Forum Discussion
DNS-over-TLS on Windows 11: why does the DNS client negotiate TLS 1.2 instead of TLS 1.3?
Hi,
We have configured DNS-over-TLS (DoT) on Windows 11 (latest version, 25H2) using:
netsh dns add encryption server=<ip> dothost=<hostname> autoupgrade=yes
After capturing and analyzing DNS traffic, we noticed that the DNS client always sends a TLS 1.2-only Client Hello, with no supported_versions extension offering TLS 1.3. This causes connection failures with DoT servers that require TLS 1.3.
While researching this behavior, we found a Microsoft Q&A discussion mentioning that applications using the legacy SCHANNEL_CRED structure cannot negotiate TLS 1.3, while applications using the newer SCH_CREDENTIALS structure can.
Could you confirm whether the Windows DNS client still uses SCHANNEL_CRED for DoT connections? If so, is there a plan to update it to SCH_CREDENTIALS to enable proper TLS 1.3 support?
Thank you.
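As an added example (not part of the original post), here is a small Python parser that performs the check described above on a captured ClientHello: it reports whether a supported_versions extension offering TLS 1.3 (0x0304) is present and otherwise falls back to the record's legacy_version. It assumes the input is a single TLS record holding a complete ClientHello; the sample bytes are constructed inline, not captured from a Windows DNS client.

```python
import struct

SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 extension type

def parse_client_hello(record: bytes) -> dict:
    """Return legacy_version and supported_versions (empty list if absent)."""
    if record[0] != 0x16:  # TLS record content type: handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if body[0] != 0x01:  # handshake type: ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                           # skip random
    pos += 1 + hello[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                                  # compression_methods
    versions = []
    if pos < len(hello):                                   # extensions are optional
        ext = hello[pos + 2:pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]]
        i = 0
        while i + 4 <= len(ext):
            etype, elen = struct.unpack("!HH", ext[i:i + 4])
            data = ext[i + 4:i + 4 + elen]
            if etype == SUPPORTED_VERSIONS_EXT:
                # ClientHello form: 1-byte list length, then 2-byte versions
                versions = [struct.unpack("!H", data[j:j + 2])[0]
                            for j in range(1, 1 + data[0], 2)]
            i += 4 + elen
    return {"legacy_version": legacy_version, "supported_versions": versions}

def max_offered_version(record: bytes) -> int:
    """TLS 1.3 (0x0304) can only be offered via supported_versions."""
    info = parse_client_hello(record)
    return max(info["supported_versions"], default=info["legacy_version"])

def build_client_hello(legacy_version: int, extensions: bytes = b"") -> bytes:
    """Constructed minimal ClientHello: zero random, one suite, null compression."""
    hello = (struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"
             + b"\x00\x02\x13\x01" + b"\x01\x00")
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: the 1.2-only shape the post describes, and a 1.3-capable one.
SV_EXT = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 5) + b"\x04\x03\x04\x03\x03"
TLS12_ONLY = build_client_hello(0x0303)
TLS13_CAPABLE = build_client_hello(0x0303, SV_EXT)
```

To check a real capture, pass the raw bytes of the first TLS record on the DoT connection (port 853) to max_offered_version; a result of 0x0303 with an empty supported_versions list is exactly the 1.2-only behaviour described above.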
3 Replies
- Eliseoiw (Brass Contributor)
Based on your detailed traffic analysis and the specific question about Schannel structures, I can confirm your suspicion is highly likely correct. The Windows DNS client almost certainly uses the legacy SCHANNEL_CRED structure for its DoT connections, which is why it cannot negotiate TLS 1.3.
- Rantana (Brass Contributor)
In the dialog box that appears when creating a new desktop, you'll see an option that says "Copy all open apps". Uncheck this option to prevent the new desktop from copying all open apps from the current desktop.
- Izannki (Brass Contributor)
As of Windows 11 (including 25H2), the DNS client still predominantly uses SCHANNEL_CRED when establishing DoT connections.