Configure Encrypted DNS on Windows 11 (DOH)

This article shows how to configure encrypted DNS on Windows 11 using DNS-over-HTTPS.

 

Configuring encrypted DNS on Windows 11 requires multiple steps, but it is the preferred method over traditional DNS (IPv4 and IPv6). You will require basic knowledge of PowerShell and access to the Settings menu.

Step 1: Register DNS-over-HTTPS (DOH) Provider

The first step is registering an encrypted DNS provider with Windows. This is done via PowerShell, which must be run as an administrator.

 

We will be using the Add-DnsClientDohServerAddress cmdlet. You will have to pass two specific options:

 

  • -ServerAddress
  • -DohTemplate

 

It will look like this:

 

Add-DnsClientDohServerAddress -ServerAddress [ip] -DohTemplate [url]

 

The DohTemplate refers to the DOH URL, so if you're working with CleanBrowsing filters it would be based on the DOH URL we provide in your dashboard:

 

Add-DnsClientDohServerAddress -ServerAddress 185.228.168.10 -DohTemplate https://doh.cleanbrowsing.org/doh/custom-filter/[key]/

 

It will generate an output like this:

 

ServerAddress  AllowFallbackToUdp AutoUpgrade DohTemplate
-------------  ------------------ ----------- -----------
185.228.168.10 False              False       https://doh.cleanbrowsing.org/doh/custom-filter/[key]/

 

You can confirm it was registered by running:

 

netsh dns show encryption

 

You will see all the DOH templates available to use. Scroll until you see the entry for CleanBrowsing. It should look like this (but with your URL):

 

Encryption settings for 185.228.168.10
----------------------------------------------------------------------
DNS-over-HTTPS template     : https://doh.cleanbrowsing.org/doh/custom-filter/[key]/
Auto-upgrade                : no
UDP-fallback                : no

 

Whether you use the Free or Paid filters, the Server IP for DOH will always be 185.228.168.10. While we support IPv6 DNS, we don't have it configured for DOH yet. We encourage you to disable IPv6 on the machine to avoid leaking DNS queries.

 

Now that the template is registered, we can set encryption.

Step 2: Enable Encryption on DNS Traffic

For the average user, you can set encryption via the Windows user interface.

 

Click your Windows key and search for "settings".

 

Click on Network & Internet.

 

Click Edit next to DNS Server Assignment.


This will open a new modal dialog on your screen.

 

From this page, set the method to "Manual".

 

Turn on IPv4.

 

Add the Preferred DNS value as 185.228.168.10

 

As soon as you add the IP, the Preferred DNS Encryption drop-down should become available. Select Encrypted Only (DNS over HTTPS).


That should be it. All DNS traffic should now be encrypted. We will share how to do this via PowerShell for more advanced administrators in a different article.
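A read-only check of the configuration described above, added here as an example and not part of the original article: it confirms that the template from Step 1 is registered without UDP fallback, and flags connected adapters that still have other IPv4 resolvers or IPv6 enabled. The function name Test-DohSetup is hypothetical; the cmdlets come from the built-in DnsClient and NetAdapter modules.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
# Test-DohSetup is a hypothetical name; 185.228.168.10 is the DoH IP given above.
function Test-DohSetup {
    param([string]$Resolver = '185.228.168.10')
    $findings = @()

    # Step 1 check: the template must be registered, with no plaintext fallback.
    $doh = Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $Resolver
    if (-not $doh) {
        $findings += "No DoH template is registered for $Resolver."
    } elseif ($doh.AllowFallbackToUdp) {
        $findings += "AllowFallbackToUdp is True for $Resolver (plaintext downgrade possible)."
    }

    foreach ($a in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
        # Step 2 check: any other IPv4 resolver on a live adapter bypasses the template.
        $v4 = @((Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses)
        if ($v4 -notcontains $Resolver) {
            $findings += "$($a.Name): $Resolver is not set as an IPv4 DNS server."
        }
        $other = @($v4 | Where-Object { $_ -and $_ -ne $Resolver })
        if ($other.Count -gt 0) {
            $findings += "$($a.Name): other IPv4 resolver(s): $($other -join ', ')."
        }

        # The article advises disabling IPv6 because DoH is not offered over it yet.
        $v6 = Get-NetAdapterBinding -Name $a.Name -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
        if ($v6 -and $v6.Enabled) {
            $findings += "$($a.Name): IPv6 is enabled; queries to IPv6 resolvers would not use this DoH template."
        }
    }
    return $findings
}

$result = Test-DohSetup
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'DoH template registered; no stray resolvers or IPv6 bindings found.' }
```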


Verify Connection & Troubleshooting

After configuring your device or router you can verify your configuration by visiting DNS Leak Test and running the standard test.

We provide a more in-depth guide on Verifying and Debugging Connections.
