Windows 11 now includes support for DNS over HTTPS to improve your online privacy, and here's how to configure the feature.
On Windows 11, you can enable DNS over HTTPS (DoH) for a more secure and private online experience, and in this guide, you will learn how.
DNS over HTTPS is a networking protocol designed to encrypt Domain Name System (DNS) queries using the Hypertext Transfer Protocol Secure (HTTPS) protocol. The main purpose of DoH is to protect these queries to increase user privacy and security by stopping malicious individuals from viewing and manipulating DNS traffic originating from your computer to prevent things like man-in-the-middle attacks.
First, Choose a Supported Free DNS Service
As of Windows 11's release, DNS over HTTPS in Windows 11 only works with a certain hard-coded list of free DNS services (you can see the list yourself by running.
netsh dns show encryption
in a Terminal window).
Here's the current list of supported IPv4 DNS service addresses :
- Google DNS Primary: 8.8.8.8
- Google DNS Secondary: 8.8.4.4
- Cloudflare DNS Primary: 1.1.1.1
- Cloudflare DNS Secondary: 1.0.0.1
- Quad9 DNS Primary: 9.9.9.9
- Quad9 DNS Secondary: 149.112.112.112
For IPv6, here is the list of supported DNS service addresses:
- Google DNS Primary: 2001:4860:4860::8888
- Google DNS Secondary: 2001:4860:4860::8844
- Cloudflare DNS Primary: 2606:4700:4700::1111
- Cloudflare DNS Secondary: 2606:4700:4700::1001
- Quad9 DNS Primary: 2620:fe::fe
- Quad9 DNS Secondary: 2620:fe::fe:9
When it comes time to enable DoH in the section below, you'll need to choose two pairs of these DNS servers—primary and secondary for IPv4 and IPv6—to use with your Windows 11 PC. As a bonus, using these will very likely speed up your internet browsing experience.
Next, Enable DNS over HTTPS in Windows 11
To get started setting up DNS over HTTPS, open the Settings app by pressing Windows+i on your keyboard. Or you can right-click the Start button and select "Settings" in the special menu that appears.
- In Settings, click "Network & Internet" in the sidebar.
- In Network & Internet settings, click the name of your primary internet connection in the list, such as "Wi-Fi" or "Ethernet." (Don't click "Properties" near the top of the window—that won't let you encrypt your DNS connections.)
- On the network connection's properties page, select "Hardware Properties."
- On the Wi-Fi or Ethernet hardware properties page, locate the "DNS Server Assignment" option and click the "Edit" button beside it.
- In the window that pops up, use the drop-down menu to select "Manual" DNS settings. Then flip the "IPv4" switch to the "On" position.
- In the IPv4 section, enter the primary DNS server address you chose from the section above in the "Preferred DNS" box (such as "8.8.8.8"). Similarly, enter the secondary DNS server address in the "Alternate DNS" box (such as "8.8.4.4").
- In the same window, set "Preferred DNS Encryption" and "Alternate DNS Encryption" to "Encrypted Only (DNS over HTTPS)" using the drop-down boxes below the DNS addresses you entered in the last step.
- Turn off the “Fallback to plaintext” toggle switch. If you enable this feature, the system will encrypt DNS traffic, but it allows queries to be sent without encryption.
- After that, repeat this process with IPv6.
Flip the IPv6 switch to the "On" position, and then copy a primary IPv6 address in the section aboveand paste it into the "Preferred DNS" box. Next, copy a matching secondary IPv6 address and paste it into the "Alternate DNS" box.
After that, set both "DNS encryption" settings to "Encrypted Only (DNS over HTTPS)." Finally, click "Save."
Back on the Wi-Fi or Ethernet hardware properties page, you'll see your DNS servers listed with an "(Encrypted)" beside each one of them.
After you complete the steps, you will know whether the DNS over HTTPS has been configured correctly on Windows 11.