CHEF-KOCH's Microblog ✨

How to enforce DoH in Windows 11 on all Editions

Enabling DoH in Windows 11

Basically all we are going to do is run regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers, create one new subkey per resolver named after its IPv4 or IPv6 address, and inside each create a string value (REG_SZ) named Template containing the provider's DoH query URL. Windows only upgrades a query to DoH when the DNS server IP configured on the adapter has a matching entry here, so the adapter must point at one of these addresses.

The Windows built-in defaults live under the same key, and the netsh dns add encryption command that Microsoft documents for adding a server writes to it as well. I suggest using the registry instead of the GUI since it is more reliable, easier to script, and works across all editions (the GUI toggle is missing on some).

Official doc

Windows Registry Editor Version 5.00

; DoHPolicy: 1 = Prohibit DoH, 2 = Allow DoH, 3 = Require DoH (no fallback to plain UDP/TCP 53)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"DoHPolicy"=dword:00000003

Adding providers

Example with Mullvad DoH, AdGuard DoH and Quad9's ECS-enabled service (dns11). I do not recommend the Quad9 ECS variant for privacy, because EDNS Client Subnet forwards part of your IP address to authoritative name servers and so leaks more information than the plain service.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\193.19.108.2]
"Template"="https://doh.mullvad.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\194.242.2.2]
"Template"="https://doh.mullvad.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2a07:e340::2]
"Template"="https://doh.mullvad.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2a10:50c0::ad1:ff]
"Template"="https://dns.adguard.com/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2a10:50c0::ad2:ff]
"Template"="https://dns.adguard.com/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\94.140.14.14]
"Template"="https://dns.adguard.com/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\94.140.15.15]
"Template"="https://dns.adguard.com/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2620:fe::11]
"Template"="https://dns11.quad9.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2620:fe::fe:11]
"Template"="https://dns11.quad9.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\9.9.9.11]
"Template"="https://dns11.quad9.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\149.112.112.11]
"Template"="https://dns11.quad9.net/dns-query"
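The same two steps (require DoH via policy, then register resolver-to-template mappings) as a PowerShell script, run from an elevated prompt. This is an added example and not part of the original post; the IPs and templates are the ones from the .reg files above, while the interface alias "Ethernet" is an assumption and must match your adapter (see Get-NetAdapter).

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own commands): applies the DoH settings above with PowerShell.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$dohKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers'

# 1 = Prohibit DoH, 2 = Allow DoH, 3 = Require DoH (same value as the .reg file above)
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'DoHPolicy' -Value 3 -Type DWord

# Resolver IP -> DoH template. Windows upgrades to DoH only for server IPs listed here.
# Quad9 dns11 is ECS-enabled; see the note above before using it.
$providers = [ordered]@{
    '194.242.2.2'        = 'https://doh.mullvad.net/dns-query'
    '193.19.108.2'       = 'https://doh.mullvad.net/dns-query'
    '2a07:e340::2'       = 'https://doh.mullvad.net/dns-query'
    '94.140.14.14'       = 'https://dns.adguard.com/dns-query'
    '94.140.15.15'       = 'https://dns.adguard.com/dns-query'
    '2a10:50c0::ad1:ff'  = 'https://dns.adguard.com/dns-query'
    '2a10:50c0::ad2:ff'  = 'https://dns.adguard.com/dns-query'
    '9.9.9.11'           = 'https://dns11.quad9.net/dns-query'
    '149.112.112.11'     = 'https://dns11.quad9.net/dns-query'
    '2620:fe::11'        = 'https://dns11.quad9.net/dns-query'
    '2620:fe::fe:11'     = 'https://dns11.quad9.net/dns-query'
}

foreach ($entry in $providers.GetEnumerator()) {
    # One subkey per resolver address, holding a REG_SZ "Template" with the query URL
    $serverKey = "$dohKey\$($entry.Key)"
    New-Item -Path $serverKey -Force | Out-Null
    Set-ItemProperty -Path $serverKey -Name 'Template' -Value $entry.Value -Type String
}

# With "Require DoH" the adapter must use resolvers that have a template, or name
# resolution stops working. "Ethernet" is an assumed alias; adjust to your adapter.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '194.242.2.2', '2a07:e340::2'

# Verify: the DNS client exposes the DohWellKnownServers table through the DnsClient module.
Get-DnsClientDohServerAddress | Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
```

Reboot after applying so the DNS client picks up the new policy. The supported equivalent of writing the subkeys by hand is Add-DnsClientDohServerAddress -ServerAddress 194.242.2.2 -DohTemplate 'https://doh.mullvad.net/dns-query' -AllowFallbackToUdp $false -AutoUpgrade $true, which also lets you deny UDP fallback per server rather than relying on the policy alone.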

Warning

By design this currently only works on Ethernet adapters and is not available for Wi-Fi connections. On Wi-Fi, Windows can automatically fall back to unencrypted DNS and there is currently no toggle to prevent it.

Microsoft might expand this in the near future.

#DoH #HTTPS #Windows #Windows 11