This article will show how to configure encrypted DNS on Windows 11 using DNS-over-HTTPS.
Configuring encrypted DNS on Windows 11 requires multiple steps, but it is the preferred method over traditional plaintext DNS (IPv4 and IPv6). You will need basic knowledge of PowerShell and access to the Settings menu.
Step 1: Register DNS-over-HTTPS (DOH) Provider
The first step in the whole process is registering an encrypted DNS provider with Windows. This is done via PowerShell, which needs to be run as an administrator.
We will be using the Add-DnsClientDohServerAddress cmdlet. You will have to pass two parameters:
- -ServerAddress
- -DohTemplate
It will look like this:
Add-DnsClientDohServerAddress -ServerAddress [ip] -DohTemplate [url]
The DohTemplate is the DOH URL, so if you're working with CleanBrowsing filters it would be the DOH URL we provide in your dashboard:
Add-DnsClientDohServerAddress -ServerAddress 185.228.168.10 -DohTemplate https://doh.cleanbrowsing.org/doh/custom-filter/[key]/
It will generate an output like this:

ServerAddress  AllowFallbackToUdp AutoUpgrade DohTemplate
-------------  ------------------ ----------- -----------
185.228.168.10 False              False       https://doh.cleanbrowsing.org/doh/custom-filter/[key]/
You can confirm it was registered by running:
netsh dns show encryption
You will see all the DOH templates available to use. Scroll until you see the entry for CleanBrowsing. It should look like this (but with your URL):

Encryption settings for 185.228.168.10
----------------------------------------------------------------------
DNS-over-HTTPS template : https://doh.cleanbrowsing.org/doh/custom-filter/[key]/
Auto-upgrade            : no
UDP-fallback            : no
Whether you are using the Free or Paid filters, the server IP for DOH will always be 185.228.168.10. While we support IPv6 DNS, we don't have it configured for DOH yet. We encourage you to disable IPv6 on the machine to avoid leaking unencrypted DNS queries over IPv6.
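As an added example (not part of this article's own instructions or CleanBrowsing tooling), the following PowerShell script performs Step 1 and adds two checks a cautious administrator would want: that UDP fallback is off for the registered server, and that no IPv6 DNS servers remain on active adapters, which would give queries a plaintext path around DOH. It assumes an elevated session, and <key> is a placeholder for the key shown in your dashboard.

```powershell
# Added example, not part of the original article or CleanBrowsing's own tooling.
# Registers the CleanBrowsing DoH template, then checks the two settings that
# decide whether queries can leak in plaintext. Run in an elevated PowerShell session.
# <key> is a placeholder for the key shown in your CleanBrowsing dashboard.
$ServerAddress = '185.228.168.10'
$DohTemplate   = 'https://doh.cleanbrowsing.org/doh/custom-filter/<key>/'

# Register the template, or correct it if the address is already registered with a stale one.
$existing = Get-DnsClientDohServerAddress -ServerAddress $ServerAddress -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsClientDohServerAddress -ServerAddress $ServerAddress -DohTemplate $DohTemplate | Out-Null
} elseif ($existing.DohTemplate -ne $DohTemplate) {
    Set-DnsClientDohServerAddress -ServerAddress $ServerAddress -DohTemplate $DohTemplate
}

# Check 1: AllowFallbackToUdp must be False. If it were True, a DoH failure would
# let the resolver quietly retry the query over plaintext UDP port 53.
$entry = Get-DnsClientDohServerAddress -ServerAddress $ServerAddress
if ($entry.AllowFallbackToUdp) {
    throw "UDP fallback is enabled for $ServerAddress; DNS queries could be sent in plaintext."
}
$entry | Format-Table ServerAddress, AllowFallbackToUdp, AutoUpgrade, DohTemplate -AutoSize

# Check 2: the CleanBrowsing DoH endpoint is IPv4-only, so any IPv6 DNS server still
# configured on an active adapter is an unencrypted path that bypasses DoH.
$ipv6Leaks = Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv6
} | Where-Object { $_.ServerAddresses.Count -gt 0 }

if ($ipv6Leaks) {
    Write-Warning 'IPv6 DNS servers are still configured on these adapters:'
    $ipv6Leaks | Format-Table InterfaceAlias, ServerAddresses -AutoSize
} else {
    Write-Host 'No IPv6 DNS servers configured; no plaintext IPv6 path around DoH.'
}
```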
Now that the template is registered, we can set encryption.
Step 2: Enable Encryption on DNS Traffic
For the average user, you can set encryption via the Windows user interface.
Click your Windows key and search for “Settings”.
Click on Network & Internet.
Click Edit next to DNS Server Assignment.
This will open a new modal dialog on your screen.
From this page, set the method to “Manual”.
Turn on IPv4.
Enter 185.228.168.10 as the Preferred DNS value.
As soon as you add the IP, the Preferred DNS encryption drop-down should become enabled. Select Encrypted Only (DNS over HTTPS).
That should be it. All DNS traffic should now be encrypted. We will share how to do this via PowerShell for more advanced administrators in a different article.