Windows not Respecting DNS-over-HTTPS Templates


Description:

Windows is set to use Cloudflare DNS-over-HTTPS – using Cloudflare's malware blocking DNS resolver. However, Windows ignores the template set for this DNS resolver and reverts to a different DNS resolver URL.

 

Windows should be using this Cloudflare DNS resolver, as set in the template:

https://security.cloudflare-dns.com/dns-query

 

However, Windows ignores the template set and incorrectly changes it to this Cloudflare DNS resolver:

https://one.one.one.one/dns-query

 

Steps to reproduce:

1) Using PowerShell (running as admin), add the Cloudflare malware blocking DNS resolvers to the Windows list of known DoH DNS servers.

# Add a new DoH server to the list of known servers

$AddDoHServerIP4a = @{
    "ServerAddress"      = '1.1.1.2'
    "DohTemplate"        = 'https://security.cloudflare-dns.com/dns-query'
    "AllowFallbackToUdp" = $False
    "AutoUpgrade"        = $True
}
Add-DnsClientDohServerAddress @AddDoHServerIP4a

$AddDoHServerIP4b = @{
    "ServerAddress"      = '1.0.0.2'
    "DohTemplate"        = 'https://security.cloudflare-dns.com/dns-query'
    "AllowFallbackToUdp" = $False
    "AutoUpgrade"        = $True
}
Add-DnsClientDohServerAddress @AddDoHServerIP4b

$AddDoHServerIP6a = @{
    "ServerAddress"      = '2606:4700:4700::1112'
    "DohTemplate"        = 'https://security.cloudflare-dns.com/dns-query'
    "AllowFallbackToUdp" = $False
    "AutoUpgrade"        = $True
}
Add-DnsClientDohServerAddress @AddDoHServerIP6a

$AddDoHServerIP6b = @{
    "ServerAddress"      = '2606:4700:4700::1002'
    "DohTemplate"        = 'https://security.cloudflare-dns.com/dns-query'
    "AllowFallbackToUdp" = $False
    "AutoUpgrade"        = $True
}
Add-DnsClientDohServerAddress @AddDoHServerIP6b

 

2) Using PowerShell, check that the new DNS resolvers have been successfully added to the Windows list of known DoH DNS servers.

# Determine which DoH servers are on the known server list

Get-DNSClientDohServerAddress | Sort-Object -Property DohTemplate

 

Screenshot A (DNS servers successfully added):


 

3) Go to [Windows Settings > Network & Internet > Wi-Fi > Hardware properties > DNS server assignment > Edit button > Manual]. Set the DoH settings as below.

IPv4            > On

Preferred DNS   > 1.1.1.2
DNS over HTTPS  > "On (automatic template)"

Alternative DNS > 1.0.0.2
DNS over HTTPS  > "On (automatic template)"
IPv6            > On

Preferred DNS   > 2606:4700:4700::1112
DNS over HTTPS  > "On (automatic template)"

Alternative DNS > 2606:4700:4700::1002
DNS over HTTPS  > "On (automatic template)"

 

Screenshot B (Windows settings initially appear correct):


 

4) Click the "Save" button and accept the UAC elevation prompts.

 

5) Go back into the DNS settings again [Windows Settings > Network & Internet > Wi-Fi > Hardware properties > DNS server assignment > Edit button].

 

Windows has incorrectly changed the DNS-over-HTTPS template to a different DNS URL.

 

Screenshot C (Windows settings incorrect):


 

6) If the below Group Policy is set, then it starts working correctly, however this should not be necessary for it to work correctly.

 

[Computer Configuration > Administrative Templates > Network > DNS Client > Configure DNS over HTTPS (DoH) name resolution > Enabled > Require DoH]

 

-----

Windows 11 (Version 23H2, build 22631.3447)

 

4 Replies
I know how to set up DNS-over-HTTPS. I also know how to work around the issue.

What I want to determine is why Windows is replacing the set DoH URL with a different one – and where it's getting this incorrect DoH URL from. 1.1.1.2 and 1.0.0.2 should not be matched to https://one.one.one.one/dns-query – this is not the correct DoH template for those DNS server IP addresses.
Is there no progress?

What appears to be happening is Microsoft have enabled "Discovery of Designated Resolvers" (DDR) by default for everyone now.

 

Therefore, if the DNS-over-HTTPS mode in Windows settings is set to "On (automatic template)" – and not "On (manual template)" – DDR will take priority over the Windows list of known DoH DNS servers.

 

As DDR has priority, adding the Cloudflare malware blocking DNS resolvers to the Windows list of known DoH DNS servers (using the Add-DnsClientDohServerAddress PowerShell cmdlet) won't have any effect, as Windows ignores it and uses DDR instead.

 

In order for Windows to use a template instead of DDR, the Windows setting needs to be set using "On (manual template)" and entered manually. Alternatively, if "Require DoH" is set via Group Policy, this forces Windows to use the Windows list of known DoH DNS servers, but I think this is more of a side effect.

 

The reason why the DoH DNS resolver URL is incorrect when received through DDR appears to be because Quad9 and Cloudflare have only configured "Discovery of Designated Resolvers" (DDR) for their main DNS service, not their additional DNS services. Therefore, if you use 1.1.1.2 instead of 1.1.1.1 (Cloudflare) or 9.9.9.10 instead of 9.9.9.9 (Quad9), the SVCB records return the incorrect host names.

 

https://community.cloudflare.com/t/dns-for-families-compatibility-with-discovery-of-designated-resol...

 

Unfortunately, it's not possible to query SVCB records using Windows command line tools such as PowerShell (i.e. Resolve-DnsName); you need to use Linux or macOS terminals to test.
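The DDR answer a client receives for `_dns.resolver.arpa` is an SVCB record, and the DoH template the client ends up using is built from that record's TargetName and its dohpath parameter (RFC 9460 / RFC 9461), which is why a designation that names one.one.one.one yields the https://one.one.one.one/dns-query template seen above. The Python below is an added example, not code from this thread or from Microsoft or Cloudflare: it parses SVCB RDATA from wire format, builds the DoH template the way a DDR client would, and compares it against the template the administrator configured. The record bytes are constructed here to match the designation described in the thread, not captured from a live query, and the function names are this example's own.

```python
import struct

# SvcParamKeys from RFC 9460, plus dohpath (key 7) from RFC 9461.
KEY_MANDATORY, KEY_ALPN, KEY_NO_DEFAULT_ALPN, KEY_PORT = 0, 1, 2, 3
KEY_IPV4HINT, KEY_ECH, KEY_IPV6HINT, KEY_DOHPATH = 4, 5, 6, 7


def encode_name(name):
    """DNS wire-format name (no compression, as SVCB TargetName requires)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, pos):
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed in SVCB TargetName")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels), pos


def encode_alpn(protocols):
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)


def decode_alpn(value):
    protocols, pos = [], 0
    while pos < len(value):
        n = value[pos]
        pos += 1
        protocols.append(value[pos:pos + n].decode("ascii"))
        pos += n
    return protocols


def build_svcb_rdata(priority, target, params):
    """Serialise SVCB RDATA; SvcParams must be emitted in increasing key order."""
    out = struct.pack("!H", priority) + encode_name(target)
    for key in sorted(params):
        out += struct.pack("!HH", key, len(params[key])) + params[key]
    return out


def parse_svcb_rdata(rdata):
    """Return (SvcPriority, TargetName, {key: raw value}) with RFC 9460 sanity checks."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = decode_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if key <= last_key:
            raise ValueError("SvcParams must be in strictly increasing key order")
        last_key = key
        value = rdata[pos:pos + length]
        pos += length
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        params[key] = value
    if priority == 0 and params:
        raise ValueError("AliasMode (priority 0) records must not carry SvcParams")
    return priority, target, params


def doh_template_from_svcb(rdata):
    """Build the DoH URI template a DDR client derives: https://TargetName[:port]dohpath."""
    priority, target, params = parse_svcb_rdata(rdata)
    if priority == 0 or KEY_DOHPATH not in params:
        return None  # alias record or not a DoH designation
    alpn = decode_alpn(params.get(KEY_ALPN, b""))
    if not any(p in ("h2", "h3") for p in alpn):
        return None  # DoH requires an HTTP ALPN
    port = struct.unpack("!H", params[KEY_PORT])[0] if KEY_PORT in params else 443
    host = target if port == 443 else f"{target}:{port}"
    return f"https://{host}{params[KEY_DOHPATH].decode('utf-8')}"


def check_designation(rdata, expected_template):
    """Compare the DDR-derived template (minus the {?dns} variable) with the configured one."""
    template = doh_template_from_svcb(rdata)
    plain = template.split("{")[0] if template else None
    return plain == expected_template, plain


# Constructed sample: the kind of designation the thread describes for 1.1.1.2,
# naming the main one.one.one.one service rather than security.cloudflare-dns.com.
SAMPLE_DDR_RDATA = build_svcb_rdata(1, "one.one.one.one", {
    KEY_ALPN: encode_alpn(["h2", "h3"]),
    KEY_IPV4HINT: bytes([1, 1, 1, 1]) + bytes([1, 0, 0, 1]),
    KEY_DOHPATH: b"/dns-query{?dns}",
})
EXPECTED_TEMPLATE = "https://security.cloudflare-dns.com/dns-query"

if __name__ == "__main__":
    ok, derived = check_designation(SAMPLE_DDR_RDATA, EXPECTED_TEMPLATE)
    print(f"configured: {EXPECTED_TEMPLATE}\nDDR yields: {derived}\nmatch: {ok}")
```

Feeding this the bytes of a real `_dns.resolver.arpa` SVCB answer (captured with a tool that can query type 64) reproduces the template Windows will adopt under "On (automatic template)", so a mismatch here against the template you configured is the condition to watch for before relying on the automatic mode.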