For privacy-conscious Windows users, encrypting DNS in Windows 11 is one of those rare, high-impact, low-effort settings that delivers real protection with almost no downside — and it’s now easier to enable system‑wide than most people realize. The recent How‑To Geek walkthrough frames the change as an “overlooked” privacy upgrade and gives a practical GUI walkthrough for turning on DNS over HTTPS (DoH) in Settings; the same technique applies whether you choose Cloudflare, Google, or another supported resolver.

Windows 11 network settings window showing DNS/HTTPS options against a circuit-themed background.

Background

DNS is the internet’s address book: every time you type a domain name into a browser, your device asks a DNS resolver for the numeric IP address that corresponds to that textual name. That lookup traditionally happens in plaintext and is visible to anyone who can observe your network traffic: your ISP, a corporate network, or an attacker on an open Wi‑Fi hotspot. Encrypting DNS prevents that passive observation and closes off a potent attack surface — DNS hijacking and tampering — that attackers and misconfigured middleboxes can exploit.
Windows 11 (and Windows Server editions) now include built‑in client support for encrypted DNS transports such as DNS over HTTPS (DoH). Microsoft’s DNS client will use DoH when a configured DNS server is on the OS’s list of known DoH‑capable endpoints; administrators can also manage DoH through Group Policy, and the client supports several policy modes (Allow, Prohibit, Require). These platform‑level controls make it practical to protect all applications on the PC, not just a browser.

Encrypted DNS: how it works and what’s available

Types of encrypted DNS (short primer)

  • DNS over HTTPS (DoH) — wraps DNS queries inside standard HTTPS traffic. That makes queries hard to identify and intercept and helps them blend in with regular web traffic. Major public resolvers and browsers support DoH.
  • DNS over TLS (DoT) — creates a dedicated TLS session for DNS on a well‑known port (853). DoT is easy for network operators to detect (and sometimes block) but still provides strong encryption and integrity protection.
  • Oblivious DoH (ODoH) — an extra privacy layer that separates the who from the what. A relay (proxy) forwards encrypted DoH requests to a resolver so that no single operator sees both your IP and your query content. ODoH reduces the trust placed in any single party, but adoption is still limited compared with DoH/DoT.

Why encrypted DNS matters

  • Stops passive observers from logging your lookups. Even when sites use HTTPS, your DNS lookups reveal which domains you contact. Encryption hides those lookups from ISPs and on‑path eavesdroppers.
  • Reduces the attack surface for DNS manipulation. Tampering with DNS can redirect you to phishing or malware sites; encrypted DNS makes such tampering significantly harder.
  • System‑wide protection when enabled at the OS level. Configuring DoH at the Windows client level protects browsers, games, and any app that relies on the system resolver, not just a browser with built‑in DoH.

Tradeoffs and important caveats

  • Trust shifts to the resolver operator. Switching from your ISP’s DNS to Cloudflare, Google, or another public resolver moves trust away from the ISP and toward that third party. Evaluate privacy policies and logging practices for any provider you pick. The feature is privacy‑enhancing, not privacy‑neutral — you still have to pick who you trust with queries.
  • Enterprise and AD environments require care. If you enable DoH site‑wide or require DoH via Group Policy for domain‑joined machines, Active Directory name resolution and some domain services may break unless carefully managed. Microsoft explicitly warns against enabling “Require DoH” on AD‑joined systems without planning.
  • Network compatibility & diagnostics. Some networks and appliances expect plaintext DNS and may not behave well when clients use encrypted transports; in those environments you may need to use “encrypted if available” or consult your network administrator.
  • Provider reliability and incidents. Large resolvers are robust, but outages do happen. One real‑world example: Cloudflare documented an incident that impacted queries to its 1.1.1.1 addresses and noted how DoH clients that used domain endpoints were more resilient than clients that hard‑coded IPs. That’s a practical reminder to check provider status pages and consider redundancy.

Hands‑on: enabling DNS over HTTPS in Windows 11 (system‑wide)

The native Windows 11 route is straightforward and takes less than five minutes. The steps below consolidate the GUI flow described in the How‑To‑Geek walkthrough and Microsoft’s documentation, and include the exact resolver addresses most users choose.
  • Open Settings (Win + I).
  • Go to Network & Internet.
  • Click the connection you use (Wi‑Fi or Ethernet). Don’t use the top‑level “Properties” entry; select the adapter itself and then open Hardware properties for that connection.
  • Under DNS server assignment, click Edit.
  • Change from Automatic (DHCP) to Manual.
  • Toggle IPv4 (or IPv6 if you prefer) to On.
  • Enter the Preferred and Alternate DNS addresses for the provider you choose (addresses below).
  • In the DNS over HTTPS dropdown directly under the IP fields, choose On (automatic template) or Encrypted only (DNS over HTTPS) depending on how strict you want to be.
  • Click Save.
When enabled, Windows will annotate the DNS servers in the connection properties with “(Encrypted)” so you can visually confirm the client is using DoH. If the encryption options are greyed out, Group Policy or system management may be preventing changes — check the policy settings and the “Some settings are managed by your organization” banner in Settings.
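The same change made from an elevated PowerShell prompt, as an added example (not code from the How‑To Geek article or from Microsoft’s documentation). It assumes the adapter is named “Wi-Fi” and uses the Cloudflare addresses and DoH template from the provider list below; the cmdlets are the DnsClient module’s Add-/Set-DnsClientDohServerAddress and Set-DnsClientServerAddress.

```powershell
#Requires -RunAsAdministrator
# Added example: the Settings steps above as PowerShell. ASSUMPTION: the adapter is named
# 'Wi-Fi' (check Get-NetAdapter). Uses the Cloudflare addresses and DoH template from the list.
$Adapter = 'Wi-Fi'
$Servers = [ordered]@{                         # preferred first, alternate second
    '1.1.1.1' = 'https://cloudflare-dns.com/dns-query'
    '1.0.0.1' = 'https://cloudflare-dns.com/dns-query'
}
# "Encrypted only" = no plaintext fallback. Set to $true for "encrypted if available".
$AllowPlaintextFallback = $false

# Step 1: make sure the DNS client knows each resolver's DoH template and upgrades to DoH
foreach ($ip in $Servers.Keys) {
    $params = @{ ServerAddress = $ip; DohTemplate = $Servers[$ip]
                 AllowFallbackToUdp = $AllowPlaintextFallback; AutoUpgrade = $true }
    if (Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $ip) {
        Set-DnsClientDohServerAddress @params    # entry exists (Windows ships a known list)
    } else {
        Add-DnsClientDohServerAddress @params
    }
}

# Step 2: DHCP -> Manual: point the adapter at those resolvers
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses ([string[]]$Servers.Keys)

# Step 3: drop cached answers and confirm what the client will do
Clear-DnsClientCache
Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4
Get-DnsClientDohServerAddress | Where-Object { $Servers.Contains($_.ServerAddress) }
netsh dns show encryption

# Roll back to DHCP-assigned resolvers if something breaks:
#   Set-DnsClientServerAddress -InterfaceAlias $Adapter -ResetServerAddresses
```

The Settings dialog reads its per‑adapter DoH choice from its own store, so after running this, re‑open the adapter’s DNS settings to confirm the “(Encrypted)” annotation rather than relying on the script output alone.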

Common provider IP addresses (copy‑paste)

  • Cloudflare (IPv4): 1.1.1.1 and 1.0.0.1. (IPv6): 2606:4700:4700::1111 and 2606:4700:4700::1001. Use the DoH endpoint cloudflare-dns.com when a client needs a template or domain endpoint.
  • Google Public DNS (IPv4): 8.8.8.8 and 8.8.4.4. (IPv6): 2001:4860:4860::8888 and 2001:4860:4860::8844. Google supports DoH via the dns.google/dns-query endpoint.
  • Quad9 (common alternative): 9.9.9.9 and 149.112.112.112 (Quad9 also supports DoH/DoT).
If your ISP supports IPv6 you can enable IPv6 DoH in the same dialog; if the network does not have IPv6 connectivity, leave IPv6 off to avoid connectivity issues. Many how‑to guides suggest enabling both IPv4 and IPv6 DoH where available.

Verifying the setup and useful diagnostic commands

  • Windows Settings will show “(Encrypted)” next to the DNS server lines after successful configuration. That’s the quickest GUI confirmation.
  • From an elevated PowerShell, you can list the DoH‑capable servers known to the DNS client and query configuration with:
      • Get-DnsClientDohServerAddress (lists configured DoH addresses and templates).
  • Use netsh or Get-DnsClient commands to inspect adapter DNS settings; the legacy netsh interface also has “netsh dns show encryption” to see encryption status on some builds.
  • If name resolution fails after switching settings, revert the DNS addresses to the previous values, or switch the encryption dropdown to “encrypted if available” until you resolve the compatibility issue.

Beyond the basics: ODoH, privacy tradeoffs, and real‑world considerations

ODoH: stronger privacy but limited deployment

Oblivious DoH (ODoH) is a meaningful step forward because it separates query content from client identity by routing encrypted queries through a proxy. That reduces the single‑operator trust model: even a resolver operator can’t link your IP to the query if you use a non‑colluding proxy. Cloudflare, Apple and partners helped craft the protocol and have production deployments and tooling for ODoH, but support is not yet pervasive across consumer clients and routers. Expect ODoH to be a privacy option for tech‑savvy users and services first, rather than a default for every consumer.

Where DoH helps — and where it doesn’t

  • DoH effectively hides which domains you look up from on‑path observers, and prevents straightforward DNS tampering. It does not hide the destination IP addresses of your connections once you connect, nor does it prevent server‑side tracking (e.g., logging by websites you sign into).
  • If you already use a VPN that tunnels DNS through the VPN, DoH at the OS level may be redundant. If the VPN implements DNS proxying inside the tunnel, the VPN’s DNS configuration controls the lookup behavior. In most cases, DoH is complementary to — not a replacement for — a properly configured VPN.

Trust & centralization risks

Switching from ISP DNS to a big public resolver concentrates metadata (even if encrypted in transit) into fewer operators. That consolidation brings benefits (speed, global anycast, DNSSEC support) and risks (single‑operator visibility, legal jurisdiction, subpoena risk). Users should weigh provider privacy policies and consider multi‑resolver strategies or privacy‑focused options when appropriate. Real‑world incidents — like the Cloudflare resolver outage — demonstrate that resilience planning matters.

Enterprise & admin guidance

  • Group Policy controls. Administrators can allow, prohibit, or require DoH via Group Policy settings in Computer Configuration → Administrative Templates → Network → DNS Client. Use the “Require DoH” option only after validating all domain services because AD relies heavily on DNS and many AD components do not use DoH. Microsoft documents this explicitly.
  • Policy modes to know:
      • Allow (client uses DoH if servers support it)
      • Prohibit (no DoH)
      • Require (DoH mandatory — name resolution fails if servers don’t support DoH) — avoid on AD domain controllers unless you know what you’re doing.
  • Testing and rollout. Pilot in a controlled group, monitor resolution health and tooling (e.g., AD replication tests, AD‑dependent services), and roll back if you encounter issues with appliances that assume plaintext DNS.
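An audit script that ties together the verification commands from the earlier section and the policy modes just listed, as an added example (not the article’s or Microsoft’s code). It reads the DNS client’s known‑DoH‑server list and the DoHPolicy registry value under the DNS Client policy key; the value mapping 1=Prohibit, 2=Allow, 3=Require is my reading of the DNS Client policy template and is an assumption to confirm against your ADMX files. Per‑adapter choices made in the Settings dialog are stored separately and are not read here.

```powershell
#Requires -RunAsAdministrator
# Added example: for every active adapter, report whether each configured resolver will be
# queried over DoH at the DNS-client level, plus the Group Policy DoH mode.
# ASSUMPTION: DoHPolicy 1=Prohibit, 2=Allow, 3=Require (confirm against DNSClient.admx).
function Get-DohAudit {
    # Index the DoH-capable servers the client knows, by IP address
    $doh = @{}
    Get-DnsClientDohServerAddress | ForEach-Object { $doh[$_.ServerAddress] = $_ }

    # Group Policy mode; a missing key or value means "not configured"
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $value = (Get-ItemProperty -Path $policyKey -Name DoHPolicy -ErrorAction SilentlyContinue).DoHPolicy
    $mode = switch ($value) { 1 { 'Prohibit' } 2 { 'Allow' } 3 { 'Require' } default { 'Not configured' } }

    $servers = foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        $addrs = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex).ServerAddresses |
                 Where-Object { $_ -notlike 'fec0:0:0:ffff::*' }   # skip Windows' IPv6 placeholders
        foreach ($ip in $addrs) {
            $entry = $doh[$ip]
            $status = if (-not $entry)                    { 'plaintext only (no DoH template known)' }
                      elseif (-not $entry.AutoUpgrade)    { 'DoH known but not enabled' }
                      elseif ($entry.AllowFallbackToUdp)  { 'DoH, may fall back to plaintext' }
                      else                                { 'encrypted only' }
            [pscustomobject]@{
                Adapter     = $nic.Name
                Server      = $ip
                DohTemplate = if ($entry) { $entry.DohTemplate } else { '' }
                Status      = $status
            }
        }
    }
    [pscustomobject]@{ PolicyMode = $mode; Servers = $servers }
}

$audit = Get-DohAudit
"Group Policy DoH mode: $($audit.PolicyMode)"
$audit.Servers | Format-Table -AutoSize
# Under 'Require', any server reported as 'plaintext only' would stop resolving entirely,
# which is the failure mode the AD warning above is about.
```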

Troubleshooting quick hits

  • If the DNS encryption dropdown is greyed out, check for Group Policy restrictions or a device management profile that blocks changes.
  • If sites fail to load after enabling IPv6 DoH, disable IPv6 in the DNS edit dialog (or ensure your network actually supports IPv6). Misconfigured IPv6 DNS can cause resolution failures even when IPv4 remains functional.
  • When in doubt, test resolution with the prior addresses (or DHCP automatic) and use the diagnostics commands above to confirm what the client is attempting.

Final analysis — who should enable encrypted DNS today?

  • Everyday users seeking a meaningful privacy improvement: Enabling DoH in Windows 11 is an accessible, system‑wide upgrade that prevents passive observers from seeing domain lookups. It’s a recommended privacy step for most non‑enterprise users who are comfortable choosing a public DNS operator.
  • Privacy‑sensitive users who want to reduce single‑party trust: Consider ODoH when client support and provider options exist for your platform, but be aware adoption is still nascent and tooling is more limited.
  • Enterprises and administrators: Treat DoH as a policy decision. Use Group Policy to enforce an appropriate mode, test for Active Directory compatibility, and use managed resolver choices that meet your compliance and auditing requirements.
Encrypted DNS in Windows 11 is an elegant, practical improvement: it’s quick to activate, protects the entire system, and significantly reduces an easy surveillance vector. It’s not a silver bullet — you still need end‑to‑end HTTPS, robust account hygiene, and sensible choices about which network services you trust — but as a single setting, enabling DoH offers a strong privacy ROI and should be near the top of any Windows 11 privacy checklist.

Practical checklist (summary):
  • Pick a resolver (Cloudflare, Google, Quad9, or a trusted alternative).
  • Settings → Network & Internet → [Your adapter] → Hardware properties → Edit DNS → Manual → add resolver IPs → DNS over HTTPS: On → Save.
  • Verify “(Encrypted)” appears, check Get-DnsClientDohServerAddress / netsh for status, and test browsing under normal conditions.
Flag: ODoH adoption and resolver trust are evolving; treat any single claim of “perfect privacy” with skepticism and confirm provider policies and operational status before making organizational or compliance decisions.

Source: How-To Geek The Overlooked Windows 11 Privacy Upgrade That Just Works