How to Pin a Specific DNS-over-HTTPS Server in Windows 11 Settings

Quick fix: Open Settings → Network & internet → (your connection) → Edit DNS server assignment, change to Manual, enter the DoH-aware IP, then set DNS over HTTPS to On (manual template) and paste the provider’s DoH URL. Most-used templates: Cloudflare https://cloudflare-dns.com/dns-query, Quad9 https://dns.quad9.net/dns-query, NextDNS https://dns.nextdns.io/<config>.

Windows 11 supports DNS over HTTPS natively, but the UI hides it behind the standard DNS settings. The trick is that the IP you put in and the DoH URL have to agree on the same provider — or Windows uses one for resolution and the other gets ignored. For users who want to use a specific DoH provider (privacy, ad blocking, malware filtering), pinning both sides explicitly is the right move.

Symptom: You want to use a specific DNS-over-HTTPS server (Cloudflare, Quad9, NextDNS, AdGuard, custom) on Windows 11.
Affects: Windows 11 (any edition), version 21H2 or later.
Fix time: 5 minutes per network.

How DoH works in Windows 11

Windows’ DoH client uses the configured DNS server IP to dispatch queries, but instead of plain DNS-over-UDP/53, it wraps them in HTTPS to a known template URL. The template either comes from a built-in well-known list (Cloudflare, Google, Quad9 all ship with auto-detected templates) or from a manual template you set. If you use a non-default IP and don’t set the template, Windows falls back to plain DNS — defeating the point.

The Settings UI exposes both knobs, but only if you change to Manual mode first.

Method 1: Pin a well-known DoH server (Cloudflare, Quad9, Google)

  1. Open Settings → Network & internet. Click the connection you’re using (Wi-Fi or Ethernet).
  2. Click the network name (under Wi-Fi) or Hardware properties (Ethernet).
  3. Scroll to DNS server assignment and click Edit.
  4. Change to Manual. Toggle IPv4 on.
  5. Enter Preferred DNS — choose one:

      Cloudflare: 1.1.1.1 and 1.0.0.1

      Quad9: 9.9.9.9 and 149.112.112.112

      Google: 8.8.8.8 and 8.8.4.4
  6. Set DNS over HTTPS to On (automatic template). Windows looks up the well-known template for the IP.
  7. Save. The Status row should now read Encrypted for both IPv4 entries.

For these three providers, automatic template works because Windows ships their well-known DoH URLs.

Method 2: Pin a custom DoH server with manual template

For NextDNS, AdGuard, ControlD, or your own DoH endpoint, use the manual template form.

  1. Open the same DNS edit dialog as Method 1.
  2. Set DNS over HTTPS to On (manual template).
  3. Enter the DoH URL exactly as your provider gives it. Examples:

      NextDNS: https://dns.nextdns.io/abc123 (your config ID)

      AdGuard: https://dns.adguard-dns.com/dns-query

      ControlD: https://dns.controld.com/free-p1
  4. Set the matching server IP for the provider in the IP field.
  5. Save.

Without the IP, Windows won’t know where to send the first query (DNS bootstrap is needed before the DoH URL can resolve). Most DoH providers publish both an IP and a URL on their setup pages.

Method 3: Add a custom DoH template via PowerShell

For users who want to pin a DoH server that isn’t in Windows’ well-known list, add it to the system DoH template registry.

  1. Open PowerShell as Administrator.
  2. Run:

    Add-DnsClientDohServerAddress -ServerAddress "94.140.14.14" -DohTemplate "https://dns.adguard-dns.com/dns-query" -AllowFallbackToUdp $False -AutoUpgrade $True
  3. Verify with Get-DnsClientDohServerAddress. The new IP appears with the template.
  4. In Settings, set DNS over HTTPS to On (automatic template) with the matching IP — Windows now finds the template you registered.

The PowerShell registration is machine-wide. Multiple users on the PC all benefit. It survives reboots and Windows feature updates.
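
The IP-to-template pairing described above can be audited in one pass. The following is an added example, not part of the original article: the function name Get-DohPairingReport and its finding labels are hypothetical, and it uses only the Get-DnsClientServerAddress and Get-DnsClientDohServerAddress cmdlets. It reads only the machine-wide template list, so treat NoTemplateRegistered as a prompt to check the connection's own DNS over HTTPS setting in Settings.

```powershell
# Added example: audit the IP/template pairing this article describes.
# Read-only; run in PowerShell on Windows 11. Function name is hypothetical.
function Get-DohPairingReport {
    [CmdletBinding()]
    param(
        # Optional DoH URL you expect every configured resolver to map to.
        [string]$ExpectedTemplate
    )

    # Machine-wide IP -> template list (built-in entries plus anything added
    # with Add-DnsClientDohServerAddress), indexed by server IP.
    $templates = @{}
    foreach ($entry in Get-DnsClientDohServerAddress) {
        $templates[$entry.ServerAddress] = $entry
    }

    # Every IPv4 DNS server configured on an interface.
    foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($ip in $iface.ServerAddresses) {
            $entry = $templates[$ip]
            $finding = if (-not $entry) {
                'NoTemplateRegistered'      # no machine-wide template for this IP
            } elseif ($ExpectedTemplate -and $entry.DohTemplate -cne $ExpectedTemplate) {
                'TemplateMismatch'          # IP is paired with a different URL
            } elseif ($entry.AllowFallbackToUdp) {
                'PlaintextFallbackAllowed'  # fallback to unencrypted DNS is permitted
            } else {
                'Paired'
            }
            [pscustomobject]@{
                Interface   = $iface.InterfaceAlias
                Server      = $ip
                DohTemplate = if ($entry) { $entry.DohTemplate } else { $null }
                Finding     = $finding
            }
        }
    }
}

# Template value taken from the Method 3 command above.
Get-DohPairingReport -ExpectedTemplate 'https://dns.adguard-dns.com/dns-query' |
    Format-Table -AutoSize
```

The template comparison uses -cne so that a URL differing only in letter case is reported as a mismatch.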

How to verify the fix worked

  • In Settings → Network DNS, the row reads Encrypted (…) under each server IP.
  • Run Resolve-DnsName -Name wisechecker.com -Type A -DnsOnly in PowerShell. The answer comes back with normal latency.
  • Visit https://1.1.1.1/help in a browser. The page reports Connected to 1.1.1.1: Yes and Connected to 1.1.1.1 using DNS over HTTPS (DoH): Yes.
  • Run a packet capture with pktmon — outbound traffic on port 853 (DoT) should be absent; port 443 to your DoH provider should be present.

If none of these work

If the row still says Unencrypted, the DoH template didn’t register — double-check that the URL matches exactly (case-sensitive). For corporate networks with deep packet inspection, the firewall may break the TLS handshake to 1.1.1.1; coordinate with IT to allow your chosen DoH endpoint. For VPN connections, Windows uses the VPN’s DNS by default — your DoH settings on the underlying connection won’t apply unless you configure the VPN profile to use the same settings.

Bottom line: Native DoH on Windows 11 is solid — the trick is pairing the right IP with the right template. For built-in providers (Cloudflare, Quad9, Google), automatic template handles it. For everything else, manual template + Add-DnsClientDohServerAddress is the right toolchain.
