Microsoft is starting to add and enable the support for secured Domain Name System (DNS) over HTTPS encryption, also known as DoH, with the release of Windows 10 Build 19628. DNS over HTTPS intends to enhance the privacy and increase the security of web browsing by encrypting the DNS resolution requests via the HTTPS protocol. DoH can potentially prevent MitM (Man in the Middle) attacks as DNS resolution requests are currently transmitted in plain text, even though the DNS resolver still have the DNS resolution requests data which the DoH client sends.

Windows Insiders on the Fast ring and installed the Windows 10 Build 19628 or higher are invited to test the DNS over HTTPS feature. However, as the feature is still in early testing stage, users who want to take advantage of DNS over HTTPS must enable the feature explicitly.

Note that the DNS over HTTPS feature support in Windows 10 should be enabled by default when the DoH client development is completed and the feature is made available in general release builds of Windows 10, likely to be either Windows 10 20H2 or Windows 10 21H1 due April or May 2021. Currently for Windows Insider preview builds, users need to explicitly enable the DoH client support via registry key. It’s unclear if Microsoft will provide any configurable setting to enable or disable DNS over HTTPS via either GUI or registry key when feature is live.

Thus, in order to enable the DNS over HTTPS client in Windows 10, join Windows Insider program and set to be on the Fast ring. Make sure that you’ve receive and install Windows 10 Build 19628 or higher from Windows Update. Then, activate the DNS over HTTPS client by modifying the registry:

  • Open the Registry Editor (regedit).
  • Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  • Create a new DWORD (32-bit) Value named EnableAutoDoh.
  • Set its value data to 2.

Out of the box, Windows 10 DoH client has the following DoH providers in the auto-promotion list currently as shown in table below, with the IPv4 and IPv6 addresses that you should use as DNS server for Windows 10 to automatically send DNS resolution requests over HTTPS:

Cloudflare1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
Google8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
Quad99.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::fe:9

So, the DNS server configured in Windows 10 must match the IP addresses in DNS over HTTPS auto-promotion list in order to activate secure encrypted DNS traffic. You can manually configure Windows 10 to use any of these IP addresses as a DNS server through the Control Panel if DHCP service doesn’t provide the above listed IP addresses as DNS server. Note that the supported DNS resolver must be set on Windows 10 itself. You can set it at the router and ask Windows to query the router for DNS resolution.

To configure a DNS server in the Control Panel:

  • Open Control Panel.
  • Go to Network and Internet -> Network and Sharing Center -> Change adapter settings.
  • Right click on the connection you want to add a DNS server to and select Properties.
  • Select either Internet Protocol Version 4 (TCP/IPv4) and/or Internet Protocol Version 6 (TCP/IPv6) and click Properties.
  • Select the Use the following DNS server addresses radio button, and add the DNS server addresses into the fields below.
  • Click OK or Apply to close all the dialog window.
  • Restart the computer and voila, Windows 10 should abandon classic DNS over port 53 and send DNS resolution requests over HTTPS.

Windows 10 also provides commands to add additional DNS resolver that supports DNS over HTTPS, such as OpenDNS, NextDNS, CleanBrowsing, AdGuard DNS or even your ISP’s DNS to auto-promotion list so that they could be supported by Windows 10.

To add a DNS over HTTPS server to Windows 10’s auto-promotion list, run the following command as administrator.

netsh dns add encryption server=<DNS server IP address> dohtemplate=<DoH template URL>

Replace the <DNS server IP address> with actual IP address of the DNS resolver, and <DoH template url> with actual DoH template actual URL, both of which could be provided by the DNS service provider. For example, to set NextDNS DoH support, use the following command (you can get configuration ID from my.nextdns.io):

netsh dns add encryption server=45.90.28.49 dohtemplate="https://dns.nextdns.io/<configuration ID>"
Note
Verify the template was applied to the DoH server list with the following command:

netsh dns show encryption server=<DNS server IP address>

Here’s a brief list of DNS over HTTPS template base URL for popular publicly available DNS servers:

  • AdGuard: https://dns.adguard.com/dns-query
  • AdGuard Family protection: https://dns-family.adguard.com/dns-query
  • OpenDNS: https://doh.opendns.com/dns-query
  • OpenDNS FamilyShield: https://doh.familyshield.opendns.com/dns-query
  • CleanBrowsing: https://doh.cleanbrowsing.org/doh/family-filter/
  • nextdns.io: https://dns.nextdns.io/<config_id>

An updated list of publicly available DNS service providers that support DNS over HTTPS with their template URLs is available on github.com.

By turning on secured DNS resolution lookup over encrypted DNS over HTTPS, all apps running Windows 10 that rely on OS DNS implementation to resolve domain names can take advantage of DoH. It also means that you no longer need to configure web browsers, such as Chrome and Firefox, to use own DNS over HTTPS implementation.

You May Also Interested In: