
Microsoft has announced that Windows 10 customers can now configure DNS over HTTPS (DoH) directly from the Settings app starting with the release of Windows 10 Insider Preview Build 20185 to Windows Insiders in the Dev Channel.
Microsoft announced in November 2018 that a future Windows 10 release would add support for the DoH protocol, and also left open the possibility of including DNS over TLS (DoT) support.
DoH allows DNS resolution over encrypted HTTPS connections, while DoT encrypts DNS queries via the Transport Layer Security (TLS) protocol, instead of using plain text DNS lookups.
For those unfamiliar with the new Windows 10 channel names: on June 29, Microsoft overhauled the Windows Insider program and moved away from release rings to release channels. As part of that change, the:
- Fast Ring became the Dev Channel
- Slow Ring became the Beta Channel
- Release Preview Ring became the Release Preview Channel.
Windows Insiders in the Dev channel who want to upgrade to the new Windows 10 build can check for new updates from the Windows Update dialog.
DoH controls in the Windows 10 Network Settings
As shared by Windows Insider Program senior program manager Brandon LeBlanc, customers can configure encrypted DNS using the Settings app starting with Windows 10 Dev Channel Build 20185.
For Ethernet (wired) connections, users can access the new controls from the pop-up that opens after going to Settings > Network & Internet > Status, clicking Properties, and then selecting Edit IP assignment or Edit DNS server assignment.
Users with Wi-Fi (wireless) connections can open the DoH controls pop-up by clicking on their adapter's Properties link, and then selecting Edit IP assignment or Edit DNS server assignment.
According to LeBlanc, the encrypted DNS controls are not yet available by going to individual networks' property pages.

To give DoH a spin, you can add any IP address of a currently supported DoH-enabled DNS server and choose your preferred DNS encryption method to have your DNS queries automatically encrypted.
The full list of DoH DNS servers you can use is available in the table embedded below.
| Server Owner | Server IP addresses |
|---|---|
| Cloudflare | 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001 |
| Google | 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844 |
| Quad9 | 9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::fe:9 |
"Once encryption is enabled, you can confirm it’s working by looking at the applied DNS servers in the network properties and see them labeled as '(Encrypted)' servers," LeBlanc explains.
Microsoft also provides instructions on how to use custom DoH servers by manually adding DNS servers with DoH support that aren't in the default auto-promotion list.
Testing if DoH is working
To check whether your DNS queries are indeed encrypted, you can use the PacketMon command-line utility to watch the network traffic leaving the machine over port 53 (the port used for unencrypted DNS queries); after DoH is toggled on, there should be little to no traffic on that port.
To do this, open a Command Prompt or a PowerShell window and run the following commands to reset PacketMon's network traffic filters, add a traffic filter for port 53, and start real-time traffic logging:
pktmon filter remove
pktmon filter add -p 53
pktmon start --etw -m real-time

Other vendors' DoH adoption and future plans
Mozilla rolled out DNS-over-HTTPS by default to all US-based Firefox users starting on February 25, 2020, with Cloudflare as the DNS provider and with the option for users to switch to NextDNS or another custom provider from the browser's network options.
Google is running a limited DoH trial on all platforms except Linux and iOS, starting with the release of Chrome 79.
However, unlike Mozilla, Google does not automatically change the DNS provider but, instead, it upgrades Chrome's DNS resolution protocol only when the default DNS provider is DoH-enabled.
US government agencies' CIOs were advised in April to disable third-party encrypted DNS services until an official federal DNS resolution service with DNS over HTTPS (DoH) and DNS over TLS (DoT) support is ready.

Comments
DarthTater - 4 years ago
I'm having trouble with the command above on the latest Windows 10 Dev build 20190. Any ideas?
C:\WINDOWS\system32>pktmon start --etw -l real-time
Error: Parameter '-l' modifies parameter '--provider'.
DarthTater - 4 years ago
Never mind. I see in the screenshots that the last command is actually using the "-m" parameter and not "-l".
pktmon start --etw -m real-time
zapbuzz - 2 years ago
this is a windows 11 titled marketing version with windows 10 engineering version. Unfortunately if your system doesn't meet windows 11 hardware requirements you cannot use it. Windows 10 marketing version hasn't yet received encrypted DNS and it should if Microsoft was responsible otherwise i'd wait for windows 12 for any real innovation (I tried windows 11)