Microsoft adds Windows 10 DNS over HTTPS settings section

Microsoft has announced that Windows 10 customers can now configure DNS over HTTPS (DoH) directly from the Settings app starting with the release of Windows 10 Insider Preview Build 20185 to Windows Insiders in the Dev Channel.

Microsoft first announced in November 2019 that a future Windows 10 release would support DoH, leaving the door open for DNS over TLS (DoT) support as well.

DoH carries DNS queries and responses inside an HTTPS session (TCP port 443), while DoT encrypts them in a dedicated Transport Layer Security (TLS) session (TCP port 853). Both replace plain text DNS lookups on port 53, which anyone on the network path can read or tamper with.

For those unfamiliar with the new Windows 10 channel names, Microsoft overhauled the Windows Insider program on June 29 and moved from release rings to release channels, when the:

  • Fast Ring became the Dev Channel
  • Slow Ring became the Beta Channel
  • Release Preview Ring became the Release Preview Channel.

Windows Insiders in the Dev channel who want to upgrade to the new Windows 10 build can check for new updates from the Windows Update dialog.

DoH controls in the Windows 10 Network Settings

As shared by Windows Insider Program senior program manager Brandon LeBlanc, customers can configure encrypted DNS using the Settings app starting with Windows 10 Dev Channel Build 20185.

For Ethernet (wired) connections, users can access the new controls from the pop-up that opens after going to Settings > Network & Internet > Status, clicking Properties, and then selecting Edit IP assignment or Edit DNS server assignment.

Users with Wi-Fi (wireless) connections can open the DoH controls pop-up by clicking on their adapter's Properties link, and then selecting Edit IP assignment or Edit DNS server assignment.

According to LeBlanc, the encrypted DNS controls are not yet available by going to individual networks' property pages.

Windows 10 DoH controls in the Settings app (Microsoft)

To give DoH a spin, enter the IP address of one of the DoH-enabled DNS servers Windows currently knows about (its built-in auto-promotion list) and choose your preferred DNS encryption setting; the DNS client then upgrades queries to that server to DoH automatically.

The full list of DoH DNS servers you can use is available in the table embedded below.

Server owner   Server IP addresses
-------------  -----------------------
Cloudflare     1.1.1.1
               1.0.0.1
               2606:4700:4700::1111
               2606:4700:4700::1001
Google         8.8.8.8
               8.8.4.4
               2001:4860:4860::8888
               2001:4860:4860::8844
Quad9          9.9.9.9
               149.112.112.112
               2620:fe::fe
               2620:fe::fe:9

"Once encryption is enabled, you can confirm it’s working by looking at the applied DNS servers in the network properties and see them labeled as '(Encrypted)' servers," LeBlanc explains.

Microsoft also documents how to use DoH servers that are not on the built-in auto-promotion list: the netsh dns add encryption command maps a server's IP address to its DoH URI template so that the DNS client knows how to upgrade queries to it.

Testing if DoH is working

To check that your DNS queries are really being encrypted, use the PacketMon (pktmon) command-line utility to watch for traffic leaving the host on port 53 (UDP or TCP, the port used for unencrypted DNS). After DoH is toggled on there should be little to no traffic on that port, because DoH queries travel inside HTTPS on TCP port 443 instead.

To do this, open an elevated Command Prompt or PowerShell window (pktmon requires administrator rights) and run the following commands to clear PacketMon's existing filters, add a filter for port 53, and start real-time traffic logging (the flags shown are those of this Insider build; pktmon help lists the ones your build accepts):

pktmon filter remove
pktmon filter add -p 53
pktmon start --etw -l real-time
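The two steps above, registering a custom DoH server and checking for plaintext leakage, combined into one script. This is an added example, not code from Microsoft's post or from the Windows Insider blog. It assumes the netsh "dns add encryption" syntax and "autoupgrade"/"udpfallback" options Microsoft documented for the Insider builds, the pktmon flags shown above, that pktmon's real-time output prints one "PktGroupId" record per captured packet, and an elevated PowerShell session. The resolver IP and template default to Quad9, which is already on the built-in list, so substitute your own server to exercise the custom-server path.

```powershell
# Added example (not Microsoft's code): register a custom DoH resolver with the
# Windows DNS client, then prove that no plaintext DNS leaves the host while names
# are resolved through the system stub resolver.
# Assumptions: netsh "dns add encryption" syntax from Microsoft's Insider blog,
# pktmon flags as in the build discussed above, and that pktmon's real-time output
# prints one "PktGroupId" record per packet. Must run in an elevated shell.
#Requires -RunAsAdministrator
param(
    [string]   $DohServer      = '9.9.9.9',                         # resolver IP (placeholder: use your own)
    [string]   $DohTemplate    = 'https://dns.quad9.net/dns-query', # its DoH URI template
    [string[]] $Names          = @('example.com', 'microsoft.com'), # names to resolve during the check
    [int]      $CaptureSeconds = 5                                  # how long to keep capturing after lookups
)

# 1. Map the IP to its DoH endpoint. Windows only upgrades queries to DoH for IPs that
#    have a template on this list. udpfallback=no: a failed DoH query is NOT retried in
#    the clear, which is the setting you want if the goal is "never leak".
netsh dns add encryption server=$DohServer dohtemplate=$DohTemplate autoupgrade=yes udpfallback=no | Out-Null
netsh dns show encryption server=$DohServer

# 2. Capture only port-53 traffic (plaintext DNS, UDP or TCP). pktmon is launched as a
#    child process so its real-time output lands in a file we can inspect afterwards.
$log = Join-Path $env:TEMP 'pktmon-port53.log'
pktmon filter remove | Out-Null
pktmon filter add Port53 -p 53 | Out-Null
$capture = Start-Process -FilePath 'pktmon.exe' -ArgumentList 'start', '--etw', '-l', 'real-time' `
    -RedirectStandardOutput $log -NoNewWindow -PassThru
Start-Sleep -Seconds 1

# Resolve through the system resolver (the path the DoH upgrade applies to), not
# directly against a server, so the check sees what ordinary applications see.
# -DnsOnly keeps LLMNR/NetBIOS fallbacks out of the picture.
foreach ($name in $Names) {
    try   { Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop | Out-Null }
    catch { Write-Warning "Lookup for $name failed: $_" }
}
Start-Sleep -Seconds $CaptureSeconds

# 3. Stop the trace and count what the port-53 filter let through. Because that is the
#    only filter, every record is a plaintext DNS packet that escaped encryption.
pktmon stop | Out-Null
Stop-Process -Id $capture.Id -ErrorAction SilentlyContinue
pktmon filter remove | Out-Null
$leaked = 0
if (Test-Path $log) {
    $leaked = (Select-String -Path $log -Pattern 'PktGroupId' -SimpleMatch | Measure-Object).Count
}

[pscustomobject]@{
    DohServer        = $DohServer
    NamesResolved    = $Names.Count
    Port53Packets    = $leaked
    PlaintextLeak    = ($leaked -gt 0)
    CaptureLog       = $log
}
```

A non-zero Port53Packets count does not automatically mean DoH is broken: queries for names the stub resolver sends elsewhere (a VPN's resolver, a per-interface server with no DoH template, Name Resolution Policy Table rules) also show up on port 53, so open the capture log and check the destination address of each record before concluding the resolver you configured is leaking.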

Monitoring Windows 10 plain text DNS traffic

Other vendors' DoH adoption and future plans

Mozilla rolled out DNS-over-HTTPS by default to all US-based Firefox users on February 25, 2020, with Cloudflare as the default resolver and NextDNS or a custom provider selectable from the browser's network settings.

Google began a limited DoH experiment with the release of Chrome 79, on all platforms except Linux and iOS.

However, unlike Mozilla, Google does not switch users to a different DNS provider: Chrome upgrades its DNS resolution to DoH only when the user's existing provider is on Chrome's list of DoH-capable resolvers, so the provider stays the same and only the transport changes.

US government agencies' CIOs were advised in April to disable third-party encrypted DNS services until an official federal DNS resolution service with DNS over HTTPS (DoH) and DNS over TLS (DoT) support is ready.
