How to Enable DNS over HTTPS (DoH) on Windows 11

We explain and show you how to enable DNS over HTTPS (DoH) in Windows 11, using both IPv4 and IPv6 addresses.

If you’ve been keeping an eye on the recent security landscape, you may have heard of DNS over HTTPS, often shortened to DoH. But what is this new protocol, why do you need it, and how do you enable DNS over HTTPS in Windows 11? We’ll be covering all of this, starting with the “what”.

What Is DoH and What’s the Difference to DNS Over TLS?

DNS over HTTPS (DoH) is a protocol introduced in 2018 that seeks to hide DNS queries and responses by passing the traffic through an encrypted HTTPS session. In doing so, it both improves user privacy and prevents attackers from spoofing or altering DNS traffic for malicious purposes.

It’s important to note that DNS over HTTPS is not the same as DNS over TLS (DoT). Though both encrypt DNS traffic, they differ in a key aspect: the port they use. DoT uses a dedicated port, 853, while DoH uses port 443. Why does the port matter? Because DoT has a port of its own, an admin watching the network can see that DNS requests are coming and going, even if it would be a struggle to see their contents because of encryption.

DoH, however, uses the same port as all other HTTPS traffic, such as web browsing. It’s camouflaged within the massive amounts of HTTPS data flowing in and out of the network. This is good if you’re looking for privacy, as it makes it difficult for network admins to maintain visibility. It can be a bad thing for network managers, though, as it makes it more difficult for them to block malicious DNS queries.

Which Browsers Support DNS-Over-HTTPS?

Due to its relative newness, not every browser has specific support for DNS over HTTPS at the time of writing. Browser-level support allows you to force your browser to use DNS over HTTPS separately from the rest of your operating system and applications. Most major browsers do offer it, however, including:

  • Chrome (Version 83+)
  • Microsoft Edge (Version 86+)
  • Firefox (Version 62+)
  • Bromite (Version 67.0.3396.88+)

Several other tools with DoH support, as well as a list of publicly available DoH servers, are listed on this GitHub.

How to Enable DNS over HTTPS (DoH) on Windows 11

Enhance your online privacy and security by enabling DNS over HTTPS (DoH) on Windows 11. This guide walks you through the process step-by-step, ensuring your DNS queries are encrypted and safeguarded from potential threats.

  1. Open Settings
     
    Press the Start button and click on “Settings” among your pinned apps, or press “Windows + I” to open the Settings menu directly.
     
  2. Navigate to Network Settings
     
    Click on “Network & Internet” in the sidebar, then select “Properties” next to your network name. Choose the network you’re currently using if connected to multiple networks.
     
  3. Edit DNS Server Assignment
     
    Under the “DNS server assignment” section, click on “Edit” to modify your DNS settings.
     
  4. Change DNS Settings for All Networks (Optional)
     
    If applicable, click on “Change DNS settings for all Wi-Fi networks”.
     
  5. Switch to Manual DNS Configuration
     
    Change “Automatic (DHCP)” to “Manual”.
     
  6. Enable IPv4 (or IPv6)
     
    Choose either IPv4 or IPv6, not both. The options for IPv6 are covered further below.
     
    For IPv4: Toggle the IPv4 option to “On”. IPv4 uses a 32-bit address system, limiting it to about 4.3 billion unique addresses, which has led to address scarcity due to the growing number of internet devices. IPv6, on the other hand, employs a 128-bit address scheme, vastly expanding the address pool and enhancing internet scalability, security, and configuration features.
     
  7. Enter Preferred DNS Address
     
    In the “Preferred DNS” field, input the DNS address of your choice, such as Quad9’s 9.9.9.9. Quad9 is a free, recursive DNS (Domain Name System) service aimed at providing enhanced privacy and security to internet users. You’ll find more options in the section below.
     
    For reference, this is also how to change DNS in Windows 11 normally, without DoH.
     
  8. Set Preferred DNS Encryption
     
    Change the “Preferred DNS encryption” setting to “Encrypted only (DNS over HTTPS)”.
     
  9. Input an Alternate DNS Address
     
    Enter an alternate DNS address, such as Quad9’s 149.112.112.112. You can find the alternate addresses of other providers in the section below.
     
  10. Encrypt Alternate DNS
     
    Set the “Alternate DNS encryption” to “Encrypted only (DNS over HTTPS)”.
     
  11. Save Your Settings
     
    Click “Save” to apply your DNS changes. Verify the activation of DoH by visiting “https://1.1.1.1/help” and checking if the DoH field says “Yes”.
     
  12. Configure IPv6 DNS (Optional)
     
    If you prefer IPv6, toggle “IPv6” to “On”. Choose either IPv4 or IPv6, not both.
     
  13. Enter Preferred IPv6 DNS Address
     
    Input the preferred IPv6 DNS address, such as Quad9’s “2620:fe::fe”.
     
  14. Encrypt Preferred IPv6 DNS
     
    Change the “Preferred DNS encryption” for IPv6 to “Encrypted only (DNS over HTTPS)”.
     
  15. Specify an Alternate IPv6 DNS Address
     
    Enter an alternate IPv6 DNS address, such as “2620:fe::9”.
     
  16. Encrypt Alternate IPv6 DNS
     
    Set the “Alternate DNS encryption” for IPv6 to “Encrypted only (DNS over HTTPS)”.
     
  17. Finalize IPv6 DNS Settings
     
    Click “Save” to apply your IPv6 DNS settings. Verify DoH activation for IPv6 by visiting a DNS test page.
     
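
To check the result of the steps above from PowerShell, the following added example (not part of the original guide) lists, for each DNS server, whether Windows holds a DoH template for it, that entry's flags, and whether an encrypted session to the resolver is open right now. The function name Get-DohAudit is hypothetical; the cmdlets it calls are the built-in DnsClient and NetTCPIP ones, and the sample addresses are the Quad9 ones used in the steps.

```powershell
# Added example, not from the original guide. Read-only: no settings are changed.
# Uses cmdlets from the DnsClient and NetTCPIP modules that ship with Windows 11.

function Get-DohAudit {   # hypothetical helper name
    param(
        # Resolver IPs to audit. Default: every DNS server set on any interface.
        [string[]] $Server = @(Get-DnsClientServerAddress |
            ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique)
    )

    # Windows' table that maps resolver IPs to DoH URL templates.
    $known = @(Get-DnsClientDohServerAddress)

    foreach ($ip in $Server) {
        $entry = $known | Where-Object { $_.ServerAddress -eq $ip } |
            Select-Object -First 1

        # Established TCP sessions to the resolver: 443 = DoH, 853 = DoT.
        # Plaintext DNS normally runs over UDP 53 and is not listed here.
        # Sessions are short-lived, so run this right after some lookups.
        $tcp = @(Get-NetTCPConnection -RemoteAddress $ip -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemotePort -in 443, 853 })

        [pscustomobject]@{
            Server          = $ip
            TemplateKnown   = [bool]$entry
            DohTemplate     = if ($entry) { $entry.DohTemplate } else { '' }
            AutoUpgrade     = if ($entry) { $entry.AutoUpgrade } else { $null }
            FallbackToUdp   = if ($entry) { $entry.AllowFallbackToUdp } else { $null }
            RemotePortsSeen = ($tcp.RemotePort | Sort-Object -Unique) -join ','
        }
    }
}

# 1) Audit whatever is configured now (after saving the settings).
Get-DohAudit | Format-Table -AutoSize

# 2) Check the Quad9 addresses from the steps before entering them.
Get-DohAudit -Server '9.9.9.9', '149.112.112.112', '2620:fe::fe', '2620:fe::9' |
    Format-Table -AutoSize
```

A resolver that shows TemplateKnown = False has no entry in the table returned by Get-DnsClientDohServerAddress; Add-DnsClientDohServerAddress registers one, using the template URL the provider publishes.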

The Best Free DNS Servers for Windows 11

Now that you know how to enable DNS over HTTPS in Windows 11, you may want to explore more Windows 11 DNS options. Different DNS services offer different features and performance, with the closest servers to you typically delivering the lowest ping.
 
Here are some of the best free Windows DNS over HTTPS options. We’ll present them in the “IPv4/Alternate IPv4 | IPv6/Alternate IPv6” format:

  • OpenDNS: 208.67.222.222/208.67.220.220 | 2620:119:35::35/2620:119:53::53
     
    Owned by networking giant Cisco, OpenDNS is fast, secure, and offers an additional “Family Shield” option for those who have kids.
  • Cloudflare: 1.1.1.1/1.0.0.1 | 2606:4700:4700::1111/2606:4700:4700::1001
     
    Cloudflare is best known for its DDoS protection/CDN technology, but it also introduced a free DNS service in 2018. As well as claiming to be the “fastest DNS resolver on earth”, Cloudflare DNS has built-in security, including DDoS mitigation and DNSSEC. It also offers its DNS for mobile via an app called 1.1.1.1 Warp. Still, its primary advantage is being incredibly easy to remember.
  • Google DNS: 8.8.8.8/8.8.4.4 | 2001:4860:4860::8888/2001:4860:4860::8844
     
    Google DNS for IPv6 and IPv4 has been around for a very long time and benefits from both Google’s extensive global infrastructure and easy-to-remember IPv4 addresses. Some, however, have privacy concerns due to it being owned by one of the biggest ad firms in the world.
  • Quad9: 9.9.9.9/149.112.112.112 | 2620:fe::fe/2620:fe::9
     
    Quad9 is a Swiss company focused on making the internet a more private and secure place. Its major feature is its ability to block malware, phishing, and spyware websites through a regularly maintained list. It also claims that no data containing your IP address is ever logged.
  • Uncensored DNS: 91.239.100.100/91.239.100.100 | 2001:67c:28a4::/2001:67c:28a4::
     
    If you don’t trust any company to have your best interests at heart, Uncensored DNS could be a good bet. Run entirely by a private individual, Danish ISP admin Thomas Steen Rasmussen, and paid for with his own money, it is free from corporate interests. As the name suggests, it removes DNS-based website censorship, but it also does not log any personal information.

You can test the speed of different Windows DNS providers from your location by using a tool such as GRC.
 

FAQ – Frequently Asked Questions About DNS over HTTPS (DoH) on Windows 11

Can DNS over HTTPS interfere with parental controls or network filters?

Yes, because DoH encrypts DNS queries, it can effectively bypass network filters and parental controls that rely on intercepting and analyzing DNS requests to block or allow content. If you rely on these controls for content filtering, you may need to look for alternative solutions that support encrypted DNS queries or configure exceptions as needed.

Does enabling DNS over HTTPS affect VPN usage?

Typically, when you use a VPN, all your internet traffic, including DNS queries, is routed through the VPN server, providing encryption and privacy. Enabling DoH on your Windows 11 system does not directly interfere with this process but adds an extra layer of encryption for DNS requests outside the VPN tunnel. It’s mainly beneficial when not using a VPN, ensuring your DNS queries are encrypted at all times.

What are the differences between DNS over HTTPS (DoH) and DNS over TLS (DoT)?

Both DoH and DoT secure DNS queries by encrypting the data, but they operate differently. DNS over HTTPS (DoH) uses the HTTPS protocol (port 443) to encrypt DNS queries, making it difficult to distinguish from regular HTTPS traffic, thus offering better privacy by blending in. DNS over TLS (DoT), on the other hand, uses a dedicated port (853) for encrypted DNS traffic, which can potentially be blocked or filtered more easily by network administrators. DoH is often preferred for its stealthier nature and compatibility with existing web infrastructure.

Can I use DNS over HTTPS with all of my apps, or just web browsers?

When you enable DNS over HTTPS (DoH) system-wide on Windows 11, all DNS queries from your device, regardless of the originating application, are encrypted. This includes queries from web browsers, email clients, and any other app that communicates over the internet. This system-wide approach provides a uniform layer of privacy and security across all applications, significantly enhancing your online security posture beyond just web browsing.

Can I use DNS over HTTPS on networks other than my home network?

Yes, once you enable DoH on your Windows 11 device, it applies to any network you connect to, be it your home network, public Wi-Fi, or a mobile hotspot. This ensures your DNS queries remain encrypted and secure regardless of the network’s security level, providing consistent privacy protection across different connectivity environments.

How do I choose a DNS server that supports DNS over HTTPS?

To take advantage of DNS over HTTPS (DoH), you’ll need to use a DNS server that supports this protocol. Providers such as Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) offer DoH support. Research and select a provider based on their privacy policies, server locations, and performance metrics. Additionally, ensure your chosen provider’s DNS server addresses are correctly entered in your system settings per the DoH setup instructions.

Should I configure both IPv4 and IPv6 settings for DoH?

Yes, to ensure comprehensive encryption of your DNS traffic, it’s recommended to configure DoH for both IPv4 and IPv6 settings on your device. Even though IPv6 adoption is growing, many networks still rely on IPv4. Configuring both settings ensures that all DNS queries, regardless of the internet protocol version, benefit from the increased privacy and security provided by DoH.

How can I troubleshoot if I experience connectivity issues after enabling DoH?

If you encounter connectivity issues after enabling DoH, start by confirming that the DNS servers you’ve chosen support DoH and are correctly configured in your system settings. Test your internet connection with DoH disabled to determine if the issue is specifically related to DoH configuration. Consider trying alternative DoH-supported DNS servers, reviewing your network settings, and ensuring that other network devices like routers are compatible with DNS configurations using encryption.

Does DoH protect against all forms of online tracking and surveillance?

While DoH significantly enhances privacy by encrypting DNS queries, it’s not a comprehensive solution against all forms of online tracking. Advertisers and websites might still track your online activities through cookies, browser fingerprinting, or login-based tracking mechanisms. Combining DoH with other privacy tools like VPNs, private browsing modes, and cookie management can provide a more robust defense against tracking and surveillance.

What should I do if a website or service doesn’t work after enabling DoH?

Compatibility issues may arise with some websites or online services post-DoH activation, especially those requiring specific DNS settings for access or functionality. If disabling DoH temporarily resolves the issue, it indicates a compatibility problem. Consider adding specific exceptions if your DNS provider or system configuration supports it, or switch to a different DoH-compatible DNS provider that may not have the same restrictions.

Can enabling DNS over HTTPS improve the speed of my internet connection?

The impact of DoH on internet speed is generally minimal; encryption may add slight latency to DNS queries, but the overall effect on browsing speed is negligible for most users. In fact, some users might experience improved speed and reliability with DoH, especially if their default DNS provider was suboptimal or if the chosen DoH provider has a faster, more reliable infrastructure.

How does DoH compare with traditional unencrypted DNS in terms of security?

Traditional DNS queries are unencrypted, exposing your browsing history to potential eavesdropping, interception, or manipulation. DoH significantly heightens security by encrypting these queries, ensuring that only you and your chosen DNS provider can see and process your DNS requests. This encryption shields your browsing activity from third parties, including potentially malicious actors and even your internet service provider.

Will enabling DNS over HTTPS consume more system resources on my computer?

The encryption process associated with DoH can marginally increase the usage of system resources, such as CPU and memory. However, on modern computers, this increase is typically minimal and not likely to impact system performance or user experience. The benefits of enhanced privacy and security provided by DoH far outweigh these insignificant resource implications.

How do I revert to using unencrypted DNS?

To revert to unencrypted DNS on your Windows 11 device, navigate to your DNS settings and select the “Automatic (DHCP)” option for DNS server assignment. This action disables DoH and allows your network to automatically select a DNS server, which will likely not use DoH. This change might be necessary for specific network environments or for troubleshooting DNS-related connectivity issues.

Is using DNS over HTTPS necessary if I’m already using a secure network?

Even on secure networks, it’s beneficial to use DoH for your DNS queries. DoH provides an extra layer of encryption specifically targeting DNS traffic, which might otherwise be exposed. While secure networks protect data transmission, DoH specifically secures DNS queries against interception or manipulation, making it a wise addition to your overall online privacy strategy.

Related: How to Change Your DNS Server in Windows and Why You’d Want To

When you sign up for an internet service provider (ISP), they assign you to a DNS server of their creation. This function makes it possible for you to access all your favorite sites and services without manually typing their IP address. Unfortunately, however, not all DNS servers are created equal. There are several reasons you may want to change DNS in Windows 10, but it’s necessary to learn what they are and how they work so you can make an informed decision. In our other guide, we show you how to change DNS servers on Windows via the Control Panel, Settings, and Command Prompt.
 

Related: How to Flush DNS in Windows 11 or Windows 10

The DNS cache helps with this domain name resolution process by storing a temporary database of your recent website visits and their associated IP addresses. This way, name resolution can be handled locally on your PC rather than having to send a request to a server and wait for the response. Flushing the DNS cache removes the database of sites and IP addresses on your PC. This is useful in cases where the website or service has changed its IP address and your cache has not updated, causing your browser to direct you to the wrong place. In our other guide, we show you how to clear the DNS resolver cache in Windows 11 or Windows 10 using four of the most convenient methods.
  

Related: How to Reset Your Network in Windows

We’ve all run into the dreaded taskbar icon that denotes Windows internet connection issues. There are various reasons this can happen, but if you’re really struggling, the quickest fix is to perform a full Windows network reset. In our other guide, we show you how to do a network reset via the network and internet settings menu or the netsh winsock reset command.
  

Ryan Maskell
https://ryanmaskell.co.uk
Ryan has had a passion for gaming and technology since early childhood. Fusing the skills from his Creative Writing and Publishing degree with profound technical knowledge, he enjoys covering news about Microsoft. As an avid writer, he is also working on his debut novel.