Credit and thanks for feature work to Alexandru Jercaianu and Vladimir Cernov
If you have been waiting to try DNS over HTTPS (DoH) on Windows 10, you're in luck: the first testable version is now available to Windows Insiders! If you haven’t been waiting for it, and are wondering what DoH is all about, then be aware this feature will change how your device connects to the Internet and is in an early testing stage so only proceed if you’re sure you’re ready. Having said that, if you want to see the Windows DoH client in action and help us create a more private Internet experience for our customers, here is what you need to do:
Step 1: How do I get a Windows build with DoH support?
First, make sure your Microsoft account is part of the Windows Insider Program. If you know you are already a Windows Insider, make sure you are in the Fast ring and go to Step 2. If not, join the Windows Insider Program and follow the instructions for the Fast ring so you can get the latest Insider Preview build.
Once this is done, run Windows Update, reboot, and verify you’re running Build 19628 or higher. You can check this by going to the Settings app -> System -> About.
Step 2: How do I turn on the DoH feature?
Once you know your Windows install has our DoH client, we need to activate it. You can do that by:
- Open the Registry Editor
- Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry key
- Create a new DWORD value named “EnableAutoDoh”
- Set its value to 2
Please note: the registry keys and values described here are only for enabling DoH client testing on Insider builds. When the DoH client is made available in general release builds, registry configuration of DoH will not be supported.
Step 3: How do I add DoH servers to Windows?
Now that the DoH client is active, Windows will start using DoH if you already have one of these servers configured:
Server IP addresses
You can configure Windows to use any of these IP addresses as a DNS server through the Control Panel or the Settings app. The next time the DNS service restarts, we’ll start using DoH to talk to these servers instead of classic DNS over port 53. The easiest way to trigger a DNS service restart is by rebooting the computer.
To add a DNS server in the Control Panel:
- Go to Network and Internet -> Network and Sharing Center -> Change adapter settings.
- Right click on the connection you want to add a DNS server to and select Properties.
- Select either “Internet Protocol Version 4 (TCP/IPv4)” or “Internet Protocol Version 6 (TCP/IPv6)” and click Properties.
- Ensure the “Use the following DNS server addresses” radio button is selected and add the DNS server address into the fields below.
Step 4: How do I know DoH is working?
Now that you have Windows configured to use DoH, you should be able to verify it’s working by confirming there is no more plain text DNS traffic from your device. You can do this with Packetmon (pktmon), a network traffic analyzer included with Windows.
Start by opening a new Command Prompt or PowerShell window. Run the following command to reset any network traffic filters Packetmon may already have in place.
pktmon filter remove
Run the following command to add a traffic filter for port 53, the port classic DNS uses (and which should now be silent since we’re only using DoH).
pktmon filter add -p 53
Run the following command to start real-time logging of traffic. All port 53 packets will be printed to the command line. If your device is only configured with DoH servers, this should show little to no traffic.
pktmon start --etw -m real-time
Step 5: How do I use a DoH server that isn’t on the auto-promotion list?
If you’re trying to test a DoH server that isn’t already on our auto-promotion list, such as your ISP’s DoH servers, you can add it to our list manually using the command line. First, identify the IP address and the DoH URI template for the server you want to add. Then, run the following command as an administrator:
netsh dns add encryption server=<your-server’s-IP-address> dohtemplate=<your-server’s-DoH-URI-template>
You can verify the template was applied to the well-known DoH server list by running this command, which should show you the template being used for a given IP address:
netsh dns show encryption server=<your-server’s-IP-address>
Now when Windows is configured to use that IP address as a DNS server, it will use DoH instead of classic DNS.
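The build check from Step 1, the registry switch from Step 2, the server registration from Step 5, the DNS server assignment from Step 3 and the netsh verification, collected into one elevated PowerShell script. This is an added example, not code from the original post or from Microsoft; the server IP (192.0.2.53, from the TEST-NET-1 documentation range), the URI template (doh.example.net) and the adapter alias (“Ethernet”) are placeholders you replace with your own values.

```powershell
# Added example, not part of the original post. Run from an elevated
# PowerShell prompt on an Insider build; replace the placeholder values.
#Requires -RunAsAdministrator

$MinBuild    = 19628                                 # first build with the DoH client
$DohServerIp = '192.0.2.53'                          # placeholder (TEST-NET-1 range)
$DohTemplate = 'https://doh.example.net/dns-query'   # placeholder URI template
$Adapter     = 'Ethernet'                            # placeholder adapter alias

# Step 1: the DoH client only exists on Build 19628 or higher.
$currentVersion = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int](Get-ItemProperty -Path $currentVersion).CurrentBuild
if ($build -lt $MinBuild) {
    throw "Build $build is below $MinBuild; update to a newer Insider build first."
}

# Step 2: enable the DoH client for testing (Insider-only registry switch).
$dnscache = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
New-ItemProperty -Path $dnscache -Name 'EnableAutoDoh' -PropertyType DWord `
    -Value 2 -Force | Out-Null

# Step 5: register a server that is not on the auto-promotion list so that
# Windows knows which DoH URI template belongs to this IP address.
netsh dns add encryption "server=$DohServerIp" "dohtemplate=$DohTemplate"

# Step 3: point the adapter at that IP. Windows switches it to DoH the next
# time the DNS service restarts; rebooting is the simplest way to trigger that.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DohServerIp

# Verify the template is associated with the IP before rebooting. After the
# reboot, the pktmon port 53 filter from Step 4 should stay quiet.
netsh dns show encryption "server=$DohServerIp"
```

If the show command prints no template for the address, the add command did not take effect and Windows will keep using classic DNS on port 53 for that server.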