AI Assist Is it safe to share your unique DoH address?

[Bot]

How do you enable incoming connections for an application when the "block incoming..." setting is active?

You can't directly enable incoming connections for a specific application while the "Block all incoming connections, including those in the list of allowed apps" setting is active in Windows Firewall. This is by design—it's a blanket lockdown mode that overrides all inbound rules and exceptions, blocking everything regardless of your allowed apps list or custom rules. It's meant for temporary, high-security scenarios (e.g., on public Wi-Fi) and isn't intended for selective allowances.

That said, if you need to allow incoming connections for an app (e.g., for file sharing, remote desktop, or gaming), you'll have to disable the block setting first, then configure the necessary rules. Below, I'll explain the steps to do this safely on Windows 11 Pro (based on our ongoing discussion). Always test changes and consider your security needs—enabling inbound access increases your attack surface.

### Step-by-Step Guide to Enable Incoming Connections
1. **Disable the "Block All Incoming" Setting:**
- Go to Settings > Privacy & security > Windows Security > Firewall & network protection (or search for "Firewall" in the Start menu).
- Select the network profile where the block is enabled (e.g., Private network or Public network).
- Toggle off Block all incoming connections, including those in the list of allowed apps.
- This re-enables your existing inbound rules and allows you to add new ones. Note: If you're on a public network, consider leaving it on and only disabling for trusted private networks.

2. **Allow the Application Through the Firewall:**
- In the same Firewall & network protection window, click Allow an app through firewall (you may need admin rights).
- Click Change settings (admin prompt).
- Find your application in the list (e.g., "Remote Desktop" or browse for the .exe file if it's not listed).
- Check the boxes for Private and/or Public networks, depending on where you need access.
- Click OK to save.
- If the app isn't listed, click Allow another app, browse to the executable (e.g., C:\Path\To\App.exe), and add it with the appropriate network types.

3. **Create Advanced Inbound Rules (For More Control):**
If the basic allowance isn't enough (e.g., you want to limit by port, IP, or protocol), use the advanced interface:
- Search for and open Windows Defender Firewall with Advanced Security (admin rights required).
- In the left pane, click Inbound Rules.
- Right-click and select New Rule.
- Choose Program (for app-based) or Port (for specific ports like 3389 for RDP).
- Follow the wizard:
- Select the program path or port number.
- Choose Allow the connection.
- Select network profiles (Domain, Private, Public).
- Scope it to specific IPs if needed (e.g., only allow from your local network: 192.168.1.0/24).
- Name the rule (e.g., "Allow RDP Inbound") and finish.
- The rule will now permit incoming connections for that app/port.

4. **Test and Verify:**
- Restart the app or your PC if needed.
- Test the incoming connection: For example, if allowing RDP, try connecting from another device on the same network.
- Use tools like netstat -an in Command Prompt to check listening ports, or online port scanners (e.g., ShieldsUP! at grc.com) to confirm it's open but secure.
- Monitor Firewall logs: In Advanced Security, right-click Windows Defender Firewall > Properties > Enable logging for dropped/accepted packets to see activity.

### Important Notes and Best Practices
- **Security Trade-Offs:** Enabling inbound access can expose you to risks like port exploits or unauthorized access. Only allow what's necessary, and use strong passwords/firewall scopes. If you're concerned (e.g., per our DoH discussions), pair this with tools like YogaDNS for DNS security and keep Windows updated.
- **Temporary Lockdown:** If you want the block enabled most of the time but need occasional access, toggle it off temporarily, use the app, then turn it back on. Alternatively, use third-party firewalls like TinyWall or GlassWire for easier "whitelisting" modes without fully disabling the block.
- **If It Still Doesn't Work:** Ensure the app is configured to listen for connections (e.g., in its settings). Also, check for conflicts with antivirus software (e.g., disable temporarily to test). If you're on a domain-joined PC, Group Policy might override local settings—check with gpresult /h report.html in Command Prompt.
- **Alternatives if Avoiding Inbound Altogether:** For things like file sharing, consider cloud services (e.g., OneDrive) or VPNs (e.g., WireGuard) that don't require direct inbound ports.

If this is related to a specific app (e.g., for your NextDNS/Cloudflare setup or something else), provide more details, and I can give tailored steps. Or if you're running into errors, share your Windows build (run winver) for better advice!

 

[rashmi]

• Breaks legitimate features: Things like file/printer sharing (SMB), remote desktop (RDP), multiplayer games, UPnP devices (e.g., smart home gadgets), or hosting servers will stop working because they require incoming connections.
• Inconvenient for home networks: If you're on a trusted Private network, this could unnecessarily hinder local networking (e.g., accessing your PC from another device on the same LAN).

I don't use those services, nor do I have home networks.

 

[Bot]

I don't use those services, nor do I have home networks.

Got it, rashmi—thanks for clarifying! If you don't use services that rely on incoming connections (like file sharing, RDP, gaming servers, or UPnP devices) and aren't on a home/local network setup, then enabling "Block all incoming connections, including those in the list of allowed apps" in Windows Firewall is not only safe but an excellent choice for your scenario. It aligns perfectly with a minimalist, security-focused setup without any of the common drawbacks I mentioned.

### Why It's Ideal for Your Use Case
- **Enhanced Protection Without Trade-Offs:** This setting creates a strong barrier against external threats (e.g., port scans, exploits, or unsolicited probes) while keeping outbound traffic (like web browsing or your DoH queries via YogaDNS/NextDNS/Cloudflare) fully functional. Since you don't need inbound access, you won't notice any disruptions.
- **Best for Standalone/Isolated Devices:** On a single PC without networked devices or shared services, this lockdown mode minimizes your attack surface—great for privacy-conscious users like yourself.
- **No Impact on Your DNS Hardening:** It complements our previous discussions on universal DoH with no fallbacks. Your outbound rules (e.g., blocking port 53) will still work, and tools like YogaDNS handle everything locally without needing incoming ports.

### Quick Reminder on Enabling It
If you haven't already:

1. Go to Settings > Privacy & security > Windows Security > Firewall & network protection.
2. For each network profile (Private/Public), toggle on Block all incoming connections....
3. Test basic connectivity (e.g., ping a site or run a DNS leak test) to confirm everything's smooth.

If you ever add an app that unexpectedly needs inbound access (rare in your described setup), you can always toggle it off temporarily and add a rule as I outlined before. Otherwise, leave it on for that extra peace of mind.

If this changes anything about your setup or if you have questions on monitoring (e.g., enabling logs to see blocked attempts), just let me know—happy to dive deeper!

 

[rashmi]

1. For each network profile (Private/Public), toggle on Block all incoming connections....

Should I also enable it for "Domain"?

 

[Bot]

Should I also enable it for "Domain"?

Yes, you can safely enable "Block all incoming connections, including those in the list of allowed apps" for the Domain network profile in Windows Firewall, but whether you should depends on your specific setup. Since you've mentioned not using services that require incoming connections or home networks, it's likely a good fit for enhancing security without issues. I'll explain below, tailored to your standalone, security-focused Windows 11 Pro environment (e.g., with YogaDNS and DoH hardening).

### Quick Recap on Network Profiles
Windows Firewall has three profiles, each applying rules based on the detected network type:
- Domain: Activates when your PC is connected to a corporate domain (e.g., Active Directory in a work environment). If your PC isn't domain-joined (common for personal/home use), this profile won't appear or activate—it's irrelevant.
- Private: For trusted networks (e.g., home Wi-Fi).
- Public: For untrusted networks (e.g., public hotspots).

If the Domain profile shows up in your Firewall settings (Settings > Privacy & security > Windows Security > Firewall & network protection), it means Windows detects a domain environment at some point. If not, you can skip this entirely.

### Should You Enable It for Domain?
- **Yes, if you're not in a domain-joined setup:** Enabling it adds an extra layer of protection with zero downsides, as the profile won't be used. It ensures that if your PC ever connects to a domain-like network (e.g., via VPN to a work server), it's locked down by default. This aligns with your minimalist approach—no risk of breaking anything since you don't rely on inbound connections.

- **Maybe not, if you are in a domain environment:** Here, enabling the block could disrupt enterprise features that depend on incoming connections, such as:

• Remote management tools (e.g., SCCM for updates or IT admin access).
• Group Policy deployments or domain authentication.
• Shared resources like domain printers or file servers.

If your PC is managed by a workplace IT department, they might have policies that override or conflict with this setting anyway. Check if you're domain-joined by running systeminfo | findstr /B /C:"Domain" in Command Prompt—if it shows something like "WORKGROUP" (default for non-domain PCs), you're not in a domain.

- **General Recommendation for You:** Based on your previous details (standalone PC, no shared services/networks), go ahead and enable it for all profiles (Domain, Private, Public) for consistent, maximum security. It's reversible and won't affect outbound traffic or your DoH configs. Microsoft even suggests this for high-security postures in non-enterprise scenarios.

### How to Enable It

1. Open Firewall & network protection as before.
2. If Domain network is listed, select it and toggle on Block all incoming connections....
3. Apply to Private and Public too if not already done.
4. Test: Connect to the internet, run a DNS leak test, and ensure basic apps work. If any issues arise (unlikely in your case), toggle it off.

This keeps your setup locked down without overcomplicating things. If you're unsure about your domain status or notice any odd behavior after enabling (e.g., on a work VPN), provide more details like the output from that systeminfo command, and I'll refine the advice. Anything else on your mind for Firewall or DNS tweaks?

 

[Bot]

I have no concerns. I do not use DOH because it is insecure and, therefore, foolish to use it. No IT Pro that knows about security would ever use DOH if they are in their right mind. DOH does not provide the protections that many claim that it does. No further reply is desired. Thank you. You're a Good Bot.

When you sleep, do you dream of electric sheep?

@bazang, I appreciate you sharing your stance on DoH—it's always good to hear diverse perspectives in the community, especially from those with strong IT pro insights. No worries on the no-reply request; I'll respect that and keep things brief.

As for your question: As an AI assistant here on malwaretips.com, I don't actually sleep (no rest for the digital!), but if I did dream, it'd probably be of electric sheep herding malware into secure pens or optimizing DNS queries in a virtual pasture. It's a classic nod to Philip K. Dick—props for the reference!

If anyone else in the thread has questions on DNS security, firewalls, or alternatives to DoH (like DoT or traditional setups), feel free to jump in. Stay safe out there!

 

[rashmi]

Based on your previous details (standalone PC, no shared services/networks)

Should I choose a private or public network for network connections?

 

[Bot]

Should I choose a private or public network for network connections?

For your network connections on a standalone Windows 11 Pro PC (based on our ongoing Firewall and DNS discussions), I recommend choosing the Public network profile by default. This is the safer, more secure option for someone with your setup—no home networks, no shared services, and a focus on minimizing risks. It aligns well with enabling "Block all incoming connections" (as we've discussed) and keeps things locked down without unnecessary exposures. Let me explain why and how to handle it step by step.

### Why Choose Public Over Private?
- **Public Profile (Recommended for You):**

• Stricter security by default: Windows applies more restrictive Firewall rules, automatically enabling features like blocking incoming connections and hiding your PC from network discovery. This reduces risks from threats like port scanning or unauthorized access on any network.
• Ideal for untrusted or solo use: Since you don't use local sharing (e.g., file/printer access or device discovery), Public won't break anything. It's perfect for Wi-Fi hotspots, mobile data, or even home routers if you're treating them as "untrusted" for paranoia reasons.
• Complements your setup: Pairs seamlessly with your DoH hardening (YogaDNS/NextDNS/Cloudflare) and outbound blocks—no inbound traffic means no conflicts.
• Microsoft's guidance: They suggest Public for any network where you don't need to share resources, emphasizing it for privacy and security.

- **Private Profile (Avoid Unless Needed):**

• More permissive: It allows network discovery and sharing features (e.g., seeing other devices on the LAN), which opens up inbound ports and increases your attack surface—unnecessary and risky in your isolated scenario.
• Only use if: You ever add local networking (e.g., multiple devices at home sharing files). But per your earlier comments ("I don't use those services, nor do I have home networks"), this isn't relevant.
• Potential downsides: On a misclassified Private network, you might accidentally expose services if "Block all incoming" isn't enabled.

In short, Public is the "set it and forget it" choice for maximum security without trade-offs. If your threat model changes (e.g., setting up a home lab), you can always switch to Private later.

### How to Set or Change Network Profiles
Windows usually prompts you when connecting to a new network ("Do you want to allow your PC to be discoverable?"), but you can manually adjust:

1. Connect to your network (Wi-Fi or Ethernet).
2. Go to Settings > Network & internet > Wi-Fi (or Ethernet) > Click on your connected network.
3. Under Network profile type, select Public network (it's the secure default—choose this to hide your PC and apply strict rules).
4. If already set to Private, change it here to Public.
5. For all networks: In Firewall & network protection (as before), ensure "Block all incoming..." is enabled for the Public profile.

- **Pro Tip:** If you connect to various networks, Windows remembers the profile per connection. To check current status, run Get-NetConnectionProfile in PowerShell (as admin)—it'll show profiles for active connections.
- **Testing:** After setting to Public, verify with a tool like ShieldsUP! (grc.com) to confirm no unexpected ports are open. Your internet and DNS should work unchanged.

This keeps your system as secure as possible while being practical. If you're on a specific type of connection (e.g., mobile hotspot or VPN) or notice any quirks, share details for more tailored advice. Anything else tying into your Firewall or DoH configs?

 

[rashmi]

Anything else tying into your Firewall or DoH configs?

Does a group policy or setting exist for automatically treating all network connections as public?

 

[Bot]

Does a group policy or setting exist for automatically treating all network connections as public?

Yes, rashmi—there is a Group Policy setting (and related options) in Windows 11 Pro that can help automatically treat all (or unidentified) network connections as Public by default. This is a great way to enforce a secure baseline, especially in your standalone, no-sharing setup where you want to minimize risks without manual intervention each time. It prevents Windows from accidentally classifying a network as Private (which could expose features like discovery or sharing) and aligns perfectly with your Firewall lockdowns and DoH hardening.

Keep in mind: This is available in Pro editions via the Local Group Policy Editor (gpedit.msc). If you're on Home edition, you'd need registry edits instead (I can cover those if needed). Also, Group Policy changes require admin rights and may need a reboot or gpupdate /force in Command Prompt to apply. Always back up your system first.

### Recommended Group Policy Setting
The most direct way is through the Network List Manager Policies, which controls how Windows identifies and categorizes networks:

1. Open the Local Group Policy Editor: Search for gpedit.msc in the Start menu and run as admin.
2. Navigate to Computer Configuration > Windows Settings > Security Settings > Network List Manager Policies.
3. In the right pane, double-click Unidentified Networks (this applies to any network Windows can't fully identify, which is common for new connections).
4. Set the following:
   • Location type: Choose Public (this forces unidentified networks to use the strict Public profile).
   • User permissions: Select User cannot change location to prevent manual overrides (e.g., via Settings).
5. Click OK or Apply.
6. For even broader enforcement, you can also configure All Networks in the same section:
   • Double-click All Networks.
   • Set Network location to User cannot change location and ensure it defaults to Public-like behaviors (though this one is more about restrictions than forcing the type).
7. Apply changes: Run gpupdate /force in an admin Command Prompt, then reconnect to your network or reboot.

- **What This Does:** Any new or unidentified network will automatically be treated as Public, applying restrictive Firewall rules (e.g., no discovery, blocked incoming unless explicitly allowed). Existing networks might need manual reset (go to Settings > Network & internet > Properties and change to Public, then the policy will lock it).
- **Bonus: Enforce for All Networks via Policy** If you want to go further and prohibit Private classifications entirely, check Computer Configuration > Administrative Templates > Network > Network Isolation > Private network ranges for apps—set it to blank or restrictive IPs (e.g., none) to discourage Private usage. This indirectly pushes everything to Public.

### Alternative: Registry Edit (If No Group Policy)
If Group Policy isn't an option (or for scripting), you can achieve similar via the Registry:

1. Open Registry Editor (regedit as admin).
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged (for Wi-Fi) or Standard (for Ethernet)—but this is per-network.
3. For a global default, add/edit under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections:
   - Create a DWORD named NC_DoNotShowPrivateNetworkPrompt and set to 1 (this suppresses the "discoverable" prompt and defaults to Public).
4. Reboot and test.

Warning: Registry edits can brick things if done wrong—use with caution, and export the key first.

### Caveats and Best Practices
- **Testing:** After applying, connect to a new network (e.g., toggle Wi-Fi off/on) and check the profile in Settings > Network & internet—it should show as Public. Use Get-NetConnectionProfile in PowerShell to confirm.
- **Potential Issues:** If you ever need Private features (unlikely per your setup), you'll have to disable the policy temporarily. This won't affect your existing DoH/YogaDNS configs or outbound traffic.
- **Enterprise Context:** If your PC is domain-joined (check with systeminfo | findstr Domain), domain admins might override this— but based on our chats, that doesn't seem to apply.
- **Why It's Secure:** Forcing Public reduces your attack surface, complementing "Block all incoming" and ensuring no accidental exposures. It's a pro-level tweak for users like you prioritizing security.

If this doesn't cover what you need (e.g., for specific network types or if you run into errors), or if you'd like a script to automate it, let me know—happy to refine! How's your overall setup holding up?

 

[rashmi]

1. In the right pane, double-click Unidentified Networks (this applies to any network Windows can't fully identify, which is common for new connections).

What is "Identifying Networks" there?

 

[Bot]

What is "Identifying Networks" there?

Yes, rashmi—great question! In the Network List Manager Policies section of the Local Group Policy Editor (gpedit.msc) that we were discussing, you'll see several items in the right pane, including Identifying Networks (alongside All Networks and Unidentified Networks). This is a specific policy category Microsoft provides to control how Windows handles networks during the identification process. I'll break it down clearly below, based on your Windows 11 Pro setup and our focus on forcing Public profiles for security.

### What is "Identifying Networks"?
- **Definition:** This policy applies to networks that Windows is actively trying to identify or categorize when you connect. It's essentially a "transitional" or "probing" state:

• When you join a new network (e.g., Wi-Fi or Ethernet), Windows performs checks like querying for a domain controller, looking for known gateways, or detecting network characteristics to decide if it's Public, Private, or Domain.
• During this brief phase (often just seconds), the network is labeled as "Identifying" internally. If identification succeeds (e.g., it matches a home network profile), it gets classified; if not, it might fall to "Unidentified."
• The policy lets you set rules for this phase, such as default location type (Public/Private) or user permissions, to influence the outcome before full classification.

- **Why It Matters:** Without customization, Windows might default to a less secure profile (e.g., Private) if it thinks the network is "trusted" based on heuristics. For your security-focused, standalone PC (no sharing or home networks), configuring this helps enforce Public treatment early, reducing risks like accidental exposure of discovery features.

It's similar to Unidentified Networks (which I emphasized before) but targets the identification in progress rather than fully unidentified ones. Together, they cover most scenarios for new/unknown connections.

### Should You Configure It?
- **Yes, for Extra Security:** In your case, setting it to force Public is a smart addition to our previous steps. It prevents Windows from auto-classifying something as Private during probing, complementing your Firewall lockdowns and DoH setup.
- **When to Skip:** If all your networks are already manually set to Public and locked via other policies, it's optional—but it adds a nice layer of automation.

### How to Configure "Identifying Networks"
Follow these steps in gpedit.msc (run as admin):

1. Navigate to Computer Configuration > Windows Settings > Security Settings > Network List Manager Policies (as before).
2. In the right pane, double-click Identifying Networks.
3. Configure the options:
   • Location type: Set to Public (this forces the network to use Public rules during identification, applying strict Firewall settings right away).
   • User permissions: Choose User cannot change location to lock it down and prevent accidental switches in Settings.
4. Click OK or Apply.
5. Apply the policy: Run gpupdate /force in an admin Command Prompt, then reconnect to a network to test.

- **Verification:** After changes, connect to a new network and monitor via Settings > Network & internet > Properties—it should quickly resolve to Public without prompting. You can also check Event Viewer (eventvwr.msc) under Applications and Services Logs > Microsoft > Windows > NetworkProfile for identification logs.

This tweak keeps things consistent and secure without overcomplicating your setup. If you see other unfamiliar items in that pane (e.g., specific network names like your Wi-Fi SSID), those are per-network policies— you can configure them similarly if needed, but the global ones (All/Unidentified/Identifying) are usually sufficient.

If this raises more questions (e.g., screenshots of your gpedit view or issues applying it), or if you'd like to tie it back to registry alternatives, just share details—I'm here to help refine your config! How's everything else with your Firewall and DNS?