Secure DNS requests over HTTPS (DoH) in Windows 10/11 - Thu, Jul 22 2021
The preferred use cases for DoH are external (typically wireless) networks that mobile users have joined. There, if DNS requests are transmitted in plain text, they could fall victim to a manipulated DNS server or a man-in-the-middle attack.
To date, this technology is mainly offered by public resolver operators such as Google or Cloudflare; Windows Server does not provide it natively. For private use, however, there are open-source implementations, such as DNSProxy or lambDoH.
If you want to play around with DoH in PowerShell, the following simple HTTP GET call uses the JSON API:
Invoke-RestMethod -Uri `
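As an added example (not the article's own code), the following function wraps the same kind of Invoke-RestMethod call against the JSON APIs of the two public resolvers the article names. The endpoints https://dns.google/resolve and https://cloudflare-dns.com/dns-query (the latter requiring the Accept: application/dns-json header) are assumptions of this example, as are the field names read from the response.

```powershell
# Added example: resolve a name through a public resolver's DoH JSON API.
# Assumed endpoints: Google https://dns.google/resolve and
# Cloudflare https://cloudflare-dns.com/dns-query (JSON via Accept header).
function Resolve-DohJson {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Type = 'A',
        [ValidateSet('Google', 'Cloudflare')] [string] $Resolver = 'Cloudflare'
    )

    # Both services take the query as URL parameters; Cloudflare additionally needs
    # the Accept header to return JSON instead of DNS wire format.
    switch ($Resolver) {
        'Google'     { $base = 'https://dns.google/resolve';           $headers = @{} }
        'Cloudflare' { $base = 'https://cloudflare-dns.com/dns-query'; $headers = @{ Accept = 'application/dns-json' } }
    }
    $uri = '{0}?name={1}&type={2}' -f $base, [uri]::EscapeDataString($Name), $Type

    # Invoke-RestMethod parses the JSON body into a PSObject automatically.
    $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get

    # Status is the DNS RCODE: 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN.
    if ($response.Status -ne 0) {
        Write-Warning ("{0}: resolver returned RCODE {1}" -f $Name, $response.Status)
        return
    }

    # AD = resolver validated DNSSEC for this answer. Encrypted transport (DoH)
    # protects the path to the resolver; it says nothing about the data's authenticity,
    # which is what DNSSEC adds, so an unsigned zone shows AD=False here.
    foreach ($rr in $response.Answer) {
        [pscustomobject]@{
            Name     = $rr.name
            Type     = $rr.type   # numeric RR type: 1 = A, 28 = AAAA, 5 = CNAME
            TTL      = $rr.TTL
            Data     = $rr.data
            DnssecAD = [bool] $response.AD
        }
    }
}

# Usage:
Resolve-DohJson -Name 'example.com' -Type 'A' -Resolver 'Cloudflare'
Resolve-DohJson -Name 'example.com' -Type 'AAAA' -Resolver 'Google'
```

The JSON API is convenient for experiments because the answer is readable, but it is not what browsers or the Windows DNS client use: they send RFC 8484 wire-format queries to the same /dns-query style endpoints, which is why the templates registered later in the article look like the Cloudflare URL above without the name and type parameters.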
DoH support in web browsers
The current versions of all major browsers already support DoH. With most of them, you select a public service from providers such as Google or NextDNS from a predefined list. Alternatively, you can enter the IP of another service that offers DNS over HTTPS.
The browser then uses its own integrated DNS client to resolve the addresses. This can be configured in Chromium-based programs via group policies so that they even use a different DNS server than the one set in the OS, if necessary.
While Chrome does not currently support DoH if the computer is a member of an AD domain, Edge offers its own settings in the group policies to control the use of DNS over HTTPS and to define DoH URI templates.
DoH support in the operating system
In many cases, however, it would be preferable to use DoH at the operating system level. On the one hand, all applications would then benefit from it; on the other hand, the DNS servers could be configured in one place.
Microsoft is now getting closer to this goal in the previews for Windows 10 21H2 and Windows 11. While this feature still had to be activated by setting registry keys in the early previews, a corresponding option is now available in the Settings app.
It can be found under Network and internet if you edit the Ethernet or WiFi settings there. You have to switch from DHCP to Manual and explicitly set the DNS server. In this case, Windows allows you to select an option for DNS encryption if the server supports this feature.
Registering the DNS server with DoH support
The operating system does not currently detect on its own whether a DNS server supports DoH. Therefore, you have to teach the OS which DNS servers are available for such a connection and under which URL they can be reached.
Microsoft has predefined some of these in the system; they can be queried with
To add your own DoH services, use the cmdlet
Add-DnsClientDohServerAddress -ServerAddress '
Existing entries can be changed with Set-DnsClientDohServerAddress. In addition, netsh.exe can maintain the list of DNS servers for DoH with new parameters.
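The registration steps above, as an added example that is not the article's own code: the function lists the known DoH servers, updates an existing entry or adds a new one, and returns the resulting entry. The server 1.1.1.1 with template https://cloudflare-dns.com/dns-query is a constructed sample value, and the netsh syntax shown in the trailing comment is an assumption about the netsh dns context; the Get-/Add-/Set-DnsClientDohServerAddress cmdlets and their -DohTemplate, -AllowFallbackToUdp and -AutoUpgrade parameters are the Windows DnsClient module's.

```powershell
# Added example: register (or update) a DoH-capable resolver with the Windows DNS client.
# Assumed sample values: 1.1.1.1 / https://cloudflare-dns.com/dns-query.
# Requires an elevated prompt and a Windows build that ships the DnsClient DoH cmdlets.
function Register-DohResolver {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ServerAddress,
        [Parameter(Mandatory)] [string] $DohTemplate,
        # $false: if the DoH connection fails, do NOT silently fall back to plaintext UDP/53.
        # Keep it false when the goal is that queries never leave the host unencrypted.
        [bool] $AllowFallbackToUdp = $false,
        # $true: Windows upgrades plain DNS to DoH as soon as this server is in use.
        [bool] $AutoUpgrade = $true
    )

    # A template that is not https:// would defeat the purpose; refuse it early.
    if (-not $DohTemplate.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "DoH template must be an https:// URL: $DohTemplate"
    }

    $existing = Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue |
        Where-Object ServerAddress -eq $ServerAddress

    if ($existing) {
        # Already known (for instance one of Microsoft's predefined entries): change it in place.
        if ($PSCmdlet.ShouldProcess($ServerAddress, 'Set-DnsClientDohServerAddress')) {
            Set-DnsClientDohServerAddress -ServerAddress $ServerAddress -DohTemplate $DohTemplate `
                -AllowFallbackToUdp $AllowFallbackToUdp -AutoUpgrade $AutoUpgrade
        }
    }
    else {
        if ($PSCmdlet.ShouldProcess($ServerAddress, 'Add-DnsClientDohServerAddress')) {
            Add-DnsClientDohServerAddress -ServerAddress $ServerAddress -DohTemplate $DohTemplate `
                -AllowFallbackToUdp $AllowFallbackToUdp -AutoUpgrade $AutoUpgrade
        }
    }

    # Return the entry as Windows now sees it (template, fallback and upgrade flags).
    Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $ServerAddress
}

# Usage (run elevated):
Register-DohResolver -ServerAddress '1.1.1.1' -DohTemplate 'https://cloudflare-dns.com/dns-query'

# Equivalent with netsh.exe, the other tool the article mentions (syntax assumed):
#   netsh dns add encryption server=1.1.1.1 dohtemplate=https://cloudflare-dns.com/dns-query autoupgrade=yes udpfallback=no
#   netsh dns show encryption
```

Registering the template only tells Windows how to reach that resolver over HTTPS; the interface still has to point at 1.1.1.1 as its DNS server (manually in the Settings app as described above, or with Set-DnsClientServerAddress) before any query is upgraded. The fallback flag is the setting to review in a hardening pass: with -AllowFallbackToUdp $true, a blocked or failing HTTPS connection quietly turns into the plaintext queries DoH was meant to avoid.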
In the future, this manual configuration of the DoH templates will not be necessary if clients can inquire on their own whether a server supports DNS over HTTPS. Microsoft is submitting a corresponding proposal to the IETF for standardization.
Controlling DoH via group policies
For the central administration of DoH, the current previews of Windows 10 and 11 already contain a setting for group policies. It can be found under Computer Configuration > Policies > Administrative Templates > Network > DNS Client and is called Configure DNS over HTTPS (DoH) name resolution.
Here, you can either force DoH for all requests or disallow it in general. In most cases, the option Allow DoH is probably the most suitable because it allows a fallback to an unencrypted request if the server does not support DoH.
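To see which of the three modes is in effect on a client, and which configured DNS servers would still receive unencrypted queries under Allow DoH, here is an added example (not code from the article). It assumes the policy is stored as a DoHPolicy DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient with 1 = Prohibit, 2 = Allow, 3 = Require; that mapping is the example's assumption, not something the article states.

```powershell
# Added example: report the effective "Configure DNS over HTTPS (DoH) name resolution" mode
# and list configured DNS servers that have no DoH template registered.
# Assumed registry location/value: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DoHPolicy
# with 1 = Prohibit DoH, 2 = Allow DoH, 3 = Require DoH.
function Get-DohPolicyState {
    $path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $value = (Get-ItemProperty -Path $path -Name 'DoHPolicy' -ErrorAction SilentlyContinue).DoHPolicy

    if ($null -eq $value) {
        $mode = 'Not configured (local settings and registered templates decide)'
    }
    else {
        $mode = switch ([int]$value) {
            1       { 'Prohibit DoH (every query is sent in plain text)' }
            2       { 'Allow DoH (DoH where a template exists, otherwise plain text)' }
            3       { 'Require DoH (queries to servers without DoH fail)' }
            default { "Unknown value $value" }
        }
    }

    # Under "Allow", a server without a registered template still gets plaintext queries,
    # so cross-check the interfaces' DNS servers against the DoH server list.
    $dohServers = @(Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ServerAddress)

    $withoutDoh = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            foreach ($srv in $_.ServerAddresses) {
                if ($srv -notin $dohServers) {
                    [pscustomobject]@{ Interface = $_.InterfaceAlias; Server = $srv }
                }
            }
        }

    [pscustomobject]@{
        PolicyValue       = $value
        Mode              = $mode
        ServersWithoutDoH = @($withoutDoh)
    }
}

Get-DohPolicyState | Format-List
```

A non-empty ServersWithoutDoH list combined with Allow DoH means those interfaces are still resolving in plain text; switching such a client to Require DoH without first registering templates for its servers breaks name resolution rather than securing it, which is why the article recommends Allow DoH as the default choice.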
After some delay, Microsoft is now getting serious about supporting DNS over HTTPS in the operating system. There, it will be available to all applications, and in the medium term, the separate DoH support of web browsers should also become unnecessary. In managed environments, this feature can be controlled via group policies.
DoH certainly offers the greatest benefit for users who work outside the secured corporate network, for example, when they connect to a public WiFi.