Network and Internet Enable DNS over TLS (DoT) in Windows 11


  • Staff
DNS_banner.png

A DNS (Domain Name System) server is the service that makes it possible for you to open a web browser, type a domain name and load your favorite websites.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. Windows 11 includes built-in support for DoH.

Starting with Windows 11 build 25158, DNS over TLS (DoT) testing is now available for Windows DNS client query protection. The setup requires some command line use and is recommended for advanced networking users.

DNS over TLS (DoT) is an alternative encrypted DNS protocol to DNS over HTTPS (DoH). Where DoH treats DNS traffic as one more HTTPS data stream over port 443, DoT dedicates port 853 to encrypted DNS traffic and runs directly over a TLS tunnel without HTTP layering underneath. This may result in a small performance improvement depending on the network environment at the cost of the flexibility HTTPS-based protocols can provide.

Reference:
DNS over TLS vs. DNS over HTTPS | Secure DNS

This tutorial will show you how to change your DNS Server address and enable DNS over TLS (DoT) in Windows 11.


You must be signed in as an administrator to change the DNS server address and enable DoT.




Here's How:

1 Open Settings (Win+I).

2 Click/tap on Network & internet on the left side. (see screenshot below)


DoT-1.png

3 Do step 4 (current), step 5 (specific), or step 6 (all Wi-Fi) below for which network connection or adapter you want to enable DoT for.

4 Enable DNS over TLS (DoT) for a Current Network Connection

This will be for a network connection you are currently connected to.


A) Click/tap on Properties of the connected network you want to enable DoT for at the top on the right side. (see screenshot below)​

Current_DoT-1.png

B) Click/tap on the Ethernet or Wi-Fi connection you want to enable DoT for. (see screenshots below)​

Current_DoT-2.png
Current_DoT-3.png

C) Click/tap on the Edit button under DNS server assignment on the right side, and go to step 7. (see screenshots below)​

If you have a The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved. type message, then it means you used step 6 that overrides this setting. You can click/tap on the Change DNS settings for all Wi-Fi networks link instead, and then click/tap on the Edit button in step 6.


DoT-2.png
DoT-5.png

5 Enable DNS over TLS (DoT) for Specific Network Connection

This will be for a network connection you do not have to be currently connected to.


A) Click/tap on Wi-Fi or Ethernet for the type of network connection you want to enable DoT for. (see screenshot below)​

Specific_DoT-1.png

B) Perform one of the following actions: (see screenshots below)​
  • For Ethernet, click/tap on the connection you want to enable DoT for.
  • For Wi-Fi, click/tap on Manage known networks, and click/tap on the known Wi-Fi network connection you want to enable DoT for.
Current_DoT-2.png
Specific_DoT-2.png
Specific_DoT-3.png

C) Click/tap on the Edit button under DNS server assignment on the right side, and go to step 7. (see screenshots below)​

If you have a The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved. type message, then it means you used step 6 that overrides this setting. You can click/tap on the Change DNS settings for all Wi-Fi networks link instead, and then click/tap on the Edit button in step 6.


DoT-2.png
DoT-5.png

6 Enable DNS over TLS (DoT) for Wi-Fi Network Adapter

This will include all connections you make from the selected Wi-Fi network adapter.

This will override what is set for a network connection in step 4 and/or step 5.


A) Click/tap on Wi-Fi. (see screenshot below)​

All_DoT-1.png

B) Click/tap on Hardware properties. (see screenshot below)​

All_DoT-2.png

C) Click/tap on the Edit button under DNS server assignment on the right side, and go to step 7. (see screenshot below)​

All_DoT-3.png

7 Select Manual in the drop menu at the top. (see screenshots below step 10)

8 Enable DoT for IPv4

A) Turn on IPv4. (see screenshots below step 10)​

B) Type a Preferred DNS you want to use that supports DoH. (see table below)​

DoT DNS server​
Preferred DNS for IPv4​
Cloudflare1.1.1.1
Google Public DNS8.8.8.8
Quad99.9.9.9

C) Select Off in the DNS over HTTPS drop menu.​

D) Type an Alternate DNS you want to use that supports DoT. (see table below)​

DoT DNS server​
Alternate DNS for IPv4​
Cloudflare1.0.0.1
Google Public DNS8.8.4.4
Quad9149.112.112.112

E) Select Off in the DNS over HTTPS drop menu.​

9 Enable DoT for IPv6

A) Turn on IPv6. (see screenshots below step 10)​

B) Type a Preferred DNS you want to use that supports DoT. (see table below)​

DoT DNS server​
Preferred DNS for IPv6​
Cloudflare2606:4700:4700::1111
Google Public DNS2001:4860:4860::8888
Quad92620:fe::fe

C) Select Off in the DNS over HTTPS drop menu.​

D) Type an Alternate DNS you want to use that supports DoT. (see table below)​

DoT DNS server​
Alternate DNS for IPv6​
Cloudflare2606:4700:4700::1001
Google Public DNS2001:4860:4860::8844
Quad92620:fe:::9

E) Select Off in the DNS over HTTPS drop menu.​

10 When finished, click/tap on Save. (see screenshots below)

IPv4_DNS_settings.png
IPv6_DNS_settings.png

11 Verify the IPv4 DNS servers and IPv6 DNS servers you specified above all show as (Unencrypted). (see screenshot below)

If one shows as (Encrypted), then you will need to go back and select Off in the DNS over HTTPS drop menu for the DNS server address.


Verify_DNS_unencrypted.png

12 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

13 Copy and paste the command below into Windows Terminal (Admin), and press Enter to enable DoT settings. (see screenshot below step 15)

netsh dns add global dot=yes

14 Type the command below into Windows Terminal (Admin), and press Enter. (see screenshot below step 15)

netsh dns add encryption server=<DNS server address> dothost=: autoupgrade=yes

The dothost field equal to “:” means that the default DoT port will be used (853) and the domain name presented in the server’s TLS certificate will not be validated. To ensure proper validation of the connection, provide the expected domain name of the DoT server (the connection will use DoT’s designated port 853 without needing to specify it, as custom ports are not supported yet).


Substitute <DNS server address> in the command above with the actual DNS server addresses you specified and shown in step 11.

You will need to repeat this command for the IPv4 preferred DNS (ex: "1.1.1.1"), IPv4 alternate DNS (ex: "1.0.0.1"), IPv6 preferred DNS (ex: "2606:4700:4700::1111"), and IPv6 alternate DNS (ex: "2606:4700:4700::1001") server addresses you specified and shown in step 11.

For example:
netsh dns add encryption server=1.1.1.1 dothost=: autoupgrade=yes

netsh dns add encryption server=1.0.0.1 dothost=: autoupgrade=yes

netsh dns add encryption server=2606:4700:4700::1111 dothost=: autoupgrade=yes

netsh dns add encryption server=2606:4700:4700::1001 dothost=: autoupgrade=yes


15 Copy and paste the command below into Windows Terminal (Admin), and press Enter to flush the DNS resolver cache. (see screenshot below)

ipconfig /flushdns

Enable_DoT_command.png

16 Copy and paste the command below into Windows Terminal (Admin), and press Enter to verify if DoT is enabled. (see screenshot below step 17)

netsh dns show global

17 Verify DoT settings show as enabled. (see screenshot below)

If DoT settings shows as disabled, then re-run the netsh dns add global dot=yes command, and repeat step 16 to verify.


Verify_DoT_enabled_command.png

18 Copy and paste the command below into Windows Terminal (Admin), and press Enter to verify DoT encryption. (see screenshot below)

netsh dns show encryption

Verify_DoT_encryption_command-1.png

19 Scroll down and look for the IPv4 preferred DNS (ex: "1.1.1.1"), IPv4 alternate DNS (ex: "1.0.0.1"), IPv6 preferred DNS (ex: "2606:4700:4700::1111"), and IPv6 alternate DNS (ex: "2606:4700:4700::1001") server addresses you specified and shown in step 11. (see screenshot below)

The output should contain:
  • Encryption settings for <DNS server address>
  • DNS-over-TLS host set to either : or 853
  • Auto-upgrade set to Yes
  • UDP-fallback set to No.
Verify_DoT_encryption_command-2.png

20 You can now close Settings and Windows Terminal (Admin) if you like.


That's it,
Shawn Brink


 

Attachments

  • DNS.png
    DNS.png
    21.3 KB · Views: 2
Last edited:

Latest Tutorials

Top Bottom