DNS over TLS, also known as DoT, is an encrypted DNS protocol and is seen as a viable alternative to DNS over HTTPS (DoH). In DoH, DNS traffic is simply another HTTPS data stream over port 443. DNS over TLS, on the other hand, uses its own port, 853, and carries DNS directly inside a TLS tunnel without an HTTP layer underneath. Dropping the HTTP layer is what gives DoT its edge over DoH.
It uses TLS encryption over UDP, or User Datagram Protocol, a low-latency communication protocol. It also ensures that DNS queries cannot be tampered with by on-path attackers.
Microsoft is aware of DoT’s capabilities and is planning to incorporate them into its operating system. As a result, Windows 11 now allows users to try DoT, so let’s look at how you can activate it.
It is currently available in Windows Insider Builds but is expected to roll out to Windows Stable versions soon.
How to Enable DNS over TLS in Windows 11
In Windows 11, enabling DNS over TLS involves two steps:
- Set DoT-providing DNS resolver as the main and the sole resolver.
- Run CMD Commands to enable DoT.
Let’s discuss each of these steps in turn.
1. Set DoT-providing DNS resolver as the main and the sole resolver
First, we must change the Windows settings to make the DoT-providing DNS resolver the primary one. To do this, follow these steps.
- Press Win + I together to open Settings and click on Network & internet.
- Select Wi-Fi or Ethernet, depending on the network you are currently using. Then click on Properties.
- Go to DNS server assignment and click on Edit.
- Select Manual in the drop-down menu and enable IPv4 and/or IPv6.
- In the Preferred DNS box, enter the IP of the DoT server. Make sure that <resolver-IP-address> (Unencrypted) appears on the “IPv4 DNS servers:” row.
Let’s go on to the next and last step after you have made the necessary adjustments to your settings.
2. Activate DoT Using the CMD Commands
Now that the resolver IP address is in place, we enable DoT with a few commands. Press the Windows key to open the Start menu and launch Command Prompt as an administrator.
Run the following commands.
1. netsh dns add global dot=yes
2. netsh dns add encryption server=<DNS-resolver-IP> dothost=: autoupgrade=yes
3. ipconfig /flushdns
This way, DoT or DNS over TLS will be enabled.
How to check if DNS over TLS is working or not?
We need to run a few commands to see if DNS over TLS is functioning. So, launch Command Prompt in elevated or administrator mode and execute the following command.
netsh dns show global
The output should show that DoT is enabled. If it does not, run the following command and check again.
netsh dns add global dot=yes
Finally, you can check the specific DNS server’s DoT settings as follows:
netsh dns show encryption
DoT is working if the output for your resolver IP shows auto-upgrade set to yes and UDP fallback set to no. If not, review your setup; once it is corrected, DoT should start working.
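The enable and verify procedure above (steps 1-3 plus the netsh checks) as one PowerShell script. This is an added example, not code from the original article or from Microsoft: the resolver IP is a placeholder, the udpfallback=no flag is included so the client ends up in the state the check above expects, the server= filter on netsh dns show encryption and the output labels matched by the regexes are assumptions, so the parsing is deliberately tolerant.

```powershell
# Added example: enable DoT on Windows 11 with netsh and verify the result.
param(
    [string]$Resolver = '<DNS-resolver-IP>'   # placeholder: your DoT resolver's IP
)

# netsh dns changes need an elevated session.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (administrator) PowerShell session.' }

# Pre-check: DoT listens on TCP/853. If this fails the resolver is unreachable or a firewall
# blocks the port, and enabling DoT with UDP fallback off would leave the client with no working DNS.
$reach = Test-NetConnection -ComputerName $Resolver -Port 853 -WarningAction SilentlyContinue
if (-not $reach.TcpTestSucceeded) {
    throw "TCP/853 to $Resolver is not reachable; fix connectivity before enabling DoT."
}

# Steps 1-3 from the article. udpfallback=no stops the client from silently downgrading
# to plaintext UDP when the TLS session fails (this is the state the article's check expects).
netsh dns add global dot=yes | Out-Null
netsh dns add encryption server=$Resolver 'dothost=:' autoupgrade=yes udpfallback=no | Out-Null
ipconfig /flushdns | Out-Null

# Pull one "Label : value" field out of netsh output; returns $null if the label is absent.
function Get-Setting([string[]]$Lines, [string]$Pattern) {
    $m = $Lines | Select-String -Pattern $Pattern | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value.Trim().ToLower() }
    return $null
}

$globalOut = netsh dns show global
$serverOut = netsh dns show encryption server=$Resolver   # assumed: per-server filter

# Label regexes are assumptions; they accept hyphen/space variants of the netsh labels.
$dot      = Get-Setting $globalOut '(?i)(?:\bdot\b|dns[- ]over[- ]tls)[^:=]*[:=]\s*(\w+)'
$upgrade  = Get-Setting $serverOut '(?i)auto[- ]?upgrade\s*:\s*(\w+)'
$fallback = Get-Setting $serverOut '(?i)udp[- ]?fallback\s*:\s*(\w+)'

$ok = ($dot -in 'yes','enabled') -and ($upgrade -eq 'yes') -and ($fallback -eq 'no')
"DoT global   : $dot"
"Auto-upgrade : $upgrade"
"UDP fallback : $fallback"
if ($ok) { 'DoT is configured as expected.' }
else     { Write-Warning 'DoT settings differ from the expected yes / yes / no; review the output above.' }
```

If the final warning fires, compare the printed values against the netsh output directly, since a changed label format in a newer build would show up as a $null field rather than a wrong one.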
Conclusion
In addition to DNS over HTTPS, Microsoft supports a second encrypted DNS protocol in Windows 11 with DNS over TLS. Which one you choose depends on your needs: whether administrators want DNS traffic on its own dedicated port (853) or prefer it to blend in with normal HTTPS traffic on port 443 is the key consideration.