Similar to DoH, DoT is intended to protect users from falling victim to a manipulated DNS server or a man-in-the-middle attack when DNS queries are transmitted in plain text.
For both protocols, however, relatively few DNS servers offer support. In most cases these are public resolvers, such as those run by Google or Cloudflare.
DoT versus DoH
DNS over TLS sends normal DNS requests through a TLS tunnel, while DNS over HTTPS establishes an HTTP connection over TLS. While this creates some overhead, the communication usually goes through port 443, which is open in most environments. DoT, on the other hand, uses port 853 by default.
With DoH, DNS queries are mixed with other encrypted HTTP traffic. This has privacy advantages because an eavesdropper cannot distinguish DNS queries from other HTTPS requests.
But this is also why DoH makes it more difficult for a network administrator to monitor and block DNS queries. With DoT, by contrast, DNS traffic remains recognizable as such, so malicious queries can be identified and blocked.
DoT implementation in Windows 11
In Windows 11, users now have the option to choose between the two protocols. While DoH is already included in released versions of Windows 11, the first implementation of DoT is only available in Insider previews from build 25158 onward.
In addition, the feature can currently only be configured via the command line, and unlike DoH, Microsoft does not yet offer a group policy setting for it.
Configure the DNS Server
To enable DoT, you must (manually) specify a DNS server that supports this protocol. This can be done via the Settings app under Network in a connection's properties, for example, Ethernet or WiFi.
There, you edit the DNS server assignment and enter the IP address of the DoT server under IPv4 or IPv6, as required.
Alternatively, you can accomplish this task with PowerShell using Set-DnsClientServerAddress.
Activate DoT
For the actual activation of DoT, use these commands:
netsh dns add global dot=yes
netsh dns add encryption server=<IP-of-new-DNS-servers> dothost=: autoupgrade=yes
ipconfig /flushdns
To see if DoT is being used, invoke netsh again:
netsh dns show global
The output of this command should contain the line "DoT settings: enabled".
Finally, you can verify the correct DoT settings of the specific DNS server as follows:
netsh dns show encryption
Check that the output now contains an entry for "DNS over TLS host" for the selected DNS server, the value for "Automatic update" is yes, and "UDP fallback" is set to no.
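The three steps above (assign the resolver, enable DoT, verify the netsh output) combined into one script, as an added example that is not part of the original article. The adapter name, the resolver address, and the assumption that netsh separates per-server entries with blank lines are placeholders; only the quoted strings "DoT settings: enabled", "DNS over TLS host", "Automatic update" and "UDP fallback" come from the article.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# on Windows 11 build 25158 or later. The adapter alias and resolver IP are
# assumptions; adjust them to your environment.
param(
    [string]$InterfaceAlias = 'Ethernet',   # assumption: name of the adapter to configure
    [string]$DotServer      = '1.1.1.1'     # assumption: address of a DoT-capable resolver
)

# 1. Point the adapter at the DoT-capable resolver (plain IP, as in the Settings app).
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DotServer

# 2. Enable DoT globally, register the encryption settings for that server,
#    and drop cached answers so new lookups go through the TLS tunnel.
netsh dns add global dot=yes | Out-Null
netsh dns add encryption server=$DotServer dothost=: autoupgrade=yes | Out-Null
ipconfig /flushdns | Out-Null

# 3. Verify the global state. netsh returns an array of lines; join them so
#    -notmatch tests the whole text rather than filtering line by line.
$dotGlobal = (netsh dns show global) -join "`n"
if ($dotGlobal -notmatch 'DoT settings:\s*enabled') {
    throw "DoT is not enabled globally:`n$dotGlobal"
}

# 4. Verify the per-server entry: a DoT host is present, automatic upgrade is on,
#    and no fallback to unencrypted UDP is permitted.
#    Assumption: netsh prints one blank-line-separated block per server.
$encryption = (netsh dns show encryption) -join "`n"
$serverBlock = ($encryption -split "`n\s*`n") |
    Where-Object { $_ -match [regex]::Escape($DotServer) } |
    Select-Object -First 1
if (-not $serverBlock) { throw "No encryption entry found for $DotServer" }

$checks = [ordered]@{
    'DNS over TLS host present' = [bool]($serverBlock -match 'DNS over TLS host:\s*\S')
    'Automatic update = yes'    = [bool]($serverBlock -match 'Automatic update:\s*yes')
    'UDP fallback = no'         = [bool]($serverBlock -match 'UDP fallback:\s*no')
}
$failed = $checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key }
if ($failed) { throw "DoT verification failed: $($failed -join ', ')" }
"DoT verified for $DotServer on $InterfaceAlias"
```

If the UDP fallback check fails, queries can silently drop back to plaintext on port 53, which defeats the purpose of the setup; re-run the add encryption step rather than accepting the result.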
With DNS over TLS, Microsoft supports a second secure DNS protocol in Windows 11, in addition to DNS over HTTPS. Which one you choose depends on the respective requirements. A key factor in the decision is whether admins want to isolate DNS traffic or whether communication via the standard HTTPS port is preferred.
Both protocols can currently only be used with a handful of public DNS servers. However, it is unclear whether Microsoft will ever support DoH and DoT in Windows Server for internal use.