
What is DNS over HTTPS (DoH) & How to Enable in Windows 10


When your web browser opens a website, it first has to translate the friendly hostname (ex. stealthbits.com) into the public IP address of the server that hosts the site. This is known as a “DNS lookup”, and traditional DNS sends it in plaintext, unlike the web traffic that follows, which is almost entirely protected by HTTPS these days.

Since HTTPS encrypts your communications with a website once the connection is established, you may be wondering why it matters that the DNS lookup that precedes it remains unencrypted. With unencrypted DNS, anyone on the same network as you (a shared Wi-Fi hotspot, for example) can see which websites you’re browsing and, because plain DNS replies carry no cryptographic protection on the wire, can forge answers that re-route your lookups to malicious websites and phishing scams.

Graphic of unencrypted DNS, attackers on the same network as you that can view which websites you’re browsing.

To close this gap, DNS over HTTPS (DoH, standardized in RFC 8484) carries the same DNS lookups inside HTTPS. Traditional DNS lookups go out in plaintext over UDP or TCP port 53; with DoH, the query and its answer travel inside an HTTPS request to the resolver on TCP port 443, where they look like any other web traffic. An attacker snooping on the network can no longer read or forge your lookups. Two caveats are worth knowing: DoH only protects the path between you and the resolver, so the resolver operator still sees every query, and the TLS handshake to the website itself still exposes the hostname in the Server Name Indication (SNI) field unless Encrypted Client Hello is in use.
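To make “DNS inside HTTPS” concrete, here is an added PowerShell example (not code from the original post) that builds the exact HTTPS request a DoH client sends for an A lookup, in the GET form specified by RFC 8484, and decodes a DoH reply. It goes one step beyond the paragraph above by showing that the bytes inside the HTTPS request are the same wire-format message that would otherwise be sent to port 53. The resolver URL is Cloudflare’s public DoH endpoint and is only there to show the request shape; the reply bytes are constructed for this example, and 192.0.2.1 is a documentation address, not a real answer.

```powershell
# Added example, not code from the original post. Shows the HTTPS request a DoH client sends
# for an A lookup (RFC 8484 GET form) and decodes a DoH reply. The reply bytes below are
# constructed for this example (192.0.2.1 is a documentation address, not a real answer).

function New-DnsQuery {
    # Wire-format query, identical to what would be sent in a UDP datagram to port 53:
    # 12-byte header, QNAME as length-prefixed labels, QTYPE=A (1), QCLASS=IN (1)
    param([string]$Name, [uint16]$Id = 0)
    $b = [System.Collections.Generic.List[byte]]::new()
    $b.AddRange([byte[]]@(($Id -shr 8), ($Id -band 0xFF), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0))  # flags: RD=1; QDCOUNT=1
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $b.Add([byte]$lb.Length); $b.AddRange($lb)
    }
    $b.Add(0)                            # root label ends the QNAME
    $b.AddRange([byte[]]@(0, 1, 0, 1))   # QTYPE A, QCLASS IN
    return , $b.ToArray()                # the comma keeps the byte[] from being unrolled
}

function ConvertTo-Base64Url {
    # RFC 4648 base64url without padding, as RFC 8484 requires for the dns= parameter
    param([byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-DohGetUrl {
    # DoH GET form: the whole DNS message rides in a query parameter of an ordinary HTTPS URL
    param([string]$Name, [string]$Resolver = 'https://cloudflare-dns.com/dns-query')
    "${Resolver}?dns=$(ConvertTo-Base64Url (New-DnsQuery -Name $Name))"
}

function Read-UInt16 { param([byte[]]$Msg, [int]$i) ([int]$Msg[$i] -shl 8) -bor [int]$Msg[$i + 1] }

function Read-DnsName {
    # Decodes a possibly compressed name (RFC 1035 4.1.4); returns the name and the offset after it
    param([byte[]]$Msg, [int]$Offset)
    $labels = @(); $pos = $Offset; $after = -1
    while ($true) {
        $len = [int]$Msg[$pos]
        if ($len -eq 0) { $pos++; break }
        if (($len -band 0xC0) -eq 0xC0) {
            if ($after -lt 0) { $after = $pos + 2 }       # name ends after the 2-byte pointer
            $pos = (($len -band 0x3F) -shl 8) -bor [int]$Msg[$pos + 1]
            continue
        }
        $labels += [System.Text.Encoding]::ASCII.GetString($Msg, $pos + 1, $len)
        $pos += 1 + $len
    }
    if ($after -lt 0) { $after = $pos }
    [pscustomobject]@{ Name = ($labels -join '.'); After = $after }
}

function ConvertFrom-DnsResponse {
    # Parses the header, skips the question section and returns the answer records
    param([byte[]]$Msg)
    $flags = Read-UInt16 $Msg 2; $qd = Read-UInt16 $Msg 4; $an = Read-UInt16 $Msg 6
    $pos = 12
    for ($i = 0; $i -lt $qd; $i++) { $pos = (Read-DnsName $Msg $pos).After + 4 }   # +4 skips QTYPE/QCLASS
    $answers = @()
    for ($i = 0; $i -lt $an; $i++) {
        $n = Read-DnsName $Msg $pos; $pos = $n.After
        $type  = Read-UInt16 $Msg $pos
        $ttl   = ([long]$Msg[$pos + 4] -shl 24) -bor ([long]$Msg[$pos + 5] -shl 16) -bor ([long]$Msg[$pos + 6] -shl 8) -bor [long]$Msg[$pos + 7]
        $rdlen = Read-UInt16 $Msg ($pos + 8)
        $pos  += 10
        $rdata = if ($rdlen -gt 0) { $Msg[$pos..($pos + $rdlen - 1)] } else { @() }
        $data  = if ($type -eq 1 -and $rdlen -eq 4) { $rdata -join '.' } else { ($rdata | ForEach-Object { $_.ToString('x2') }) -join '' }
        $answers += [pscustomobject]@{ Name = $n.Name; Type = $type; TTL = $ttl; Data = $data }
        $pos += $rdlen
    }
    [pscustomobject]@{ Id = (Read-UInt16 $Msg 0); Rcode = ($flags -band 0xF); Answers = $answers }
}

function Test-DohKnownAnswer {
    # RFC 8484 section 4.1.1 gives this exact dns= value for an A query for www.example.com (ID 0)
    (New-DohGetUrl -Name 'www.example.com').EndsWith('?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB')
}

# Constructed reply: ID 0, flags 0x8180 (response, RD, RA, NOERROR), one question,
# one A record for www.example.com (written as a pointer to offset 12), TTL 3600, 192.0.2.1
$reply = [byte[]]@(
    0x00,0x00, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    0x03,0x77,0x77,0x77, 0x07,0x65,0x78,0x61,0x6d,0x70,0x6c,0x65, 0x03,0x63,0x6f,0x6d, 0x00, 0x00,0x01, 0x00,0x01,
    0xc0,0x0c, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x04, 0xc0,0x00,0x02,0x01
)

New-DohGetUrl -Name 'www.example.com'          # the URL a DoH client requests over TCP 443
Test-DohKnownAnswer                            # known-answer check against the RFC example
(ConvertFrom-DnsResponse -Msg $reply).Answers  # decoded answer records from the constructed reply
```

To send the request for real, add the header Accept: application/dns-message, save the raw body with Invoke-WebRequest -OutFile and feed the bytes from [IO.File]::ReadAllBytes to ConvertFrom-DnsResponse; a network capture of that exchange shows only a TLS session to port 443, which is the whole point.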

This is the simple, high-level view of DNS over HTTPS, but it’s all you really need to know from an end-user perspective. It’s a best practice to enable DNS over HTTPS when possible, which is what we’ll outline below for Windows 10.

While out of the scope of this blog, Apple has also announced DNS over HTTPS support for iOS and macOS, and Cloudflare’s 1.1.1.1 app adds encrypted DNS lookups to various mobile and desktop operating systems.

Many web browsers (ex. Firefox and Chromium-based browsers) also support DoH if you’d prefer to enable it per application rather than at the OS level. Enabling DoH in the OS, however, also covers applications that have no DoH support of their own, and name resolution has traditionally been a service the OS provides to every program rather than something each web browser implements.

How To Enable DNS over HTTPS in Windows 10

Enabling DoH in Windows 10 at the OS level covers every user and application that resolves names through the Windows DNS Client service, including all web browsers. Keep in mind that Windows 10 must be recent enough for the feature to exist: the registry method below requires Windows Insider build 19628 or higher, and the Settings > Network & Internet method requires Insider build 20185 or higher.

Enabling DoH in the Windows 10 Registry

To enable DNS over HTTPS in the Windows 10 registry (Build 19628 or higher):

  • Open Registry Editor (regedit.exe) as an administrator
  • Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  • Create a new DWORD (32-bit) value named “EnableAutoDoh” and set it to 2
  • Reboot the host
Windows 10 Registry Editor with “EnableAutoDoh” added to enable DNS over HTTPS.

You’ll then need to change your network connection’s primary and alternate DNS servers to one of the resolvers below, under your adapter’s Internet Protocol Version 4 (TCP/IPv4) properties. The list matters: with EnableAutoDoh set, Windows upgrades lookups to DoH only when the configured server IP matches a resolver on its built-in list of known DoH servers. Any other address, even one that offers DoH, keeps being queried in plaintext over port 53.

The following are currently supported for DNS over HTTPS in Windows 10:

  • Cloudflare – Primary: 1.1.1.1, Alternate: 1.0.0.1
  • Google – Primary: 8.8.8.8, Alternate: 8.8.4.4
  • Quad9 – Primary: 9.9.9.9, Alternate: 149.112.112.112
A network adapter’s “Internet Protocol Version 4 (TCP/IPv4)” properties in Windows 10, configured to use Cloudflare for DNS over HTTPS.
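As an added example (not code from the original post or from Microsoft), the following PowerShell automates the registry procedure above, from the build check through EnableAutoDoh and the resolver change, and then reports whether the host is actually in a state where lookups will be upgraded to DoH. The adapter alias Ethernet and the default provider Cloudflare are placeholders; change both to match the host. The pktmon lines in the comment are the port-53 check Microsoft suggested alongside the Insider build; option names differ in newer pktmon versions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or from Microsoft. It automates the
# registry method described above (EnableAutoDoh + a known DoH resolver) and reports the
# resulting configuration. Assumed placeholders: the adapter alias 'Ethernet' and the
# default provider 'Cloudflare'; change both to match the host.

$DohProviders = @{
    # Resolver addresses the post lists as supported for DoH auto-upgrade in Windows 10
    Cloudflare = @('1.1.1.1', '1.0.0.1')
    Google     = @('8.8.8.8', '8.8.4.4')
    Quad9      = @('9.9.9.9', '149.112.112.112')
}
$DnscacheKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

function Get-WindowsBuild {
    # CurrentBuildNumber is stored as a string such as "19628"
    [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
}

function Enable-WindowsDoH {
    param(
        [ValidateSet('Cloudflare', 'Google', 'Quad9')] [string]$Provider = 'Cloudflare',
        [string]$InterfaceAlias = 'Ethernet',
        [switch]$Reboot
    )
    $build = Get-WindowsBuild
    if ($build -lt 19628) {
        throw "Build $build predates DoH support; the registry method needs build 19628 or higher."
    }

    # Step 1: EnableAutoDoh = 2 makes the DNS Client service upgrade lookups to DoH when the
    # configured server address matches its built-in list of DoH-capable resolvers.
    New-ItemProperty -Path $DnscacheKey -Name 'EnableAutoDoh' -PropertyType DWord -Value 2 -Force | Out-Null

    # Step 2: point the adapter at a resolver from that list. Any other address, even a
    # DoH-capable one Windows does not know, keeps being queried in plaintext on port 53.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DohProviders[$Provider]

    # Step 3: the post's procedure ends with a reboot; only do it when explicitly asked.
    if ($Reboot) { Restart-Computer -Force } else { Write-Warning 'Reboot the host to complete the change.' }
}

function Test-WindowsDoH {
    # Reports the three things the registry method depends on, plus whether every configured
    # server is on the known-DoH list (if not, some lookups will still go out on port 53).
    param([string]$InterfaceAlias = 'Ethernet')
    $known   = @($DohProviders.Values | ForEach-Object { $_ })
    $servers = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses)
    $value   = (Get-ItemProperty -Path $DnscacheKey -Name 'EnableAutoDoh' -ErrorAction SilentlyContinue).EnableAutoDoh
    $unknown = @($servers | Where-Object { $_ -notin $known }).Count
    [pscustomobject]@{
        Build              = Get-WindowsBuild
        EnableAutoDoh      = $value
        DnsServers         = $servers
        AllServersKnownDoH = ($unknown -eq 0)
        ReadyForDoH        = ($value -eq 2) -and ($servers.Count -gt 0) -and ($unknown -eq 0)
    }
}

# After the reboot, confirm nothing leaves on port 53 while you resolve names. This is the
# check Microsoft suggested for Insider build 19628; option names differ in newer pktmon builds.
#   pktmon filter add -p 53
#   pktmon start --etw -m real-time
#   pktmon stop

# Apply the change and report the resulting state
Enable-WindowsDoH -Provider Cloudflare -InterfaceAlias 'Ethernet'
Test-WindowsDoH -InterfaceAlias 'Ethernet'
```

Run it from an elevated PowerShell; Get-NetAdapter lists the alias to use if the adapter is not called Ethernet. ReadyForDoH being true only says the prerequisites are in place: the post-reboot pktmon capture is what proves lookups have stopped leaving on port 53.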

Enabling DoH via the Windows 10 Settings > Network & Internet Menu

To enable DNS over HTTPS in the Settings > Network & Internet menu (Build 20185 or higher):

  • Open Settings
  • Search for and open Network status
  • Under Network status, open the Properties menu for the desired internet connection
  • Click Edit under DNS settings
  • Select the Manual option, and then specify Preferred DNS and Alternate DNS IP addresses. DoH providers currently supported by Windows 10 are:
    • Cloudflare – Primary: 1.1.1.1, Alternate: 1.0.0.1
    • Google – Primary: 8.8.8.8, Alternate: 8.8.4.4
    • Quad9 – Primary: 9.9.9.9, Alternate: 149.112.112.112
  • Select Encrypted only (DNS over HTTPS) for encryption under Preferred DNS and Alternate DNS. The “Encrypted preferred, unencrypted allowed” option falls back to plaintext port 53 whenever DoH is unavailable, which silently reintroduces the exposure described above.
  • If desired, you can configure the same for IPv6 (the previous steps were for IPv4)
Windows 10 with DNS over HTTPS enabled

Per Microsoft, “Once encryption is enabled, you can confirm it’s working by looking at the applied DNS servers in the network properties and see them labelled as ‘(Encrypted)’ servers”. That label is specific to the Settings method. For the registry method, verify instead that no lookups leave the host on port 53, for example by running a pktmon capture filtered on port 53 while you browse.

© 2021 Stealthbits Technologies, Inc.