Blog Post

Networking Blog

3 MIN READ

DNS over TLS available to Windows Insiders

tojens

Microsoft

Jul 13, 2022

Credit and thanks to Alex Jercaianu, Matthew Cox, Miguel Reyes Badilla, and Milan Justel for implementation work

DNS over TLS (DoT) is an alternative encrypted DNS protocol to DNS over HTTPS (DoH). Where DoH treats DNS traffic as one more HTTPS data stream over port 443, DoT dedicates port 853 to encrypted DNS traffic and runs directly over a TLS tunnel without HTTP layering underneath. This may result in a small performance improvement depending on the network environment at the cost of the flexibility HTTPS-based protocols can provide.

Client support for DoH was shipped in Windows 11 and Windows Server 2022. Starting today, the latest Windows Insider builds also offer client support for DoT.

How to evaluate DoT on Insider builds

First things first: install the latest Windows Insider build (25158 or higher). DoT support is not yet available to non-Insider builds of Windows.

Next, configure a DoT-providing DNS resolver as the primary and only resolver (this will ensure no accidental fallback covers up DoT failures). This can be done by following these steps:

Go to Settings -> Network (this should load the view for the current default network connection)
Click on Wi-Fi or Ethernet (likely the top row)
Click “Hardware properties” (likely the bottom row)
On the “DNS server assignment:” row, click the “Edit” button
Turn on the “IPv4” and/or “IPv6” switches
Type the IP address of the DoT server to test into the “Preferred DNS” text box
Save and confirm that “<resolver-IP-address> (Unencrypted)” shows up on the “IPv4 DNS servers:” row in the list of configurations near the bottom of this view

Next, in an elevated command line prompt, run the following commands:

netsh dns add global dot=yes
netsh dns add encryption server=<the-ip-address-configured-as-the-DNS-resolver> dothost=: autoupgrade=yes
ipconfig /flushdns

Note that the “dothost” field equal to “:” means that the default DoT port will be used (853) and the domain name presented in the server’s TLS certificate will not be validated. To ensure proper validation of the connection, provide the expected domain name of the DoT server (the connection will use DoT’s designated port 853 without needing to specify it, as custom ports are not supported yet).

These settings should take effect immediately without a reboot. Packet captures should show heavy traffic on port 853 and minimal traffic on port 53.

What to check if it does not work

If this results in a loss of Internet connectivity, here are some things to check to make sure no steps were missed. First, verify the build of Windows supports DoT (DoT is only supported on Insider builds 25158 or later).

Next, run the following command

netsh dns show global

The output should include a line that says “DoT settings: enabled”. If not, re-run this command:

netsh dns add global dot=yes

Next, run this command:

netsh dns show encryption

The output should contain “Encryption settings for <the-IP-address-for-the-configured-DoT-resolver>” with a DNS over TLS host, auto-upgrade set to yes, and UDP fallback set to no. If not, be sure the “netsh dns add encryption” command ran without errors and the parameters correctly specify the properties of the DoT resolver.

Next, review the DNS configuration view to see that the Settings app has the expected DNS resolver configured. Note that even if DoT is working, the text will still say “<resolver-IP-address> (Unencrypted)”; this is expected.

Next, verify the network being used does not perform port 853 blocking and that the resolvers do indeed support DoT. The public resolvers provided by Quad9, Cloudflare, Cisco (OpenDNS), and Google have been tested and are known to work.

If DoT is still not working, connectivity can be restored by changing the configured resolvers or by setting DNS configuration back to automatic to get DNS configuration from the network.

Updated Jul 11, 2022

Version 1.0

DNS

DoT

tojens

Microsoft

Technical PM for the Windows native HTTP stacks, IPv6 transition tech, and various IETF engagements

View Profile

Networking Blog

The Official Blog Site of the Windows Core Networking Team at Microsoft

22 Comments

raweh
Copper Contributor
Aug 22, 2023
Hello Guys,

I have a question about DoT and I hope someone can answer it for me. DoT is described in detail in RFC 7858 and RFC 8310. My question is, do you know if the protocol has changed at Microsoft? Or has it stayed the same and they have left the protocol as it is?
doctordns
Brass Contributor
Jun 26, 2023
Thanks for the comment, but I think you miss the point. I love the idea of DNS Over TLS. It is a great feature, and I'd like to use it and recommend it. But I can't for the simple reason is that we use the MS DNS server built into Windows Server. As do a lot of companies. Until that service supports DNS over TLS is not useful. Having to move to Linux for DNS is NOT a great substitute to the excellent DNS AD integrated zones for example. My comment was that just adding client support is not helpful to advance this technology.
HotCakeX
MVP
Jan 12, 2023
doctordns
I can't talk on behalf of MSFT developers but from my end-user point of view, there is no problem.
Windows server doesn't support DNS over TLS yet? Ok, you have DNS over HTTPS which does the same thing, so use it, until DNS over TLS is implemented in Windows Server.

Take another OS like Android as an example, it took Google many years just to implement DNS over HTTPS and even after they did it, they still only let you use 2 DoH servers, so not just any DoH server that you like.

For what it's worth, technically, DNS over HTTPS is better than DNS over TLS. DoH uses the same HTTPS port and your traffic blends in with the rest of the HTTPS traffic so nobody can even tell you are using DoH, but DoT uses a separate port by default, makes it very obvious you are using DoT.
doctordns
Brass Contributor
Jan 12, 2023
that is an improvement.
But it does not fix the real problem. Namely that Windows Server DNS does not support this. Frankly, the feature has zero value if one actually uses Windows Server DNS. What PM thought it makes any sense to just do it client side only? Where is the joined up vision? Or is MSFT just in effect, deprecating DNS on Windows? J
HotCakeX
MVP
Jan 11, 2023
tojens
Hello again,
Thanks for that,
I've taken care of the insecure parts. that part of the Readme is now replaced with:

in order to make sure the module will always be able to acquire the IP addresses of the dynamic DoH server, even when the currently set IPv4s and IPv6s are outdated, it will first attempt to use the DNS servers set on the system (DNSSEC-aware query), if it fails to resolve the DoH domain, it will then use Cloudflare's Encrypted API using TLS 1.3 and TLS_CHACHA20_POLY1305_SHA256 cipher suite, which are the best encryption algorithms available.
also, since TLS_CHACHA20_POLY1305_SHA256 is available but not enabled by default in Windows 11, added a check to enable it if it's disabled, since cURL uses Schannel.

Please let me know what you think, Thanks.
tojens
Microsoft
Jan 09, 2023
HotCakeX thanks for reaching out. I can understand the convenience trade-off your module provides, but we will not be adding similar functionality in Windows, and this piece of your README highlights the reason why:

in order to make sure the module will be able to always acquire the IP addresses of the dynamic DoH server, even when the currently set IPv4s and IPv6s are outdated, it will first attempt to use the DNS servers set on the system, if it fails to resolve the DoH domain, it will then use Cloudflare's 1.1.1.1 to resolve the IP addresses of the dynamic DoH server. DNS queries made to Cloudflare's 1.1.1.1 will be un-encrypted and in plain text.

When the admin configures DoH, we want to provide a strong guarantee that there's no opportunity for any network path attacker to intercept a bootstrap query. In other words, we prefer a stronger security/functionality trade-off when encrypted DNS is manually configured.
HotCakeX
MVP
Jan 08, 2023
I created a PowerShell module that will take care of DNS over HTTPS servers that don't have a stable IP address. works over any network condition.

https://github.com/HotCakeX/WinSecureDNSMgr/

tojens please add PowerShell equivalent of the commands above.
HotCakeX
MVP
Jan 08, 2023
doctordns
you can use DNS over HTTPS until DNS over TLS is added to Windows Server.
https://learn.microsoft.com/en-us/windows-server/networking/dns/doh-client-support
fbifido
Brass Contributor
Jul 29, 2022
Google Online Security Blog: DNS-over-HTTP/3 in Android (googleblog.com)
doctordns
Brass Contributor
Jul 26, 2022
First, requiring the IP address makes sense. ALthough I'd point out that (at least with server) one can specify a DNS sever name and Windows does the resolution. I think WIndows should offer that, despite the chicken/egg issue. BY all means pop up a horrible dialog box warning the user of the danger.

Second, I love this feature. But frankly, it is utterly useless to me unless there is Server support. ALL my client boxes exclusively use Windows Server 2022 DNS servers. I really do not want to have to get to grips with Linux and migrate back to much older tech (Linux does not Support AD integrated zones) with the extra work that entails (e.g. we must create DNS replication instead of just relying on AD, etc).

When will we get server-side DOT support so i CAN test this?