Forum Discussion

lAlexl
Copper Contributor
Apr 07, 2026

DNS-over-TLS on Windows 11: why does the DNS client negotiate TLS 1.2 instead of TLS 1.3?

Hi,

We have configured DNS-over-TLS (DoT) on Windows 11 (latest version, 25H2) using:

netsh dns add encryption server=<ip> dothost=<hostname> autoupgrade=yes

After capturing and analyzing DNS traffic, we noticed that the DNS client always sends a TLS 1.2-only Client Hello, with no supported_versions extension offering TLS 1.3. This causes connection failures with DoT servers that require TLS 1.3.

While researching this behavior, we found a Microsoft Q&A discussion mentioning that applications using the legacy SCHANNEL_CRED structure cannot negotiate TLS 1.3, while applications using the newer SCH_CREDENTIALS structure can.

Could you confirm whether the Windows DNS client still uses SCHANNEL_CRED for DoT connections? If so, is there a plan to update it to SCH_CREDENTIALS to enable proper TLS 1.3 support?

Thank you.
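The observation in the post above (a Client Hello that carries no supported_versions extension and therefore offers nothing above TLS 1.2) can be verified from a packet capture without trusting a dissector's summary. The following is an added example, not code from the original post or from Microsoft: it builds two constructed Client Hello records, one TLS 1.2-only and one that advertises TLS 1.3 via the supported_versions extension (type 0x002b), and a small parser that reports which versions a hello actually offers. The builder exists only to produce labelled sample input; on a real capture you would feed parse_client_hello() the TCP payload of the first record sent to port 853.

```python
"""Parse a TLS ClientHello and report which protocol versions it offers.

Added example (not from the original post). A TLS 1.3-capable client sends
legacy_version 0x0303 plus a supported_versions extension listing 0x0304;
a TLS 1.2-only client omits that extension, so a TLS 1.3-only server
rejects the handshake. This parser makes that difference visible.
"""
import struct

TLS_VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                     0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B          # RFC 8446, section 4.2.1
TLS_AES_128_GCM_SHA256 = 0x1301          # a TLS 1.3 suite
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F  # a TLS 1.2 suite


def build_client_hello(legacy_version, cipher_suites, supported_versions=None):
    """Build a minimal TLS record carrying a ClientHello (constructed sample input only)."""
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32                       # client random; constant so samples are reproducible
    body += b"\x00"                            # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    extensions = b""
    if supported_versions is not None:
        versions = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = struct.pack("!B", len(versions)) + versions
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big")      # HandshakeType client_hello
    handshake += body
    # Record layer: content type handshake (0x16), record version 0x0301, length
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the legacy_version, the versions actually offered, and whether TLS 1.3 is among them."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 0
    legacy_version = struct.unpack_from("!H", body, off)[0]
    off += 2
    off += 32                                  # skip client random
    sid_len = body[off]
    off += 1 + sid_len                         # skip legacy_session_id
    cs_len = struct.unpack_from("!H", body, off)[0]
    off += 2 + cs_len                          # skip cipher_suites
    cm_len = body[off]
    off += 1 + cm_len                          # skip compression_methods
    supported = []
    if off < len(body):                        # extensions block is optional
        ext_len = struct.unpack_from("!H", body, off)[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            ext_type, ext_size = struct.unpack_from("!HH", body, off)
            off += 4
            data = body[off:off + ext_size]
            off += ext_size
            if ext_type == EXT_SUPPORTED_VERSIONS:
                n = data[0]                    # 1-byte length of the version list
                supported = [struct.unpack_from("!H", data, 1 + 2 * i)[0] for i in range(n // 2)]
    # Without supported_versions, legacy_version is the highest version on offer.
    offered = supported if supported else [legacy_version]
    return {
        "legacy_version": TLS_VERSION_NAMES.get(legacy_version, hex(legacy_version)),
        "offered_versions": [TLS_VERSION_NAMES.get(v, hex(v)) for v in offered],
        "offers_tls13": 0x0304 in offered,
    }


# Constructed samples modelling the two behaviours discussed in the post.
LEGACY_HELLO = build_client_hello(0x0303, [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256])
MODERN_HELLO = build_client_hello(0x0303,
                                  [TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256],
                                  supported_versions=[0x0304, 0x0303])

if __name__ == "__main__":
    for name, rec in (("legacy (SCHANNEL_CRED-style)", LEGACY_HELLO),
                      ("modern (offers TLS 1.3)", MODERN_HELLO)):
        print(name, parse_client_hello(rec))
```

A hello whose result has offers_tls13 False is exactly the case the post describes: the record version and legacy_version both read 0x0303 and the only way to know TLS 1.3 is absent is the missing extension, which is why checking the extension list rather than the version field is the reliable test.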

1 Reply

Izannki
Brass Contributor

As of Windows 11 (including 25H2), the DNS client still predominantly uses SCHANNEL_CRED when establishing DoT connections.