For enhanced online privacy and security, Windows 11 lets you use DNS over HTTPS (DoH) to encrypt DNS queries your computer makes while you are browsing or doing other things online. Here’s how to set it up.
Encrypted DNS is more private and secure
Every time you visit a website using a domain name (like “google.com”, for example), your computer sends a request to a Domain Name System (DNS) server. The DNS server resolves the domain name to the corresponding IP address (from its cache, or by asking other DNS servers) and returns that address to your computer, which then uses it to connect to the site.
This name resolution has traditionally travelled over the network unencrypted, as plain UDP or TCP on port 53. Any intermediary on the path (your ISP, a coffee-shop Wi-Fi operator, anyone on the same network segment) could read the domain names you look up, and could also forge replies to send you somewhere else. With DNS over HTTPS, also known as DoH, the exchange between your computer and a DoH-capable DNS server runs inside an HTTPS connection, so an on-path observer can neither read your queries nor tamper with the responses. Two caveats are worth keeping in mind: the operator of the DoH server still sees every query you send it, and the IP address and TLS server name of the sites you then connect to remain visible on the network. DoH protects the lookup, not the connection that follows it.
First, choose a supported free DNS service
Out of the box, DNS over HTTPS in Windows 11 only upgrades queries to DoH for resolvers on a built-in list of well-known public DNS services, because Windows needs to know each resolver’s HTTPS template URL (you can see the list yourself by running netsh dns show encryption in a Terminal window). A resolver that is not on the list can be registered with netsh dns add encryption server=<IP> dohtemplate=<URL> if you know its template, but the simplest route is to pick one of the built-in services below.
Here is the current list of supported IPv4 DNS service addresses as of November 2021:
- Google primary DNS: 8.8.8.8
- Secondary Google DNS: 8.8.4.4
- Cloudflare primary DNS: 1.1.1.1
- Secondary Cloudflare DNS: 1.0.0.1
- Primary DNS Quad9: 9.9.9.9
- Secondary DNS Quad9: 149.112.112.112
For IPv6, here is the list of supported DNS service addresses:
- Google primary DNS: 2001:4860:4860::8888
- Secondary Google DNS: 2001:4860:4860::8844
- Cloudflare primary DNS: 2606:4700:4700::1111
- Secondary Cloudflare DNS: 2606:4700:4700::1001
- Primary DNS Quad9: 2620:fe::fe
- Secondary DNS Quad9: 2620:fe::9
When it comes time to enable DoH in the section below, you will need to choose a primary and secondary address for IPv4, and (if your connection has IPv6) a primary and secondary address for IPv6, to use with your Windows 11 PC. Using a single provider’s pair for both families keeps behaviour consistent. These public resolvers are often faster than an ISP’s default DNS server as well, though that depends on your location and network.
Then enable DNS over HTTPS in Windows 11
To start setting up DNS over HTTPS, open the Settings app by pressing Windows + i on your keyboard. Or you can right click on the Start button and select “Settings” from the special menu that appears.
In Settings, click on “Network & Internet” in the sidebar.
In Network & Internet settings, click the name of your primary Internet connection in the list, for example “Wi-Fi” or “Ethernet”. (Do not click on “Properties” near the top of the window; that page does not offer the DNS encryption options.)
On the network connection properties page, select “Hardware properties”.
On the Wi-Fi or Ethernet hardware properties page, locate the “DNS server assignment” option and click the “Edit” button next to it.
In the window that appears, use the drop-down menu to select “Manual” DNS settings. Next, flip the “IPv4” switch to the “On” position.
In the IPv4 section, enter the primary DNS server address you chose in the section above in the “Preferred DNS” box (such as “8.8.8.8”). Likewise, enter the address of the secondary DNS server in the “Alternate DNS” box (such as “8.8.4.4”).
Tip: If you don’t see the DNS encryption options, you are editing the DNS settings of a saved Wi-Fi network profile rather than the adapter. Go back to Settings > Network & Internet, click the connection type (Wi-Fi or Ethernet), and then click “Hardware properties” first.
In the same window, set “Preferred DNS Encryption” and “Alternate DNS Encryption” to “Encrypted Only (DNS over HTTPS)” using the drop-down lists below the DNS addresses you entered in the last step.
After that, repeat the process for IPv6.
Toggle the “IPv6” switch to the “On” position, then copy a primary IPv6 address from the section above and paste it into the “Preferred DNS” box. Then copy the matching secondary IPv6 address and paste it into the “Alternate DNS” box.
After that, set both “DNS encryption” settings to “Encrypted only (DNS over HTTPS)”. Finally, click “Save”.
Back on the Wi-Fi or Ethernet hardware properties page, you will see your DNS servers listed with an “(encrypted)” next to each one.
That’s all you need to do. Close the Settings app and you are good to go. From now on, the DNS queries Windows sends for this adapter travel only over HTTPS to the resolver you chose; “Encrypted only” means Windows will not silently fall back to plain-text DNS if the encrypted channel fails. Note that applications with their own built-in resolver (some browsers, for example) manage their own DoH setting separately. Happy browsing!
Note: If you experience network issues after changing these settings, first verify that you entered the IP addresses correctly; a mistyped address makes that DNS server unreachable, and with “Encrypted only” selected there is no fallback. If the addresses look correct, try switching the “IPv6” toggle in the DNS server list off. Configuring IPv6 DNS servers on a computer without IPv6 connectivity can cause lookups to stall or fail.
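The same setup, scripted, as an added example that is not part of the original article. It performs in PowerShell what the steps above do in the Settings app: it checks that each chosen resolver has a DoH template registered in Windows (the same data netsh dns show encryption prints), configures the adapter’s resolvers, skips the IPv6 pair when the adapter has no routable IPv6 address (the failure mode described in the note above), and then turns on the “Require DoH” policy, which is the machine-wide policy equivalent of the per-adapter “Encrypted only” choice. The interface alias “Ethernet” and the choice of Quad9 are assumptions; adjust them to your PC. Run it in an elevated PowerShell session on Windows 11.

```powershell
# Added example (not from the original article): script the Windows 11 DoH setup
# that the article performs in the Settings app. Run as Administrator.
# Assumptions: the active adapter is called 'Ethernet' and you want Quad9.
#Requires -RunAsAdministrator

$InterfaceAlias = 'Ethernet'                          # assumption: your active adapter
$IPv4Servers    = @('9.9.9.9', '149.112.112.112')     # Quad9, from the article's list
$IPv6Servers    = @('2620:fe::fe', '2620:fe::9')

# 1. Windows only upgrades a resolver to DoH if it knows an HTTPS template for it.
#    Fail early rather than end up with "Encrypted only" and no working resolver.
$known = Get-DnsClientDohServerAddress
foreach ($s in ($IPv4Servers + $IPv6Servers)) {
    $entry = $known | Where-Object ServerAddress -eq $s
    if (-not $entry) {
        throw "$s has no DoH template registered; choose a listed server or register one with Add-DnsClientDohServerAddress"
    }
    '{0,-20} -> {1}' -f $s, $entry.DohTemplate
}

# 2. Only configure IPv6 resolvers if the adapter has a global (non link-local)
#    IPv6 address; otherwise they are unreachable and lookups can stall.
$hasGlobalV6 = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -notlike 'fe80:*' }
$servers = $IPv4Servers
if ($hasGlobalV6) {
    $servers += $IPv6Servers
} else {
    Write-Warning "No global IPv6 address on $InterfaceAlias; configuring IPv4 resolvers only"
}

# 3. Point the adapter at the chosen resolvers (Manual / Preferred / Alternate in Settings).
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $servers

# 4. Require DoH for every configured resolver. This is the Group Policy value
#    "Configure DNS over HTTPS (DoH) name resolution": 1 = prohibit, 2 = allow, 3 = require.
#    A resolver without a template stops answering once this is set, hence step 1.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'DoHPolicy' -Value 3 -Type DWord

# 5. Verify: drop cached answers, show the adapter's resolvers, and do a test lookup.
Clear-DnsClientCache
Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses
Resolve-DnsName -Name example.com -Type A | Format-Table Name, IPAddress
```

A successful Resolve-DnsName only proves that name resolution works, not that it was encrypted; to confirm the upgrade, check that the Settings page now shows “(encrypted)” next to each server, or take a packet capture (for example with pktmon) and confirm there is no port 53 traffic to the resolver. To undo the policy, set DoHPolicy back to 2 (allow) or delete the value; the Settings app’s own per-adapter toggle is unaffected by it.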