Typical use cases for DoH are external (wireless) networks that mobile users log in to. There, they could fall victim to a manipulated DNS server or a man-in-the-middle attack if DNS requests are transmitted in plain text.
To date, this technology is mainly supported by cloud providers such as Google or Cloudflare; Windows Server does not offer it natively. However, for private use, there are open-source implementations, such as DNSProxy or lambDoH.
If you want to play around with DoH in PowerShell, the following simple HTTP GET call uses the JSON API:
Invoke-RestMethod -Uri "https://dns.google.com/resolve?name=www.4sysops.com&type=A&ct=application/dns+json" | select {$_.Answer.data}
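The same JSON API query, expanded into a small function that checks the DNS response code and exposes the answer records and the DNSSEC (AD) flag as objects. This is an added example, not code from the article; it assumes Google's documented endpoint https://dns.google/resolve (the host in the one-liner above redirects there).

```powershell
# Added example: resolve a name via Google's DoH JSON API and return objects.
# Assumed endpoint: https://dns.google/resolve (Google's documented JSON API).
function Resolve-DohJson {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Type = 'A',
        [string] $Endpoint = 'https://dns.google/resolve'
    )
    $uri = '{0}?name={1}&type={2}' -f $Endpoint, [uri]::EscapeDataString($Name), $Type
    $r = Invoke-RestMethod -Uri $uri

    # Status carries the DNS RCODE: 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN.
    if ($r.Status -ne 0) {
        throw "DoH query for $Name/$Type failed with RCODE $($r.Status)"
    }

    # AD (Authenticated Data) is set when the resolver validated the answer with DNSSEC.
    foreach ($a in $r.Answer) {
        [pscustomobject]@{
            Name            = $a.name
            Type            = $a.type   # numeric RR type, e.g. 1 = A, 28 = AAAA
            TTL             = $a.TTL
            Data            = $a.data
            DnssecValidated = [bool]$r.AD
        }
    }
}

Resolve-DohJson -Name 'www.4sysops.com' -Type 'A' | Format-Table -AutoSize
```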
DoH support in web browsers
The current versions of all major browsers already support DoH. With most of them, you select a public service from providers such as Google or NextDNS from a predefined list. Alternatively, you can enter the IP of another service that offers DNS over HTTPS.
The browser then uses its own integrated DNS client to resolve the addresses. This can be configured in Chromium-based programs via group policies so that they even use a different DNS server than the one set in the OS, if necessary.
While Chrome does not currently support DoH if the computer is a member of an AD domain, Edge offers its own settings in the group policies to control the use of DNS over HTTPS and to define DoH URI templates.
DoH support in the operating system
In many cases, however, it would be preferable to use DoH at the operating system level. On the one hand, all applications would then benefit from it; on the other hand, the DNS servers could be configured in one place.
Microsoft is now getting closer to this goal in the previews for Windows 10 21H2 and Windows 11. While this feature still had to be activated by setting registry keys in the early previews, a corresponding option is now available in the Settings app.
It can be found under Network and internet when you edit the Ethernet or Wi-Fi settings there. You have to switch from DHCP to Manual and explicitly set the DNS server. Windows then lets you select an option for DNS encryption if the server supports this feature.
Registering the DNS server with DoH support
The operating system does not currently detect on its own whether a DNS server supports DoH. Therefore, you have to teach the OS which DNS servers are available for such a connection and under which URL they can be reached.
Microsoft has predefined some of these in the system; they can be queried with
Get-DnsClientDohServerAddress
To add your own DoH services, use the cmdlet
Add-DnsClientDohServerAddress -ServerAddress '<IP address>' -DohTemplate '<DoH template>'
Existing entries can be changed with Set-DnsClientDohServerAddress. In addition, netsh.exe can maintain the list of DNS servers for DoH with new parameters.
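The registration procedure above, worked through end to end: register a DoH-capable resolver (or update an existing entry), point an interface at it, and verify. This is an added example, not the article's code; it assumes an elevated prompt on a Windows 11 build that ships these cmdlets, the interface alias Ethernet, and Quad9's public resolver as a stand-in for whatever server you use.

```powershell
# Added example: register a DoH server with the Windows DNS client and use it.
# Assumed values: replace with your own resolver IP, DoH template and NIC alias.
$Server   = '9.9.9.9'                          # public resolver used only as an illustration
$Template = 'https://dns.quad9.net/dns-query'  # its DoH URI template
$Alias    = 'Ethernet'

# Add the entry only if Windows does not already know this server (it ships a
# predefined list); otherwise bring the existing entry in line.
$known = Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $Server
if (-not $known) {
    # -AllowFallbackToUdp $false: never silently downgrade to plain-text DNS
    # -AutoUpgrade $true: switch to DoH as soon as this IP is set as a DNS server
    Add-DnsClientDohServerAddress -ServerAddress $Server -DohTemplate $Template `
        -AllowFallbackToUdp $false -AutoUpgrade $true
} else {
    Set-DnsClientDohServerAddress -ServerAddress $Server -DohTemplate $Template `
        -AllowFallbackToUdp $false -AutoUpgrade $true
}
# netsh equivalent of the Add call (assumed syntax of the newer netsh dns parameters):
#   netsh dns add encryption server=9.9.9.9 dohtemplate=https://dns.quad9.net/dns-query autoupgrade=yes udpfallback=no

# Point the interface at the server; this is the "Manual" DNS setting in the Settings app.
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Server

# Verify: the server is listed with its template, and the interface uses it.
Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $Server |
    Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade -AutoSize
Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4
```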
In the future, this manual configuration of the DoH templates will not be necessary if clients can inquire on their own whether a server supports DNS over HTTPS. Microsoft is submitting a corresponding proposal to the IETF for standardization.
Controlling DoH via group policies
For the central administration of DoH, the current previews of Windows 10 and 11 already contain a setting for group policies. It can be found under Computer Configuration > Policies > Administrative Templates > Network > DNS Client and is called Configure DNS over HTTPS (DoH) name resolution.
Here, you can either force DoH for all requests or disallow it in general. In most cases, the option Allow DoH is probably the most suitable because it allows a fallback to an unencrypted request if the server does not support DoH.
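A small audit of what the DoH policy permits and whether the DNS servers actually in use can honour it, since Require DoH with a server that has no template breaks resolution and Allow DoH with such a server means plain-text queries. This is an added example, not code from the article; it assumes the policy writes the DoHPolicy value under the DNSClient policy key with 1 = Prohibit, 2 = Allow, 3 = Require (my reading of DnsClient.admx; verify against your ADMX).

```powershell
# Added example: report the effective DoH policy per configured DNS server.
# Assumed registry mapping (from DnsClient.admx): DoHPolicy 1=Prohibit, 2=Allow, 3=Require.
function Get-DohPolicyState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $val = (Get-ItemProperty -Path $key -Name DoHPolicy -ErrorAction SilentlyContinue).DoHPolicy
    $policy = switch ($val) {
        1 { 'Prohibit' } 2 { 'Allow' } 3 { 'Require' } default { 'NotConfigured' }
    }
    $doh = Get-DnsClientDohServerAddress

    # For each DNS server set on an IPv4 interface, check whether the client
    # knows a DoH template for it; without one no encryption is possible.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            $alias = $_.InterfaceAlias
            foreach ($s in $_.ServerAddresses) {
                $entry = $doh | Where-Object ServerAddress -eq $s
                $effect = if ($policy -eq 'Require' -and -not $entry) { 'BROKEN: Require DoH but no template' }
                          elseif ($policy -eq 'Prohibit' -or -not $entry) { 'Plain-text DNS' }
                          elseif ($entry.AllowFallbackToUdp) { 'DoH, may fall back to plain text' }
                          else { 'DoH only' }
                [pscustomobject]@{
                    Interface   = $alias
                    Server      = $s
                    Policy      = $policy
                    DohTemplate = $entry.DohTemplate
                    Effect      = $effect
                }
            }
        }
}

Get-DohPolicyState | Format-Table -AutoSize
```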
Conclusion
After some delay, Microsoft is now getting serious about supporting DNS over HTTPS in the operating system. There, it will be available to all applications, and in the medium term, the separate DoH support of web browsers should also become unnecessary. In managed environments, this feature can be controlled via group policies.
DoH certainly offers the greatest benefit for users who work outside the secured corporate network, for example, when they connect to a public WiFi.
I’m using 21H2 but it doesn’t include the DoH feature? Why?
Most likely because Microsoft wants people to upgrade to Windows 11.
It’s been stuck in preview builds for Windows 10, so they’re probably going to wait another 2 years or just not release it for Windows 10 because of the above reason.
I’m using Windows 11, and still no DoH feature.
It now seems unlikely Microsoft will ever release DNS over HTTPS for Windows 10.