Network and Internet Enable DNS over TLS (DoT) in Windows 11



This tutorial will show you how to change your DNS Server address and enable DNS over TLS (DoT) in Windows 11.

A DNS (Domain Name System) server is the service that makes it possible for you to open a web browser, type a domain name and load your favorite websites.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. Windows 11 includes built-in support for DoH.

Starting with Windows 11 build 25158, DNS over TLS (DoT) testing is now available for Windows DNS client query protection. The setup requires some command line use and is recommended for advanced networking users.

DNS over TLS (DoT) is an alternative encrypted DNS protocol to DNS over HTTPS (DoH). Where DoH treats DNS traffic as one more HTTPS data stream over port 443, DoT dedicates port 853 to encrypted DNS traffic and runs directly over a TLS tunnel without HTTP layering underneath. This may result in a small performance improvement depending on the network environment at the cost of the flexibility HTTPS-based protocols can provide.

References:
DNS over TLS vs. DNS over HTTPS | Secure DNS


You must be signed in as an administrator to change the DNS server address and enable DoT.




Here's How:

1 Open Settings (Win+I).

2 Click/tap on Network & internet on the left side. (see screenshot below)


DoT-1.png

3 Do step 4 (current), step 5 (specific), or step 6 (all Wi-Fi) below, depending on which network connection or adapter you want to enable DoT for.

4 Enable DNS over TLS (DoT) for a Current Network Connection

This will be for a network connection you are currently connected to.


A) Click/tap on Properties of the connected network you want to enable DoT for at the top on the right side. (see screenshot below)

Current_DoT-1.png

B) Click/tap on the Ethernet or Wi-Fi connection you want to enable DoT for. (see screenshots below)

Current_DoT-2.png
Current_DoT-3.png

C) Click/tap on the Edit button under DNS server assignment on the right side, and go to step 7. (see screenshots below)

If you see the message "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved.", it means you previously used step 6, which overrides this setting. In that case, click/tap on the Change DNS settings for all Wi-Fi networks link instead, and then click/tap on the Edit button in step 6.


DoT-2.png
DoT-5.png

5 Enable DNS over TLS (DoT) for Specific Network Connection

This will be for a network connection you do not have to be currently connected to.


A) Click/tap on Wi-Fi or Ethernet for the type of network connection you want to enable DoT for. (see screenshot below)

Specific_DoT-1.png

B) Perform one of the following actions: (see screenshots below)
  • For Ethernet, click/tap on the connection you want to enable DoT for.
  • For Wi-Fi, click/tap on Manage known networks, and click/tap on the known Wi-Fi network connection you want to enable DoT for.
Current_DoT-2.png
Specific_DoT-2.png
Specific_DoT-3.png

C) Click/tap on the Edit button under DNS server assignment on the right side, and go to step 7. (see screenshots below)

If you see the message "The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved.", it means you previously used step 6, which overrides this setting. In that case, click/tap on the Change DNS settings for all Wi-Fi networks link instead, and then click/tap on the Edit button in step 6.


DoT-2.png
DoT-5.png

6 Enable DNS over TLS (DoT) for Wi-Fi Network Adapter

This will include all connections you make from the selected Wi-Fi network adapter.

This will override what is set for a network connection in step 4 and/or step 5.


A) Click/tap on Wi-Fi. (see screenshot below)

All_DoT-1.png

B) Click/tap on Hardware properties. (see screenshot below)

All_DoT-2.png

C) Click/tap on the Edit button under DNS server assignment on the right side, and go to step 7. (see screenshot below)

All_DoT-3.png

7 Select Manual in the drop menu at the top. (see screenshots below step 10)

8 Enable DoT for IPv4

A) Turn on IPv4. (see screenshots below step 10)

B) Type a Preferred DNS you want to use that supports DoT. (see table below)

DoT DNS server       Preferred DNS for IPv4
Cloudflare           1.1.1.1
Google Public DNS    8.8.8.8
Quad9                9.9.9.9

C) Select Off in the DNS over HTTPS drop menu.

D) Type an Alternate DNS you want to use that supports DoT. (see table below)

DoT DNS server       Alternate DNS for IPv4
Cloudflare           1.0.0.1
Google Public DNS    8.8.4.4
Quad9                149.112.112.112

E) Select Off in the DNS over HTTPS drop menu.

9 Enable DoT for IPv6

A) Turn on IPv6. (see screenshots below step 10)

B) Type a Preferred DNS you want to use that supports DoT. (see table below)

DoT DNS server       Preferred DNS for IPv6
Cloudflare           2606:4700:4700::1111
Google Public DNS    2001:4860:4860::8888
Quad9                2620:fe::fe

C) Select Off in the DNS over HTTPS drop menu.

D) Type an Alternate DNS you want to use that supports DoT. (see table below)

DoT DNS server       Alternate DNS for IPv6
Cloudflare           2606:4700:4700::1001
Google Public DNS    2001:4860:4860::8844
Quad9                2620:fe::9

E) Select Off in the DNS over HTTPS drop menu.

10 When finished, click/tap on Save. (see screenshots below)

IPv4_DNS_settings.png
IPv6_DNS_settings.png

11 Verify the IPv4 DNS servers and IPv6 DNS servers you specified above all show as (Unencrypted). (see screenshot below)

If one shows as (Encrypted), then you will need to go back and select Off in the DNS over HTTPS drop menu for the DNS server address.


Verify_DNS_unencrypted.png

12 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

13 Copy and paste the command below into Windows Terminal (Admin), and press Enter to enable DoT settings. (see screenshot below step 15)

netsh dns add global dot=yes

14 Type the command below into Windows Terminal (Admin), and press Enter. (see screenshot below step 15)

netsh dns add encryption server=<DNS server address> dothost=: autoupgrade=yes

The dothost field equal to “:” means that the default DoT port will be used (853) and the domain name presented in the server’s TLS certificate will not be validated. To ensure proper validation of the connection, provide the expected domain name of the DoT server (the connection will use DoT’s designated port 853 without needing to specify it, as custom ports are not supported yet).


Substitute <DNS server address> in the command above with each of the actual DNS server addresses you specified, as shown in step 11.

You will need to run this command once for each of the IPv4 preferred DNS (ex: "1.1.1.1"), IPv4 alternate DNS (ex: "1.0.0.1"), IPv6 preferred DNS (ex: "2606:4700:4700::1111"), and IPv6 alternate DNS (ex: "2606:4700:4700::1001") server addresses you specified and that are shown in step 11.

For example:
netsh dns add encryption server=1.1.1.1 dothost=: autoupgrade=yes

netsh dns add encryption server=1.0.0.1 dothost=: autoupgrade=yes

netsh dns add encryption server=2606:4700:4700::1111 dothost=: autoupgrade=yes

netsh dns add encryption server=2606:4700:4700::1001 dothost=: autoupgrade=yes


15 Copy and paste the command below into Windows Terminal (Admin), and press Enter to flush the DNS resolver cache. (see screenshot below)

ipconfig /flushdns

Enable_DoT_command.png

16 Copy and paste the command below into Windows Terminal (Admin), and press Enter to verify if DoT is enabled. (see screenshot below step 17)

netsh dns show global

17 Verify DoT settings show as enabled. (see screenshot below)

If DoT settings show as disabled, re-run the netsh dns add global dot=yes command, and repeat step 16 to verify.


Verify_DoT_enabled_command.png

18 Copy and paste the command below into Windows Terminal (Admin), and press Enter to verify DoT encryption. (see screenshot below)

netsh dns show encryption

Verify_DoT_encryption_command-1.png

19 Scroll down and look for the IPv4 preferred DNS (ex: "1.1.1.1"), IPv4 alternate DNS (ex: "1.0.0.1"), IPv6 preferred DNS (ex: "2606:4700:4700::1111"), and IPv6 alternate DNS (ex: "2606:4700:4700::1001") server addresses you specified and shown in step 11. (see screenshot below)

The output should contain:
  • Encryption settings for <DNS server address>
  • DNS-over-TLS host set to either : or 853
  • Auto-upgrade set to Yes
  • UDP-fallback set to No.
Verify_DoT_encryption_command-2.png
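Steps 12 through 19 are four netsh commands followed by a visual check of their output. As an added example (not the tutorial author's or Microsoft's script), the PowerShell below runs the same commands for a list of resolver addresses and then checks the result programmatically. It assumes an elevated PowerShell on a Windows 11 build that supports DoT; the default addresses are the Cloudflare ones used in step 14. The text matching is an assumption built only on the labels the tutorial says appear in the output ("Encryption settings for", "DNS-over-TLS host", "Auto-upgrade", "UDP-fallback", and DoT reported as enabled), so spacing or casing may differ on your build. Resolve-DnsName and Get-NetTCPConnection are standard Windows cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the tutorial's netsh steps 13-19 and check the outcome.
# Not the page's or Microsoft's code. Output parsing is an ASSUMPTION based on
# the field names the tutorial lists for 'netsh dns show encryption'.

[CmdletBinding()]
param(
    [string[]]$Servers = @('1.1.1.1', '1.0.0.1', '2606:4700:4700::1111', '2606:4700:4700::1001'),
    # ':' keeps the default port 853 but skips certificate name validation (see step 14).
    # Pass the resolver's TLS hostname instead to have the name in its certificate checked.
    [string]$DotHost = ':'
)

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    $out = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $($out -join ' ')" }
    return $out
}

# Step 13: global DoT switch.
Invoke-Netsh @('dns', 'add', 'global', 'dot=yes') | Out-Null

# Step 14: one 'add encryption' per resolver address, exactly as the tutorial repeats it.
foreach ($s in $Servers) {
    Invoke-Netsh @('dns', 'add', 'encryption', "server=$s", "dothost=$DotHost", 'autoupgrade=yes') | Out-Null
}

# Step 15: flush cached answers so the next lookups take the DoT path.
ipconfig.exe /flushdns | Out-Null

# Steps 16-17: the global view should report DoT as enabled (label wording assumed).
$globalOut  = Invoke-Netsh @('dns', 'show', 'global')
$dotEnabled = [bool]($globalOut | Where-Object { $_ -match '(?i)DoT|DNS[- ]over[- ]TLS' } |
                                  Where-Object { $_ -match '(?i)enabled' })

# Steps 18-19: slice each server's block out of 'show encryption' and check its fields.
$encText   = (Invoke-Netsh @('dns', 'show', 'encryption')) -join "`n"
$perServer = foreach ($s in $Servers) {
    # From this server's "Encryption settings for" line up to the next such line (or end).
    $pattern = "(?si)Encryption settings for $([regex]::Escape($s))(?![\w.:])(.*?)(?=Encryption settings for|\z)"
    $m       = [regex]::Match($encText, $pattern)
    $block   = if ($m.Success) { $m.Groups[1].Value } else { '' }
    [pscustomobject]@{
        Server        = $s
        Configured    = $m.Success
        DotHostOk     = $block -match 'DNS-over-TLS host\s*:?\s*(:|853)'
        AutoUpgrade   = $block -match 'Auto-upgrade\s*:?\s*yes'
        NoUdpFallback = $block -match 'UDP-fallback\s*:?\s*no'
    }
}

Write-Host "DoT enabled globally: $dotEnabled"
$perServer | Format-Table -AutoSize

# Functional check: a lookup still succeeds, and live resolver sessions should sit on TCP 853
# (DoT's dedicated port) rather than plaintext UDP 53. Sessions are short-lived, so a count
# of zero right after the lookup is not by itself a failure.
try   { Resolve-DnsName -Name 'example.com' -Type A -ErrorAction Stop | Out-Null; $resolves = $true }
catch { $resolves = $false }
$dotSessions = Get-NetTCPConnection -RemotePort 853 -ErrorAction SilentlyContinue |
               Where-Object { $_.RemoteAddress -in $Servers }
Write-Host "Resolution works: $resolves; TCP/853 sessions to configured resolvers: $(@($dotSessions).Count)"

if (-not $dotEnabled -or ($perServer | Where-Object { -not $_.Configured })) {
    Write-Warning 'DoT is not fully configured; re-run step 13 and repeat step 16 as the tutorial describes.'
}
```

Save it as a .ps1 and run it from Windows Terminal (Admin); pass -Servers to use the Google or Quad9 addresses from the tables in steps 8 and 9, and -DotHost with the resolver's hostname if you want certificate name validation rather than the tutorial's ":" default.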

20 You can now close Settings and Windows Terminal (Admin) if you like.
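Step 14 notes that dothost=: means the name in the resolver's TLS certificate is not validated. The following added example (not the page's or Microsoft's code) makes that trade-off visible: it opens a TLS session to a resolver on port 853 exactly as a DoT client would, reads the certificate the server presents, and reports whether that certificate is valid for the hostname you expected. It needs outbound TCP/853 to the resolver. The address/hostname pair in the usage lines is Cloudflare's published one (1.1.1.1 and one.one.one.one); the mismatching name resolver.example is a constructed value chosen to show what a failed name check looks like.

```powershell
# Added example: inspect the certificate a DoT resolver presents on port 853 and report
# whether it is valid for the expected hostname. Not the tutorial's or Microsoft's code.
function Test-DotCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$ExpectedHost,
        [int]$Port = 853
    )
    $script:lastPolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    # Let the handshake complete regardless, but remember what validation found so it can be reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:lastPolicyErrors = $sslPolicyErrors
        return $true
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl    = $null
    try {
        $client.Connect($Server, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        # The hostname goes out as SNI and is what the certificate's names are checked against.
        $ssl.AuthenticateAsClient($ExpectedHost)
        $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $errs         = $script:lastPolicyErrors
        $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainErrors  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
        [pscustomobject]@{
            Server          = "${Server}:${Port}"
            ExpectedHost    = $ExpectedHost
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            SubjectAltNames = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
            NameMatches     = ([int]($errs -band $nameMismatch) -eq 0)
            ChainTrusted    = ([int]($errs -band $chainErrors) -eq 0)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage (constructed calls). Cloudflare's 1.1.1.1 with its published DoT name:
Test-DotCertificate -Server '1.1.1.1' -ExpectedHost 'one.one.one.one' | Format-List

# The same resolver checked against a name it does not hold reports NameMatches = False.
# With 'dothost=:' Windows performs no such name check; with 'dothost=<hostname>' it does.
Test-DotCertificate -Server '1.1.1.1' -ExpectedHost 'resolver.example' | Format-List
```

ChainTrusted reflects the machine's own root store, so a False there on a corporate device may simply mean the chain is not trusted locally; NameMatches is the property the dothost choice affects.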


That's it,
Shawn Brink

I used Cloudflare's secure DNS against malware, not just set in Windows, but also on my Fritz!box router:
Code:
Use other DNSv4 servers

Preferred DNSv4 server
1.1.1.2
Alternative DNSv4 server
1.0.0.2


Use other DNSv6 servers

Preferred DNSv6 server
2606:4700:4700::1112
Alternative DNSv6 server
2606:4700:4700::1002


DNS over TLS (DoT)

√ Encrypted name resolution in the internet (DNS over TLS)
√ Force a certificate check for encrypted name resolution in the internet
Only allow servers that are fully validated.
This setting should be disabled only if the identity of the server is known.

√ Allow fallback to non-encrypted name resolution in the internet
   Allow a fallback to non-encrypted DNS traffic if all encrypted servers fail.

   Attention: If this setting is disabled, a complete DNS failure can result.


Resolved Names of the DNS Server
security.cloudflare-dns.com

@Brink, my question is, do I need to set it up in Windows when I have it on my router already (even though I did do that for all my PCs)?
@Brink, my question is, do I need to set it up in Windows when I have it on my router already (even though I did do that for all my PCs)?

Hey Cliff, :alien:

You shouldn't need to since the source router is already set to use that DNS.

You could set the DNS for Windows just to make sure though.
Thanks Shawn :cool: (y)
Some information I found regarding DoT versus DoH: Understanding DoT and DoH (DNS over TLS vs. DNS over HTTPS) - ClouDNS Blog

Which is better, DoT or DoH?
The answer to this depends on the company or even each IT security professional’s specific needs. However, there are a few facts that can be pointed out:

From a network security standpoint, DoT is often preferred because it allows network administrators to monitor and block DNS queries. This helps them identify and stop potential malicious traffic.

From a privacy perspective, DoH might be preferable since DNS queries are hidden within the larger flow of HTTPS traffic. This provides users with more privacy but makes it harder for network administrators to block malicious traffic, as doing so would require blocking all other HTTPS traffic as well.

So for the normal home user without a home server setup, sticking with DoH is the better choice, but go to the link and read more.