You can enable DNS over HTTPS (DoH) in Windows 10 using one of the methods available in the OS, including the Settings app and the Registry. DNS over HTTPS is a relatively young web protocol. Its primary goal is to increase user privacy and security: by carrying DNS queries inside HTTPS between the DoH client and a DoH-capable resolver, it prevents on-path eavesdropping on and tampering with DNS data (man-in-the-middle attacks).
The plan to support DoH in Windows 10 was revealed with a number of principles Microsoft is going to use when implementing the feature in the OS. Microsoft planned to implement support for encryption of DNS traffic back in 2019, but users were able to try this new feature only in 2020. So Windows 10 Build 19628 was the first build to include the DoH support.
This post will show you how to enable and configure the DNS over HTTPS (DoH) feature on Windows 10.
Enable DNS over HTTPS in Windows 10
- Open the Settings app. You can press Win + I to open it faster.
- Navigate to Network & internet > Status.
- Click on Properties.
- On the next page, click on the Edit button under DNS settings.
- Select Manual.
- Specify DNS servers that support DoH (see the list in the next chapter).
- Select Encrypted only (DNS over HTTPS) from the Preferred DNS encryption drop-down menu for each of the servers.
- If you are using IPv6 DNS, repeat the previous step for the IPv6 configuration.
- Finally, click on the Save button.
You are done. To confirm that DoH is actually in use, scroll down the network settings page. You should see "Encrypted" next to the DNS address value on the Properties page.
The public DNS servers that support encryption are listed in the table below.
The list of DoH-enabled servers
You can use the following public DNS over HTTPS servers.
| Server Owner | IPv4 addresses | IPv6 addresses |
|---|---|---|
| Cloudflare | 1.1.1.1, 1.0.0.1 | 2606:4700:4700::1111, 2606:4700:4700::1001 |
| Google | 8.8.8.8, 8.8.4.4 | 2001:4860:4860::8888, 2001:4860:4860::8844 |
| Quad9 | 9.9.9.9, 149.112.112.112 | 2620:fe::fe, 2620:fe::fe:9 |
However, if your Windows 10 version doesn't let you turn on DNS over HTTPS in Settings (for example, the options are missing), you can apply a Registry tweak to do the same. It is an alternative to the Settings app method.
Turn on DNS over HTTPS in the Registry
- Open the Registry Editor. Press Win + R and type regedit in the Run box.
- Go to the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
- On the right, modify or create a new 32-Bit DWORD value EnableAutoDoh.
- Set its value to 2.
- Restart Windows 10.
This activates DNS over HTTPS, so Windows 10 will send and receive DNS traffic over an encrypted connection to a DoH-capable server. However, you still need to change the DNS server address to one from the table above; the tweak alone does not encrypt queries to a resolver that does not support DoH. Here is how you can set a DNS server address.
Change Server Address after enabling DoH
- Open the classic Control Panel. Press Win + R and type control in the Run box, then hit Enter.
- Go to Control Panel\Network and Internet\Network and Sharing Center.
- On the right, click on Change adapter properties.
- In the Network Connections window, double-click your network connection.
- Click Properties in the next window.
- In Adapter Properties, select the Internet Protocol Version 4 (TCP/IPv4) entry, and click on the Properties button.
- Select the option "Use the following DNS server addresses:" on the General tab. Enter the DNS server address that supports DoH.
- If your network configuration includes IPv6, specify the IPv6 servers for the Internet Protocol Version 6 (TCP/IPv6) option.
- Click OK to apply the change.
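The same two steps (the EnableAutoDoh Registry value and the DNS server addresses) can be applied from an elevated PowerShell session. The script below is an added example written for this page, not code from the Winaero article; it assumes the DnsClient and NetAdapter modules that ship with Windows 10, a single active adapter, and the Cloudflare addresses from the table above (any other row of that table works the same way). It refuses addresses that are not in the table so a typo cannot silently point the machine at a resolver that does not support DoH.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Winaero article. Assumes Windows 10 with the
# DnsClient / NetAdapter modules and one active physical adapter.

# Resolvers from the article's table (the only ones this script will configure).
$KnownDohServers = @(
    '1.1.1.1', '1.0.0.1', '2606:4700:4700::1111', '2606:4700:4700::1001',   # Cloudflare
    '8.8.8.8', '8.8.4.4', '2001:4860:4860::8888', '2001:4860:4860::8844',   # Google
    '9.9.9.9', '149.112.112.112', '2620:fe::fe', '2620:fe::fe:9'            # Quad9
)
# The row to apply; IPv4 and IPv6 addresses together.
$Servers = @('1.1.1.1', '1.0.0.1', '2606:4700:4700::1111', '2606:4700:4700::1001')

foreach ($s in $Servers) {
    if ($KnownDohServers -notcontains $s) {
        throw "Refusing to configure '$s': it is not one of the DoH-capable resolvers in the table."
    }
}

# Step 1: the Registry tweak from the article.
# HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters, 32-bit DWORD EnableAutoDoh = 2.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
New-ItemProperty -Path $RegPath -Name 'EnableAutoDoh' -PropertyType DWord -Value 2 -Force | Out-Null
$Current = (Get-ItemProperty -Path $RegPath -Name 'EnableAutoDoh').EnableAutoDoh
if ($Current -ne 2) { throw "EnableAutoDoh is $Current, expected 2." }

# Step 2: point the active adapter at the chosen resolvers (replaces the
# "Use the following DNS server addresses" dialog for both IPv4 and IPv6).
$Adapter = Get-NetAdapter |
    Where-Object { $_.Status -eq 'Up' -and -not $_.Virtual } |
    Select-Object -First 1
if (-not $Adapter) { throw 'No active physical adapter found.' }
Set-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -ServerAddresses $Servers

# Show the resulting configuration and drop cached answers obtained over plain DNS.
Get-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses |
    Format-Table -AutoSize
Clear-DnsClientCache

Write-Host 'Restart Windows 10 for EnableAutoDoh to take effect, then verify with pktmon.'
```

Run it once per machine; the `-Force` on New-ItemProperty makes it safe to re-run, since it overwrites an existing EnableAutoDoh value instead of failing. Restart afterwards, exactly as the manual procedure requires.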
You are done.
Finally, after applying the Registry tweak and the server change, you can check whether DNS over HTTPS is working: if it is, no more plain-text DNS traffic should leave your device.
Verify that your DNS over HTTPS settings work
- Open a command prompt as Administrator.
- Type and run the following command to reset the network traffic filter: pktmon filter remove
- Type and run the following command to add a traffic filter for port 53, the port classic DNS uses: pktmon filter add -p 53
- Run the following command to start real-time logging of traffic: pktmon start --etw -m real-time
- All port 53 packets will be printed to the command line. If DoH works, you should not see any traffic here.
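The real-time check above needs someone watching the console. The script below is an added example, not part of the Winaero article, that runs the same pktmon check unattended: it installs the port 53 filter, captures to a file while forcing a few lookups with Resolve-DnsName, converts the trace to text and counts the packets that matched. Any hit means plain-text DNS is still leaving the machine. It assumes Windows 10 2004 or later (where pktmon exists); the text-conversion verb is etl2txt on newer builds and format on 2004, so both are tried; the capture window and the example.com/.net/.org test names are constructed for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Winaero article. Assumes pktmon (Windows 10 2004+).

$Trace   = Join-Path $env:TEMP 'dns53.etl'
$Text    = Join-Path $env:TEMP 'dns53.txt'
$Seconds = 10                                                 # constructed capture window
$Names   = @('example.com', 'example.net', 'example.org')     # constructed test lookups

Remove-Item $Trace, $Text -ErrorAction SilentlyContinue

# 1. Reset filters and record only packets on port 53 (classic DNS), as in the article.
pktmon filter remove | Out-Null
pktmon filter add -p 53 | Out-Null

# 2. Capture to a file instead of the console so the result can be read back.
pktmon start --etw -f $Trace | Out-Null
try {
    foreach ($n in $Names) {
        # -DnsOnly skips LLMNR/NetBIOS; resolution errors do not matter, only the wire traffic.
        Resolve-DnsName -Name $n -Type A -DnsOnly -ErrorAction SilentlyContinue | Out-Null
    }
    Start-Sleep -Seconds $Seconds
}
finally {
    pktmon stop | Out-Null
}

# 3. Convert the trace to text. Newer pktmon builds use 'etl2txt'; 2004 used 'format'.
pktmon etl2txt $Trace -o $Text 2>$null | Out-Null
if (-not (Test-Path $Text)) { pktmon format $Trace -o $Text | Out-Null }

# 4. Count captured packets. The filter already restricted the trace to port 53 and the
#    text dump is one packet per line, so every non-empty line is a plain-text DNS packet.
$Hits = @(Get-Content $Text -ErrorAction SilentlyContinue | Where-Object { $_ -match '\S' }).Count

if ($Hits -eq 0) {
    Write-Host "OK: no port-53 packets seen in $Seconds s; the lookups went over DoH."
} else {
    Write-Warning "$Hits port-53 packet(s) captured; plain-text DNS is still in use. See $Text"
}
```

A non-zero count is worth inspecting rather than dismissing: the text file shows which resolver the plain-text queries went to, which tells you whether the adapter still points at a server outside the table or whether the client fell back to classic DNS.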
That's it.
Hey Sergey,
Is there a method of pushing this via DHCP like we usually do with standard DNS?
Hmm. It depends on your DHCP server software.
Cannot find DNS settings… So do we have to use manual IP assignment first?