Configure DNS-over-HTTPS (DoH) on Windows 11

Encrypt Your DNS Traffic Directly in Windows Settings

Windows 11 includes native support for DNS-over-HTTPS (DoH), allowing you to encrypt DNS queries without installing any third-party software. This guide walks you through enabling DoH with CleanBrowsing so your filtered DNS traffic stays private and tamper-proof.


Step 1: What is DNS-over-HTTPS?

DNS-over-HTTPS (DoH) encrypts your DNS queries by sending them over the HTTPS protocol, the same secure channel used by websites. This prevents your ISP, network administrator, or anyone on the same network from seeing which domains you are resolving.

Without DoH, DNS queries are sent in plaintext over port 53, making them visible to anyone who can inspect network traffic. With DoH enabled, your queries are wrapped inside an encrypted HTTPS connection to port 443, so an observer sees only ordinary-looking HTTPS traffic to the DNS provider rather than the domain names being queried.

Windows 11 introduced native DoH support, meaning you can enable encrypted DNS directly in the operating system settings without installing additional software. When combined with CleanBrowsing, you get both encryption and content filtering in a single configuration.

Step 2: Open Windows Network Settings

To begin configuring DoH, you need to access the DNS settings for your active network connection.


For Wi-Fi Connections

  1. Open Settings by pressing Windows + I on your keyboard.
  2. Click Network & internet in the left sidebar.
  3. Click Wi-Fi.
  4. Click on your connected Wi-Fi network name (or click Hardware properties).

For Ethernet Connections

  1. Open Settings by pressing Windows + I on your keyboard.
  2. Click Network & internet in the left sidebar.
  3. Click Ethernet.


Both paths will take you to the network adapter properties page where you can edit DNS settings.

Step 3: Edit DNS Server Assignment

Once you are on the network adapter properties page, locate the DNS server assignment section. By default, it will show Automatic (DHCP), meaning your device is using whatever DNS servers your router or ISP provides.

  1. Find the DNS server assignment section on the page.
  2. Click the Edit button next to it.
  3. In the dropdown that appears, change it from Automatic (DHCP) to Manual.
  4. Toggle the IPv4 switch to On.


You will now see fields for entering preferred and alternate DNS servers, along with encryption options for each.

Step 4: Enter CleanBrowsing DNS Servers

With manual DNS mode enabled, enter the CleanBrowsing Family Filter DNS addresses. These servers filter adult content, malware, and phishing domains while supporting encrypted DNS.


CleanBrowsing Family Filter (Free)

Setting                 Value
Preferred DNS server    185.228.168.168
Alternate DNS server    185.228.169.168

CleanBrowsing DoH URL

The DoH endpoint for the Family Filter is:

https://doh.cleanbrowsing.org/doh/family-filter


If you have a paid CleanBrowsing subscription, use your custom filter URL instead:

https://doh.cleanbrowsing.org/doh/custom-filter/YOUR_CODE


Replace YOUR_CODE with the code found in your CleanBrowsing dashboard under account settings.

Step 5: Enable DoH Encryption

After entering the DNS IP addresses, you need to configure the encryption settings for each server.

  1. Under the Preferred DNS server (185.228.168.168), find the DNS over HTTPS dropdown.
  2. Select On (manual template).
  3. In the DNS over HTTPS template field, enter:
    https://doh.cleanbrowsing.org/doh/family-filter
  4. Repeat the same for the Alternate DNS server (185.228.169.168) — select On (manual template) and enter the same DoH URL.
  5. Click Save to apply the settings.


Once saved, Windows 11 will encrypt all DNS queries using HTTPS. The DNS server assignment section should now display Encrypted preferred to confirm that DoH is active.


IPv6 Configuration (Optional)

If your network supports IPv6, you can also configure DoH for IPv6. Toggle the IPv6 switch to On and enter:

Setting                        Value
Preferred DNS server (IPv6)    2a0d:2a00:1::
Alternate DNS server (IPv6)    2a0d:2a00:2::


Use the same DoH template URL for both IPv6 servers.

Step 6: Verify Your Configuration

After saving, confirm that your DNS traffic is both encrypted and filtered.


Check DNS Resolution

Open a Command Prompt or PowerShell window and run:

nslookup cleanbrowsing.org


The response should return the correct IP address for cleanbrowsing.org. The server listed should be 185.228.168.168 or 185.228.169.168.


Confirm Filtering is Active

Visit cleanbrowsing.org/checkfiltering in your browser. This page will confirm whether CleanBrowsing is filtering your DNS traffic.


Verify Encryption

Return to Settings > Network & internet > Wi-Fi (or Ethernet) and check the DNS server assignment section. It should display:

  • Preferred DNS encryption: Encrypted (DNS over HTTPS)
  • Alternate DNS encryption: Encrypted (DNS over HTTPS)

If you see "Unencrypted" instead, double-check that the DoH template URL is entered correctly and that Windows has recognized the DNS server as DoH-capable.
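To check the template URL itself, independently of Windows (nslookup shows which resolver answered, not whether the DoH endpoint works), the following added example sends one DNS query to the endpoint as an RFC 8484 POST and decodes the answer. It is not CleanBrowsing's code; the function names are illustrative, and it assumes Python 3, outbound HTTPS access, and that the endpoint accepts RFC 8484 POST requests.

```python
import socket
import struct
import urllib.request

FAMILY_TEMPLATE = "https://doh.cleanbrowsing.org/doh/family-filter"  # URL from this guide

def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS wire-format query (RFC 1035); qtype 1 = A record."""
    # ID 0 (RFC 8484 suggests it for cache friendliness), RD flag set, one question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("idna").split(b".")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past an (optionally compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg: bytes):
    """Return (rcode, [IPv4 addresses]) from a DNS wire-format response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def probe(template: str, name: str, timeout: float = 5.0):
    """POST one query over certificate-verified HTTPS (assumes RFC 8484 POST support)."""
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    req = urllib.request.Request(template, data=build_query(name), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read())

if __name__ == "__main__":
    print(probe(FAMILY_TEMPLATE, "cleanbrowsing.org"))  # needs network access
```

An rcode of 0 with at least one address means the template URL is reachable and answering; an HTTP or TLS error raised by `probe` points to a mistyped template or a network path that blocks the endpoint.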


Troubleshooting

If DoH is not working as expected:

  • Flush DNS cache: Run ipconfig /flushdns in Command Prompt.
  • Restart network adapter: Disable and re-enable your Wi-Fi or Ethernet adapter.
  • Check Windows Update: Ensure Windows 11 is fully updated, as early builds had limited DoH support.
  • Browser overrides: Some browsers (Chrome, Edge, Firefox) have their own DoH settings that may override the system configuration. See our guide on hardening Chrome DNS settings.
