Windows Insiders can now test DNS over HTTPS
Published May 13 2020 10:00 AM 176K Views
Microsoft

Credit and thanks for feature work to Alexandru Jercaianu and Vladimir Cernov

If you have been waiting to try DNS over HTTPS (DoH) on Windows 10, you're in luck: the first testable version is now available to Windows Insiders! If you haven’t been waiting for it and are wondering what DoH is all about, be aware that this feature changes how your device connects to the Internet and is at an early testing stage, so only proceed if you’re sure you’re ready. Having said that, if you want to see the Windows DoH client in action and help us create a more private Internet experience for our customers, here is what you need to do:

Step 1: How do I get a Windows build with DoH support?

First, make sure your Microsoft account is part of the Windows Insider Program. If you know you are already a Windows Insider, make sure you are in the Fast ring and go to Step 2. If not, go here and follow the instructions for the Fast ring so you can get the latest Insider Preview build.

Once this is done, run Windows Update, reboot, and verify you’re running Build 19628 or higher. You can do this by clicking here or by going to the Settings app -> System -> About.

Step 2: How do I turn on the DoH feature?

Once you know your Windows install has our DoH client, we need to activate it. You can do that by:

  • Opening the Registry Editor
  • Navigating to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry key
  • Creating a new DWORD value named “EnableAutoDoh”
  • Setting its value to 2

Please note: the registry keys and values described here are only for enabling DoH client testing on Insider builds. When the DoH client is made available in general release builds, registry configuration of DoH will not be supported.

Step 3: How do I add DoH servers to Windows?

Now that the DoH client is active, Windows will start using DoH if you already have one of these servers configured:

Server Owner   Server IP addresses
Cloudflare     1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
Google         8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844
Quad9          9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::fe:9

You can configure Windows to use any of these IP addresses as a DNS server through the Control Panel or the Settings app. The next time the DNS service restarts, we’ll start using DoH to talk to these servers instead of classic DNS over port 53. The easiest way to trigger a DNS service restart is by rebooting the computer.

To add a DNS server in the Control Panel:

  • Go to Network and Internet -> Network and Sharing Center -> Change adapter settings.
  • Right click on the connection you want to add a DNS server to and select Properties.
  • Select either “Internet Protocol Version 4 (TCP/IPv4)” or “Internet Protocol Version 6 (TCP/IPv6)” and click Properties.
  • Ensure the “Use the following DNS server addresses” radio button is selected and add the DNS server address into the fields below.

Step 4: How do I know DoH is working?

Now that you have Windows configured to use DoH, you should be able to verify it’s working by seeing no more plain-text DNS traffic from your device. You can do this with Packet Monitor (pktmon), a network traffic analyzer included with Windows.

Start by opening a new Command Prompt or PowerShell window. Run the following command to reset any network traffic filters pktmon may already have in place:

pktmon filter remove

Run the following command to add a traffic filter for port 53, the port classic DNS uses (and which should now be silent since we’re only using DoH):

pktmon filter add -p 53

Run the following command to start real-time logging of traffic. All port 53 packets will be printed to the command line. If your device is only configured with DoH servers, this should show little to no traffic:

pktmon start --etw -m real-time

Step 5: How do I use a DoH server that isn’t on the auto-promotion list?

If you’re trying to test a DoH server that isn’t already on our auto-promotion list, such as your ISP’s DoH servers, you can add it to our list manually using the command line. First, identify the IP address and the DoH URI template for the server you want to add. Then, run the following command as an administrator:

netsh dns add encryption server=<your-server’s-IP-address> dohtemplate=<your-server’s-DoH-URI-template>

You can verify the template was applied to the well-known DoH server list by running this command, which should show you the template being used for a given IP address:

netsh dns show encryption server=<your-server’s-IP-address>

Now when Windows is configured to use that IP address as a DNS server, it will use DoH instead of classic DNS.
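The procedure above scripted for an Insider build, as an added example that is not code from the post or from Microsoft: it covers Steps 2, 4 and 5, parses the output of netsh dns show encryption so a script can check the applied template, and uses a placeholder server IP and DoH template in place of a real provider's values.

```powershell
# Added example, not code from the post or from Microsoft. Scripts Steps 2, 4
# and 5 for an Insider build; run it from an elevated PowerShell window.
# Assumptions: the registry value, netsh and pktmon syntax are as the post
# gives them; the server IP and DoH template in the usage lines at the
# bottom are placeholders for your own provider's values.

$ErrorActionPreference = 'Stop'

# Step 2: enable the DoH client by creating EnableAutoDoh = 2 (DWORD).
# Takes effect once the DNS service restarts, i.e. after a reboot.
function Enable-InsiderDoh {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    New-ItemProperty -Path $key -Name 'EnableAutoDoh' -PropertyType DWord `
        -Value 2 -Force | Out-Null
    return (Get-ItemProperty -Path $key -Name 'EnableAutoDoh').EnableAutoDoh
}

# Step 5: register a server that is not on the auto-promotion list.
# The inputs are validated first because netsh says little about bad ones.
function Add-DohServer {
    param([Parameter(Mandatory)][string]$Ip,
          [Parameter(Mandatory)][string]$Template)
    [void][System.Net.IPAddress]::Parse($Ip)      # throws on a malformed IP
    if ($Template -notmatch '^https://') {
        throw "DoH template must be an https:// URI, got: $Template"
    }
    netsh dns add encryption server=$Ip dohtemplate=$Template
}

# Parses 'netsh dns show encryption' for one server into a hashtable, so the
# template (and any other "name : value" line netsh prints) can be checked by
# a script rather than by eye. Lines without a colon (the header) are skipped.
function Get-DohServerSettings {
    param([Parameter(Mandatory)][string]$Ip)
    $settings = @{}
    foreach ($line in (netsh dns show encryption server=$Ip)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $settings[$matches[1]] = $matches[2]
        }
    }
    return $settings
}

# Step 4: watch port 53 with pktmon. Generate lookups from another window with
# Resolve-DnsName (nslookup bypasses the platform resolver, so it is not a
# valid test). Ctrl+C stops the capture; packets listed mean DoH is not in use.
function Watch-Port53 {
    pktmon filter remove | Out-Null
    pktmon filter add -p 53 | Out-Null
    pktmon start --etw -m real-time
}

# Usage with placeholder values:
Enable-InsiderDoh
Add-DohServer -Ip '203.0.113.53' -Template 'https://doh.example.net/dns-query'
Get-DohServerSettings -Ip '203.0.113.53'
# Then set 203.0.113.53 as the adapter's DNS server (Step 3), reboot, and run:
# Watch-Port53
```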

66 Comments

This is great! It's nice to see this feature built into Windows! Thanks :smile:

Copper Contributor

Keep up the excellent work. Thanks.

Awesome addition to Windows! Thanks 

Copper Contributor

Could you add NextDNS?

Its IP range is 45.90.28.0 - 45.90.28.255 and its DoH address is https://dns.nextdns.io/

Copper Contributor

If this gets enabled by default in the future, will there ever be a way for networks to opt-out like Firefox's canary domain? I have a local Pi-hole which already uses DNS-over-TLS and would very much like to not have to change settings in every Windows machine for it to be effective.

Copper Contributor

I have second vote on NextDNS above!!!

Copper Contributor

Tested in combination with Chrome 84.0.4144.2 - browser cannot be used. Horrible lags and hangs.

Iron Contributor

I think there might be a small error.  This:

pktmon start --etw -l real-time

should be:

pktmon start --etw -m real-time

Microsoft

@Jonathan Kay Thank you very much, you're absolutely right! I've edited the post accordingly so nobody gets misled going forward.

For those interested in using other DNS providers with DoH: please ask your providers to reach out to us as this is a pilot feature not intended as a mechanism for supporting every DoH server out there. Please note you are free to follow the instructions at the end of the blog post to add whichever DoH server you want to use to your own system for auto-promotion. That way, say you want to use NextDNS as two comments so far have mentioned, you can run the "netsh dns ..." commands to register a NextDNS entry for DoH.

@Olexander I'm sorry to hear that. When I fresh install Chrome Dev, I get 84.0.4143.7 and it seems to work on par with all the non-dev browser versions. Do you see the problem on a non-dev browser channel as well?

Copper Contributor

I think there might be a small error.  This:

pktmon start --etw -l real-time

should be:

pktmon start --etw -m real-time

Neither one works. 

Unknown parameter 'real-time'. See pktmon start help.

Copper Contributor

Nice.  Added my "personal nextdns" IP/identifier, tested and confirmed it's using DNS over HTTPS.  NextDNS page shows it as active.  :)

Copper Contributor

Should the instructions be changed from:

  • Select either “IPv4” or “IPv6” and click Properties.
  • Ensure the “Use the following DNS server addresses” radio button is selected and add the DNS server address into the fields below.

To:

  • Select IPv4 and click Properties
  • Ensure the "Use the following DNS ..."
  • Select IPv6 and click Properties
  • Ensure the "Use the following DNS ..."

Copper Contributor

This will not show up being default on, will it? DoH is a huge misguided mistake that wasn't very well thought out and I have no intention of ever using it if I can avoid it.

Iron Contributor

DoH often breaks with captive portals or even some networks that explicitly block it. Will there be an easy way to turn it on or off without having to manually revert the settings?

While having per-adapter DNS settings may be useful, this is far from usable. How about a top level setting in the Network & Internet settings page to enable or disable DNS and to select a known provider or custom servers which get applied across all network connections. It should be as easy and usable as the 1.1.1.1 mobile app and the Android Private DNS Mode setting.

Copper Contributor

@tojens Most likely, the problem was on the browser's side. With the new browser version, no lags. I'll keep watching. Thank you!

Copper Contributor

Very good. Congratulations!!

Copper Contributor

I have configured my Windows correctly, nothing is logged when browsing the internet from Edge, but when doing an nslookup from a command prompt, the query is still done using simple DNS on port 53. Is this normal behavior?

Copper Contributor

I also experience lags and hangs with latest Edge canary (build 84.0.516.0)

I tried to disable/enable the custom flag for secure DNS inside Edge but it doesn't change anything.

Had to remove DoH registry key, too bad...

Microsoft

@Laurent MILTGEN this is expected because nslookup doesn't use the platform DNS resolver. You can read more about the details of troubleshooting DNS client behavior here: https://docs.microsoft.com/en-us/windows-server/networking/dns/troubleshoot/troubleshoot-dns-client

To make queries with the platform resolver, please use the Resolve-DnsName cmdlet: https://docs.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname?view=win10-ps

Copper Contributor

Works well with regular windows actions. WSL and WSL2 in default configuration. Both, still work in the clear.

Copper Contributor

@tojens It looks like Resolve-DnsName bypasses the platform resolver, and thus DoH, when the -Server parameter is used. This is probably by design that predates DoH, but I think it creates a weak link now. I reported this at https://github.com/PowerShell/PowerShell/issues/12910. I'm hoping that the Windows implementation of DoH eventually supports encrypted queries to servers other than the one specified for the platform.

Brass Contributor

Glad to see this feature! I have got it working with a private server.

Will you be supporting DNS over HTTPS to ports other than 443?

Copper Contributor

Hi, I know the post is a bit old but I have been trying to add another DoH server and I can't run the command > netsh dns add encryption...

It keeps returning "Command not found".

I tried on both PowerShell and CMD, both as Administrator.

I can go as far as >netsh dns add... but there isn't a suggestion for the encryption bit.

I am using Windows 10 Home, could that be the problem?

Copper Contributor

Hi,

Nice instructions. I followed everything and something weird happened. After a restart, the Network Registry settings disappeared.

Also, netsh in my PowerShell does not have the "add encryption" command. It prompts:

PS C:\WINDOWS\system32> netsh dns add

The following commands are available:

Commands in this context:
add dnsservers - Adds a static DNS server address.
PS C:\WINDOWS\system32>

And

pktmon start --etw -m real-time

no longer works, I use:

pktmon start --etw -l real-time

After a while of not showing traffic, a continuous log of "dns -> ip connection", "ip_connection <- dns" appears.

I then went to https://1.1.1.1/help, and it appears that "Using DNS over HTTPS (DoH)" shows No.

Copper Contributor

Hello,

I already posted one comment, but it got deleted?

I am having the same problem as @raphaelarocha, no "add dns encryption" option. Also, every time I reboot my device, the "AutoDoh" value from Registry Editor completely disappears.

pktmon start --etw -l real-time

keeps a continuous log of the "dns -> IPconnection" and "IPconnection <- dns"

DoH does not seem to work on the device after testing it with https://1.1.1.1/help

Brass Contributor

@rugs-130 are you running normal Windows or the Insider version?

Copper Contributor

I have opened Registry Editor, I have navigated to Parameters. I can not create a new folder or create a new DWORD value named “EnableAutoDoh”. I am not allowed to.

Brass Contributor

@André NOUN you don't need the registry, you can do it in the Insider GUI.

Copper Contributor

Thank you DonnyM, I followed your instructions, and it worked.:beaming_face_with_smiling_eyes:

Copper Contributor

@DonnyM Where is the "insider GUI" ?  Running latest insider version however have not come across where to edit DNS settings  :sad:

Brass Contributor

@Stephen Curtis Settings > Network > Properties

Copper Contributor

@DonnyM It's the insider version, 20H2, also cannot find the insider GUI

Brass Contributor

@rugs-130 you need Insider Dev, it's not in Insider Beta yet.

Iron Contributor

Hello,

I'm so glad that this new feature was offered to the insiders in the latest dev build, my biggest issue in trying to utilize the setting is the fact that I utilize the Wi-Fi signal that's broadcast from my AT&T 5268AC gateway, so I don't know if I should change the DNS settings or not. Right now it's currently set to the automatic DHCP mode, and of course I wouldn't want to cause any issues with my Wi-Fi signal because it's being used on multiple devices in our household.

Copper Contributor

Nice work!

Copper Contributor

Very nice work! :thumbs_up::waving_hand::beaming_face_with_smiling_eyes:

Copper Contributor

I'm on build 20236.1005 in the Dev channel (Insider). I don't see the Encryption options in the DNS settings. I have added the registry key and it has persisted over a reboot.

No choice of encryption drop-downs.

You could add example output for the netsh dns show encryption command so we know what the output means. I have this:

> netsh dns show encryption server=8.8.8.8

Encryption settings for 8.8.8.8
----------------------------------------------------------------------
DNS-over-HTTPS template : https://dns.google/dns-query
Auto-upgrade : no
UDP-fallback : no

Which I'm guessing means not encrypted. What should the output look like if it is encrypted?

Thanks :)

Brass Contributor

That's strange, the options are showing fine on my Win10 Insider Dev install.

Copper Contributor

@finbarr69 "For Wi-Fi connections: Go to Settings > Network & Internet > Wi-Fi. Click the adapter properties link, then select Edit IP assignment or Edit DNS server assignment and it will be available in the popup. Currently you will not see the encryption options if you go to the individual network’s property pag...

You can add any IP address listed here to unlock the DoH dropdown and choose to use encryption. Once encryption is enabled, you can confirm it’s working by looking at the applied DNS servers in the network properties and see them labeled as “(Encrypted)” servers. If you want to try a custom DoH server we don’t recognize yet, you can configure an IP address to be recognized as a DoH server by using the netsh command documented here at the end of the blog post."

Copper Contributor

@KSC2020 Aha! Thank you. The instructions at the top of this page are not complete. They need to be updated to look like the instructions at https://blogs.windows.com/windows-insider/2020/08/05/announcing-windows-10-insider-preview-build-201... which differentiate between the Wi-Fi and Ethernet adaptors.

Thanks for pointing out my error - I had just followed the instructions on here. :)

Unfortunately, when I set it to "Encrypted only (DNS over HTTPS)", I lose all network connectivity. So, something is wrong. I'll see if I can diagnose it.

Thanks :)

Brass Contributor

Network successfully encrypted with DNS over HTTPS using the public Google servers for IPv4 and IPv6. The EFI driver for the network adapter was installed by Windows 10 Update, but there is an error in the Events tab: device not started. Check the driver to see whether the device has started; otherwise install a compatible driver yourself. Trying to uninstall the current driver and reinstall it, as described, can also help to start the network adapter device.

Brass Contributor

@beartek if you set up the Windows account as a Child account, Edge will not allow custom DNS servers to be configured on that account.

@DonnyM 

"if you set up the Windows account as a Child account, Edge will not allow custom DNS servers to be configured on that account."

Hi there,

If the browser detects that the user is in a “managed” environment, then DoH (Secure DNS) can be configured only by policy, not the end-user. That’s because Enterprise environments often have specific requirements for network configuration that are more likely to be broken by Secure DNS.

You need to use Group Policy or other management methods such as Intune, MDM etc. to manage DNS servers on non-admin situations. Secure DNS is not the only option that is unavailable for non-admin situations.

https://techcommunity.microsoft.com/t5/enterprise/found-a-bug-in-edge-87-policy/m-p/1801503

@beartek

Spoiler
Edge circumvents local DNS. I put 1.1.1.3 and 1.0.0.3 in the local network interfaces and the router and the cablemodem. Chrome and Firefox won't let the 3rd graders surf porn, but Edge empowers 3rd graders to surf porn! What is the real purpose of this? Limited choices in Edge config for private dns i.e. 1.1.1.1 (no filter) is allowed but 1.1.1.3 (no porn/malware) is not allowed (as of last night). Sure is suspicious to those of us who argue against crimeware and child exploitation... 

Please don't escalate it to non-related things, the wording in your comment is not suitable and is kind of offensive.

Using DNS alone to filter web content is not an effective way, it is easily circumvented.

The correct way would be to use URL filtering, or deep packet inspection (DPI).

If your issue is with Edge, you can contact Edge support; this topic is about DoH in Windows.

Microsoft Edge help & learning - Microsoft Support

Hi, how may we assist you? (microsoftedgeinsider.com)

Also, Edge has this secure DNS option that blocks adult content.

Brass Contributor

@HotCakeX it is not necessary to mess around with Group Policy settings, using the in-built Windows Parental Controls will also stop accounts set up as Child accounts from altering DNS in Edge.

@DonnyM I know that,

I explained why "Edge will not allow custom DNS servers to be configured on that account (child account)."

and that's the reason.

Brass Contributor

@HotCakeX I know that. I was explaining to @beartek how to stop children from altering their DNS in Edge.

@DonnyM Okay, good.

How to add OpenDNS to the Windows DoH list?

I don't know how to add 2 IP addresses (preferred and alternative) to this command and also don't know the dohtemplate of OpenDNS.

netsh dns add encryption server=<your-server’s-IP-address> dohtemplate=<your-server’s-DoH-URI-template>

Here is more info about OpenDNS setup:

https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS

Okay, I figured it out.

To add OpenDNS, which is now called Cisco Umbrella, to the Windows DoH list, you need to use these 2 commands in an elevated PowerShell:

netsh dns add encryption server=208.67.222.222 dohtemplate=https://doh.umbrella.com/dns-query

and

netsh dns add encryption server=208.67.220.220 dohtemplate=https://doh.umbrella.com/dns-query

More info:

https://support.umbrella.com/hc/en-us/articles/360043574271-Using-DNS-over-HTTPS-DoH-with-Umbrella

Last update: Aug 05 2020 10:39 AM