %IPv6SecondaryDNS%
echo/

rem Clears existing DoH settings.
reg delete "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters" /f 1>NUL
echo Cleared any existing DoH settings.
echo/

rem The following for loops get a given interface's InterfaceIndex and GUID. We use the InterfaceIndex to set DNS, and the GUID to set DoH in the registry.
rem We only care about network interfaces that have a GUID.
for /f %%X in ('wmic nic where "GUID!=NULL" Get InterfaceIndex /value') do (
    rem We have to use a second for loop to remove the extra carriage returns from wmic output.
    rem InterfaceIndex is stored at %%I.
    for /f "tokens=1* delims==" %%H in ("%%X") do (
        for /f %%X in ('wmic nic where "InterfaceIndex=%%I" Get GUID /value') do (
            rem GUID is stored at %%G.
            for /f "tokens=1* delims==" %%F in ("%%X") do (

                rem Prints the name of the interface being modified.
                for  /f "tokens=*" %%X in ('wmic nic where "InterfaceIndex=%%I" Get NetConnectionID /value') do (
                    for /f "tokens=1* delims==" %%B in ("%%X") do (
                        for  /f "tokens=*" %%X in ('wmic nic where "InterfaceIndex=%%I" Get Name /value') do (
                            for /f "tokens=1* delims==" %%M in ("%%X") do echo %%C ^(%%N^):
                        )
                    )
                )
                echo/

                rem Clears existing DNS servers.
                netsh interface ipv4 set dnsservers %%I dhcp 1>NUL
                echo Cleared any existing IPv4 DNS servers.
                netsh interface ipv6 set dnsservers %%I dhcp 1>NUL
                echo Cleared any existing IPv6 DNS servers.
                echo/

                netsh interface ipv4 set dnsservers %%I static %IPv4PrimaryDNS% primary no 1>NUL
                echo Set primary IPv4 DNS server to: %IPv4PrimaryDNS%
                netsh interface ipv4 add dnsservers %%I %IPv4SecondaryDNS% index=2 no 1>NUL
                echo Set secondary IPv4 DNS server to: %IPv4SecondaryDNS%
                echo/

                netsh interface ipv6 set dnsservers %%I static %IPv6PrimaryDNS% primary no 1>NUL
                echo Set primary IPv6 DNS server to: %IPv6PrimaryDNS%
                netsh interface ipv6 add dnsservers %%I %IPv6SecondaryDNS% index=2 no 1>NUL
                echo Set secondary IPv6 DNS server to: %IPv6SecondaryDNS%
                echo/

                reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\%%G\DohInterfaceSettings\Doh\%IPv4PrimaryDNS%" /v "DohFlags" /t REG_QWORD /d "1" /f 1>NUL
                reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\%%G\DohInterfaceSettings\Doh\%IPv4SecondaryDNS%" /v "DohFlags" /t REG_QWORD /d "1" /f 1>NUL
                echo Enabled DoH for IPv4.

                reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\%%G\DohInterfaceSettings\Doh6\%IPv6PrimaryDNS%" /v "DohFlags" /t REG_QWORD /d "1" /f 1>NUL
                reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\%%G\DohInterfaceSettings\Doh6\%IPv6SecondaryDNS%" /v "DohFlags" /t REG_QWORD /d "1" /f 1>NUL
                echo Enabled DoH for IPv6.
                echo/
            )
        
        )
    )
)

ipconfig /flushdns 1>NUL
echo Flushed DNS.
echo/

pause

If you want to use a DoH service that's not included with Windows 11, you can of course combine this with what @TairikuOkami provided above.
 
