Domain Naming System: Enabling DNS over TLS in Windows 11

Posted on Matthew By Matthew No Comments on Domain Naming System: Enabling DNS over TLS in Windows 11
DNS encryption
DoT Configuration in Windows 11

Domain Naming System over TLS, or DoT, is an encrypted DNS protocol. It is seen as a viable alternative to DNS over HTTPS. In this article, we shall discuss “Domain Naming System: Enabling DNS over TLS in Windows 11”. DNS traffic in DoH is simply another HTTPS data stream over port 443. On the other hand, DNS over TLS defines port 853 for encrypting DNS communication and allows it to operate over a TLS tunnel without the requirement for HTTP layering underneath. Please see DNS Bad key 9017: The Cluster Name registration failed of one or more associated DNS names and How to setup a cache-only DNS server.

This enhances DoT and makes it stronger than DoH. It uses TLS encryption over UDP, or Use Datagram Protocol, which is a low-latency communication protocol. Not only that, but it also assures that no undesired changes are made to DNS queries as a result of on-path attacks.

Microsoft is aware of DoT’s capabilities and is planning to incorporate them into its operating system. As a result, Windows 11 now allows users to try DoT, so let’s look at how you can activate it.

It is currently available in Windows Insider Builds but is expected to roll out to Windows Stable versions soon.

Also, see Upgrade Driver Automation Tool: Windows Driver Management, How to Disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows Using GPO, and Domain Name System Protocol: Client Registration Issue.

How to Enable Domain Naming System over TLS in Windows 11

In Windows 11, enabling DNS over TLS involves two steps:

  • Set DoT-providing DNS resolver as the main and the sole resolver.
  • Run CMD Commands to enable DoT.

Let’s discuss each of these steps in turn. Other related guides on DNS: A-Z of Domain Name System: All you need to know about DNSHow to disable Lock Screen on Windows 10 via Local Group Policy EditorDomain Name System: How to create a DNS record

1. Set DoT-providing DNS resolver as the main and the sole resolver

First, we must change Windows settings to make the DoT-provided Domain Naming System resolver the primary one. To do this, follow these steps.

Press Win + I key together to open Settings and click on Network & internet. Select Wi-Fi or Ethernet, based on the network you are currently using. Then click on Properties.

DNS security
Network & Internet Settings on Windows.

Go to DNS server assignmentand click on Edit.

DNS configuration
Windows Settings: Network & Internet

Select Manual in the drop-down menu and enable IPv4 and/or IPv6.

DNS privacy
Windows Settings: DNS Configuration

In the Preferred DNS box, enter the IP of the DoT server. Make sure that <resolver-IP-address> (Unencrypted) appears on the “IPv4 DNS servers:” row.

Let’s go on to the next and last step after you have made the necessary adjustments to your settings.

Here are some exciting articles: Check .NET Framework version on Windows, and Batch rename multiple files on Windows

2. Activate DoT Using the CMD Commands

Let us enable DoT using certain commands after we have verified the resolver IP address. To do so, click the Windows key to open the Start menu, launch Command Prompt as an administrator.

DNS encryption
Command Prompt

Run the following commands.

1. netsh dns add global dot=yes
2. netsh dns add encryption server=<DNS-resolver-IP> dothost=: autoupgrade=yes
3. ipconfig /flushdns
image5
Enabling DoT in Command Prompt

This way, DoT or DNS over TLS will be enabled.

How to check if Domain Naming System over TLS is working or not?

We need to run a few commands to see if DNS over TLS is functioning. So, launch Command Prompt in elevated or administrator mode and execute the following command.

netsh dns show global

The output should show that DoT is enabled. If it’s not stating anything like that, try the following command.

netsh dns add global dot=yes

Finally, you can check the specific DNS server’s DoT settings as follows:

netsh dns show encryption

Your DoT is working if the output for your resolver IP indicates that auto-upgrade is set to yes and UDP fallback is set to no. You should review your setup if not. If you do that, DoT should start working. 

Conclusion on Domain Naming System

In addition to DNS over HTTPS, Microsoft supports a second encrypted DNS protocol with DNS over TLS in Windows 11.

Your decision will rely on your specific needs. Whether administrators wish to isolate DNS traffic or prefer a normal HTTPS port connection is a crucial consideration in this choice.

I hope you found this article useful on “Domain Naming System: Enabling DNS over TLS in Windows 11”. Please feel free to leave a comment below.

Rate this post
Network | Monitoring, Windows Tags:, ,

Related Posts

More Related Articles

banner 4 How to Install Windows on VMware Workstation Windows
any Install AnyDesk on Windows for remote Connections Windows
screenshot 2020 04 22 at 23.28.23 Remove saved RDP connections in Windows Windows
Windows 11 How to Change the Lock Screen Wallpaper in Windows 11 Network | Monitoring
MBAM report errors Understanding MBAM compliance state and error status Windows
Screenshot 1 Using IBM Library with Veeam Network | Monitoring

Leave a Reply