Network and Internet Enable DNS over TLS (DoT) in Windows 11


DNS_banner.png

This tutorial will show you how to change your DNS Server address and enable DNS over TLS (DoT) in Windows 11.

A DNS (Domain Name System) server is the service that makes it possible for you to open a web browser, type a domain name and load your favorite websites.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. Windows 11 includes built-in support for DoH.

Starting with Windows 11 build 25158 (24H2), DNS over TLS (DoT) testing is now available for Windows DNS client query protection. The setup requires some command line use and is recommended for advanced networking users.

DNS over TLS (DoT) is an alternative encrypted DNS protocol to DNS over HTTPS (DoH). Where DoH treats DNS traffic as one more HTTPS data stream over port 443, DoT dedicates port 853 to encrypted DNS traffic and runs directly over a TLS tunnel without HTTP layering underneath. This may result in a small performance improvement depending on the network environment at the cost of the flexibility HTTPS-based protocols can provide.

References:
DNS over TLS vs. DNS over HTTPS | Secure DNS
developers.google.com

DNS-over-TLS | Public DNS | Google for Developers

developers.google.com developers.google.com
techcommunity.microsoft.com

DNS over TLS available to Windows Insiders | Microsoft Community Hub

Instructions for enabling DNS over TLS support for Windows DNS client
techcommunity.microsoft.com techcommunity.microsoft.com


You must be signed in as an administrator to change the DNS server address and enable DoT.




Here's How:

1 Open Settings (Win+I).

2 Click/tap on Network & internet on the left side. (see screenshot below)


DoT-1.png

3 Do step 4 (current), step 5 (specific), or step 6 (all Wi-Fi) below for which network connection or adapter you want to enable DoT for.

4 Enable DNS over TLS (DoT) for a Current Network Connection

This will be for a network connection you are currently connected to.


A) Click/tap on Properties of the connected network you want to enable DoT for at the top on the right side. (see screenshot below)​

Current_DoT-1.png

B) Click/tap on the Ethernet or Wi-Fi connection you want to enable DoT for. (see screenshots below)​

Current_DoT-2.png
Current_DoT-3.png

C) Click/tap on the Edit button under DNS server assignment on the right side, and go to step 7. (see screenshots below)​

If you have a The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved. type message, then it means you used step 6 that overrides this setting. You can click/tap on the Change DNS settings for all Wi-Fi networks link instead, and then click/tap on the Edit button in step 6.


DoT-2.png
DoT-5.png

5 Enable DNS over TLS (DoT) for Specific Network Connection

This will be for a network connection you do not have to be currently connected to.


A) Click/tap on Wi-Fi or Ethernet for the type of network connection you want to enable DoT for. (see screenshot below)​

Specific_DoT-1.png

B) Perform one of the following actions: (see screenshots below)​
  • For Ethernet, click/tap on the connection you want to enable DoT for.
  • For Wi-Fi, click/tap on Manage known networks, and click/tap on the known Wi-Fi network connection you want to enable DoT for.
Current_DoT-2.png
Specific_DoT-2.png
Specific_DoT-3.png

C) Click/tap on the Edit button under DNS server assignment on the right side, and go to step 7. (see screenshots below)​

If you have a The DNS settings for all Wi-Fi networks have been set. The settings below won't be saved. type message, then it means you used step 6 that overrides this setting. You can click/tap on the Change DNS settings for all Wi-Fi networks link instead, and then click/tap on the Edit button in step 6.


DoT-2.png
DoT-5.png

6 Enable DNS over TLS (DoT) for All Wi-Fi Network Adapter

This will include all connections you make from the selected Wi-Fi network adapter.

This will override what is set for a network connection in step 4 and/or step 5.


A) Click/tap on Wi-Fi. (see screenshot below)​

All_DoT-1.png

B) Click/tap on Hardware properties. (see screenshot below)​

All_DoT-2.png

C) Click/tap on the Edit button under DNS server assignment on the right side, and go to step 7. (see screenshot below)​

All_DoT-3.png

7 Select Manual in the drop menu at the top. (see screenshots below step 10)

8 Enable DoT for IPv4

A) Turn on IPv4. (see screenshots below step 10)​

B) Type a Preferred DNS you want to use that supports DoH. (see table below)​

DoT DNS server​
Preferred DNS for IPv4​
Cloudflare1.1.1.1
Google Public DNS8.8.8.8
Quad99.9.9.9

C) Select Off in the DNS over HTTPS drop menu.​

D) Type an Alternate DNS you want to use that supports DoT. (see table below)​

DoT DNS server​
Alternate DNS for IPv4​
Cloudflare1.0.0.1
Google Public DNS8.8.4.4
Quad9149.112.112.112

E) Select Off in the DNS over HTTPS drop menu.​

9 Enable DoT for IPv6

A) Turn on IPv6. (see screenshots below step 10)​

B) Type a Preferred DNS you want to use that supports DoT. (see table below)​

DoT DNS server​
Preferred DNS for IPv6​
Cloudflare2606:4700:4700::1111
Google Public DNS2001:4860:4860::8888
Quad92620:fe::fe

C) Select Off in the DNS over HTTPS drop menu.​

D) Type an Alternate DNS you want to use that supports DoT. (see table below)​

DoT DNS server​
Alternate DNS for IPv6​
Cloudflare2606:4700:4700::1001
Google Public DNS2001:4860:4860::8844
Quad92620:fe:::9

E) Select Off in the DNS over HTTPS drop menu.​

10 When finished, click/tap on Save. (see screenshots below)

IPv4_DNS_settings.png
IPv6_DNS_settings.png

11 Verify the IPv4 DNS servers and IPv6 DNS servers you specified above all show as (Unencrypted). (see screenshot below)

If one shows as (Encrypted), then you will need to go back and select Off in the DNS over HTTPS drop menu for the DNS server address.


Verify_DNS_unencrypted.png

12 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

13 Copy and paste the command below into Windows Terminal (Admin), and press Enter to enable DoT settings. (see screenshot below step 15)

netsh dns add global dot=yes

14 Type the command below into Windows Terminal (Admin), and press Enter. (see screenshot below step 15)

netsh dns add encryption server=<DNS server address> dothost=: autoupgrade=yes

The dothost field equal to “:” means that the default DoT port will be used (853) and the domain name presented in the server’s TLS certificate will not be validated. To ensure proper validation of the connection, provide the expected domain name of the DoT server (the connection will use DoT’s designated port 853 without needing to specify it, as custom ports are not supported yet).


Substitute <DNS server address> in the command above with the actual DNS server addresses you specified and shown in step 11.

You will need to repeat this command for the IPv4 preferred DNS (ex: "1.1.1.1"), IPv4 alternate DNS (ex: "1.0.0.1"), IPv6 preferred DNS (ex: "2606:4700:4700::1111"), and IPv6 alternate DNS (ex: "2606:4700:4700::1001") server addresses you specified and shown in step 11.

For example:
netsh dns add encryption server=1.1.1.1 dothost=: autoupgrade=yes

netsh dns add encryption server=1.0.0.1 dothost=: autoupgrade=yes

netsh dns add encryption server=2606:4700:4700::1111 dothost=: autoupgrade=yes

netsh dns add encryption server=2606:4700:4700::1001 dothost=: autoupgrade=yes


15 Copy and paste the command below into Windows Terminal (Admin), and press Enter to flush the DNS resolver cache. (see screenshot below)

ipconfig /flushdns

Enable_DoT_command.png

16 Copy and paste the command below into Windows Terminal (Admin), and press Enter to verify if DoT is enabled. (see screenshot below step 17)

netsh dns show global

17 Verify DoT settings show as enabled. (see screenshot below)

If DoT settings shows as disabled, then re-run the netsh dns add global dot=yes command, and repeat step 16 to verify.


Verify_DoT_enabled_command.png

18 Copy and paste the command below into Windows Terminal (Admin), and press Enter to verify DoT encryption. (see screenshot below)

netsh dns show encryption

Verify_DoT_encryption_command-1.png

19 Scroll down and look for the IPv4 preferred DNS (ex: "1.1.1.1"), IPv4 alternate DNS (ex: "1.0.0.1"), IPv6 preferred DNS (ex: "2606:4700:4700::1111"), and IPv6 alternate DNS (ex: "2606:4700:4700::1001") server addresses you specified and shown in step 11. (see screenshot below)

The output should contain:
  • Encryption settings for <DNS server address>
  • DNS-over-TLS host set to either : or 853
  • Auto-upgrade set to Yes
  • UDP-fallback set to No.
Verify_DoT_encryption_command-2.png

20 You can now close Settings and Windows Terminal (Admin) if you like.


That's it,
Shawn Brink


Related Tutorials

 
Last edited:
Click to expand...
Thanks, I have finally got it working, by adding a custom link (I use NextDNS) and disabling DoH first. It is like this, firewall confirms.
Code: 
netsh dns set global doh=no
netsh dns add global dot=yes

netsh dns add encryption server=1.1.1.2 dothost=security.cloudflare-dns.com:853 autoupgrade=yes udpfallback=no
netsh dns add encryption server=1.0.0.2 dothost=security.cloudflare-dns.com:853 autoupgrade=yes udpfallback=no
 

Attachments

  • capture_10032024_101237.jpg
    capture_10032024_101237.jpg
    204.3 KB · Views: 14

My Computer

System One

  • OS
    Windows 11 Home
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 8600G (07/24)
    Motherboard
    ASROCK B650M-HDV/M.2 3.18 (07/24)
    Memory
    2x32GB Kingston FURY DDR5 5600 MHz CL36 @4800 CL40 (07/24)
    Graphics Card(s)
    ASROCK Radeon RX 6600 Challenger D 8G @60FPS (08/24)
    Sound Card
    Creative Sound BlasterX AE-5 Plus (05/24)
    Monitor(s) Displays
    24" Philips 24M1N3200ZS/00 (05/24)
    Screen Resolution
    1920×1080@165Hz via DP1.4
    Hard Drives
    Kingston KC3000 NVMe 2TB (05/24)
    ADATA XPG GAMMIX S11 Pro 512GB (07/19)
    PSU
    Seasonic Core GM 550 Gold (04/24)
    Case
    Fractal Design Define 7 Mini with 3x Noctua NF-P14s/12@555rpm (04/24)
    Cooling
    Noctua NH-U12S with Noctua NF-P12 (04/24)
    Keyboard
    HP Pavilion Wired Keyboard 300 (07/24) + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (04/23)
    Internet Speed
    500/100 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge & Brave for YouTube & LibreWolf for FB
    Antivirus
    NextDNS
    Other Info
    Backup: Hasleo Backup Suite (PreOS)
    Headphones: Sennheiser RS170 (09/10)
    Phone: Samsung Galaxy Xcover 7 (02/24)
    Chair: Huzaro Force 4.4 Grey Mesh (05/24)
    Notifier: Xiaomi Mi Band 9 Milanese (10/24)
    2nd Monitor: AOC G2460VQ6 @75Hz (02/19)
You must log in or register to reply here.

Similar Windows 11 Tutorials

  • Article Article
Personalization Enable or Disable Open Jump Lists on Hover over Taskbar Apps in Windows 11
Replies
1
Views
3K
abactuon
abactuon
  • Article Article
Network and Internet Enable or Disable Discovery of Network-designated Resolvers (DNR) in Windows 11
Replies
0
Views
4K
Brink
Brink
  • Article Article
Virtualization Enable or Disable Hyper-V Enhanced Session Mode in Windows 11
Replies
0
Views
5K
Brink
Brink
  • Article Article
System Enable or Disable Create Dev Drive in Windows 11
Replies
4
Views
9K
Brink
Brink
  • Article Article
Network and Internet Share Printer over Network in Windows 11
Replies
0
Views
16K
Brink
Brink
  • Article Article
Windows Update Disable Automatic Windows Updates in Windows 11
Replies
13
Views
16K
Brink
Brink
  • Article Article
Browsers and Mail Enable or Disable Secure DNS over HTTPS (DoH) in Microsoft Edge
Replies
6
Views
32K
Battleroyale
B

Latest Support Threads

Latest Tutorials

Back
Top Bottom