How to enforce DoH in Windows 11 on all Editions
Enabling DoH in Windows 11
Basically all we are going to do is execute regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers, create new keys named after the IPv4 or IPv6 address of the resolver, and inside each of them create a new string value (REG_SZ) named Template containing the DoH query URL.
The Windows defaults also appear under this key, and so do servers added with the server-adding command shown previously. I suggest using the registry instead of the GUI since it is more reliable, easier, and works across all editions.
Official doc
- https://docs.microsoft.com/windows-server/networking/dns/doh-client-support
```reg
Windows Registry Editor Version 5.00

; DoHPolicy 3 = Require DoH (1 = Prohibit DoH, 2 = Allow DoH)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"DoHPolicy"=dword:00000003
```
Adding providers
Example with Mullvad DoH, AdGuard DoH and Quad9 ECS DoH. I do not recommend the Quad9 ECS endpoint for privacy, because ECS can leak more information about the client to upstream authoritative servers.
```reg
Windows Registry Editor Version 5.00

; Parent key; each subkey is named after the resolver's IPv4 or IPv6 address.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers]

; Mullvad DoH
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\193.19.108.2]
"Template"="https://doh.mullvad.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\194.242.2.2]
"Template"="https://doh.mullvad.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2a07:e340::2]
"Template"="https://doh.mullvad.net/dns-query"

; AdGuard DoH
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2a10:50c0::ad1:ff]
"Template"="https://dns.adguard.com/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2a10:50c0::ad2:ff]
"Template"="https://dns.adguard.com/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\94.140.14.14]
"Template"="https://dns.adguard.com/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\94.140.15.15]
"Template"="https://dns.adguard.com/dns-query"

; Quad9 ECS DoH (not recommended for privacy, see above)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2620:fe::11]
"Template"="https://dns11.quad9.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2620:fe::fe:11]
"Template"="https://dns11.quad9.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\9.9.9.11]
"Template"="https://dns11.quad9.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\149.112.112.11]
"Template"="https://dns11.quad9.net/dns-query"
```
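The same configuration applied from PowerShell instead of a .reg file, as an added example that is not part of the original post: it writes the Mullvad and AdGuard entries from the listing above (Quad9 ECS left out), sets the Require-DoH policy, and reads the keys back to verify. It assumes an elevated session on Windows 11; the final Get-DnsClientDohServerAddress call is the DnsClient module's own view of the well-known list.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes an elevated PowerShell
# session on Windows 11. Writes the same DoH well-known servers as the .reg file.

$wellKnown = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# Resolver address -> DoH template, taken from the page's listing.
$providers = @{
    '193.19.108.2'      = 'https://doh.mullvad.net/dns-query'
    '194.242.2.2'       = 'https://doh.mullvad.net/dns-query'
    '2a07:e340::2'      = 'https://doh.mullvad.net/dns-query'
    '94.140.14.14'      = 'https://dns.adguard.com/dns-query'
    '94.140.15.15'      = 'https://dns.adguard.com/dns-query'
    '2a10:50c0::ad1:ff' = 'https://dns.adguard.com/dns-query'
    '2a10:50c0::ad2:ff' = 'https://dns.adguard.com/dns-query'
}

foreach ($address in $providers.Keys) {
    # Subkey named after the resolver address (string concatenation keeps IPv6 colons intact).
    $key = "$wellKnown\$address"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Template is a REG_SZ holding the DoH query URL.
    New-ItemProperty -Path $key -Name 'Template' -PropertyType String `
        -Value $providers[$address] -Force | Out-Null
}

# DoHPolicy = 3 is the "Require DoH" value from the policy .reg file above.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name 'DoHPolicy' -PropertyType DWord `
    -Value 3 -Force | Out-Null

# Verify: each address must hold exactly the template we intended to write.
foreach ($address in $providers.Keys) {
    $stored = (Get-ItemProperty -Path "$wellKnown\$address").Template
    if ($stored -ne $providers[$address]) { throw "Template mismatch for $address" }
}
$policy = (Get-ItemProperty -Path $policyKey).DoHPolicy
if ($policy -ne 3) { throw "DoHPolicy is $policy, expected 3 (Require DoH)" }

# Cross-check with the DnsClient module's view of the well-known server list.
Get-DnsClientDohServerAddress | Format-Table ServerAddress, DnsOverHttpsTemplate, AllowFallbackToUdp
```

After the policy value is written, restart the Dnscache service or reboot so the DNS client picks up the new setting.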
Warning
This only works by design on Ethernet, which means it is not available for Wi-Fi connections. On Wi-Fi the client can fall back to unencrypted DNS automatically, and there is currently no toggle to prevent it.
Microsoft might expand this in the near future.