The current Insider preview in the Dev Channel includes support for DNS over TLS (DoT). This is an alternative encrypted DNS protocol to DNS over HTTPS (DoH). It runs directly over a TLS tunnel without an HTTP layer, which avoids the HTTP overhead and therefore makes it faster. The setup is done with netsh.

Similar to DoH, DoT is intended to protect users from falling victim to a manipulated DNS server or a man-in-the-middle attack when DNS queries are transmitted in plain text.

For both, however, relatively few DNS servers support this technology. In most cases, they are provided by public providers, such as Google or Cloudflare.

DoT versus DoH

DNS over TLS sends normal DNS requests through a TLS tunnel, while DNS over HTTPS establishes an HTTP connection over TLS. While this creates some overhead, the communication usually goes through port 443, which is open in most environments. DoT, on the other hand, uses port 853 by default.

With DoH, DNS queries are mixed with other encrypted HTTP traffic. This has privacy advantages because an eavesdropper cannot distinguish DNS queries from other HTTPS requests.

But this is also why DoH makes it more difficult for a network administrator to monitor and block DNS queries. With DoT, by contrast, the traffic is recognizable by its dedicated port, so malicious or unwanted DNS traffic can be identified and thus blocked.

DoT implementation in Windows 11

In Windows 11, users now have the option to choose between the two protocols. While DoH is currently already on board in Windows 11, the first implementation for DoT is only available in previews from build 25158 on.

In addition, the feature can currently only be configured via the command line, and unlike DoH, Microsoft does not yet offer a group policy setting for it.

Configure the DNS Server

To enable DoT, you must (manually) specify a DNS server that supports this protocol. This can be done via the Settings app under Network in a connection's properties, for example, Ethernet or WiFi.

Edit a connection's DNS settings

There, you edit the DNS server assignment and enter the IP address of the DoT server under IPv4 or IPv6, as required.

Enter the DNS server for IPv4 manually in the Settings app

Alternatively, you can accomplish this task with PowerShell using Set-DnsClientServerAddress.

Activate DoT

For the actual activation of DoT, use these commands:

netsh dns add global dot=yes
netsh dns add encryption server=<IP-of-new-DNS-servers> dothost=: autoupgrade=yes
ipconfig /flushdns

To see if DoT is being used, invoke netsh again:

netsh dns show global

The output of this command should contain the line "DoT settings: enabled".

Activate DoT with netsh and then check the settings

Finally, you can verify the correct DoT settings of the specific DNS server as follows:

netsh dns show encryption

The manually configured DNS server now uses DNS over TLS

Check that the output now contains an entry for "DNS over TLS host" for the selected DNS server, the value for "Automatic update" is yes, and "UDP fallback" is set to no.
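The whole procedure above, from assigning the resolver to checking the verification strings, as an added PowerShell script that is not part of the article: it calls Set-DnsClientServerAddress, runs the netsh commands shown, and then parses the netsh output for the values the article names. The interface alias "Ethernet", the placeholder resolver 203.0.113.53 and the exact output line formats are assumptions; run it in an elevated session.

```powershell
# Added example (not from the article): configure a DoT resolver on one adapter and
# verify the result. Assumptions: alias "Ethernet" and resolver 203.0.113.53 are placeholders.
param(
    [string]$InterfaceAlias = 'Ethernet',
    [string]$DotServer      = '203.0.113.53'   # placeholder; use your DoT-capable resolver
)

# DoT exists only from Insider build 25158 on; on older builds "dot=yes" is rejected
# as an unknown argument, so bail out early with a clear message.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
if ($build -lt 25158) { throw "Build $build has no DoT support (needs 25158 or later)." }

# Step 1: assign the resolver manually (the PowerShell equivalent of the Settings app dialog).
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DotServer

# Step 2: enable DoT globally, register the server as a DoT endpoint, flush the cache.
netsh dns add global dot=yes | Out-Null
netsh dns add encryption "server=$DotServer" dothost=: autoupgrade=yes | Out-Null
ipconfig /flushdns | Out-Null

# Step 3: verify the global switch ("DoT settings: enabled").
$global = netsh dns show global
if (-not ($global -match 'DoT settings:\s*enabled')) { throw 'DoT is not enabled globally.' }

# Step 4: "show encryption" lists every configured server; isolate the block for ours
# and check the three values the article names. Line formats are an assumption.
$enc   = netsh dns show encryption
$start = -1
for ($i = 0; $i -lt $enc.Count; $i++) {
    if ($enc[$i] -match [regex]::Escape($DotServer)) { $start = $i; break }
}
if ($start -lt 0) { throw "No encryption entry for $DotServer." }
$block = $enc[$start..([Math]::Min($start + 8, $enc.Count - 1))] -join "`n"

$ok = ($block -match 'DNS over TLS host') -and
      ($block -match 'Automatic update:\s*yes') -and
      ($block -match 'UDP fallback:\s*no')
if (-not $ok) { throw "Unexpected encryption settings for ${DotServer}:`n$block" }
"DoT active for $DotServer on $InterfaceAlias"
```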

Conclusion

With DNS over TLS, Microsoft supports a second secure DNS protocol in Windows 11, in addition to DNS over HTTPS. Which one you choose depends on the respective requirements. A key factor in the decision is whether admins want to isolate DNS traffic or whether communication via the standard HTTPS port is preferred.


Both protocols can currently only be used with a handful of public DNS servers. However, it is unclear whether Microsoft will ever support DoH and DoT in Windows Server for internal use.

4 Comments
  1. While both DoT and DoH serve the same purpose of encrypting DNS requests, they use different ports and underlying mechanisms. Thank you for a great article.

  2. james 10 months ago

    Windows 7 does not work
    The following command was not found: dns add global dot=yes.

  3. Alex 8 months ago

    Hi Wolfgang,

    Many thanks for sharing this excellent "How to" post, I have already subscribed to follow the next posts!

    I ran into an issue however on Windows 11 laptops: it was possible to activate DoH by running the command with "netsh dns add global doh=yes", but for DoT, the netsh command returns that "dot" or "DoT" wouldn't be a known argument.

    And when running the command netsh dns show global settings, the results don't display doh or dot settings but "t'Oh" settings.

    Would you have an idea about this please? Can’t find anything online.

    Alex

© 4sysops 2006 - 2023
