Enabling DNS over HTTPS (DoH) on Windows 10

DNS over HTTPS (DoH) support appeared on Windows 10 2004 build (May 2020 Update). Now Windows 10 can resolve names over HTTPS protocol using the built-in DoH client. In this article we’ll tell what DNS over HTTPS protocol is used for, how to enable and use it on latest Windows 10 builds.

When your computer connects to a DNS server to resolve names, it sends and receives DNS requests/responses over the Internet in clear text. An attacker can intercept your traffic, detect what resources you have visited or manipulate your DNS traffic using a man-in-the-middle type of attack. The DNS over HTTPS protects user data privacy by encrypting all DNS queries. The DoH protocol encapsulates DNS queries into HTTPS traffic and sends them to a DNS server (you need use use a special DNS server with DoH support).

Windows 10 2004 does’t yet have a GPO parameter or an option in the graphic interface to enable DNS-over-HTTPS. Currently, you can only enable DoH on latest Windows 10 builds via the registry:

1. Run the regedit.exe;
2. Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
3. Create a new DWORD parameter with the name EnableAutoDoh and value 2;
   
   
   You can also create this registry parameter using the New-ItemProperty cmdlet:
   $EnableDNSoverHTTPSKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$EnableDNSoverHTTPSParameter = 'EnableAutoDoh'
New-ItemProperty -Path $EnableDNSoverHTTPSKey -Name $EnableDNSoverHTTPSParameter -Value 2 -PropertyType DWord –Force
   
4. Then restart the DNS client service. To do it, reboot your computer, since you won’t be able to restart the dnscase service normally (Restart-Service -Name Dnscache –force command returns the following error: Collection was modified; enumeration operation may not execute).

Then you will have to change the DNS settings of your network connection. You need to specify DNS servers with DNS over HTTPS support. Not all of DNS servers support DoH yet. The table below shows a list of public DNS servers with DNS over HTTPS support.

Open the network connection window (Control Panel -> Network and Internet -> Network and Sharing Center or ncpa.cpl). Then change the current DNS server IP addresses to the addresses of DNS servers that support DoH in the network adapter properties.

Then your DNS client will use HTTPS (443) protocol instead of standard UDP/TCP port 53 for DNS name resolution.

Using PktMon.exe, a tool to capture network traffic (we told about it earlier), you can make sure that no DNS request are sent from the computer over 53 port.

Remove all current Packet Monitor filters:

pktmon filter remove

Create a new filter for default DNS port (53):

pktmon filter add -p 53

Start real-time traffic monitoring (the traffic will be shown in the console):

pktmon start --etw -p 0 -l real-time

If you have configured DNS over HTTPS correctly, there will be no traffic on Port 53 (the screenshot below shows the console output with DoH enabled and disabled).

In the last year, DNS over HTTPS has been implemented in all popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera). You can enable DoH support in each of them. Thus, all DNS queries from your browser will be encrypted (DNS traffic of other apps will still sent as a plain text).

DNS over HTTPS and DNS over TLS will create a lot of troubles for corporate network administrators, since it will be harder to restrict access to external resources from internal networks.