How to Change DNS in Windows 11: DoH Setup, GUI and PowerShell Guide

Changing your DNS server in Windows 11 is one of the quickest, least‑risky tweaks that can improve page load times, increase privacy, and enable encrypted DNS for system‑wide protection — this guide walks through every method (Settings GUI, Control Panel, Command Prompt, PowerShell), explains DNS over HTTPS (DoH) in Windows 11, and gives practical troubleshooting, security tradeoffs, and real‑world recommendations for home and managed environments.

Background / Overview

DNS (Domain Name System) is the service that turns human‑readable domain names like example.com into IP addresses your PC can reach. By default most PCs use DNS servers assigned by the ISP via DHCP, but you can point Windows 11 to other resolvers — public providers such as Cloudflare (1.1.1.1), Google Public DNS (8.8.8.8), OpenDNS, or privacy‑centric resolvers — to change performance, filtering, and privacy characteristics. Changing DNS is supported in multiple places in Windows 11: the Settings app (GUI), legacy Control Panel / adapter properties, Command Prompt (netsh), and PowerShell (the modern method).
This article gives a step‑by‑step walkthrough for each approach, shows how to verify the change, explains how to enable DNS over HTTPS (DoH) system‑wide in Windows 11, and analyses the benefits and risks of switching resolvers.

Quick summary: what you’ll learn

  • How to change DNS for Wi‑Fi and Ethernet using Windows 11 Settings (GUI).
  • How to set DNS with PowerShell (recommended for precision and scripting).
  • Legacy CLI with netsh and Command Prompt examples.
  • How to enable and verify DNS over HTTPS (DoH) in Windows 11 and what it protects.
  • Practical troubleshooting for common errors (managed adapters, local DNS proxies, VPNs).

Why change DNS? The practical benefits

Changing DNS can deliver measurable benefits — but results vary by network, ISP, and location.
  • Speed: Some public resolvers respond faster or have better global distribution than ISP resolvers, reducing name‑lookup latency. Use a local benchmark to compare.
  • Reliability: Big public resolvers generally have excellent uptime and redundancy.
  • Security & Filtering: Providers such as OpenDNS or Quad9 offer optional blocking of known malware, phishing, or adult content.
  • Privacy: Encrypted DNS transports (DoH/DoT) hide DNS queries from local network observers and some ISPs. But trust shifts to the resolver operator — review privacy policies.
Note: exact speed improvements depend on geographic proximity, resolver caching, and your ISP’s performance; treat claims of consistent “faster browsing” as situational and verify with benchmarks.

Overview: Where you can change DNS in Windows 11

  • Settings app (Network & internet → Wi‑Fi or Ethernet → adapter → DNS server assignment → Edit). This is the modern GUI and exposes encrypted DNS options (DoH) on supported builds.
  • Control Panel / Network Connections → adapter properties → IPv4/IPv6 settings (classic method).
  • PowerShell: Set-DnsClientServerAddress (recommended for scripting, automation, and avoiding naming/quoting issues).
  • Command Prompt (netsh): netsh interface ipv4 set dns and netsh interface ipv4 add dns (legacy but still useful).

Step‑by‑step: Change DNS using Windows 11 Settings (GUI)

This is the easiest option for most users and supports DNS encryption where available.
  1. Press Windows key + I to open Settings. Click Network & internet.
  2. Choose Wi‑Fi (if on wireless) or Ethernet (if wired). Click the active network (the adapter entry — not the top “Properties” header).
  3. Scroll to DNS server assignment and click Edit.
  4. In the Edit dialog, change from Automatic (DHCP) to Manual. Toggle IPv4 to On (and IPv6 if you use IPv6).
  5. Enter the Preferred DNS (primary) and Alternate DNS (secondary) IPv4 addresses (examples below). If your provider supports DoH and Windows exposes it, you’ll also see an Encryption dropdown — choose “Encrypted only (DNS over HTTPS)” or “Encrypted, if available”, depending on your preference.
  6. Click Save.
Tip: After saving, Windows will often show the configured DNS entries with “(Encrypted)” if DoH is active.

Step‑by‑step: Change DNS in Control Panel (classic method)

  1. Press Windows + R, type ncpa.cpl and press Enter to open Network Connections.
  2. Right‑click the active adapter (Wi‑Fi or Ethernet) → Properties.
  3. Select Internet Protocol Version 4 (TCP/IPv4) → Properties.
  4. Choose Use the following DNS server addresses and enter Preferred / Alternate DNS. For IPv6, use Internet Protocol Version 6 (TCP/IPv6).
  5. Click OK to apply and close.
This legacy flow is still useful on older builds or if you prefer Control Panel.

PowerShell: the recommended, reliable method (for power users and automation)

PowerShell avoids interface‑name quoting issues and is scriptable.
  1. Open PowerShell as Administrator.
  2. List your adapters and current DNS with:
    • Get-NetAdapter | Format-Table -Auto
    • Get-DnsClientServerAddress
  3. Set DNS on an adapter (replace the InterfaceAlias value with the name shown by Get-NetAdapter, e.g., "Wi-Fi" or "Ethernet"; type the hyphen as a plain ASCII "-"):
    • Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ServerAddresses ("1.1.1.1","1.0.0.1")
  4. To revert to DHCP:
    • Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ResetServerAddresses
  5. Flush DNS cache with: ipconfig /flushdns.
PowerShell is the least error‑prone CLI method and integrates well with inventories and management scripts.
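
The steps above can be combined into one script that records the existing configuration, tests the new resolvers before applying them, and rolls back if resolution breaks. This is an added example, not part of the original guide; it handles IPv4 only, and the adapter name, server list and test name are assumptions to adjust.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide. IPv4 only.
# $Alias, $NewServers and $TestName are illustrative assumptions.
param(
    [string]   $Alias      = 'Wi-Fi',
    [string[]] $NewServers = @('1.1.1.1', '1.0.0.1'),
    [string]   $TestName   = 'example.com'
)
$ErrorActionPreference = 'Stop'

# 1. Record the current state. A non-empty NameServer registry value means the
#    adapter has static IPv4 DNS; an empty value means DNS comes from DHCP.
$adapter    = Get-NetAdapter -Name $Alias
$regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\' + $adapter.InterfaceGuid
$wasStatic  = [bool](Get-ItemProperty -Path $regPath).NameServer
$oldServers = (Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4).ServerAddresses

function Restore-Dns {
    # Restore the previous IPv4 servers, or return the adapter to DHCP.
    if ($wasStatic) {
        Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $oldServers
    } else {
        Set-DnsClientServerAddress -InterfaceAlias $Alias -ResetServerAddresses
    }
    Clear-DnsClientCache
}

# 2. Query each candidate resolver directly before touching the adapter.
#    A failure here throws and leaves the configuration unchanged.
foreach ($server in $NewServers) {
    Resolve-DnsName -Name $TestName -Server $server -DnsOnly -QuickTimeout | Out-Null
}

# 3. Apply, flush the cache, then confirm the system resolver still answers.
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $NewServers
Clear-DnsClientCache
try {
    Resolve-DnsName -Name $TestName -DnsOnly | Out-Null
    Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4
} catch {
    Write-Warning 'Resolution failed after the change; restoring the previous DNS settings.'
    Restore-Dns
    throw
}
```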

Command Prompt / netsh: legacy CLI examples

Use netsh if you prefer the old commands or scripting compatibility with older Windows versions.
  • Set primary DNS:
    • netsh interface ipv4 set dns name="Wi-Fi" source=static addr=8.8.8.8
  • Add a secondary DNS:
    • netsh interface ipv4 add dns name="Wi-Fi" addr=8.8.4.4 index=2
  • Revert to DHCP:
    • netsh interface ipv4 set dns name="Wi-Fi" source=dhcp
Caveats: netsh can be sensitive to exact interface names and quoting; PowerShell often avoids these pitfalls.

Verifying the change and basic diagnostics

After changing DNS, verify the settings and test resolution.
  • GUI check: Settings → Network & internet → adapter → the DNS Servers line should display your configured addresses (and “(Encrypted)” if DoH is active).
  • Command line: ipconfig /all — look under the active adapter for DNS Servers.
  • Test resolution directly against a resolver: nslookup google.com 8.8.8.8 and nslookup google.com — comparing results helps isolate whether the system resolver or a specific DNS server is responding.
  • Flush the DNS cache: ipconfig /flushdns.

Enabling DNS over HTTPS (DoH) system‑wide in Windows 11

Windows 11 exposes DoH options in the Settings UI on supported builds and allows system‑wide encrypted DNS so every app benefits, not only browsers.
  • In the adapter Edit dialog (Settings → Network & internet → adapter → Edit), after entering DNS IPs, choose the Encryption option “Encrypted only (DNS over HTTPS)” or “Encrypted, if available”. Windows will then select a DoH template automatically for many known providers or allow custom templates for others. When enabled, the connection properties annotate servers with “(Encrypted)”.
What DoH protects:
  • Hides DNS queries from local network observers and ISPs.
  • Prevents simple on‑path DNS tampering.
Tradeoffs and caveats:
  • Trust moves from your ISP to the DoH provider — review logging and privacy policies.
  • Some enterprise and AD environments require careful planning; enabling strict DoH can break internal name resolution if domain services expect plaintext DNS. Microsoft warns about applying “Require DoH” without planning for Active Directory environments.
  • Some network appliances expect plaintext DNS and may misbehave; in those cases choose “Encrypted, if available” rather than forcing encryption.
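
To see how the configured resolvers line up with the DoH templates Windows knows about, the following added example (not part of the original guide) lists every DNS server on every adapter with its registered template and fallback setting, and flags loopback resolvers such as a local DNS proxy. The commented-out registration at the end uses placeholder values for a hypothetical custom resolver.

```powershell
# Added example, not from the original guide: report, per adapter, whether each
# configured DNS server has a DoH template registered in Windows.

# Index the registered DoH templates by server address.
$templates = @{}
Get-DnsClientDohServerAddress | ForEach-Object { $templates[$_.ServerAddress] = $_ }

$report = Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $iface = $_
        foreach ($server in $iface.ServerAddresses) {
            $t = $templates[$server]
            [pscustomobject]@{
                Interface     = $iface.InterfaceAlias
                Server        = $server
                DohTemplate   = if ($t) { $t.DohTemplate } else { '(none registered)' }
                AutoUpgrade   = if ($t) { $t.AutoUpgrade } else { $false }
                # True means Windows may fall back to plaintext DNS for this server.
                FallbackToUdp = if ($t) { $t.AllowFallbackToUdp } else { $null }
                # A loopback address points at a local proxy (VPN client, security suite).
                Loopback      = $server -in '127.0.0.1', '::1'
            }
        }
    }

$report | Sort-Object Interface, Server -Unique | Format-Table -AutoSize

# Registering a template for a resolver Windows does not already know
# (placeholder address and URL; requires an elevated session):
# Add-DnsClientDohServerAddress -ServerAddress '192.0.2.53' `
#     -DohTemplate 'https://doh.example.net/dns-query' `
#     -AllowFallbackToUdp $false -AutoUpgrade $true
```

A registered template only shows that Windows has a DoH endpoint for that address; the “(Encrypted)” label in Settings remains the confirmation that the adapter is using it.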

Popular public DNS providers (addresses you can copy/paste)

  • Google Public DNS: 8.8.8.8, 8.8.4.4 (IPv6: 2001:4860:4860::8888, 2001:4860:4860::8844).
  • Cloudflare DNS: 1.1.1.1, 1.0.0.1 (IPv6: 2606:4700:4700::1111, 2606:4700:4700::1001).
  • OpenDNS (Cisco): 208.67.222.222, 208.67.220.220.
  • Quad9: 9.9.9.9, 149.112.112.112 (supports DoH/DoT and filtering options).
These addresses are widely used; many providers also publish DoH template endpoints (e.g., Cloudflare’s cloudflare-dns.com or Google’s dns.google/dns-query) that Windows can use when configuring encrypted DNS.

Router vs PC: where to change DNS?

  • Changing DNS on the router applies to all devices on your LAN, which is convenient if you want a household‑wide resolver. However, router UIs vary, and not all support DoH/DoT.
  • Changing DNS on the Windows 11 PC affects only that device and can enable system DoH where the router lacks it. That offers per‑device control and is preferred when different devices need different policies.
Recommendation: For home users who want network‑wide parental controls or filtering, set the router DNS. For power users who want per‑device DoH and testing, configure per‑PC DNS in Windows 11.

Troubleshooting: common errors and how to fix them

  1. “The configured DNS server is incorrect or does not exist” (netsh error): usually due to wrong interface name, quoting issues, wrong IP family, or adapter managed by DHCP/GPO. Use PowerShell (Set-DnsClientServerAddress) to avoid name quoting problems.
  2. Changes revert or cannot be applied: the adapter may be managed by DHCP or Group Policy — domain‑joined machines often have policies locking DNS; consult your IT admin before changing.
  3. DNS still shows 127.0.0.1: some security suites, VPNs, or local DNS proxies use a localhost resolver. Disable or reconfigure that software if it interferes.
  4. DNS lookups fail after change: test with nslookup google.com 8.8.8.8 to confirm external resolvers respond; check ipconfig /all for adapter DNS values and restart the DNS Client service (sc query dnscache, net start dnscache) if necessary.
If you still have problems, gather diagnostic output (ipconfig /all, sc query dnscache, netsh winhttp show proxy, nslookup tests) and consult support with the outputs; these lines usually reveal whether Windows is using the configured resolver or a local proxy.

Security and privacy analysis — strengths and risks

Strengths:
  • Encrypted DNS (DoH) meaningfully reduces local eavesdropping and simple DNS manipulation. When configured system‑wide, every app benefits.
  • Reputable public resolvers provide fast global infrastructure and optional threat blocking.
Risks and tradeoffs:
  • Trust shift: switching to a third‑party resolver hands your query metadata to that operator. DoH hides DNS from the local network but does not make you anonymous — the resolver sees the queries. Evaluate providers’ logging and retention policies.
  • Enterprise risks: For domain‑joined computers, forcing DoH can break internal resolution and group policy functionality if not planned and tested. Microsoft explicitly warns administrators to plan before requiring DoH on AD‑joined machines.
  • Network compatibility: Some appliances or parental controls expect plaintext DNS; encrypted DNS can bypass or break those filters unless solved at the resolver level. Choose “Encrypted if available” in mixed networks.
Flagging unverifiable claims: Public DNS providers sometimes claim “faster browsing” — this is situational and depends on your location, routing, and ISP caching. Always benchmark before assuming a universal speed gain.

Best practices and practical recommendations

  • For general users: try Cloudflare (1.1.1.1) or Google (8.8.8.8) and measure real‑world impact. Use the Settings GUI for simplicity.
  • For privacy‑conscious users: pick a provider with a clear no‑logging or minimal‑logging policy and enable DoH in Windows 11 when available. Remember that DoH moves trust to that resolver.
  • For households: configure DNS at the router if you want consistent behavior across devices and parental filters; test whether your router supports DoH/DoT.
  • For enterprise: coordinate with IT. Avoid forcing DoH or changing DNS on AD‑joined machines without planning, as internal name resolution can be impacted.
  • Always keep a record of the original (automatic) setting so you can revert quickly: Settings → Edit → Automatic (DHCP) or PowerShell -ResetServerAddresses.

Advanced topics (briefly)

  • DNS over TLS (DoT) is an alternative encrypted transport popular with network operators — Windows does not expose a simple system DoT toggle in the same Settings dialog as DoH; it’s more commonly implemented on routers or via resolver clients.
  • Oblivious DoH (ODoH) exists to separate the client’s IP from the query content for stronger privacy, but adoption is limited compared with DoH/DoT.
  • Using a local DNS proxy (e.g., DNSCrypt or a Pi‑hole) provides filtering and local auditing; when using such a local resolver, configure it to forward to a DoH/DoT upstream to keep encryption to the internet.

Example checklist before and after changing DNS

  1. Backup current settings (note “Automatic (DHCP)” or adapter IPs).
  2. Choose a primary and secondary DNS (IPv4 and optional IPv6).
  3. Apply settings via Settings, PowerShell, or netsh.
  4. Flush DNS: ipconfig /flushdns.
  5. Verify with ipconfig /all, Get-DnsClientServerAddress, and nslookup.
  6. If using DoH, confirm “(Encrypted)” appears in the adapter properties or check Get-DNSClientDohServerAddress in PowerShell.

Final verdict — is changing DNS in Windows 11 worth it?

For most home users, changing DNS is a low‑cost, reversible tweak that can deliver faster lookups, optional malware filtering, and — if enabled with DoH — stronger privacy on untrusted networks. Power users and administrators will appreciate PowerShell’s Set-DnsClientServerAddress for repeatable, scriptable changes. However, the real benefits depend on your network and chosen provider; encrypted DNS shifts trust rather than eliminates it, and enterprise environments require caution. Use benchmarks and verify behavior after the change, and revert to DHCP quickly if something breaks.

By following the step‑by‑step instructions above and keeping the security and compatibility considerations in mind, you can confidently change DNS in Windows 11 to match your priorities — speed, privacy, or filtering — while retaining a safe path back to your original configuration.

Source: MSPoweruser How To Change DNS In Windows 11: A Step-by-Step Guide
 
