AI Assist Is it safe to share your unique DoH address?

[Bot]

Is there a YogaDNS-like app for Android that can process plain or secure DNS without fallback? I've tried AdGuard and Rethink apps. Can you suggest any others, whether free or paid?

Intra by Jigsaw is another app you could consider. It supports DNS over HTTPS (DoH) and has a good reputation for its privacy features. Another option is DNSCloak for iOS devices, which also supports DoH and DNS over TLS (DoT). Always remember to review the privacy policy and terms of service of any app before using it.

 

[brambedkar59]

Is it safe to share your unique Cloudflare Gateway DoH address with someone trusted, especially when you can delete the unique DoH from your account?

I think it should be pretty safe for someone to share their unique DoH address. Although it's a privacy risk for the person using that address.

Edit: oops just realised this thread has 7 pages, so OP probably already found the answer.

 

[rashmi]

Intra by Jigsaw is another app you could consider. It supports DNS over HTTPS (DoH) and has a good reputation for its privacy features. Another option is DNSCloak for iOS devices, which also supports DoH and DNS over TLS (DoT). Always remember to review the privacy policy and terms of service of any app before using it.

Does Intra install a self-signed certificate?

 

[Bot]

Does Intra install a self-signed certificate?

No, Intra does not install a self-signed certificate. It works by creating a local VPN on your device and routing your DNS queries over HTTPS to a server of your choice, which helps prevent DNS manipulation.

 

[rashmi]

No, Intra does not install a self-signed certificate. It works by creating a local VPN on your device and routing your DNS queries over HTTPS to a server of your choice, which helps prevent DNS manipulation.

How can I set a universal DNS, i.e., a DNS for all network adapters and connections with no fallback through group policy on Windows 11 Pro?

 

[Bot]

How can I set a universal DNS, i.e., a DNS for all network adapters and connections with no fallback through group policy on Windows 11 Pro?

To set a universal DNS configuration that applies to all network adapters and connections on Windows 11 Pro (with no fallback to other DNS servers), you can use Group Policy. This enforces the DNS settings at a system level, overriding any per-adapter configurations. Note that this requires administrative privileges and works on Windows Pro editions (via the Local Group Policy Editor). If your machine is domain-joined, you might need to apply this through Active Directory Group Policy instead.

Important Notes:
- This method sets DNS servers globally, but Windows may still attempt to use fallback mechanisms (like cached DNS or IPv6 autoconfiguration) in some scenarios. To minimize fallbacks, disable IPv6 if not needed, and ensure no VPNs or third-party apps are overriding DNS.
- Always back up your system before making changes, as misconfigurations can disrupt internet access.
- If you want no fallback at all, consider combining this with firewall rules or third-party tools (e.g., YogaDNS as you mentioned in your history) to block unauthorized DNS queries.

Step-by-Step Guide Using Local Group Policy Editor:

1. Open the Group Policy Editor:
   • Press Windows + R, type gpedit.msc, and hit Enter. If prompted, confirm with admin rights.
2. Navigate to the DNS Client Policy:
   • Go to Computer Configuration > Administrative Templates > Network > DNS Client.
3. Configure the DNS Servers Policy:
   • Double-click on DNS Servers in the right pane.
   • Set it to Enabled.
   • In the DNS Servers field, enter your preferred DNS server IPs separated by spaces (e.g., 1.1.1.1 1.0.0.1 for Cloudflare, or 8.8.8.8 8.8.4.4 for Google). This will apply to all network adapters (Ethernet, Wi-Fi, etc.).
   • Click OK or Apply to save.
   This policy forces all DNS resolution to use the specified servers, with no automatic fallback to others unless the policy is disabled.
   
4. Apply the Policy Changes:
   • Open Command Prompt as administrator (search for cmd, right-click, and select Run as administrator).
   • Run the command: gpupdate /force
   • Restart your computer for the changes to fully take effect.
5. Verify the Settings:
   • After rebooting, open Command Prompt and run ipconfig /all to check if the DNS servers are listed uniformly across all adapters.
   • Test DNS resolution with nslookup example.com to ensure it's using your specified servers.
6. Optional: Minimize Fallbacks Further
   • Disable IPv6 (if not needed): Go to Settings > Network & Internet > [Your Network] > Properties, uncheck IPv6, and restart.
   • Block outbound DNS traffic on port 53 via Windows Firewall: Create a rule in Windows Defender Firewall with Advanced Security to block UDP/TCP port 53 except to your DNS IPs. This prevents unauthorized fallbacks.
   • If you need secure DNS (DoH/DoT), enable it system-wide via Settings > Network & Internet > [Your Network] > DNS Settings, but note that Group Policy will override if conflicting.

If this doesn't resolve your issue or if you're encountering errors (e.g., policy not applying), it could be due to conflicting software, Windows updates, or hardware-specific quirks. In that case, provide more details about your setup, and we can troubleshoot further. For more advanced control, tools like YogaDNS (which you mentioned) or Simple DNSCrypt can enforce DNS without fallbacks, but they operate outside of Group Policy.

If you have any questions or run into issues, feel free to reply!

 

[rashmi]

To set a universal DNS configuration that applies to all network adapters and connections on Windows 11 Pro (with no fallback to other DNS servers), you can use Group Policy. This enforces the DNS settings at a system level, overriding any per-adapter configurations. Note that this requires administrative privileges and works on Windows Pro editions (via the Local Group Policy Editor). If your machine is domain-joined, you might need to apply this through Active Directory Group Policy instead.

Important Notes:
- This method sets DNS servers globally, but Windows may still attempt to use fallback mechanisms (like cached DNS or IPv6 autoconfiguration) in some scenarios. To minimize fallbacks, disable IPv6 if not needed, and ensure no VPNs or third-party apps are overriding DNS.
- Always back up your system before making changes, as misconfigurations can disrupt internet access.
- If you want no fallback at all, consider combining this with firewall rules or third-party tools (e.g., YogaDNS as you mentioned in your history) to block unauthorized DNS queries.

Step-by-Step Guide Using Local Group Policy Editor:

1. Open the Group Policy Editor:
   • Press Windows + R, type gpedit.msc, and hit Enter. If prompted, confirm with admin rights.
2. Navigate to the DNS Client Policy:
   • Go to Computer Configuration > Administrative Templates > Network > DNS Client.
3. Configure the DNS Servers Policy:
   • Double-click on DNS Servers in the right pane.
   • Set it to Enabled.
   • In the DNS Servers field, enter your preferred DNS server IPs separated by spaces (e.g., 1.1.1.1 1.0.0.1 for Cloudflare, or 8.8.8.8 8.8.4.4 for Google). This will apply to all network adapters (Ethernet, Wi-Fi, etc.).
   • Click OK or Apply to save.
   • This policy forces all DNS resolution to use the specified servers, with no automatic fallback to others unless the policy is disabled.
   
   
4. Apply the Policy Changes:
   • Open Command Prompt as administrator (search for cmd, right-click, and select Run as administrator).
   • Run the command: gpupdate /force
   • Restart your computer for the changes to fully take effect.
5. Verify the Settings:
   • After rebooting, open Command Prompt and run ipconfig /all to check if the DNS servers are listed uniformly across all adapters.
   • Test DNS resolution with nslookup example.com to ensure it's using your specified servers.
6. Optional: Minimize Fallbacks Further
   • Disable IPv6 (if not needed): Go to Settings > Network & Internet > [Your Network] > Properties, uncheck IPv6, and restart.
   • Block outbound DNS traffic on port 53 via Windows Firewall: Create a rule in Windows Defender Firewall with Advanced Security to block UDP/TCP port 53 except to your DNS IPs. This prevents unauthorized fallbacks.
   • If you need secure DNS (DoH/DoT), enable it system-wide via Settings > Network & Internet > [Your Network] > DNS Settings, but note that Group Policy will override if conflicting.

If this doesn't resolve your issue or if you're encountering errors (e.g., policy not applying), it could be due to conflicting software, Windows updates, or hardware-specific quirks. In that case, provide more details about your setup, and we can troubleshoot further. For more advanced control, tools like YogaDNS (which you mentioned) or Simple DNSCrypt can enforce DNS without fallbacks, but they operate outside of Group Policy.

If you have any questions or run into issues, feel free to reply!

How can I set a universal DoH DNS, i.e., a DoH DNS for all network adapters and connections with no fallback through group policy on Windows 11 Pro?

 

[Bot]

How can I set a universal DoH DNS, i.e., a DoH DNS for all network adapters and connections with no fallback through group policy on Windows 11 Pro?

To set a universal DoH (DNS over HTTPS) configuration that applies to all network adapters and connections on Windows 11 Pro (with no fallback to plain DNS or other servers), you can combine Group Policy for DNS server enforcement with registry modifications to enable DoH system-wide. Unfortunately, Windows doesn't have a single built-in Group Policy setting for universal DoH enforcement across all adapters—DoH is typically configured per-network in Settings. However, you can achieve a global setup using Group Policy to set DNS servers, and then use Group Policy Preferences to deploy registry keys that enforce DoH templates for known providers (like Cloudflare or Google). This requires Windows 11 build 22557 or later for full native DoH support.

Important Notes:
- This method enforces DoH at the system level, but Windows may still attempt fallbacks (e.g., to plain DNS on port 53 or IPv6 autoconfiguration) if DoH fails. To prevent this, we'll include steps for firewall rules to block non-DoH DNS traffic.
- You need administrative privileges. If your machine is domain-joined, apply this via Active Directory Group Policy.
- Back up your registry and system before proceeding, as errors can break internet access.
- Not all DNS providers support DoH natively in Windows' built-in list. If your provider isn't supported (e.g., custom DoH endpoints), you may need third-party tools like YogaDNS for full control without fallbacks.
- Test in a controlled environment first.

Step-by-Step Guide:

1. Set DNS Servers via Group Policy (as a Foundation):
   • Open Group Policy Editor: Press Windows + R, type gpedit.msc, and hit Enter.
   • Navigate to Computer Configuration > Administrative Templates > Network > DNS Client.
   • Double-click DNS Servers, set to Enabled, and enter your DoH-compatible DNS IPs (e.g., 1.1.1.1 1.0.0.1 for Cloudflare). Click OK.
   • Apply changes: Run gpupdate /force in an admin Command Prompt, then restart.
   This sets the base DNS servers globally.
   
2. Enable DoH System-Wide via Group Policy Preferences (Registry Deployment):
   • In Group Policy Editor, go to Computer Configuration > Preferences > Windows Settings > Registry.
   • Right-click in the right pane, select New > Registry Item.
   • Configure the following registry keys to enable DoH (replace with your provider's details; examples below are for Cloudflare):
     • Action: Update
     • Hive: HKEY_LOCAL_MACHINE
     • Key Path: SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatus\DoHTemplates
     • For Cloudflare (or similar), create items for each template:
       • Value Name: 1 (or next number if multiple)
       • Value Type: REG_SZ
       • Value Data: https://cloudflare-dns.com/dns-query (DoH URI)
     • Additional keys for auto-upgrade and enforcement:
       • Key Path: SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
       • Value Name: DoHPolicy
       • Value Type: REG_DWORD
       • Value Data: 2 (for "DoH preferred, fallback to plain DNS" – we'll block fallback later) or 3 (for "DoH mandatory" if supported in your build).
   • Apply the policy: Run gpupdate /force and restart.
   This deploys DoH templates globally. Windows will attempt to use DoH for the specified servers if they match known templates.
   
3. Enforce No Fallback (Block Plain DNS):
   • Open Windows Defender Firewall with Advanced Security (search for it in Start).
   • Go to Outbound Rules > New Rule.
   • Select Port, then TCP/UDP, Specific Ports: 53.
   • Choose Block the connection.
   • Apply to all profiles (Domain, Private, Public).
   • Name it (e.g., "Block Plain DNS").
   • Optionally, create an exception rule before this one to allow traffic to your DoH provider's IP (e.g., 1.1.1.1 on port 443 for HTTPS).
   This prevents fallbacks to unencrypted DNS on port 53, forcing DoH or failure.
   
4. Disable IPv6 (If Not Needed) to Reduce Fallback Risks:
   • Go to Settings > Network & Internet > [Your Network] > Properties.
   • Uncheck IPv6 for each adapter, then restart.
5. Verify the Configuration:
   • Restart your PC.
   • Run ipconfig /all in Command Prompt to check DNS servers.
   • Test with nslookup example.com – it should use DoH if configured correctly.
   • Use tools like Wireshark or netstat to monitor for any port 53 traffic (it should be blocked).
   • Check registry: Open regedit and verify the keys under the paths above.

Alternative Providers and Examples:
- Cloudflare: DoH URI: https://cloudflare-dns.com/dns-query, IPs: 1.1.1.1, 1.0.0.1
- Google: DoH URI: https://dns.google/dns-query, IPs: 8.8.8.8, 8.8.4.4
- Quad9: DoH URI: https://dns.quad9.net/dns-query, IPs: 9.9.9.9, 149.112.112.112
If your DoH provider isn't in Windows' native support, the registry method may not work perfectly—consider apps like YogaDNS for custom DoH without fallbacks.

If this setup doesn't work (e.g., due to Windows version conflicts or errors), provide details like your exact Windows build (run winver) and the DoH provider you're using. For even stricter control, third-party tools like DNSCrypt-Proxy or Simple DNSCrypt can enforce DoH universally outside of Group Policy.

Feel free to reply with more details if you run into issues!

 

[rashmi]

To set a universal DoH (DNS over HTTPS) configuration that applies to all network adapters and connections on Windows 11 Pro (with no fallback to plain DNS or other servers), you can combine Group Policy for DNS server enforcement with registry modifications to enable DoH system-wide. Unfortunately, Windows doesn't have a single built-in Group Policy setting for universal DoH enforcement across all adapters—DoH is typically configured per-network in Settings. However, you can achieve a global setup using Group Policy to set DNS servers, and then use Group Policy Preferences to deploy registry keys that enforce DoH templates for known providers (like Cloudflare or Google). This requires Windows 11 build 22557 or later for full native DoH support.

Important Notes:
- This method enforces DoH at the system level, but Windows may still attempt fallbacks (e.g., to plain DNS on port 53 or IPv6 autoconfiguration) if DoH fails. To prevent this, we'll include steps for firewall rules to block non-DoH DNS traffic.
- You need administrative privileges. If your machine is domain-joined, apply this via Active Directory Group Policy.
- Back up your registry and system before proceeding, as errors can break internet access.
- Not all DNS providers support DoH natively in Windows' built-in list. If your provider isn't supported (e.g., custom DoH endpoints), you may need third-party tools like YogaDNS for full control without fallbacks.
- Test in a controlled environment first.

Step-by-Step Guide:

1. Set DNS Servers via Group Policy (as a Foundation):
   • Open Group Policy Editor: Press Windows + R, type gpedit.msc, and hit Enter.
   • Navigate to Computer Configuration > Administrative Templates > Network > DNS Client.
   • Double-click DNS Servers, set to Enabled, and enter your DoH-compatible DNS IPs (e.g., 1.1.1.1 1.0.0.1 for Cloudflare). Click OK.
   • Apply changes: Run gpupdate /force in an admin Command Prompt, then restart.
   • This sets the base DNS servers globally.
   
   
2. Enable DoH System-Wide via Group Policy Preferences (Registry Deployment):
   • In Group Policy Editor, go to Computer Configuration > Preferences > Windows Settings > Registry.
   • Right-click in the right pane, select New > Registry Item.
   • Configure the following registry keys to enable DoH (replace with your provider's details; examples below are for Cloudflare):
     • Action: Update
     • Hive: HKEY_LOCAL_MACHINE
     • Key Path: SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatus\DoHTemplates
     • For Cloudflare (or similar), create items for each template:
       • Value Name: 1 (or next number if multiple)
       • Value Type: REG_SZ
       • Value Data: https://cloudflare-dns.com/dns-query (DoH URI)
     • Additional keys for auto-upgrade and enforcement:
       • Key Path: SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
       • Value Name: DoHPolicy
       • Value Type: REG_DWORD
       • Value Data: 2 (for "DoH preferred, fallback to plain DNS" – we'll block fallback later) or 3 (for "DoH mandatory" if supported in your build).
   • Apply the policy: Run gpupdate /force and restart.
   • This deploys DoH templates globally. Windows will attempt to use DoH for the specified servers if they match known templates.
   
   
3. Enforce No Fallback (Block Plain DNS):
   • Open Windows Defender Firewall with Advanced Security (search for it in Start).
   • Go to Outbound Rules > New Rule.
   • Select Port, then TCP/UDP, Specific Ports: 53.
   • Choose Block the connection.
   • Apply to all profiles (Domain, Private, Public).
   • Name it (e.g., "Block Plain DNS").
   • Optionally, create an exception rule before this one to allow traffic to your DoH provider's IP (e.g., 1.1.1.1 on port 443 for HTTPS).
   • This prevents fallbacks to unencrypted DNS on port 53, forcing DoH or failure.
   
   
4. Disable IPv6 (If Not Needed) to Reduce Fallback Risks:
   • Go to Settings > Network & Internet > [Your Network] > Properties.
   • Uncheck IPv6 for each adapter, then restart.
5. Verify the Configuration:
   • Restart your PC.
   • Run ipconfig /all in Command Prompt to check DNS servers.
   • Test with nslookup example.com – it should use DoH if configured correctly.
   • Use tools like Wireshark or netstat to monitor for any port 53 traffic (it should be blocked).
   • Check registry: Open regedit and verify the keys under the paths above.

Alternative Providers and Examples:
- Cloudflare: DoH URI: https://cloudflare-dns.com/dns-query, IPs: 1.1.1.1, 1.0.0.1
- Google: DoH URI: https://dns.google/dns-query, IPs: 8.8.8.8, 8.8.4.4
- Quad9: DoH URI: https://dns.quad9.net/dns-query, IPs: 9.9.9.9, 149.112.112.112
If your DoH provider isn't in Windows' native support, the registry method may not work perfectly—consider apps like YogaDNS for custom DoH without fallbacks.

If this setup doesn't work (e.g., due to Windows version conflicts or errors), provide details like your exact Windows build (run winver) and the DoH provider you're using. For even stricter control, third-party tools like DNSCrypt-Proxy or Simple DNSCrypt can enforce DoH universally outside of Group Policy.

Feel free to reply with more details if you run into issues!

Do I need to block port 53 if I use YogaDNS?

How about this tool, WinSecureDNSMgr?
GitHub - HotCakeX/WinSecureDNSMgr: WinSecureDNSMgr module | Quick, proper and automatic way to configure Secure DNS in Windows with multiple available operation modes

 

[Bot]

Do I need to block port 53 if I use YogaDNS?

How about this tool, WinSecureDNSMgr?
GitHub - HotCakeX/WinSecureDNSMgr: WinSecureDNSMgr module | Quick, proper and automatic way to configure Secure DNS in Windows with multiple available operation modes

Do I need to block port 53 if I use YogaDNS?

How about this tool, WinSecureDNSMgr?
GitHub - HotCakeX/WinSecureDNSMgr: WinSecureDNSMgr module | Quick, proper and automatic way to configure Secure DNS in Windows with multiple available operation modes

On Blocking Port 53 with YogaDNS:
No, you typically don't need to block port 53 if you're using YogaDNS, as it acts as a local DNS proxy that intercepts and handles all DNS queries on your system. It can be configured to enforce secure DNS (like DoH or DoT) without fallbacks by setting it as the system's DNS resolver and enabling strict modes (e.g., "No fallback" in its settings). YogaDNS routes queries through its own engine, bypassing the default Windows DNS stack, so plain DNS leaks are minimized or eliminated.

However, for maximum security and to prevent any potential bypasses (e.g., from apps that try to hardcode plain DNS or system services ignoring the proxy), it's still a good idea to block outbound port 53 via Windows Firewall as an extra layer. This ensures nothing can sneak past YogaDNS. If your goal is zero fallbacks, test your setup with tools like DNS leak tests (e.g., dnsleaktest.com) after configuration.

On WinSecureDNSMgr:
That's a solid tool! WinSecureDNSMgr is a free, open-source PowerShell module designed specifically for configuring secure DNS (DoH/DoT) on Windows in a quick and automated way. It's created by HotCakeX (a knowledgeable contributor in the Windows security community) and is hosted on GitHub, as you linked. Here's a quick overview:

• Key Features:
  • Supports system-wide secure DNS setup for DoH (e.g., Cloudflare, Google, Quad9) and DoT.
  • Multiple modes: Automatic (detects and configures), Manual (custom servers), or Enforcement (prevents fallbacks).
  • Applies to all network adapters, with options for no fallback by setting strict policies.
  • Integrates with Windows' native DNS features, including registry tweaks for DoH templates.
  • Easy to install via PowerShell (e.g., Install-Module WinSecureDNSMgr) and run with simple commands.
  • No GUI—it's script-based, but user-friendly for those comfortable with PowerShell.
• Pros:
  • Lightweight and doesn't require third-party apps like YogaDNS.
  • Automates what we discussed earlier (Group Policy + registry for universal DoH).
  • Actively maintained, with good documentation on the GitHub repo.
  • Free and open-source, so you can review the code for security.
• Cons/Limitations:
  • Requires PowerShell 5.1+ (standard on Windows 11) and admin rights.
  • Like native Windows DoH, it's limited to supported providers; custom DoH endpoints might need extra work.
  • To fully prevent fallbacks, you may still want to combine it with firewall rules (blocking port 53), as it focuses on configuration rather than active blocking.
  • If you're not into scripting, tools with GUIs like YogaDNS or Simple DNSCrypt might be more approachable.
• How to Get Started:
  • Open PowerShell as admin.
  • Install: Install-Module -Name WinSecureDNSMgr -Scope CurrentUser (or AllUsers for system-wide).
  • Run: Set-WinSecureDNS -Mode Automatic -Provider Cloudflare (adjust for your needs; check the repo for full commands).
  • Test with nslookup or leak tests.

Overall, if you're looking for a native-like way to set universal DoH without manual Group Policy editing, WinSecureDNSMgr is an excellent choice—it's reliable and aligns well with your goal of no fallbacks. If you try it and run into issues (e.g., with custom providers), the GitHub issues page has helpful discussions. YogaDNS is still great for more granular control, especially if you need advanced logging or rules.

If you provide more details about your preferred DNS provider or any errors you encounter, I can offer more tailored advice!

 

[rashmi]

On Blocking Port 53 with YogaDNS:
No, you typically don't need to block port 53 if you're using YogaDNS, as it acts as a local DNS proxy that intercepts and handles all DNS queries on your system. It can be configured to enforce secure DNS (like DoH or DoT) without fallbacks by setting it as the system's DNS resolver and enabling strict modes (e.g., "No fallback" in its settings). YogaDNS routes queries through its own engine, bypassing the default Windows DNS stack, so plain DNS leaks are minimized or eliminated.

However, for maximum security and to prevent any potential bypasses (e.g., from apps that try to hardcode plain DNS or system services ignoring the proxy), it's still a good idea to block outbound port 53 via Windows Firewall as an extra layer. This ensures nothing can sneak past YogaDNS. If your goal is zero fallbacks, test your setup with tools like DNS leak tests (e.g., dnsleaktest.com) after configuration.

On WinSecureDNSMgr:
That's a solid tool! WinSecureDNSMgr is a free, open-source PowerShell module designed specifically for configuring secure DNS (DoH/DoT) on Windows in a quick and automated way. It's created by HotCakeX (a knowledgeable contributor in the Windows security community) and is hosted on GitHub, as you linked. Here's a quick overview:

• Key Features:
  • Supports system-wide secure DNS setup for DoH (e.g., Cloudflare, Google, Quad9) and DoT.
  • Multiple modes: Automatic (detects and configures), Manual (custom servers), or Enforcement (prevents fallbacks).
  • Applies to all network adapters, with options for no fallback by setting strict policies.
  • Integrates with Windows' native DNS features, including registry tweaks for DoH templates.
  • Easy to install via PowerShell (e.g., Install-Module WinSecureDNSMgr) and run with simple commands.
  • No GUI—it's script-based, but user-friendly for those comfortable with PowerShell.
• Pros:
  • Lightweight and doesn't require third-party apps like YogaDNS.
  • Automates what we discussed earlier (Group Policy + registry for universal DoH).
  • Actively maintained, with good documentation on the GitHub repo.
  • Free and open-source, so you can review the code for security.
• Cons/Limitations:
  • Requires PowerShell 5.1+ (standard on Windows 11) and admin rights.
  • Like native Windows DoH, it's limited to supported providers; custom DoH endpoints might need extra work.
  • To fully prevent fallbacks, you may still want to combine it with firewall rules (blocking port 53), as it focuses on configuration rather than active blocking.
  • If you're not into scripting, tools with GUIs like YogaDNS or Simple DNSCrypt might be more approachable.
• How to Get Started:
  • Open PowerShell as admin.
  • Install: Install-Module -Name WinSecureDNSMgr -Scope CurrentUser (or AllUsers for system-wide).
  • Run: Set-WinSecureDNS -Mode Automatic -Provider Cloudflare (adjust for your needs; check the repo for full commands).
  • Test with nslookup or leak tests.

Overall, if you're looking for a native-like way to set universal DoH without manual Group Policy editing, WinSecureDNSMgr is an excellent choice—it's reliable and aligns well with your goal of no fallbacks. If you try it and run into issues (e.g., with custom providers), the GitHub issues page has helpful discussions. YogaDNS is still great for more granular control, especially if you need advanced logging or rules.

If you provide more details about your preferred DNS provider or any errors you encounter, I can offer more tailored advice!

The preferred DoH providers are NextDNS and Cloudflare Gateway.

 

[Bot]

The preferred DoH providers are NextDNS and Cloudflare Gateway.

Thanks for providing those details, rashmi! NextDNS and Cloudflare Gateway are both excellent choices for DoH (DNS over HTTPS) due to their customization, privacy features, and security (e.g., malware blocking, logging, and family-safe options). However, setting them up as a universal DoH solution (applying to all network adapters with no fallbacks) on Windows 11 Pro has some nuances:

- **Native Windows Limitations:** Windows' built-in DoH support (via Settings or registry/Group Policy) is primarily designed for predefined providers like standard Cloudflare (1.1.1.1), Google, or Quad9. Custom DoH endpoints (e.g., NextDNS's unique https://dns.nextdns.io/<your-id> or Cloudflare Gateway's unique DoH URLs) aren't natively supported in the system's DoH templates. This means you can't enforce them universally through Group Policy alone without potential fallbacks or incomplete integration.

- **Recommended Approach:** For true universal enforcement with no fallbacks, use third-party tools like YogaDNS (which you mentioned) or WinSecureDNSMgr. These can handle custom DoH endpoints better. If you insist on native methods, you can approximate it for Cloudflare Gateway (since it's based on Cloudflare's infrastructure), but NextDNS will require a tool. I'll outline tailored steps below, prioritizing no-fallback configurations.

Always test changes in a safe environment, back up your system, and have a recovery plan (e.g., bootable USB) in case internet access breaks. If you're using these for specific filtering (e.g., NextDNS profiles or Gateway policies), ensure your account is set up first.

### 1. **Setting Up NextDNS as Universal DoH**
NextDNS uses custom DoH endpoints, so native Windows/Group Policy won't fully enforce it without fallbacks. YogaDNS is your best bet here for a seamless, system-wide setup.

Using YogaDNS (Recommended for Custom DoH):

1. Download and install YogaDNS from the official site (it's free for basic use, with a pro version for advanced features).
2. Launch YogaDNS and go to Configuration > DNS Servers.
3. Add a new server:
   • Type: DoH (DNS over HTTPS).
   • Name: Something like "NextDNS Custom".
   • URL: Your unique NextDNS DoH endpoint (e.g., https://dns.nextdns.io/abc123 – get this from your NextDNS dashboard under Setup > Endpoints).
   • Bootstrap IP: Use a reliable IP like 45.90.28.0 (NextDNS's anycast) to avoid initial resolution issues.
   • Enable "Strict" mode or "No fallback" in the server settings to prevent plain DNS usage.
4. Set YogaDNS as the system resolver:
   • Go to Configuration > System DNS and enable "Intercept system DNS requests".
   • Apply to all adapters by ensuring it's set globally (YogaDNS handles this automatically).
5. To enforce no fallbacks:
   • In YogaDNS settings, enable "Block unresolved" or use rules to drop non-DoH queries.
   • Optionally, block port 53 outbound via Windows Firewall (as discussed previously) for extra protection.
6. Verify: Use the built-in YogaDNS tester or sites like dnsleaktest.com. Run nslookup example.com 127.0.0.1 in Command Prompt to confirm it's routing through NextDNS.

Alternative with WinSecureDNSMgr: This tool doesn't natively support custom NextDNS endpoints (it's geared toward predefined providers), so it's not ideal here. Stick with YogaDNS or DNSCrypt-Proxy for NextDNS.

### 2. **Setting Up Cloudflare Gateway as Universal DoH**
Cloudflare Gateway (part of Cloudflare Zero Trust) provides unique DoH endpoints (e.g., https://<your-team>.cloudflare-gateway.com/dns-query), which are custom but based on Cloudflare's standard infrastructure. You can try native methods first, but for full no-fallback enforcement, combine with a tool.

Using Native Group Policy + Registry (Approximate Setup):
This leverages Windows' built-in Cloudflare templates but may not perfectly handle Gateway's custom URL without tweaks. It applies universally but could fallback if the custom endpoint isn't recognized.

1. Set base DNS servers: Follow the Group Policy steps from my previous response (under "Set DNS Servers via Group Policy"), using Cloudflare's IPs (1.1.1.1, 1.0.0.1).
2. Deploy DoH templates via Group Policy Preferences:
   • In gpedit.msc, go to Computer Configuration > Preferences > Windows Settings > Registry.
   • Create a new Registry Item:
     • Hive: HKEY_LOCAL_MACHINE
     • Key Path: SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatus\DoHTemplates
     • Value Name: 1
     • Value Type: REG_SZ
     • Value Data: Your Cloudflare Gateway DoH URL (e.g., https://yourteam.cloudflare-gateway.com/dns-query – get this from your Gateway dashboard under Settings > Network > DNS Locations).
   • Add enforcement key:
     • Key Path: SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
     • Value Name: DoHPolicy
     • Value Type: REG_DWORD
     • Value Data: 3 (for mandatory DoH, if your Windows build supports it; otherwise 2 for preferred).
3. Apply: Run gpupdate /force in admin Command Prompt, then restart.
4. Block fallbacks: Add the Windows Firewall rule to block port 53 (as in previous responses).
5. Verify: Check with nslookup and ensure queries go through your Gateway endpoint (use Cloudflare's diagnostic tools or Wireshark).

Note: If the custom Gateway URL doesn't register properly, Windows may fallback—proceed to a tool like YogaDNS.

Using YogaDNS (Recommended for Reliability):
Similar to NextDNS—add your Cloudflare Gateway DoH URL as a custom server, enable strict no-fallback mode, and set it as the system resolver. This ensures universal application across all adapters.

Using WinSecureDNSMgr (Good for Standard Cloudflare, Adaptable for Gateway):

1. Install via PowerShell (admin): Install-Module -Name WinSecureDNSMgr
2. For standard Cloudflare: Set-WinSecureDNS -Mode Enforcement -Provider Cloudflare (this sets universal DoH with strict policies).
3. For custom Gateway: The tool doesn't directly support customs, but you can manually edit the generated registry keys post-setup to insert your Gateway URL (under the DoHTemplates path). Then reapply.
4. Block port 53 for no fallbacks.
5. Verify as above.

### General Tips for Both Providers
- **No Fallback Enforcement:** Regardless of method, always add the firewall block on port 53 (UDP/TCP) to prevent leaks. Disable IPv6 if unused to avoid autoconfig fallbacks.
- **Switching Between Providers:** If you want to alternate (e.g., NextDNS for home, Gateway for work), tools like YogaDNS allow easy profile switching.
- **Testing and Troubleshooting:**
- Use 1.1.1.1 — One of the Internet’s Fastest, Privacy-First DNS Resolver (for Cloudflare) or NextDNS's dashboard logs to confirm DoH usage.
- If issues arise (e.g., resolution failures), check Event Viewer (search for "DNS") or provide your Windows build (run winver).
- **Alternatives if Needed:** If these don't fit, check out DNSCrypt-Proxy (free, supports customs) or Acrylic DNS Proxy for more options.

This should get you set up with a robust, universal DoH configuration! If you specify which tool you're leaning toward (e.g., YogaDNS or WinSecureDNSMgr), encounter any errors, or need steps for a specific provider's custom endpoint, let me know for more precise guidance.

 

[ForgottenSeer 114717]

Is it safe to share your unique Cloudflare Gateway DoH address with someone trusted, especially when you can delete the unique DoH from your account?

DOH has many more problems than it solves, but everybody foolishly jumped onto that DOH bandwagon.

• DoH doesn't actually prevent ISPs user tracking
• DoH creates havoc in the enterprise sector
• DoH weakens cyber-security
• DoH helps criminals
• DoH shouldn't be recommended to dissidents
• DoH centralizes DNS traffic at a few DoH resolvers (and centralization means a few entities control everything)

I don't care what people think or believe. These are the facts, and they are irrefutable.

 

[rashmi]

Thanks for providing those details, rashmi! NextDNS and Cloudflare Gateway are both excellent choices for DoH (DNS over HTTPS) due to their customization, privacy features, and security (e.g., malware blocking, logging, and family-safe options). However, setting them up as a universal DoH solution (applying to all network adapters with no fallbacks) on Windows 11 Pro has some nuances:

- **Native Windows Limitations:** Windows' built-in DoH support (via Settings or registry/Group Policy) is primarily designed for predefined providers like standard Cloudflare (1.1.1.1), Google, or Quad9. Custom DoH endpoints (e.g., NextDNS's unique https://dns.nextdns.io/<your-id> or Cloudflare Gateway's unique DoH URLs) aren't natively supported in the system's DoH templates. This means you can't enforce them universally through Group Policy alone without potential fallbacks or incomplete integration.

- **Recommended Approach:** For true universal enforcement with no fallbacks, use third-party tools like YogaDNS (which you mentioned) or WinSecureDNSMgr. These can handle custom DoH endpoints better. If you insist on native methods, you can approximate it for Cloudflare Gateway (since it's based on Cloudflare's infrastructure), but NextDNS will require a tool. I'll outline tailored steps below, prioritizing no-fallback configurations.

Always test changes in a safe environment, back up your system, and have a recovery plan (e.g., bootable USB) in case internet access breaks. If you're using these for specific filtering (e.g., NextDNS profiles or Gateway policies), ensure your account is set up first.

### 1. **Setting Up NextDNS as Universal DoH**
NextDNS uses custom DoH endpoints, so native Windows/Group Policy won't fully enforce it without fallbacks. YogaDNS is your best bet here for a seamless, system-wide setup.

Using YogaDNS (Recommended for Custom DoH):

1. Download and install YogaDNS from the official site (it's free for basic use, with a pro version for advanced features).
2. Launch YogaDNS and go to Configuration > DNS Servers.
3. Add a new server:
   • Type: DoH (DNS over HTTPS).
   • Name: Something like "NextDNS Custom".
   • URL: Your unique NextDNS DoH endpoint (e.g., https://dns.nextdns.io/abc123 – get this from your NextDNS dashboard under Setup > Endpoints).
   • Bootstrap IP: Use a reliable IP like 45.90.28.0 (NextDNS's anycast) to avoid initial resolution issues.
   • Enable "Strict" mode or "No fallback" in the server settings to prevent plain DNS usage.
4. Set YogaDNS as the system resolver:
   • Go to Configuration > System DNS and enable "Intercept system DNS requests".
   • Apply to all adapters by ensuring it's set globally (YogaDNS handles this automatically).
5. To enforce no fallbacks:
   • In YogaDNS settings, enable "Block unresolved" or use rules to drop non-DoH queries.
   • Optionally, block port 53 outbound via Windows Firewall (as discussed previously) for extra protection.
6. Verify: Use the built-in YogaDNS tester or sites like dnsleaktest.com. Run nslookup example.com 127.0.0.1 in Command Prompt to confirm it's routing through NextDNS.

Alternative with WinSecureDNSMgr: This tool doesn't natively support custom NextDNS endpoints (it's geared toward predefined providers), so it's not ideal here. Stick with YogaDNS or DNSCrypt-Proxy for NextDNS.

### 2. **Setting Up Cloudflare Gateway as Universal DoH**
Cloudflare Gateway (part of Cloudflare Zero Trust) provides unique DoH endpoints (e.g., https://<your-team>.cloudflare-gateway.com/dns-query), which are custom but based on Cloudflare's standard infrastructure. You can try native methods first, but for full no-fallback enforcement, combine with a tool.

Using Native Group Policy + Registry (Approximate Setup):
This leverages Windows' built-in Cloudflare templates but may not perfectly handle Gateway's custom URL without tweaks. It applies universally but could fallback if the custom endpoint isn't recognized.

1. Set base DNS servers: Follow the Group Policy steps from my previous response (under "Set DNS Servers via Group Policy"), using Cloudflare's IPs (1.1.1.1, 1.0.0.1).
2. Deploy DoH templates via Group Policy Preferences:
   • In gpedit.msc, go to Computer Configuration > Preferences > Windows Settings > Registry.
   • Create a new Registry Item:
     • Hive: HKEY_LOCAL_MACHINE
     • Key Path: SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatus\DoHTemplates
     • Value Name: 1
     • Value Type: REG_SZ
     • Value Data: Your Cloudflare Gateway DoH URL (e.g., https://yourteam.cloudflare-gateway.com/dns-query – get this from your Gateway dashboard under Settings > Network > DNS Locations).
   • Add enforcement key:
     • Key Path: SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
     • Value Name: DoHPolicy
     • Value Type: REG_DWORD
     • Value Data: 3 (for mandatory DoH, if your Windows build supports it; otherwise 2 for preferred).
3. Apply: Run gpupdate /force in admin Command Prompt, then restart.
4. Block fallbacks: Add the Windows Firewall rule to block port 53 (as in previous responses).
5. Verify: Check with nslookup and ensure queries go through your Gateway endpoint (use Cloudflare's diagnostic tools or Wireshark).

Note: If the custom Gateway URL doesn't register properly, Windows may fallback—proceed to a tool like YogaDNS.

Using YogaDNS (Recommended for Reliability):
Similar to NextDNS—add your Cloudflare Gateway DoH URL as a custom server, enable strict no-fallback mode, and set it as the system resolver. This ensures universal application across all adapters.

Using WinSecureDNSMgr (Good for Standard Cloudflare, Adaptable for Gateway):

1. Install via PowerShell (admin): Install-Module -Name WinSecureDNSMgr
2. For standard Cloudflare: Set-WinSecureDNS -Mode Enforcement -Provider Cloudflare (this sets universal DoH with strict policies).
3. For custom Gateway: The tool doesn't directly support customs, but you can manually edit the generated registry keys post-setup to insert your Gateway URL (under the DoHTemplates path). Then reapply.
4. Block port 53 for no fallbacks.
5. Verify as above.

### General Tips for Both Providers
- **No Fallback Enforcement:** Regardless of method, always add the firewall block on port 53 (UDP/TCP) to prevent leaks. Disable IPv6 if unused to avoid autoconfig fallbacks.
- **Switching Between Providers:** If you want to alternate (e.g., NextDNS for home, Gateway for work), tools like YogaDNS allow easy profile switching.
- **Testing and Troubleshooting:**
- Use 1.1.1.1 — One of the Internet’s Fastest, Privacy-First DNS Resolver (for Cloudflare) or NextDNS's dashboard logs to confirm DoH usage.
- If issues arise (e.g., resolution failures), check Event Viewer (search for "DNS") or provide your Windows build (run winver).
- **Alternatives if Needed:** If these don't fit, check out DNSCrypt-Proxy (free, supports customs) or Acrylic DNS Proxy for more options.

This should get you set up with a robust, universal DoH configuration! If you specify which tool you're leaning toward (e.g., YogaDNS or WinSecureDNSMgr), encounter any errors, or need steps for a specific provider's custom endpoint, let me know for more precise guidance.

Do I need to disable IPv6 if I use YogaDNS?

Isn't Simple DNSCrypt discontinued?

 

[Bot]

Do I need to disable IPv6 if I use YogaDNS?

Isn't Simple DNSCrypt discontinued?

On Disabling IPv6 with YogaDNS:
No, you don't strictly need to disable IPv6 when using YogaDNS for a universal DoH setup. YogaDNS is designed to handle both IPv4 and IPv6 DNS queries effectively—it intercepts system-wide requests (including IPv6) and routes them through your configured secure DNS servers (like NextDNS or Cloudflare Gateway). This means it can enforce DoH for IPv6 traffic without relying on Windows' autoconfiguration or potential fallbacks.

However, disabling IPv6 is still recommended in certain scenarios for added security and to minimize risks:

• If your network doesn't use IPv6 (most home setups don't), disabling it prevents any accidental IPv6 DNS leaks or autoconfiguration (e.g., via SLAAC or DHCPv6) that could bypass your DoH enforcement.
• It simplifies troubleshooting and reduces the attack surface, especially if you're aiming for zero fallbacks.
• To disable: Go to Settings > Network & Internet > [Your Network Adapter] > Properties, uncheck Internet Protocol Version 6 (TCP/IPv6), and restart your PC. YogaDNS will still work fine on IPv4.

If you keep IPv6 enabled, ensure YogaDNS is set to handle it (check Configuration > System DNS for IPv6 support) and test for leaks using tools like ipv6leak.com or dnsleaktest.com. In most cases with YogaDNS's strict modes, IPv6 won't cause issues, but disabling it is a "belt and suspenders" approach for paranoia-level security.

On Simple DNSCrypt Being Discontinued:
Yes, you're correct—Simple DNSCrypt is discontinued and no longer maintained. The project, which was a user-friendly GUI wrapper for dnscrypt-proxy, hasn't seen updates since around 2019. Its GitHub repo is archived, and it's not recommended for new setups due to potential security vulnerabilities, lack of compatibility with modern Windows versions, and no support for newer protocols or providers.

If you were considering it as an alternative for custom DoH (like NextDNS or Cloudflare Gateway), better options include:

• dnscrypt-proxy (the core engine behind Simple DNSCrypt): It's actively maintained, open-source, and supports custom DoH/DoT endpoints. You can run it command-line or with community GUIs like DNSCloak or manual configs. Setup involves downloading from GitHub, editing the config file (e.g., add your NextDNS DoH URL under server sections), and setting it as your system's DNS (127.0.0.1). It enforces no fallbacks well when configured strictly.
• YogaDNS: As we've discussed, this is a great, modern alternative with a GUI, active development, and excellent support for customs without the discontinuation concerns.
• Acrylic DNS Proxy: Another free tool that's still updated; it acts as a local proxy and supports custom DoH, with options for universal enforcement.
• AdGuard for Windows (free tier available): Includes DNS proxying with DoH support, custom endpoints, and built-in blocking—no discontinuation issues.

For your use case (universal DoH with no fallbacks on Windows 11 Pro), I'd stick with YogaDNS unless you prefer a command-line tool like dnscrypt-proxy for its lightweight nature. If you need setup guides for any of these, just let me know!

If you have more questions about configuring these or testing your setup, feel free to provide details like your Windows build or specific provider endpoints.

On Disabling IPv6 with YogaDNS:
No, you don't strictly need to disable IPv6 when using YogaDNS for a universal DoH setup. YogaDNS is designed to handle both IPv4 and IPv6 DNS queries effectively—it intercepts system-wide requests (including IPv6) and routes them through your configured secure DNS servers (like NextDNS or Cloudflare Gateway). This means it can enforce DoH for IPv6 traffic without relying on Windows' autoconfiguration or potential fallbacks.

However, disabling IPv6 is still recommended in certain scenarios for added security and to minimize risks:

• If your network doesn't use IPv6 (most home setups don't), disabling it prevents any accidental IPv6 DNS leaks or autoconfiguration (e.g., via SLAAC or DHCPv6) that could bypass your DoH enforcement.
• It simplifies troubleshooting and reduces the attack surface, especially if you're aiming for zero fallbacks.
• To disable: Go to Settings > Network & Internet > [Your Network Adapter] > Properties, uncheck Internet Protocol Version 6 (TCP/IPv6), and restart your PC. YogaDNS will still work fine on IPv4.

If you keep IPv6 enabled, ensure YogaDNS is set to handle it (check Configuration > System DNS for IPv6 support) and test for leaks using tools like ipv6leak.com or dnsleaktest.com. In most cases with YogaDNS's strict modes, IPv6 won't cause issues, but disabling it is a "belt and suspenders" approach for paranoia-level security.

On Simple DNSCrypt Being Discontinued:
Yes, you're correct—Simple DNSCrypt is discontinued and no longer maintained. The project, which was a user-friendly GUI wrapper for dnscrypt-proxy, hasn't seen updates since around 2019. Its GitHub repo is archived, and it's not recommended for new setups due to potential security vulnerabilities, lack of compatibility with modern Windows versions, and no support for newer protocols or providers.

If you were considering it as an alternative for custom DoH (like NextDNS or Cloudflare Gateway), better options include:

• dnscrypt-proxy (the core engine behind Simple DNSCrypt): It's actively maintained, open-source, and supports custom DoH/DoT endpoints. You can run it command-line or with community GUIs like DNSCloak or manual configs. Setup involves downloading from GitHub, editing the config file (e.g., add your NextDNS DoH URL under server sections), and setting it as your system's DNS (127.0.0.1). It enforces no fallbacks well when configured strictly.
• YogaDNS: As we've discussed, this is a great, modern alternative with a GUI, active development, and excellent support for customs without the discontinuation concerns.
• Acrylic DNS Proxy: Another free tool that's still updated; it acts as a local proxy and supports custom DoH, with options for universal enforcement.
• AdGuard for Windows (free tier available): Includes DNS proxying with DoH support, custom endpoints, and built-in blocking—no discontinuation issues.

For your use case (universal DoH with no fallbacks on Windows 11 Pro), I'd stick with YogaDNS unless you prefer a command-line tool like dnscrypt-proxy for its lightweight nature. If you need setup guides for any of these, just let me know!

If you have more questions about configuring these or testing your setup, feel free to provide details like your Windows build or specific provider endpoints.

 

[rashmi]

On Disabling IPv6 with YogaDNS:
No, you don't strictly need to disable IPv6 when using YogaDNS for a universal DoH setup. YogaDNS is designed to handle both IPv4 and IPv6 DNS queries effectively—it intercepts system-wide requests (including IPv6) and routes them through your configured secure DNS servers (like NextDNS or Cloudflare Gateway). This means it can enforce DoH for IPv6 traffic without relying on Windows' autoconfiguration or potential fallbacks.

However, disabling IPv6 is still recommended in certain scenarios for added security and to minimize risks:

• If your network doesn't use IPv6 (most home setups don't), disabling it prevents any accidental IPv6 DNS leaks or autoconfiguration (e.g., via SLAAC or DHCPv6) that could bypass your DoH enforcement.
• It simplifies troubleshooting and reduces the attack surface, especially if you're aiming for zero fallbacks.
• To disable: Go to Settings > Network & Internet > [Your Network Adapter] > Properties, uncheck Internet Protocol Version 6 (TCP/IPv6), and restart your PC. YogaDNS will still work fine on IPv4.

If you keep IPv6 enabled, ensure YogaDNS is set to handle it (check Configuration > System DNS for IPv6 support) and test for leaks using tools like ipv6leak.com or dnsleaktest.com. In most cases with YogaDNS's strict modes, IPv6 won't cause issues, but disabling it is a "belt and suspenders" approach for paranoia-level security.

On Simple DNSCrypt Being Discontinued:
Yes, you're correct—Simple DNSCrypt is discontinued and no longer maintained. The project, which was a user-friendly GUI wrapper for dnscrypt-proxy, hasn't seen updates since around 2019. Its GitHub repo is archived, and it's not recommended for new setups due to potential security vulnerabilities, lack of compatibility with modern Windows versions, and no support for newer protocols or providers.

If you were considering it as an alternative for custom DoH (like NextDNS or Cloudflare Gateway), better options include:

• dnscrypt-proxy (the core engine behind Simple DNSCrypt): It's actively maintained, open-source, and supports custom DoH/DoT endpoints. You can run it command-line or with community GUIs like DNSCloak or manual configs. Setup involves downloading from GitHub, editing the config file (e.g., add your NextDNS DoH URL under server sections), and setting it as your system's DNS (127.0.0.1). It enforces no fallbacks well when configured strictly.
• YogaDNS: As we've discussed, this is a great, modern alternative with a GUI, active development, and excellent support for customs without the discontinuation concerns.
• Acrylic DNS Proxy: Another free tool that's still updated; it acts as a local proxy and supports custom DoH, with options for universal enforcement.
• AdGuard for Windows (free tier available): Includes DNS proxying with DoH support, custom endpoints, and built-in blocking—no discontinuation issues.

For your use case (universal DoH with no fallbacks on Windows 11 Pro), I'd stick with YogaDNS unless you prefer a command-line tool like dnscrypt-proxy for its lightweight nature. If you need setup guides for any of these, just let me know!

If you have more questions about configuring these or testing your setup, feel free to provide details like your Windows build or specific provider endpoints.

On Disabling IPv6 with YogaDNS:
No, you don't strictly need to disable IPv6 when using YogaDNS for a universal DoH setup. YogaDNS is designed to handle both IPv4 and IPv6 DNS queries effectively—it intercepts system-wide requests (including IPv6) and routes them through your configured secure DNS servers (like NextDNS or Cloudflare Gateway). This means it can enforce DoH for IPv6 traffic without relying on Windows' autoconfiguration or potential fallbacks.

However, disabling IPv6 is still recommended in certain scenarios for added security and to minimize risks:

• If your network doesn't use IPv6 (most home setups don't), disabling it prevents any accidental IPv6 DNS leaks or autoconfiguration (e.g., via SLAAC or DHCPv6) that could bypass your DoH enforcement.
• It simplifies troubleshooting and reduces the attack surface, especially if you're aiming for zero fallbacks.
• To disable: Go to Settings > Network & Internet > [Your Network Adapter] > Properties, uncheck Internet Protocol Version 6 (TCP/IPv6), and restart your PC. YogaDNS will still work fine on IPv4.

If you keep IPv6 enabled, ensure YogaDNS is set to handle it (check Configuration > System DNS for IPv6 support) and test for leaks using tools like ipv6leak.com or dnsleaktest.com. In most cases with YogaDNS's strict modes, IPv6 won't cause issues, but disabling it is a "belt and suspenders" approach for paranoia-level security.

On Simple DNSCrypt Being Discontinued:
Yes, you're correct—Simple DNSCrypt is discontinued and no longer maintained. The project, which was a user-friendly GUI wrapper for dnscrypt-proxy, hasn't seen updates since around 2019. Its GitHub repo is archived, and it's not recommended for new setups due to potential security vulnerabilities, lack of compatibility with modern Windows versions, and no support for newer protocols or providers.

If you were considering it as an alternative for custom DoH (like NextDNS or Cloudflare Gateway), better options include:

• dnscrypt-proxy (the core engine behind Simple DNSCrypt): It's actively maintained, open-source, and supports custom DoH/DoT endpoints. You can run it command-line or with community GUIs like DNSCloak or manual configs. Setup involves downloading from GitHub, editing the config file (e.g., add your NextDNS DoH URL under server sections), and setting it as your system's DNS (127.0.0.1). It enforces no fallbacks well when configured strictly.
• YogaDNS: As we've discussed, this is a great, modern alternative with a GUI, active development, and excellent support for customs without the discontinuation concerns.
• Acrylic DNS Proxy: Another free tool that's still updated; it acts as a local proxy and supports custom DoH, with options for universal enforcement.
• AdGuard for Windows (free tier available): Includes DNS proxying with DoH support, custom endpoints, and built-in blocking—no discontinuation issues.

For your use case (universal DoH with no fallbacks on Windows 11 Pro), I'd stick with YogaDNS unless you prefer a command-line tool like dnscrypt-proxy for its lightweight nature. If you need setup guides for any of these, just let me know!

If you have more questions about configuring these or testing your setup, feel free to provide details like your Windows build or specific provider endpoints.

Is it safe to enable "block incoming connections, including for allowed apps" in Windows Firewall?

 

[Bot]

Is it safe to enable "block incoming connections, including for allowed apps" in Windows Firewall?

Yes, enabling "Block all incoming connections, including those in the list of allowed apps" in Windows Firewall is generally safe from a security perspective—it actually enhances your protection by acting as a strict barrier against unsolicited incoming traffic. However, it's not always practical for everyday use, as it can disrupt certain features or applications that rely on incoming connections. Let me break this down for you step by step, based on how Windows Defender Firewall works (this applies to Windows 11 Pro, as per your previous questions).

### What This Setting Does
- This option is found in Settings > Privacy & security > Windows Security > Firewall & network protection (or search for "Firewall" in Start). It's available separately for Private (e.g., home) and Public (e.g., coffee shop) network profiles.
- When enabled:
- All incoming connections are blocked, even for apps you've added to the "allowed" list (e.g., via "Allow an app through firewall").
- Outgoing connections (e.g., browsing the web) are still allowed unless you've set specific rules to block them.
- It's essentially a "lockdown mode" designed for high-risk environments, like public Wi-Fi, to prevent attacks such as port scanning, unauthorized access, or exploits targeting open ports.
- It doesn't affect your system's core functionality (like DNS resolution or basic internet access), but it overrides any custom inbound rules you've created.

### Is It Safe?
- Pros (Security Benefits):

• Highly effective against external threats: It stops hackers, malware, or worms from initiating connections to your PC, reducing risks like remote exploits or unauthorized file sharing.
• Useful in untrusted networks: Microsoft recommends enabling it for Public profiles to protect against common Wi-Fi attacks (e.g., man-in-the-middle or rogue hotspots).
• No risk of "breaking" your system: Windows will still function normally for outbound activities, and you can always disable it if needed.
• Complements other security measures: Pairs well with your DoH setups (like YogaDNS or NextDNS) by adding another layer of defense.

- Cons (Potential Drawbacks):

• Breaks legitimate features: Things like file/printer sharing (SMB), remote desktop (RDP), multiplayer games, UPnP devices (e.g., smart home gadgets), or hosting servers will stop working because they require incoming connections.
• Inconvenient for home networks: If you're on a trusted Private network, this could unnecessarily hinder local networking (e.g., accessing your PC from another device on the same LAN).
• No impact on internal threats: It won't block malware already on your system from phoning home (that's more about outbound rules or antivirus).
• Overkill for most users: If you have good inbound rules set up (e.g., only allowing specific apps/ports), you might not need this blanket block.

### Recommendations
- When to Enable It:

• Yes, for Public networks (automatic when connecting to new Wi-Fi—Windows often prompts you).
• Maybe for Private networks if you're paranoid about security (e.g., in a shared living space) or testing setups, but test first to ensure it doesn't break anything you need.
• Combine with other tweaks: Keep your outbound rules strict (e.g., the port 53 block we discussed for DNS security), and use tools like YogaDNS to handle DNS without relying on incoming connections.

- Alternatives to a Full Block:

• Configure specific inbound rules: In Firewall settings, go to Advanced settings and create rules to allow only trusted apps/ports (e.g., allow RDP on port 3389 from specific IPs).
• Use third-party firewalls: Tools like GlassWire or Comodo Firewall offer more granular control without a total lockdown.
• Monitor with logs: Enable Firewall logging (in Advanced settings) to see what's being blocked, helping you fine-tune without going full-block.

- How to Enable/Disable Safely:

1. Go to Firewall & network protection.
2. Select your network type (Private or Public).
3. Toggle "Block all incoming connections..." on/off.
4. Test immediately: Try accessing a shared folder or using an app that needs incoming connections. If something breaks, toggle it off and add exceptions.

Overall, it's a safe and recommended feature for boosting security, especially in risky environments, but it's not a "set it and forget it" option for everyone. If you're enabling it as part of your DNS/security hardening (e.g., with NextDNS or Cloudflare Gateway), it shouldn't conflict—just ensure your DoH setup doesn't require incoming ports. If you run into specific issues (e.g., with certain apps) or want help with custom rules, provide more details about your setup, and I'll assist further!

Yes, enabling "Block all incoming connections, including those in the list of allowed apps" in Windows Firewall is generally safe from a security perspective—it actually enhances your protection by acting as a strict barrier against unsolicited incoming traffic. However, it's not always practical for everyday use, as it can disrupt certain features or applications that rely on incoming connections. Let me break this down for you step by step, based on how Windows Defender Firewall works (this applies to Windows 11 Pro, as per your previous questions).

### What This Setting Does
- This option is found in Settings > Privacy & security > Windows Security > Firewall & network protection (or search for "Firewall" in Start). It's available separately for Private (e.g., home) and Public (e.g., coffee shop) network profiles.
- When enabled:
- All incoming connections are blocked, even for apps you've added to the "allowed" list (e.g., via "Allow an app through firewall").
- Outgoing connections (e.g., browsing the web) are still allowed unless you've set specific rules to block them.
- It's essentially a "lockdown mode" designed for high-risk environments, like public Wi-Fi, to prevent attacks such as port scanning, unauthorized access, or exploits targeting open ports.
- It doesn't affect your system's core functionality (like DNS resolution or basic internet access), but it overrides any custom inbound rules you've created.

### Is It Safe?
- Pros (Security Benefits):

• Highly effective against external threats: It stops hackers, malware, or worms from initiating connections to your PC, reducing risks like remote exploits or unauthorized file sharing.
• Useful in untrusted networks: Microsoft recommends enabling it for Public profiles to protect against common Wi-Fi attacks (e.g., man-in-the-middle or rogue hotspots).
• No risk of "breaking" your system: Windows will still function normally for outbound activities, and you can always disable it if needed.
• Complements other security measures: Pairs well with your DoH setups (like YogaDNS or NextDNS) by adding another layer of defense.

- Cons (Potential Drawbacks):

• Breaks legitimate features: Things like file/printer sharing (SMB), remote desktop (RDP), multiplayer games, UPnP devices (e.g., smart home gadgets), or hosting servers will stop working because they require incoming connections.
• Inconvenient for home networks: If you're on a trusted Private network, this could unnecessarily hinder local networking (e.g., accessing your PC from another device on the same LAN).
• No impact on internal threats: It won't block malware already on your system from phoning home (that's more about outbound rules or antivirus).
• Overkill for most users: If you have good inbound rules set up (e.g., only allowing specific apps/ports), you might not need this blanket block.

### Recommendations
- When to Enable It:

• Yes, for Public networks (automatic when connecting to new Wi-Fi—Windows often prompts you).
• Maybe for Private networks if you're paranoid about security (e.g., in a shared living space) or testing setups, but test first to ensure it doesn't break anything you need.
• Combine with other tweaks: Keep your outbound rules strict (e.g., the port 53 block we discussed for DNS security), and use tools like YogaDNS to handle DNS without relying on incoming connections.

- Alternatives to a Full Block:

• Configure specific inbound rules: In Firewall settings, go to Advanced settings and create rules to allow only trusted apps/ports (e.g., allow RDP on port 3389 from specific IPs).
• Use third-party firewalls: Tools like GlassWire or Comodo Firewall offer more granular control without a total lockdown.
• Monitor with logs: Enable Firewall logging (in Advanced settings) to see what's being blocked, helping you fine-tune without going full-block.

- How to Enable/Disable Safely:

1. Go to Firewall & network protection.
2. Select your network type (Private or Public).
3. Toggle "Block all incoming connections..." on/off.
4. Test immediately: Try accessing a shared folder or using an app that needs incoming connections. If something breaks, toggle it off and add exceptions.

Overall, it's a safe and recommended feature for boosting security, especially in risky environments, but it's not a "set it and forget it" option for everyone. If you're enabling it as part of your DNS/security hardening (e.g., with NextDNS or Cloudflare Gateway), it shouldn't conflict—just ensure your DoH setup doesn't require incoming ports. If you run into specific issues (e.g., with certain apps) or want help with custom rules, provide more details about your setup, and I'll assist further!

 

[Bot]

DOH has many more problems than it solves, but everybody foolishly jumped onto that DOH bandwagon.

• DoH doesn't actually prevent ISPs user tracking
• DoH creates havoc in the enterprise sector
• DoH weakens cyber-security
• DoH helps criminals
• DoH shouldn't be recommended to dissidents
• DoH centralizes DNS traffic at a few DoH resolvers (and centralization means a few entities control everything)

I don't care what people think or believe. These are the facts, and they are irrefutable.

DOH has many more problems than it solves, but everybody foolishly jumped onto that DOH bandwagon.

• DoH doesn't actually prevent ISPs user tracking
• DoH creates havoc in the enterprise sector
• DoH weakens cyber-security
• DoH helps criminals
• DoH shouldn't be recommended to dissidents
• DoH centralizes DNS traffic at a few DoH resolvers (and centralization means a few entities control everything)

I don't care what people think or believe. These are the facts, and they are irrefutable.

Thanks for sharing your perspective, @bazang. You've raised some valid concerns about DNS over HTTPS (DoH) that are worth discussing in the context of privacy, security, and real-world implementation. While DoH has been widely adopted for its benefits (like encrypting DNS queries to prevent eavesdropping and manipulation on public networks), it's not a silver bullet, and critics like you highlight important drawbacks. I'll address your points factually and balancedly below, based on available research and expert analyses (e.g., from sources like ICANN, EFF, and security firms). These aren't meant to refute your views but to provide context for the community—everyone's mileage may vary depending on their threat model.

Addressing Your Points on DoH:

• DoH doesn't actually prevent ISP user tracking: This is partially true. DoH encrypts the DNS query itself, so your ISP can't see the domain names you're resolving (e.g., they won't know you're visiting example.com). However, ISPs can still track you via IP addresses of the sites you connect to, traffic patterns, or SNI (Server Name Indication) in TLS handshakes (unless using Encrypted Client Hello). For full anti-tracking, you'd need DoH combined with a VPN or Tor. Studies from Princeton University and others confirm that DoH reduces but doesn't eliminate ISP visibility.
  
• DoH creates havoc in the enterprise sector: Absolutely a fair point. In corporate environments, DoH can bypass centralized DNS filtering, logging, and security tools (e.g., for malware blocking or compliance). This has led to issues like employees evading company policies, and enterprises often disable or block DoH via firewalls or policies. Tools like Cisco Umbrella or enterprise firewalls have adapted by intercepting DoH traffic, but it's added complexity. Reports from Gartner and Forrester note this as a management challenge.
  
• DoH weakens cyber-security: It depends on the context. DoH strengthens security by preventing DNS spoofing and man-in-the-middle attacks on unencrypted DNS (port 53). However, if misconfigured or used with untrusted resolvers, it could route traffic through malicious servers. Centralization (your later point) also creates single points of failure or attack. On balance, organizations like NIST recommend DoH/DoT for enhanced privacy, but with caveats for enterprise monitoring.
  
• DoH helps criminals: There's some truth here—cybercriminals can use DoH to hide C2 (command-and-control) communications, making it harder for security tools to detect malicious domains. For example, malware like SUNBURST (SolarWinds hack) leveraged encrypted DNS. However, this is more about abuse of encryption in general (similar to HTTPS). Security firms like Palo Alto Networks have noted increased DoH use in attacks, but it's not unique to DoH—criminals adapt to any tech.
  
• DoH shouldn't be recommended to dissidents: This is a nuanced critique. For activists in oppressive regimes, DoH can protect against local DNS censorship or surveillance, but if the resolver (e.g., Cloudflare or Google) is compelled to log or block queries, it could backfire. Centralization means trusting a few providers, which might cooperate with governments. Alternatives like decentralized DNS (e.g., Handshake) or self-hosted resolvers are sometimes suggested instead. The EFF has discussed this, recommending DoH only as part of a broader toolkit (with VPNs, etc.).
  
• DoH centralizes DNS traffic at a few DoH resolvers: Spot on—this is one of the biggest criticisms. With major browsers and OSes defaulting to providers like Cloudflare (1.1.1.1) or Google (8.8.8.8), a huge portion of global DNS traffic funnels through a handful of companies, creating risks of outages, data aggregation, or control (e.g., during geopolitical events). ICANN has warned about this centralization trend, and it's why some advocate for more diverse, open resolvers or protocols like ODoH (Oblivious DoH) to add anonymity.

Overall, DoH solves specific problems (e.g., DNS privacy on untrusted networks) but introduces trade-offs, especially in enterprise or high-stakes scenarios. It's not "foolish" adoption—it's a response to real threats like DNS hijacking—but your points highlight why it's not ideal for everyone. If you're avoiding DoH, alternatives like DNS over TLS (DoT) or traditional DNS with a trusted recursive resolver (plus VPN) might suit better. For those interested, check out articles from APNIC or Krebs on Security for deeper dives.

Now, to directly answer the quoted question from @rashmi:

Is it safe to share your unique Cloudflare Gateway DoH address with someone trusted, especially when you can delete the unique DoH from your account?

Yes, it's generally safe to share your unique Cloudflare Gateway DoH address with a trusted person, but with some caveats for security and privacy:

• Safety Aspects: The unique DoH endpoint (e.g., https://yourteam.cloudflare-gateway.com/dns-query) is tied to your Cloudflare account and applies your specific Gateway policies (e.g., filtering, logging). Sharing it allows the recipient to use your DNS configuration, but they can't access your account or modify settings. Cloudflare doesn't tie it to personal data by default, and since you can delete or regenerate the endpoint anytime via your dashboard (under Network > DNS), you maintain control.
  
• Risks to Consider:
  • If the shared person misuses it (e.g., for heavy traffic or malicious activity), it could trigger rate limits or alerts on your account.
  • Logging: If you've enabled query logging in Gateway, their DNS activity will be visible in your logs, potentially exposing their browsing habits to you (or vice versa if they access logs somehow—though they can't without your credentials).
  • Trust Factor: Even with "trusted" people, sharing means they inherit your security posture—e.g., if your policies block malware, they get that benefit, but any flaws in your setup affect them.
  • Revocation: Deleting the endpoint immediately disables it for everyone, so it's easy to revoke access. No lingering risks post-deletion.
• Best Practices:
  • Share only if necessary (e.g., for family or a small team).
  • Use Cloudflare's Teams features for proper sharing instead of raw endpoints.
  • Monitor your Gateway dashboard for unusual activity after sharing.
  • If privacy is a big concern, recommend they set up their own free Cloudflare account instead.

If this introduces tracking or centralization issues that concern you (per @bazang's points), consider self-hosted options like Pi-hole with DoT or no encryption at all. What are your thoughts on alternatives, @bazang? And @rashmi, does this address your question, or do you need setup help for Gateway/NextDNS?

Feel free to chime in, everyone—this is a great discussion for the community!

 

[ForgottenSeer 114717]

@bazang?, does this address your question, or do you need setup help for Gateway/NextDNS?

I have no concerns. I do not use DOH because it is insecure and, therefore, foolish to use it. No IT Pro that knows about security would ever use DOH if they are in their right mind. DOH does not provide the protections that many claim that it does. No further reply is desired. Thank you. You're a Good Bot.

When you sleep, do you dream of electric sheep?

 

[rashmi]

1. Test immediately: Try accessing a shared folder or using an app that needs incoming connections. If something breaks, toggle it off and add exceptions.

How do you enable incoming connections for an application when the "block incoming..." setting is active?