Forum Discussion
lAlexl
Apr 07, 2026 | Copper Contributor
DNS-over-TLS on Windows 11: why does the DNS client negotiate TLS 1.2 instead of TLS 1.3?
Hi, we have configured DNS-over-TLS (DoT) on Windows 11 (latest version, 25H2) using: netsh dns add encryption server=<ip> dothost=<hostname> autoupgrade=yes After capturing and analyzing...
Eliseoiw
Apr 14, 2026 | Brass Contributor
Based on your detailed traffic analysis and the specific question about Schannel structures, I can confirm your suspicion is highly likely correct. The Windows DNS client almost certainly uses the legacy SCHANNEL_CRED structure for its DoT connections, which is why it cannot negotiate TLS 1.3.
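The check both posts rely on is reading the negotiated TLS version out of the captured ServerHello on port 853. A common pitfall is that a TLS 1.3 ServerHello still carries 0x0303 (TLS 1.2) in its legacy_version field; the real selected version lives in the supported_versions extension (type 43). The script below is an added example, not code from either poster or from Microsoft: it parses a raw ServerHello record and reports both the legacy field and the actually negotiated version, so a TLS 1.2-only DoT session (as described above) can be told apart from a 1.3 session that merely looks like 1.2. The two sample records are constructed in the script itself; in practice you would feed it the handshake bytes exported from your capture tool.

```python
import struct

# Constructed samples and helpers for illustrating ServerHello parsing
# (not a real capture from the poster's DoT server).

VERSION_NAMES = {
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 extension type 43
CONTENT_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02


def build_server_hello(legacy_version, cipher_suite, selected_version=None):
    """Build a minimal TLS record carrying a ServerHello (constructed sample)."""
    random_bytes = bytes(range(32))          # placeholder server random
    session_id = b""
    extensions = b""
    if selected_version is not None:
        # In a ServerHello the supported_versions data is one 2-byte version.
        ext_data = struct.pack("!H", selected_version)
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body = struct.pack("!H", legacy_version) + random_bytes
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", cipher_suite) + b"\x00"      # compression: null
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_HANDSHAKE]) + struct.pack("!H", 0x0303)
            + struct.pack("!H", len(handshake)) + handshake)


def negotiated_tls_version(record):
    """Parse one handshake record and return the legacy and negotiated versions."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")

    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                  # skip server random
    sid_len = body[pos]
    pos += 1 + sid_len                         # skip legacy session id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 1                                   # skip compression method

    selected = legacy_version                  # default when no extension present
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type == EXT_SUPPORTED_VERSIONS and len(ext_data) == 2:
                selected = struct.unpack("!H", ext_data)[0]

    return {
        "legacy_version": VERSION_NAMES.get(legacy_version, f"0x{legacy_version:04x}"),
        "negotiated": VERSION_NAMES.get(selected, f"0x{selected:04x}"),
        "cipher_suite": cipher_suite,
    }


# Constructed sample 1: a TLS 1.2 ServerHello (ECDHE-RSA-AES128-GCM-SHA256, 0xC02F).
SAMPLE_TLS12 = build_server_hello(0x0303, 0xC02F)
# Constructed sample 2: a TLS 1.3 ServerHello (TLS_AES_128_GCM_SHA256, 0x1301);
# note its legacy_version is still 0x0303.
SAMPLE_TLS13 = build_server_hello(0x0303, 0x1301, selected_version=0x0304)

if __name__ == "__main__":
    for name, rec in (("tls12", SAMPLE_TLS12), ("tls13", SAMPLE_TLS13)):
        print(name, negotiated_tls_version(rec))
```

Both samples report "TLS 1.2" in legacy_version; only the supported_versions extension separates them. If your captured ServerHello has no supported_versions extension and a pre-1.3 cipher suite, the client really did settle on TLS 1.2, which matches the Schannel explanation in the reply above.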