- How to install Group Policy ADMX templates for OneDrive - Mon, Mar 27 2023
- How to change the PowerShell prompt - Wed, Mar 22 2023
- Trim characters from strings in PowerShell - Tue, Mar 14 2023
Similar to DoH, DoT is intended to protect users from falling victim to a manipulated DNS server or a man-in-the-middle attack when DNS queries are transmitted in plain text.
For both, however, relatively few DNS servers support this technology. In most cases, they are provided by public providers, such as Google or Cloudflare.
DoT versus DoH
DNS over TLS sends normal DNS requests through a TLS tunnel, while DNS over HTTPS establishes an HTTP connection over TLS. While this creates some overhead, the communication usually goes through port 443, which is open in most environments. DoT, on the other hand, uses port 853 by default.
With DoH, DNS queries are mixed with other encrypted HTTP traffic. This has privacy advantages because an eavesdropper cannot distinguish DNS queries from other HTTPS requests.
But this is also why DoH makes it more difficult for a network administrator to monitor and block DNS queries. However, with DoT, malicious traffic can be identified and thus prevented.
DoT implementation in Windows 11
In Windows 11, users now have the option to choose between the two protocols. While DoH is currently already on board in Windows 11, the first implementation for DoT is only available in previews from build 25158 on.
In addition, the feature can currently only be configured via the command line, and unlike DoH, Microsoft does not yet offer a group policy setting for it.
Configure the DNS Server
To enable DoT, you must (manually) specify a DNS server that supports this protocol. This can be done via the Settings app under Network in a connection's properties, for example, Ethernet or WiFi.
There, you edit the DNS server assignment and enter the IP address of the DoT server under IPv4 or IPv6, as required.
Alternatively, you can accomplish this task with PowerShell using Set-DnsClientServerAddress .
For the actual activation of DoT, use these commands:
netsh dns add global dot=yes netsh dns add encryption server=<IP-of-new-DNS-servers> dothost=: autoupgrade=yes ipconfig /flushdns
To see if DoT is being used, invoke netsh again:
netsh dns show global
The output of this command should contain the line "DoT settings: enabled".
Finally, you can verify the correct DoT settings of the specific DNS server as follows:
netsh dns show encryption
Check that the output now contains an entry for "DNS over TLS host" for the selected DNS server, the value for "Automatic update" is yes, and "UDP fallback" is set to no.
With DNS over TLS, Microsoft supports a second secure DNS protocol in Windows 11, in addition to DNS over HTTPS. Which one you choose depends on the respective requirements. A key factor in the decision is whether admins want to isolate DNS traffic or whether communication via the standard HTTPS port is preferred.
Subscribe to 4sysops newsletter!
Both protocols can currently only be used with a handful of public DNS servers. However, it is unclear whether Microsoft will ever support DoH and DoT in Windows Server for internal use.
Want to write for 4sysops? We are looking for new authors.
While both DoT and DoH serve the same purpose of encrypting DNS requests, they use different ports and underlying mechanism. Thank you for a great article.
Thanks for your kind feedback, Surender!
Windows 7 does not work
The following command was not found: dns add global dot=yes.
Many thanks for sharing this excellent “How to” post, I have already subscribed to follow the next posts !
I ran into an issue however on Windows 11 laptops : it was possible to activate DoH by running the command with “netsh dns add global doh=yes” but for DoT, the netsh command returns that “dot” or “DoT” wouldn’t be a known argument.
And when running the command netsh dns show global settings, the results don’t display doh or dot setting but ” t’Oh ” settings.
Would you have an idea about this please? Can’t find anything online.