How to enable DNS over HTTPS in Windows 11
October 15, 2022
To improve your online privacy and security, Windows 11 lets you use DNS over HTTPS (DoH) to encrypt the DNS requests your computer makes when you browse or do anything else on the Internet. This article will show you how to set it up in Windows 11.
Encrypted DNS is more private and secure
Every time you visit a website using a domain name (such as “suay.site”), your computer sends a request to a Domain Name System (DNS) server. The DNS server looks up the IP address that corresponds to that domain name in its records and sends it back to your computer, which then uses the address to connect to the site.
Traditionally, this resolution of a domain name to an IP address travels across the network in plain text. Any intermediate point can read the transmitted information: the domain names of the sites you visit and their IP addresses. With DNS over HTTPS, also known as DoH, the communication between your computer and a DoH-enabled DNS server is encrypted. An on-path observer can no longer read your DNS requests to track the sites you visit, or spoof the responses from the DNS server.
First, choose a free DNS service with DoH support (there are plenty to pick from)
Since its initial release, Windows 11 only enables DNS over HTTPS for a hard-coded list of public DNS services. You can see the list yourself by running the following command in a terminal window:
netsh dns show encryption
Here are the supported IPv4 DNS server addresses as of October 2022:
- Google primary DNS: 8.8.8.8
- Google secondary DNS: 8.8.4.4
- Cloudflare primary DNS: 1.1.1.1
- Cloudflare secondary DNS: 1.0.0.1
- Quad9 primary DNS: 9.9.9.9
- Quad9 secondary DNS: 149.112.112.112
For IPv6, the supported DNS server addresses are:
- Google primary DNS: 2001:4860:4860::8888
- Google secondary DNS: 2001:4860:4860::8844
- Cloudflare primary DNS: 2606:4700:4700::1111
- Cloudflare secondary DNS: 2606:4700:4700::1001
- Quad9 primary DNS: 2620:fe::fe
- Quad9 secondary DNS: 2620:fe::fe:9
When you enable DoH in the section below, you will need to pick two pairs of these DNS servers (a primary and a secondary for IPv4, and the same for IPv6) to use on your Windows 11 PC. As a bonus, these public resolvers are often faster than the one your ISP assigns.
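As an added example (not from the original article), the PowerShell snippet below checks the addresses listed above against the same built-in DoH table that `netsh dns show encryption` prints, and flags the IPv6 servers as unsuitable when the adapter has no routable IPv6 address. The adapter name "Ethernet" is an assumption; use your Wi-Fi adapter's name instead if needed.

```powershell
# Added example: which of the listed resolvers will Windows 11 really upgrade to DoH?
$InterfaceAlias = 'Ethernet'   # assumed adapter name

# Primary/secondary pairs exactly as listed in this article (October 2022).
$Providers = @{
    Google     = @{ IPv4 = '8.8.8.8', '8.8.4.4';         IPv6 = '2001:4860:4860::8888', '2001:4860:4860::8844' }
    Cloudflare = @{ IPv4 = '1.1.1.1', '1.0.0.1';         IPv6 = '2606:4700:4700::1111', '2606:4700:4700::1001' }
    Quad9      = @{ IPv4 = '9.9.9.9', '149.112.112.112'; IPv6 = '2620:fe::fe', '2620:fe::fe:9' }
}

function Test-DohCandidate {
    param([string]$Provider, [string]$Alias)
    # Windows only upgrades to DoH for servers in this table; anything else stays plain UDP/53.
    $known = Get-DnsClientDohServerAddress
    # Only recommend IPv6 resolvers when the link has a non-link-local IPv6 address.
    $hasIPv6 = [bool](Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike 'fe80*' })
    foreach ($family in 'IPv4', 'IPv6') {
        foreach ($addr in $Providers[$Provider][$family]) {
            $entry    = $known | Where-Object ServerAddress -eq $addr
            $template = '(not in built-in list: would NOT be encrypted)'
            $fallback = $null
            if ($entry) { $template = $entry.DohTemplate; $fallback = $entry.AllowFallbackToUdp }
            [pscustomobject]@{
                Family      = $family
                Address     = $addr
                DoHTemplate = $template
                UdpFallback = $fallback   # $true means Windows may fall back to plain DNS for this server
                Recommended = ($family -eq 'IPv4') -or $hasIPv6
            }
        }
    }
}

Test-DohCandidate -Provider 'Quad9' -Alias $InterfaceAlias | Format-Table -AutoSize
```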
Enable DNS over HTTPS in Windows 11
To start configuring DNS over HTTPS, open the Settings app by pressing Win+I on your keyboard. Alternatively, right-click the Start button and select “Settings” from the menu that appears.
In Settings, click “Network & internet” in the sidebar.
The procedure for setting up DNS over HTTPS differs slightly between “Wi-Fi” and “Ethernet” connections.
Configuring DNS over HTTPS for Ethernet (Wired)
In Network & internet, click the name of your primary Internet connection in the list, such as “Ethernet”.
On the Ethernet properties page, find the “DNS server assignment” setting and click the “Edit” button next to it.
In the window that appears, select “Manual” DNS settings from the drop-down menu.
Then turn the “IPv4” switch to the “On” position.
In the IPv4 section, enter the primary DNS server address you selected in the section above in the “Preferred DNS” field (for example, “8.8.8.8”).
The drop-down list “Preferred DNS encryption” will become active. In this list, select “Encrypted only (DNS over HTTPS)”.
Similarly, enter the address of the secondary DNS server in the “Alternate DNS” field (for example, “8.8.4.4”). Its “Preferred DNS encryption” drop-down list will become active as well; select “Encrypted only (DNS over HTTPS)” there too.
If your ISP supports IPv6, repeat this process for IPv6. If your ISP does NOT support IPv6, you DO NOT need to enable IPv6 DNS servers. If you're unsure, it's best not to enable IPv6 DNS.
Turn the “IPv6” switch to the “On” position, then copy the primary IPv6 address from the section above into the “Preferred DNS” field. Then copy the matching secondary IPv6 address into the “Alternate DNS” field.
After that, set both “Preferred DNS encryption” options to “Encrypted only (DNS over HTTPS)”.
Finally, click “Save”.
Back on the Ethernet hardware properties page, you'll see a list of your DNS servers with “(Encrypted)” marked next to each one.
Configuring DNS over HTTPS for Wi-Fi (Wireless)
In Network & internet settings, click the name of your primary Internet connection in the list, such as Wi-Fi.
On the Wi-Fi properties page, go to the “Hardware properties” section.
On the next window, locate the “DNS server assignment” option and click the “Change” button next to it.
In the window that appears, select “Manual” DNS settings from the drop-down menu. Then turn the “IPv4” switch to the “On” position.
In the IPv4 section, enter the primary DNS server address you selected in the section above in the “Preferred DNS” field (for example, “8.8.8.8”).
The drop-down list “Preferred DNS encryption” will become active. In this list, select “Encrypted only (DNS over HTTPS)”.
Tip: If you don't see the “Preferred DNS encryption” settings, you are editing the DNS settings for a specific Wi-Fi network rather than for the wireless adapter as a whole. Go back to Settings → Network & internet, select the connection type (Wi-Fi), and click “Hardware properties” first.
Similarly, enter the address of the secondary DNS server in the “Alternate DNS” field (for example, “8.8.4.4”).
If your ISP supports IPv6, repeat this process for IPv6. If your ISP does NOT support IPv6, you DO NOT need to enable IPv6 DNS servers. If you're unsure, it's best not to enable IPv6 DNS.
Turn the “IPv6” switch to the “On” position, then copy the primary IPv6 address from the section above into the “Preferred DNS” field. Then copy the matching secondary IPv6 address into the “Alternate DNS” field.
After that, set both “Preferred DNS encryption” options to “Encrypted only (DNS over HTTPS)”.
Finally, click “Save”.
Back on the Wi-Fi hardware properties page, you'll see a list of your DNS servers with “(Encrypted)” marked next to each one.
That's all you need to do. Close the Settings app, and you are ready to go. From now on, DNS requests from this connection are sent encrypted to the resolver you chose. Happy browsing!
Note: If you're having network problems after changing these settings, make sure you've entered the IP addresses correctly. A mistyped address means that DNS server cannot be reached. If the addresses are correct, try turning off the “IPv6” switch in the list of DNS servers: configuring IPv6 DNS servers on a computer that has no IPv6 connectivity can cause connection issues.
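As an added example (not part of the original article), this PowerShell script applies the same resolver configuration from an elevated prompt instead of the Settings pages above, verifies that each configured server still answers, and reverts the adapter to DHCP-assigned DNS if one does not, mirroring the troubleshooting note above. The adapter name and the test hostname are assumptions; the “Encrypted only” mode itself is still selected in Settings as described in the steps.

```powershell
# Added example: apply the chosen resolvers, verify resolution, roll back on failure.
$InterfaceAlias = 'Ethernet'                       # assumed adapter name
$IPv4Servers    = '9.9.9.9', '149.112.112.112'     # Quad9 pair from the list above
$IPv6Servers    = '2620:fe::fe', '2620:fe::fe:9'
$TestName       = 'example.com'                    # constructed hostname for the resolution check

function Set-DohResolvers {
    param([string]$Alias, [string[]]$IPv4, [string[]]$IPv6, [switch]$IncludeIPv6)
    $servers = @($IPv4)
    if ($IncludeIPv6) { $servers += $IPv6 }   # only on links that really have IPv6 (see the note above)
    # Refuse any address Windows cannot upgrade to DoH: it would silently stay plain text.
    $doh   = (Get-DnsClientDohServerAddress).ServerAddress
    $plain = $servers | Where-Object { $_ -notin $doh }
    if ($plain) { throw "Not DoH-capable on this build: $($plain -join ', ')" }
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $servers
}

function Test-DohResolvers {
    param([string]$Alias, [string]$Name)
    # Checks that every configured server answers; whether the query travelled over
    # DoH is confirmed by the "(Encrypted)" marker in Settings, not by this probe.
    $configured = (Get-DnsClientServerAddress -InterfaceAlias $Alias).ServerAddresses
    foreach ($s in $configured) {
        try {
            $null = Resolve-DnsName -Name $Name -Server $s -DnsOnly -ErrorAction Stop
            Write-Host "OK      $s"
        } catch {
            Write-Warning "FAILED  $s : $($_.Exception.Message)"
            return $false
        }
    }
    return $true
}

Set-DohResolvers -Alias $InterfaceAlias -IPv4 $IPv4Servers -IPv6 $IPv6Servers   # add -IncludeIPv6 on IPv6 links
if (-not (Test-DohResolvers -Alias $InterfaceAlias -Name $TestName)) {
    # Same remedy as the note above: revert to the DHCP-assigned DNS servers.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
    Write-Warning "Reverted $InterfaceAlias to DHCP-assigned DNS servers."
}
Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias | Format-Table InterfaceAlias, AddressFamily, ServerAddresses
```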