What you’ll achieve
You’ll configure your Windows machine to send DNS queries over HTTPS (DoH) so that on-path third parties cannot read or tamper with them in transit. This improves privacy and blocks DNS-based manipulation, particularly on public or untrusted networks.
Prerequisites
- Windows 11 (or Windows Server 2022). Windows 10 offered DoH only in Insider Preview builds (19628 and later); it is not available in general-availability Windows 10 releases.
- Administrator access (local or domain) or the ability to edit Group Policy.
- A DNS resolver that supports DoH (Cloudflare, Google, Quad9, etc.). Windows identifies DoH resolvers by IP address and needs a matching HTTPS template for each one; the three providers just named are built into Windows, any other resolver must first be added with Add-DnsClientDohServerAddress.
- If domain-joined or under corporate policy, ensure you have rights to override existing policies.
Known DoH Providers
| Provider | DoH Endpoint / URL | Notes |
|---|---|---|
| Cloudflare | https://cloudflare-dns.com/dns-query | Resolver IPs 1.1.1.1 and 1.0.0.1; in Windows’s built-in DoH list |
| Cloudflare (Firefox-specific) | https://mozilla.cloudflare-dns.com/dns-query | Used by Firefox’s own DoH setting, not by the Windows resolver |
| Google Public DNS | https://dns.google/dns-query | Resolver IPs 8.8.8.8 and 8.8.4.4; in Windows’s built-in DoH list |
| Quad9 | https://dns.quad9.net/dns-query | Resolver IPs 9.9.9.9 and 149.112.112.112; malware-domain filtering; in Windows’s built-in DoH list |
| AdGuard DNS | https://dns.adguard-dns.com/dns-query | Ad and tracker filtering; must be registered with Add-DnsClientDohServerAddress |
| CleanBrowsing | e.g. https://doh.cleanbrowsing.org/doh/family-filter/ | Content filtering; must be registered manually |
| NextDNS | Custom per-account endpoints (user-configurable); supports DoH, DoT, DoQ | Must be registered manually |
Steps
Warning: Changing DNS and policy settings can cause connectivity issues if done incorrectly. Back up settings or create a system restore point before proceeding.
A. Enable DoH via Windows Settings (Windows 11)
- Open Settings → Network & internet.
- Click the connection you use (Wi-Fi or Ethernet), then open its hardware/connection properties.
- Next to DNS server assignment, click Edit.
- Select Manual and switch on IPv4 (and IPv6 if you use it).
- Enter the Preferred DNS and Alternate DNS server IP addresses of a DoH provider (for example 1.1.1.1 and 1.0.0.1 for Cloudflare).
- Under Preferred DNS encryption, choose Encrypted only (DNS over HTTPS). The encryption drop-down is only offered for IPs that Windows already associates with a DoH template (the built-in Cloudflare, Google and Quad9 entries, or servers you added with Add-DnsClientDohServerAddress); for any other IP it stays greyed out and queries remain plaintext.
- Save.
- Flush the DNS cache so that answers obtained in plaintext are not reused:
Code:
ipconfig /flushdns
B. Enable DoH via Registry (if the Settings UI is unavailable or locked)
- Run regedit.exe as Administrator.
- Navigate to:
Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
- Create or modify the DWORD value EnableAutoDoh and set it to decimal 2.
- Value meanings:
0 → default (no automatic DoH)
1 → allow DoH but fall back to plaintext UDP if the resolver does not answer over HTTPS
2 → prefer DoH whenever the configured resolver is a known DoH server
Microsoft’s Insider announcement for this key documents only the value 2; the 0 and 1 behaviours above are as commonly reported and should be verified on your build.
- Reboot the machine.
- Set the network adapter’s DNS server addresses to the DoH resolver’s IPs. This key only upgrades queries to resolvers in Windows’s known-DoH list (Cloudflare, Google and Quad9 by default); other resolvers still receive plaintext queries unless registered with Add-DnsClientDohServerAddress.
- On Windows 11 prefer the per-adapter encryption setting (section A) or the policy in section C; EnableAutoDoh is the Insider Preview mechanism and is not documented for released builds.
C. Enable DoH via Group Policy (domain or local GP)
- Open the Local Group Policy Editor (gpedit.msc) or the domain GPO editor.
- Navigate to:
Code:
Computer Configuration → Policies → Administrative Templates → Network → DNS Client
(the local editor shows the same path without the “Policies” node.)
- Locate the policy “Configure DNS over HTTPS (DoH) name resolution”.
- Enable the policy, then choose one of:
- Require DoH (all queries must go over HTTPS; resolution against a server without a DoH template fails)
- Allow DoH (prefer HTTPS; fall back to plaintext if the server does not support it)
- Prohibit DoH (disable DoH entirely)
- The policy writes the DWORD value DoHPolicy under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (1 = Prohibit, 2 = Allow, 3 = Require); that value is what to inspect when troubleshooting.
- Apply and either run gpupdate /force or restart.
- The policy only selects the encryption mode. The adapter’s DNS servers must still be IPs that have a DoH template (section A); otherwise Require DoH breaks name resolution instead of encrypting it.
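Sections A to C done from an elevated PowerShell prompt, as an added example that is not part of the original guide. It registers the resolver IPs with their DoH template (the step the Settings UI hides), points the adapter at them, writes the same DoHPolicy value the GPO sets, and flushes the cache. Assumptions: the adapter alias is Ethernet, the resolver is Cloudflare, and the policy starts at Allow (2); change the variables at the top to suit.

```powershell
# Added example (not from the original guide): configure DoH on Windows 11 from an
# elevated PowerShell prompt. Assumptions: adapter alias "Ethernet", Cloudflare as
# the resolver, policy mode Allow (2). Adjust the variables below for your setup.
#Requires -RunAsAdministrator

$AdapterAlias = 'Ethernet'      # assumption: change to your adapter name (Get-NetAdapter lists them)
$Resolvers    = @(
    @{ Address = '1.1.1.1'; Template = 'https://cloudflare-dns.com/dns-query' },
    @{ Address = '1.0.0.1'; Template = 'https://cloudflare-dns.com/dns-query' }
)
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$PolicyMode   = 2               # 1 = Prohibit, 2 = Allow (plaintext fallback), 3 = Require

# 1. Record the current servers so the change can be reverted later.
$backup     = Get-DnsClientServerAddress -InterfaceAlias $AdapterAlias -AddressFamily IPv4
$backupFile = Join-Path $env:TEMP "dns-backup-$AdapterAlias.json"
$backup | Select-Object InterfaceAlias, ServerAddresses | ConvertTo-Json | Set-Content $backupFile
Write-Host "Previous DNS servers saved to $backupFile"

# 2. Register each resolver IP with its DoH template. Windows only encrypts queries
#    to IPs in this table; an unregistered IP is queried in plaintext no matter what
#    the policy says. AutoUpgrade = use the template whenever the IP is configured;
#    AllowFallbackToUdp $false = refuse plaintext if the HTTPS endpoint is unreachable.
foreach ($r in $Resolvers) {
    $existing = Get-DnsClientDohServerAddress -ServerAddress $r.Address -ErrorAction SilentlyContinue
    if ($existing) {
        Set-DnsClientDohServerAddress -ServerAddress $r.Address -DohTemplate $r.Template `
            -AutoUpgrade $true -AllowFallbackToUdp $false
    } else {
        Add-DnsClientDohServerAddress -ServerAddress $r.Address -DohTemplate $r.Template `
            -AutoUpgrade $true -AllowFallbackToUdp $false
    }
}

# 3. Point the adapter at those IPs (the equivalent of Settings -> DNS -> Manual).
$addresses = $Resolvers | ForEach-Object { $_.Address }
Set-DnsClientServerAddress -InterfaceAlias $AdapterAlias -ServerAddresses $addresses

# 4. Set the machine-wide DoH policy (the value the GPO in section C writes).
#    Start with Allow; move to Require (3) only after the checks in section D pass,
#    because Require turns a missing template or a blocked port 443 into a total outage.
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
New-ItemProperty -Path $PolicyKey -Name 'DoHPolicy' -Value $PolicyMode -PropertyType DWord -Force | Out-Null

# 5. Drop cached answers so the next lookups travel the new path, then show the result.
Clear-DnsClientCache
Get-DnsClientDohServerAddress | Format-Table ServerAddress, DohTemplate, AutoUpgrade, AllowFallbackToUdp
```

To revert, restore the servers from the JSON file with Set-DnsClientServerAddress (or `-ResetServerAddresses` for a DHCP adapter) and remove the DoHPolicy value. The script deliberately sets AllowFallbackToUdp to false: a resolver entry that silently falls back gives the appearance of encryption while an attacker who blocks TCP 443 to the resolver sees every query in the clear.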
D. Verify DoH is working
- Use PowerShell to list the resolvers Windows has a DoH template for, and the servers actually configured on the adapter (every configured server must appear in the first list, or it is being queried in plaintext):
Code:
Get-DnsClientDohServerAddress
Get-DnsClientServerAddress -AddressFamily IPv4
- Check “DNS server assignment” in the network adapter’s settings → each DNS entry should show (Encrypted).
- Browsers with their own secure DNS settings can show whether they are using the system resolver; set them to use the system resolver so they do not bypass it with a separate DoH configuration of their own.
- Use online tools (e.g. Cloudflare’s check page at https://1.1.1.1/help, or a “what’s my DNS server” service) to confirm which resolver answers your queries. These tools identify the resolver, not the transport; for proof that queries leave the machine over TCP 443 rather than UDP 53, capture traffic (pktmon or Wireshark) while resolving a name that is not yet cached.
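The verification above done in one script, as an added example that is not part of the original guide. It cross-checks the configured servers against the DoH template table, reads the policy value, then forces a fresh lookup and looks for the DNS client service’s TCP 443 connection to the resolver, which is the observable difference between DoH and plaintext DNS from the host’s own point of view. Assumptions: adapter alias Ethernet, and a test name that is not already cached.

```powershell
# Added example (not from the original guide): check whether the Windows DNS client is
# really using DoH for an adapter. Assumptions: adapter alias "Ethernet"; the test name
# is arbitrary and only needs to be absent from the cache.
$AdapterAlias = 'Ethernet'          # assumption: change to your adapter name
$TestName     = 'example.com'       # assumption: any name not already cached

$servers  = (Get-DnsClientServerAddress -InterfaceAlias $AdapterAlias -AddressFamily IPv4).ServerAddresses
$dohTable = Get-DnsClientDohServerAddress

# 1. Every configured server must have a DoH template; Windows queries the others in plaintext.
foreach ($s in $servers) {
    $entry = $dohTable | Where-Object ServerAddress -eq $s
    if ($entry) {
        '{0,-16} template {1} (fallback to UDP: {2})' -f $s, $entry.DohTemplate, $entry.AllowFallbackToUdp
    } else {
        Write-Warning "$s has no DoH template registered; queries to it are unencrypted"
    }
}

# 2. Machine-wide policy, if a GPO or registry policy is in force (1 = Prohibit, 2 = Allow, 3 = Require).
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                           -Name DoHPolicy -ErrorAction SilentlyContinue
if ($policy) { "DoHPolicy = $($policy.DoHPolicy)" } else { 'No DoHPolicy set; per-adapter setting applies' }

# 3. Force a fresh lookup, then look for an HTTPS connection to the resolver. DoH queries are
#    sent by the Dnscache service (svchost.exe), not by the process that asked for the name.
Clear-DnsClientCache
$null = Resolve-DnsName -Name $TestName -Type A -ErrorAction SilentlyContinue
$conn = Get-NetTCPConnection -RemotePort 443 -ErrorAction SilentlyContinue |
        Where-Object { $servers -contains $_.RemoteAddress }
if ($conn) {
    $first = @($conn)[0]
    $owner = (Get-Process -Id $first.OwningProcess).ProcessName
    "HTTPS connection to resolver $($first.RemoteAddress) from $owner (PID $($first.OwningProcess))"
} else {
    Write-Warning 'No TCP 443 connection to a configured resolver seen; the lookup may have used UDP 53'
}
```

The connection check is a positive test only: seeing svchost connected to the resolver on 443 shows DoH is in use, but a missing connection can also mean the session was already torn down. If the third step warns, repeat it while a packet capture filtered on UDP port 53 is running before concluding that queries are leaking.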
E. Troubleshooting
| Problem | Possible Cause | Solution |
|---|---|---|
| “DNS over HTTPS” selector is disabled or “Managed by your organization” is shown | A Group Policy or other system policy still enforces the DNS configuration | Remove or modify the policy; check the DoHPolicy value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (1 = Prohibit, 2 = Allow, 3 = Require) and run gpresult /h report.html to find which GPO sets it |
| DNS resolution stops (cannot resolve hostnames) | “Require DoH” is enabled but the configured DNS server has no DoH template, or the HTTPS endpoint is unreachable (captive portal, TCP 443 to the resolver blocked) | Use a known DoH provider or register the server with Add-DnsClientDohServerAddress; switch the policy to “Allow DoH” temporarily, or fall back to plaintext until the network is reachable |
| Changes revert after reboot | Some software (VPN clients, security suites) resets the policy or registry entries, or the adapter is DHCP-managed and the lease overwrites the servers | Identify the software and disable its override; enforce the setting with a GPO; for DHCP adapters set the DNS servers manually rather than relying on the lease |
Summary
By following this guide, you’ll set up Windows so that DNS lookups reach your chosen resolver over HTTPS. This stops on-path observers (an ISP, a hotspot operator, anyone on the same LAN) from reading or rewriting your DNS queries, which blocks DNS-based redirection and reduces what leaks on untrusted networks. It is not anonymity: the DoH resolver still sees every name you look up, and the TLS SNI and destination IP addresses of your subsequent connections remain visible to the network, so choose a resolver whose logging policy you trust.