Similar to DoH, DoT is intended to protect users from falling victim to a manipulated DNS server or a man-in-the-middle attack when DNS queries are transmitted in plain text.
For both, however, relatively few DNS servers support this technology. Those that do are mostly run by public providers such as Google or Cloudflare.
DoT versus DoH
DNS over TLS sends normal DNS requests through a TLS tunnel, while DNS over HTTPS establishes an HTTP connection over TLS. While this creates some overhead, the communication usually goes through port 443, which is open in most environments. DoT, on the other hand, uses port 853 by default.
With DoH, DNS queries are mixed with other encrypted HTTP traffic. This has privacy advantages because an eavesdropper cannot distinguish DNS queries from other HTTPS requests.
But this is also why DoH makes it harder for a network administrator to monitor and block DNS queries. With DoT, by contrast, DNS traffic is isolated on its own port, so malicious queries can be identified and blocked.
DoT implementation in Windows 11
In Windows 11, users now have the option to choose between the two protocols. While DoH is currently already on board in Windows 11, the first implementation for DoT is only available in previews from build 25158 on.
In addition, the feature can currently only be configured via the command line, and, unlike for DoH, Microsoft does not yet offer a Group Policy setting for it.
Configure the DNS Server
To enable DoT, you must (manually) specify a DNS server that supports this protocol. This can be done via the Settings app under Network in a connection's properties, for example, Ethernet or WiFi.
There, you edit the DNS server assignment and enter the IP address of the DoT server under IPv4 or IPv6, as required.
Alternatively, you can accomplish this task with PowerShell using Set-DnsClientServerAddress.
Activate DoT
For the actual activation of DoT, use these commands:
netsh dns add global dot=yes
netsh dns add encryption server=<IP-of-new-DNS-servers> dothost=: autoupgrade=yes
ipconfig /flushdns
To see if DoT is being used, invoke netsh again:
netsh dns show global
The output of this command should contain the line "DoT settings: enabled".
Finally, you can verify the correct DoT settings of the specific DNS server as follows:
netsh dns show encryption
Check that the output now contains an entry for "DNS over TLS host" for the selected DNS server, the value for "Automatic update" is yes, and "UDP fallback" is set to no.
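The following script wraps the procedure above (server assignment, activation, verification) so that it fails loudly instead of silently leaving the client on plaintext DNS. It is an added example, not from the article or from Microsoft; it assumes the adapter is named "Ethernet", takes the DoT server address as a parameter, and the regular expressions for the netsh output labels are based on the wording quoted in the article and may need adjusting to the exact output of your build.

```powershell
# Added example (not from the article): configure a DoT-capable resolver on one adapter,
# enable DoT with the netsh commands described in the article, and verify the result.
# Assumptions: adapter alias "Ethernet"; $DotServer is the address of a resolver that
# really supports DNS over TLS. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    [string]$InterfaceAlias = 'Ethernet',
    [Parameter(Mandatory)][string]$DotServer   # IPv4 or IPv6 address of the DoT resolver
)

# DoT only exists in preview builds from 25158 on (per the article); fail early otherwise.
$build = [Environment]::OSVersion.Version.Build
if ($build -lt 25158) {
    throw "Build $build has no DoT support; Insider build 25158 or later is required."
}

# Step 1: point the adapter at the DoT-capable resolver (equivalent to the Settings app).
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DotServer

# Step 2: enable DoT globally, register the encryption profile for the server, flush the cache.
netsh dns add global dot=yes | Out-Null
netsh dns add encryption server=$DotServer dothost=: autoupgrade=yes | Out-Null
ipconfig /flushdns | Out-Null

# Step 3: 'netsh dns show global' must report DoT as enabled.
$globalText = (netsh dns show global) -join "`n"
if ($globalText -notmatch 'DoT settings\s*:\s*enabled') {
    throw "DoT is not enabled:`n$globalText"
}

# Step 4: the per-server entry must exist, with auto-upgrade on and UDP fallback off;
# with fallback allowed the client could quietly revert to unencrypted DNS.
# Label patterns follow the article's wording and are an assumption about the exact output.
$encText = (netsh dns show encryption) -join "`n"
if ($encText -notmatch [regex]::Escape($DotServer)) {
    throw "No encryption entry found for $DotServer"
}
if ($encText -notmatch 'Automatic update\s*:\s*yes') { throw 'Automatic update is not set to yes' }
if ($encText -notmatch 'UDP fallback\s*:\s*no')      { throw 'UDP fallback is not disabled' }

"DoT active for $DotServer on $InterfaceAlias"
```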
Conclusion
With DNS over TLS, Microsoft supports a second secure DNS protocol in Windows 11, in addition to DNS over HTTPS. Which one you choose depends on the respective requirements. A key factor in the decision is whether admins want to isolate DNS traffic or whether communication via the standard HTTPS port is preferred.
Both protocols can currently only be used with a handful of public DNS servers. However, it is unclear whether Microsoft will ever support DoH and DoT in Windows Server for internal use.
While both DoT and DoH serve the same purpose of encrypting DNS requests, they use different ports and underlying mechanisms. Thank you for a great article.
Thanks for your kind feedback, Surender!
Windows 7 does not work
The following command was not found: dns add global dot=yes.
Hi Wolfgang,
Many thanks for sharing this excellent "How to" post; I have already subscribed to follow the next posts!
I ran into an issue however on Windows 11 laptops: it was possible to activate DoH by running the command with "netsh dns add global doh=yes", but for DoT, the netsh command returns that "dot" or "DoT" wouldn't be a known argument.
And when running the command netsh dns show global settings, the results don't display a doh or dot setting but "t'Oh" settings.
Would you have an idea about this please? Can’t find anything online.
Alex