If you’ve been keeping an eye on the recent security landscape, you may have heard of DNS over HTTPS, often shortened to DoH. But what is this new protocol, why do you need it, and how do you enable DNS over HTTPS in Windows 11? We’ll be covering all of this today, starting with the “what”.
What is DoH and how does it differ from DNS over TLS?
DNS over HTTPS (DoH) is a protocol introduced in 2018 that seeks to hide DNS queries and responses by passing the traffic through an encrypted HTTPS session. In doing so, it both improves user privacy and prevents attackers from spoofing or altering DNS traffic for malicious purposes.
It’s important to note that DNS over HTTPS is not the same as DNS over TLS (DoT). Though both encrypt DNS traffic, they differ in a key aspect: the port they use. DoT uses a dedicated port, 853, while DoH uses port 443. Why does the port matter? Though DoT is encrypted, an admin watching the network can see that DNS requests are coming and going on that port, even if encryption makes it a struggle to see their contents.
DoH, however, uses the same port as all other HTTPS traffic, such as web browsing. It’s camouflaged within the massive amounts of HTTPS data flowing in and out of the network. This is good if you’re looking for privacy, as it makes it difficult for network admins to maintain visibility. It can be a bad thing for network managers, though, as it makes it more difficult for them to block malicious DNS queries.
Which browsers support DNS-over-HTTPS?
Browser-level support lets you force your browser to use DNS over HTTPS separately from the rest of your operating system and applications. Due to the protocol’s relative newness, not every browser offers this at the time of writing, but most major browsers do, including:
- Chrome (Version 83+)
- Microsoft Edge (Version 86+)
- Firefox (Version 62+)
- Bromite (Version 67.0.3396.88+)
Several other tools with DoH support, as well as a list of publicly available DoH servers, are listed on this GitHub.
With all that said, let’s take a look at how to change your DNS in Windows 11 and use DNS over HTTPS:
How to Enable DNS over HTTPS (DoH) on Windows 11
Recent versions of Windows 10, as well as Windows 11, let you enable encrypted DNS via the Windows DNS settings menu. This makes things pretty simple and intuitive.
- Open Settings
Press the Start button and click “Settings” in your pinned apps. If it’s not there, you can press “Windows + I” instead.
- Press “Network & Internet” in the sidebar, then “Properties” next to your network name
You may have multiple networks here if you’re connected to both WiFi and Ethernet. You can just choose the one you’re currently using.
- Press “Edit” under the “DNS server assignment” heading
- OR: Click “Change DNS settings for all Wi-Fi networks”
You’ll only be able to press this if you’ve previously modified the settings for all Wi-Fi networks.
- Change “Automatic (DHCP)” to “Manual”
- Toggle IPv4 to “On”
- Enter a DNS address in the “Preferred DNS” field
For reference, this is also how to change DNS in Windows 11 normally, without DoH.
You should set your DNS to a public DNS provider. In our case, we chose Quad9, with the IP address 188.8.131.52. You’ll find more options in the section below.
- Change “Preferred DNS encryption” to “Encrypted only (DNS over HTTPS)”
- Enter an alternate DNS address
For Quad9, the alternative IPv4 address is 184.108.40.206. You can see the alternate addresses of other providers in the section below.
- Change “Alternate DNS encryption” to “Encrypted only (DNS over HTTPS)”
- Press “Save”
Your DNS changes will apply near instantly. You can check if it’s working by visiting this DNS over HTTPS test page and making sure the DoH field says “Yes”.
- OR: Enter an IPv6 DNS address
If you prefer to use IPv6 due to its increased address space and other advantages, toggle on “IPv6” instead.
Note: You only need to choose either IPv4 or IPv6, not both.
- Enter an IPv6 DNS address in the “Preferred DNS” field
For example, the Google DNS in IPv6 is 2001:4860:4860::8888. We’ll be using Quad9 again, however, which uses the address “2620:fe::fe”.
- Change the “Preferred DNS encryption” to “Encrypted only (DNS over HTTPS)”
- Enter an alternate IPv6 DNS address in the “Alternate DNS” field
For Quad9, that means entering “2620:fe::9”.
- Change the “Alternate DNS encryption” field to “Encrypted only (DNS over HTTPS)”
- Press “Save”
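As a command-line check on the result of the steps above, this added PowerShell example (not part of the original article) lists every DNS server configured on the machine and reports whether Windows has a DoH template registered for it and whether plaintext fallback is allowed. It only reads configuration, using the Get-DnsClientServerAddress and Get-DnsClientDohServerAddress cmdlets from the Windows DnsClient module; the report column names are our own.

```powershell
# Added example: read-only audit of DoH readiness per configured DNS server.
# Needs the DoH-aware DnsClient module (Windows 11 / Windows Server 2022).

# Index the DoH servers Windows knows about, keyed by normalized IP address.
$known = @{}
Get-DnsClientDohServerAddress | ForEach-Object {
    $known[([ipaddress]$_.ServerAddress).ToString()] = $_
}

# Walk every interface and every DNS server assigned to it (IPv4 and IPv6).
$report = foreach ($cfg in Get-DnsClientServerAddress) {
    foreach ($server in $cfg.ServerAddresses) {
        $ip  = [ipaddress]$server
        $doh = $known[$ip.ToString()]

        # Classify the server from a defender's point of view.
        $status = if (-not $doh) {
            'No DoH template registered: plaintext DNS only'
        } elseif ($doh.AllowFallbackToUdp) {
            'DoH capable, but plaintext fallback is allowed'
        } else {
            'DoH capable, no plaintext fallback'
        }

        [pscustomobject]@{
            Interface   = $cfg.InterfaceAlias
            Family      = if ($ip.AddressFamily -eq 'InterNetworkV6') { 'IPv6' } else { 'IPv4' }
            Server      = $ip.ToString()
            DohTemplate = if ($doh) { $doh.DohTemplate } else { '' }
            AutoUpgrade = if ($doh) { $doh.AutoUpgrade } else { $false }
            Status      = $status
        }
    }
}

# Interfaces without a manual IPv6 DNS entry may list Windows' default
# fec0:0:0:ffff::* placeholders; these will show up as plaintext only.
$report | Sort-Object Interface, Family, Server | Format-Table -AutoSize -Wrap
```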
The Best Free DNS Servers for Windows 11
Now that you know how to enable DNS over HTTPS in Windows 11, you may want to explore more Windows 11 DNS options. Different DNS services offer different features and performance, with the closest servers to you typically delivering the lowest ping.
Here are some of the best free Windows DNS over HTTPS options. We’ll present them in the “IPv4/Alternate IPv4 | IPv6/Alternate IPv6” format:
- OpenDNS: 220.127.116.11/18.104.22.168 | 2620:119:35::35/2620:119:53::53
- Owned by networking giant Cisco, OpenDNS is fast, secure, and offers an additional “Family Shield” option for those who have kids.
- Cloudflare: 22.214.171.124/126.96.36.199 | 2606:4700:4700::1111/2606:4700:4700::1001
- Cloudflare is best known for its DDoS protection/CDN technology, but it also introduced a free DNS service in 2018. As well as claiming to be the “fastest DNS resolver on earth”, Cloudflare DNS has built-in security, including DDoS mitigation and DNSSEC. It also offers its DNS for mobile via an app called 188.8.131.52 Warp. Still, its primary advantage is being incredibly easy to remember.
- Google DNS: 184.108.40.206/220.127.116.11 | 2001:4860:4860::8888/2001:4860:4860::884
- Google DNS for IPv6 and IPv4 has been around for a very long time and benefits from both Google’s extensive global infrastructure and easy-to-remember IPv4 addresses. Some, however, have privacy concerns due to it being owned by one of the biggest ad firms in the world.
- Quad9: 18.104.22.168/22.214.171.124 | 2620:fe::fe/2620:fe::9
- Quad9 is a Swiss company focused on making the internet a more private and secure place. Its major feature is its ability to block malware, phishing, and spyware websites through a regularly maintained list. It also claims that no data containing your IP address is ever logged.
- Uncensored DNS: 126.96.36.199/188.8.131.52 | 2001:67c:28a4::/2001:67c:28a4::
- If you don’t trust any company to have your best interests at heart, Uncensored DNS could be a good bet. Run entirely by a private individual, Danish ISP admin Thomas Steen Rasmussen, it is free from corporate interests, and Rasmussen funds the service with his own money. As the name suggests, it removes DNS-based website censorship, but it also does not log any personal information.
You can test the speed of different Windows DNS providers from your location by using a tool such as GRC.
How to Change DNS Server in Windows 11 and Windows 10
If you’re just looking to change your DNS server, and not enable DNS over HTTPS, you may be better served by our existing guide. It’s designed for Windows 10, but the Control Panel should be identical for Windows 11.
How to Perform a Windows Network Reset to Fix DNS Issues
If you’re having problems with DNS resolution, whether it be after following this guide or randomly, you can try to perform a full Windows 10/Windows 11 Network reset by following our dedicated tutorial. This will reset your DNS settings to their default state.