Blog Post

Networking Blog
3 MIN READ

Introducing DNR support for Windows Insiders

AditiPatange's avatar
AditiPatange
Icon for Microsoft rankMicrosoft
Oct 25, 2023

A huge thank you to Alex Jercaianu, Justin Sapp, Kosi Nwabueze, and Milan Justel for implementing this feature!

 

Discovery of Network-designated Resolvers (DNR) is an upcoming IETF standard to discover encrypted DNS servers. Before DNR, devices getting DNS server from their local network would not be able to use encrypted DNS without manually finding out the IP address of their desired encrypted DNS server and configuring it on client-side. DNR enables devices to use encrypted DNS protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) on the client-side without requiring manual endpoint configuration.

 

We are excited to announce client-side DNR support in Windows Insiders build 25982 and higher!

 

How does client-side DNR work?

 

Let us look at what happens when a machine with client-side DNR enabled attempts to join a new network. First, the machine queries the local DHCP server to acquire an IP address. During that query it also requests special DNR-specific options (OPTION_V4_DNR for DHCPv4 or OPTION_V6_DNR for DHCPv6). The local DHCP server which is running server-side DNR responds to the machine with all the required information for configuring encrypted DNS such as the IP address of the encrypted DNS server, list of supported encrypted DNS protocols, their port numbers, and server authentication information. On receiving this information, the client machine sets up an encrypted DNS tunnel automatically with the server discovered through DNR.

 

From the user’s perspective, they joined a new network as they normally would and without any effort on their part, they are reaping the benefits of encrypted DNS!

 

How to use DNR on Windows Insider builds? 

 

First step is to install the latest Windows Insider build (25982 or higher). DNR support is not available on non-Insider Windows builds yet.

 

Once a compatible Windows Insider build is installed, a new registry key needs to be created to enable DNR on the device.

 

Please note: You should proceed with the deployment steps below only if you have prior experience with modifying registry. This is NOT recommended for people who are unfamiliar with registry keys.

 

UI 

The registry key can be created using UI by the following steps: 

  1. Open Registry Editor on your Windows device 
  2. Navigate to “Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters”
  3. Click on “Edit” -> “New” -> “DWORD (32-bit) Value” (on the top left side of the window)
  4. Rename this new registry key from “New Value #1” to “EnableDnr”
  5. Double-click on “EnableDnr” registry key 
  6. In the new pop-up window, verify value name is “EnableDnr” and set value data to “1” 
  7. Click “OK” 

 

 

 

Command prompt 

Alternatively, the following command can be run in an administrator command prompt:

 

reg add HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters /v EnableDnr /t REG_DWORD /d 1 

 

After all the registry changes are done, reboot the device for the new settings to take effect. 

 

To see DNR working in action, try joining a network whose DHCPv4 or DHCPv6 server supports server-side DNR. 

 

During our internal testing, we partnered with BT Group who prototyped server-side DNR on their DHCPv4 servers. A Windows Insiders device with DNR enabled was joined to a network provisioned by BT. The Windows Insiders device was able to use OPTION_V4_DNR to discover, validate and use BT’s trial DNS over HTTPS service. 

 

Please note that our current client-side DNR implementation only supports configuration through following modes as stated in the DNR IETF draft: 

We do not support the IPv6 RA Encrypted DNS option yet. 

 

To stop using client-side DNR, the following command can be run in an administrator command prompt: 

 

reg add HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters /v EnableDnr /t REG_DWORD /d 0 

 

After running the command, reboot the device to return the machine to its original state. 

 

Updated Oct 26, 2023
Version 3.0
  • KoizumiR's avatar
    KoizumiR
    Copper Contributor

    This article confused me because the registry path modified through the Registry Editor and the path modified through the reg add command are actually not the same.

     

    The first method created a DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache via regedit, while the second method created a DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters, I guess at least one of them must be wrong.

     

    AditiPatange 

  • Hello KoizumiR, you are right! This was a mistake on my part.

     

    The right path for the new DWORD EnableDnr to enable DNR in Windows Insiders build is "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"

     

    I have fixed the instructions in the blog post. Thank you for calling it out!

  • jonaspietsch_de's avatar
    jonaspietsch_de
    Copper Contributor

    Hi AditiPatange 

    thank you for your nice blog post.

    Can you please assist with my issue? I cannt get DNR to work.

    I have the folowing setup:

    1. Windows 11 with the build 27695
    2. The registry flag for DNR activated as stated in this blog post.
    3. Set up the DHCP server with ISC-KEA v2.6
    4. Configured the scope option 162 with the following value "2, dns.google." (ADN-only mode)

    I can now see in a packet log on the windows machine, that the scope option 162 is requested by windows and also answered by the DHCP server. But somehow windows is not switching to DNS over TLS or DNS over HTTPS.

    I used the Google DNS server to not have any issues regarding the certificate. But I also tried with a local server and trusted certificate, Windows is not switching to encrypted DNS.

    The logs in Microsoft-Windows-DHCP-Client/Operational and Microsoft-Windows-DNS-Client/Operational could not help.

    Do you have any troubleshooting tips?

    Thank you.