Why DNS Over HTTPS Sometimes Fails on Windows 11

Quick fix: DNS over HTTPS (DoH) requires a DNS server that supports DoH (Cloudflare, Google, Quad9). Go to Settings → Network & internet → pick the connection → DNS server assignment → Edit. Pick Encrypted only (DNS over HTTPS) and verify that the DNS server is DoH-capable (e.g., 1.1.1.1, 8.8.8.8). If the DoH server is not responding, switch to an alternate (Cloudflare 1.0.0.1 or Quad9 9.9.9.9).

DoH encrypts DNS queries. It fails when the DNS server doesn’t support DoH, the network blocks port 443 to DoH endpoints, or a captive portal interferes. Fall back to an alternate DoH provider or disable DoH.

Symptom: DNS over HTTPS sometimes fails on Windows 11.
Affects: Windows 11.
Fix time: ~10 minutes.

What causes this

DoH (DNS over HTTPS) encrypts DNS queries. Failures come from:

  • The DNS server not supporting DoH (rare for major providers).
  • A network firewall blocking DoH endpoints.
  • A captive portal needing port 53 (unencrypted).
  • A temporary outage of a specific DNS server.
  • A mismatched IP address / certificate.

Method 1: Switch DoH provider

The standard route.

  1. Open Settings → Network & internet → pick Wi-Fi / Ethernet.
  2. Click DNS server assignment → Edit.
  3. Select Manual DNS settings.
  4. Preferred DNS: 1.1.1.1 (Cloudflare).
  5. Select Encrypted only.
  6. Alternate DNS: 1.0.0.1.
  7. Click OK.
  8. For Google: 8.8.8.8 / 8.8.4.4.
  9. For Quad9: 9.9.9.9 / 149.112.112.112.
  10. For OpenDNS: 208.67.222.222 / 208.67.220.220.
  11. Test: run nslookup google.com. It should resolve.

This is the standard fix.

Method 2: Disable DoH temporarily for testing

For diagnosis.

  1. Settings → Network & internet → pick connection → DNS server assignment → Edit.
  2. Change Encrypted only to Unencrypted preferred, encrypted only when possible or Unencrypted only.
  3. Save.
  4. Test: if it works now, DoH is the issue.
  5. For captive portal scenarios: temporarily disable DoH, sign in to the portal, then re-enable it.
  6. For chronic failures: use the Cloudflare 1.1.1.1 app, which handles DoH at the app level.
  7. For corporate networks blocking DoH: contact IT.

This is the diagnostic.

Method 3: Configure DoH per-app

For browser-only DoH.

  1. If system DoH is unreliable, use browser-level DoH instead.
  2. Edge: edge://settings/privacy → Security → Use secure DNS. Pick a custom DNS provider.
  3. Chrome / Brave: chrome://settings/security → Secure DNS.
  4. Firefox: Settings → Privacy & Security → Network Settings → Enable DNS over HTTPS.
  5. Browser-level DoH works even when system DoH fails.
  6. For chronic system DoH issues with working browser DoH: leave the system at default (auto) and use browser DoH.
  7. For a VPN with its own DNS: the VPN handles DNS, so system DoH may not matter.

This is the per-app route.

How to verify the fix worked

  • Browsing works.
  • nslookup google.com resolves.
  • Settings shows DoH active for connection.
  • Test at cloudflare.com/ssl/encrypted-sni/ — shows if DNS is encrypted.
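
The failure causes listed under "What causes this" can also be checked from PowerShell. The script below is an added example, not part of the original article; it uses cmdlets built into Windows 11, and the test hostname example.com is an assumption.

```powershell
# Added example, not from the original article. Read-only except for the cache flush.
$testName = 'example.com'   # assumption: any public hostname works here

# Servers for which Windows has a DoH template registered
$dohKnown = Get-DnsClientDohServerAddress

# DNS servers configured on adapters that are currently up
$upIdx   = (Get-NetAdapter | Where-Object Status -eq 'Up').ifIndex
$servers = Get-DnsClientServerAddress |
    Where-Object { $_.InterfaceIndex -in $upIdx } |
    ForEach-Object { $_.ServerAddresses } |
    Sort-Object -Unique

$report = foreach ($ip in $servers) {
    $entry = $dohKnown | Where-Object ServerAddress -eq $ip | Select-Object -First 1
    # DoH runs over HTTPS, so the server must be reachable on TCP 443
    $tcp = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue

    $finding = if (-not $entry) {
        'No DoH template registered in Windows for this server'
    } elseif (-not $tcp.TcpTestSucceeded) {
        'TCP 443 unreachable: firewall, captive portal or server outage'
    } else {
        'DoH-capable and reachable'
    }

    [pscustomobject]@{
        Server        = $ip
        DohTemplate   = $entry.DohTemplate          # empty when no template exists
        FallbackToUdp = $entry.AllowFallbackToUdp   # True means plain DNS may still be used
        Tcp443        = $tcp.TcpTestSucceeded
        Finding       = $finding
    }
}
$report | Format-Table -AutoSize -Wrap

# Resolve through the Windows DNS Client service with an empty cache,
# so the answer reflects the current DNS settings rather than a cached record.
Clear-DnsClientCache
try {
    Resolve-DnsName -Name $testName -Type A -DnsOnly -ErrorAction Stop |
        Select-Object Name, Type, IPAddress
} catch {
    Write-Warning "System resolver failed for ${testName}: $($_.Exception.Message)"
}
```

Resolve-DnsName goes through the Windows DNS Client service, whereas nslookup sends its own queries directly to the server, so a successful nslookup alone does not show that encrypted resolution works.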

If none of these work

  • Chronic failures (network MTU / proxy): corporate networks may have a specific configuration. Use IT-approved DNS.
  • A specific app fails while DNS works: this is not a DNS issue but some other network problem.
  • Wi-Fi captive portals: temporarily disable DoH, sign in, re-enable.
  • Chronic IPv6 + DoH issues: disable IPv6 temporarily.
  • Specific Windows 11 builds have known DoH bugs: update to the latest build.
  • Last resort: don’t use DoH. Regular DNS (port 53) usually works, at the cost of privacy, since queries are then unencrypted.

Bottom line: Settings → Network & internet → DNS → pick a DoH-capable provider (Cloudflare 1.1.1.1, Quad9 9.9.9.9). For chronic failures: switch provider or use browser-level DoH instead of system DoH.
