Step-by-Step: Activating DoH & DoT for Secure Browsing on Windows 11 & Windows Server 2022+
In today’s digital age, safeguarding your online privacy is more crucial than ever. While many of us are diligent about using HTTPS for secure browsing, a critical piece of the privacy puzzle often remains unaddressed: DNS queries. Every time you visit a website, your device sends a DNS query to translate the human-readable domain name (like www.example.com) into an IP address. Traditionally, these queries are sent in plaintext, leaving your browsing habits exposed. This post will guide you through enabling DNS over HTTPS (DoH) or DNS over TLS (DoT) in Windows 11, effectively cloaking this last piece of your digital footprint.
The Final Frontier of Online Privacy: Encrypting Your Digital Footprints
You might be familiar with the padlock icon in your browser, indicating an HTTPS connection. This encrypts the content of the websites you visit, protecting it from prying eyes. However, the DNS requests made to reach those websites have historically been sent unencrypted. This means that anyone monitoring your network traffic – whether it’s your Internet Service Provider (ISP), an administrator on a public Wi-Fi network (like at an airport or café), or a malicious actor performing a Man-in-the-Middle (MitM) attack – could see which websites you’re attempting to access.
By encrypting your DNS queries with DoH or DoT, you overcome this significant privacy hurdle. When combined with consistent HTTPS use for web browsing (many modern browsers can enforce this, or extensions can help), your web activity gains a level of privacy comparable to using a VPN. Your ISP can no longer easily snoop on your DNS requests to profile your interests or sell that data. On unsecured public Wi-Fi, your DNS lookups are shielded from eavesdroppers.
It’s important to note a caveat: While DoH/DoT and HTTPS significantly boost your web browsing privacy, they don’t cover all internet traffic. Software outside your browser, such as some email clients still using unencrypted SMTP (port 25), might transmit data insecurely. In such cases, a comprehensive VPN service (like NordVPN, Mullvad, or Private Internet Access) still offers broader protection by encrypting all traffic from your device.
What are DNS over HTTPS (DoH) and DNS over TLS (DoT)?
Before we dive into the “how-to,” let’s quickly understand these technologies:
- DNS (Domain Name System): Think of it as the internet’s phonebook. It translates website names (e.g., google.com) into numerical IP addresses (e.g., 172.217.160.142) that computers use to connect to each other.
- DNS over HTTPS (DoH): This method sends DNS queries and receives DNS responses over an encrypted HTTPS connection – the same protocol used to secure websites. Windows 11 often refers to this feature simply as “DNS encryption.”
- DNS over TLS (DoT): This method uses a dedicated encrypted channel via Transport Layer Security (TLS) to secure DNS traffic. While DoT is a robust standard, Windows 11’s built-in GUI configuration primarily focuses on DoH. This guide will therefore concentrate on enabling DoH, which is readily accessible through Windows 11 settings.
Why Enable Encrypted DNS in Windows 11?
The benefits are clear:
- Enhanced Privacy: Prevents ISPs, network administrators, and snoopers from seeing the websites you query.
- Increased Security: Protects against DNS spoofing (where an attacker redirects you to a fake website) and MitM attacks on your DNS traffic.
- Safer Public Wi-Fi: Adds a crucial layer of security when using potentially untrusted networks.
Prerequisites for Enabling DoH in Windows 11
Ensure your Windows 11 is up to date. For this guide, we will focus on using well-known DNS resolvers that are typically pre-configured or easily recognized by Windows 11 for DoH, meaning the “Preferred DNS encryption” option should become available automatically once their IP addresses are entered. These include:
- Quad9: Primary 9.9.9.9, Alternate 149.112.112.112
- Cloudflare: Primary 1.1.1.1, Alternate 1.0.0.1
- Google: Primary 8.8.8.8, Alternate 8.8.4.4
If you were to use a custom DoH server not on Microsoft’s auto-discovery list, you might need to add it via PowerShell first using a command like Add-DnsClientDohServerAddress. However, for the popular services listed above, this extra step is usually not required.
How to Enable DNS over HTTPS (DoH) in Windows 11 (Using Pre-configured Servers)
Follow these steps to configure DoH through the Windows 11 Settings interface:
- Open Windows Settings: Click the Windows Start button and select “Settings” (the gear icon).
- Navigate to Network & Internet: In the Settings window, select “Network & Internet” from the left-hand sidebar.
- Select Your Network Interface: Choose your active internet connection. This could be “Ethernet” if you’re using a wired connection, or “Wi-Fi” if you’re connected wirelessly. Click on it.
- Edit DNS Server Assignment: Scroll down to the “DNS server assignment” section and click the “Edit” button.

- Configure DNS Settings: In the “Edit DNS settings” or “Edit IP settings” dialog:
  - Change the setting from “Automatic (DHCP)” to “Manual.”
  - Turn on the toggle for IPv4 (and IPv6 if you use it and your chosen DNS provider supports it over IPv6 for DoH).
  - In the “Preferred DNS” field, enter the primary IP address of your chosen DoH server (e.g., 1.1.1.1 for Cloudflare, 8.8.8.8 for Google, or 9.9.9.9 for Quad9).
  - In the “Alternate DNS” field, enter the secondary IP address for your chosen provider (e.g., 1.0.0.1 for Cloudflare, 8.8.4.4 for Google, or 149.112.112.112 for Quad9). This provides a fallback if the preferred server is unreachable.
  - Under “Preferred DNS encryption,” the dropdown menu should now be enabled. You can choose:
    - Encrypted only (DNS over HTTPS): This is the most secure option. All DNS queries will be sent over DoH. If the server cannot handle DoH or there’s a configuration issue, DNS resolution might fail.
    - Encrypted preferred, unencrypted allowed: Windows will attempt to use DoH first. If it fails, it will fall back to traditional unencrypted DNS. This offers better compatibility, but you won’t be notified if it falls back to unencrypted.
    - (You might also see “Unencrypted only,” which is the default state you are changing from.)

- Save Your Settings: Click the “Save” button. The changes should apply immediately.
Verifying Your Encrypted DNS Setup
To ensure DoH is working correctly, you can visit a DNS leak test website or a service-specific test page. For example, if you configured Cloudflare’s DNS:
- Visit https://one.one.one.one/help/ (formerly 1.1.1.1/help). It should indicate that you are connected to Cloudflare DNS and whether “DNS over HTTPS (DoH)” is active.
Other general DNS leak test sites can also show you which DNS servers you are using and often the protocol.
A Note on PowerShell Configuration (For Servers or Insider Win11 Builds)
As mentioned, Windows 11 aims to auto-configure DoH for known servers once you input their IPs in the GUI. However, if you were using a less common DoH provider, or if the “Preferred DNS encryption” options didn’t appear as expected, you might need to add the DoH server’s details using PowerShell. This is done with the Add-DnsClientDohServerAddress cmdlet.
For example, if your DNS server IP was 1.2.3.4 with a DoH template of https://example.com/doh/dns-query, the command would be:
Add-DnsClientDohServerAddress -ServerAddress '1.2.3.4' -DohTemplate 'https://example.com/doh/dns-query' -AllowFallbackToUdp $False -AutoUpgrade $True
You would run this in PowerShell as an administrator. Again, for the popular providers like Cloudflare, Google, and Quad9, this manual addition via PowerShell is generally not necessary for DoH to work via the GUI settings.
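A local check to go with the verification and PowerShell notes above, added here as an example and not part of the original guide: it lists every DNS resolver configured on active adapters and reports whether Windows has a DoH template registered for it. The function name Get-DohCoverage and the Finding labels are illustrative; the script reads only the known-server list, not the per-interface choice made in the Settings dialog.

```powershell
# Added example: compare the resolvers configured on active adapters
# against the DoH servers Windows knows about.
function Get-DohCoverage {
    # Known DoH servers: built-in entries plus anything registered
    # with Add-DnsClientDohServerAddress. Indexed by server IP.
    $known = @{}
    foreach ($entry in Get-DnsClientDohServerAddress) {
        $known[$entry.ServerAddress] = $entry
    }

    # Walk the IPv4 and IPv6 resolver lists of every adapter that is up.
    $upAdapters = Get-NetAdapter | Where-Object Status -eq 'Up'
    foreach ($adapter in $upAdapters) {
        $configs = Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex
        foreach ($cfg in $configs) {
            foreach ($ip in $cfg.ServerAddresses) {
                $doh = $known[$ip]

                # Finding labels are this example's own wording.
                if (-not $doh) {
                    $finding = 'No DoH template registered for this resolver'
                }
                elseif ($doh.AllowFallbackToUdp) {
                    $finding = 'DoH template registered, plaintext fallback allowed'
                }
                else {
                    $finding = 'DoH template registered, no plaintext fallback'
                }

                [pscustomobject]@{
                    Interface          = $adapter.Name
                    Resolver           = $ip
                    DohTemplate        = if ($doh) { $doh.DohTemplate } else { $null }
                    AutoUpgrade        = if ($doh) { $doh.AutoUpgrade } else { $null }
                    AllowFallbackToUdp = if ($doh) { $doh.AllowFallbackToUdp } else { $null }
                    Finding            = $finding
                }
            }
        }
    }
}

Get-DohCoverage | Format-Table -AutoSize
```

A resolver reported without a DoH template is one for which the “Preferred DNS encryption” dropdown would not be expected to offer an encrypted option until the server is registered.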
Conclusion: Take Control of Your DNS Privacy
Enabling DNS over HTTPS in Windows 11 is a straightforward process that significantly enhances your online privacy and security. By encrypting your DNS queries, you shield your browsing habits from ISPs, network eavesdroppers, and certain types of cyberattacks. It’s a small change with a big impact on your digital footprint.
We encourage you to follow these steps and take control of your DNS privacy. If you found this guide helpful, please share it with others 🙂