How to Enable DNS Over HTTPS With a Custom Resolver on Windows 11

DNS over HTTPS encrypts your DNS queries to prevent eavesdropping and tampering by your internet service provider or attackers on your network. Windows 11 includes a built-in option to enable DoH for all network connections, and you can specify any custom resolver such as Cloudflare 1.1.1.1, Google Public DNS, or Quad9. By default, Windows uses your ISP-assigned DNS servers without encryption. This article shows you exactly how to configure a custom DoH resolver using the Settings app, Control Panel, and PowerShell so your DNS traffic stays private.

Key Takeaways: Enabling DNS Over HTTPS With a Custom Resolver

  • Settings > Network & internet > Wi-Fi or Ethernet > Hardware properties > DNS server assignment > Edit: Opens the dialog to switch from automatic to manual DNS and enable DoH.
  • Control Panel > Network and Sharing Center > Change adapter settings > Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties: Alternative method to set DNS servers and enable DoH encryption on Windows 11.
  • PowerShell command Set-DnsClientServerAddress -InterfaceIndex (Get-NetAdapter).ifIndex -ServerAddresses ('1.1.1.1','1.0.0.1'): Applies custom DNS servers via command line; requires additional registry edits to enforce DoH.

What DNS Over HTTPS Does on Windows 11

DNS over HTTPS encrypts the DNS lookup using the HTTPS protocol on port 443. Standard DNS sends unencrypted queries on port 53, which any device on your local network or your ISP can read. DoH wraps each query inside a TLS-encrypted HTTP request. The resolver decrypts the request, performs the lookup, and sends the encrypted response back to your PC.

Windows 11 supports DoH natively starting with version 22H2. The feature works with both IPv4 and IPv6 addresses. You must use a resolver that supports DoH. Most public resolvers list their DoH endpoint URLs. For example, Cloudflare uses https://cloudflare-dns.com/dns-query and Google uses https://dns.google/dns-query.

Before you start, make sure your Windows 11 is updated to version 22H2 or newer. To verify, go to Settings > System > About. Under Windows specifications, check the version number. If it is lower than 22H2, run Windows Update and install the latest feature update.

How to Enable DoH With a Custom Resolver Using Settings

  1. Open network settings
    Press the Windows key and type Settings. Press Enter. Go to Network & internet. Choose either Wi-Fi or Ethernet, depending on your active connection.
  2. View hardware properties
    Click Hardware properties for your current network adapter. Look for the section labeled DNS server assignment.
  3. Edit DNS settings
    Click the Edit button next to DNS server assignment. A dialog named Edit DNS settings opens.
  4. Select manual DNS
    In the dropdown, change Automatic to Manual. Toggle IPv4 or IPv6 to On.
  5. Enter custom resolver addresses
    In the Preferred DNS field, type the primary address of your chosen resolver. For Cloudflare, type 1.1.1.1. In the Alternate DNS field, type the secondary address. For Cloudflare, type 1.0.0.1.
  6. Enable DNS over HTTPS
    Below each DNS field, open the dropdown labeled DNS over HTTPS. Select On (automatic template). This tells Windows to use the resolver’s default DoH template. Alternatively, choose On (manual template) and enter the resolver’s DoH URL. For Cloudflare, the URL is https://cloudflare-dns.com/dns-query.
  7. Save and test
    Click Save. Open a browser and visit a test site such as https://1.1.1.1/help to confirm DoH is active. The page shows whether your DNS is encrypted.

How to Enable DoH With a Custom Resolver Using Control Panel

  1. Open Network Connections
    Press the Windows key, type Control Panel, and press Enter. Go to Network and Sharing Center. On the left, click Change adapter settings.
  2. Open adapter properties
    Right-click your active network adapter and select Properties. If prompted by User Account Control, click Yes.
  3. Select Internet Protocol Version 4
    In the list, find Internet Protocol Version 4 (TCP/IPv4). Click it to highlight, then click Properties.
  4. Set custom DNS addresses
    Select Use the following DNS server addresses. Enter the preferred and alternate DNS addresses. For Quad9, use 9.9.9.9 and 149.112.112.112.
  5. Enable DoH via the Advanced button
    Click Advanced at the bottom right. Go to the DNS tab. The DNS suffix and NetBIOS settings are not needed for DoH. Click OK to close Advanced. Back in the Properties window, click OK to apply.
  6. Verify DoH is active
    Open a command prompt and run ipconfig /all. Look for the DNS Suffix Search List section. The DNS servers listed should match what you entered. Use the resolver’s test page to confirm encryption.

The Control Panel method does not expose the DoH toggle directly. Windows 11 automatically attempts DoH with resolvers that support it when you set manual DNS addresses. However, the Settings method is more reliable for enforcing encryption.

How to Enable DoH With a Custom Resolver Using PowerShell

  1. Open PowerShell as administrator
    Press the Windows key, type PowerShell. Right-click Windows PowerShell and select Run as administrator. Click Yes when prompted.
  2. Get your interface index
    Run the command Get-NetAdapter | Select-Object Name, ifIndex, Status. Note the ifIndex number for your active network adapter.
  3. Set custom DNS servers
    Run the command Set-DnsClientServerAddress -InterfaceIndex X -ServerAddresses ('1.1.1.1','1.0.0.1') replacing X with your interface index. For Google DNS, use ('8.8.8.8','8.8.4.4').
  4. Enable DoH via registry
    DoH encryption is not enabled by default when using PowerShell. Open Registry Editor by pressing the Windows key, typing regedit, and pressing Enter. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters. Create a new DWORD (32-bit) value named EnableAutoDoh. Set its value to 2. This enables DoH for any resolver that supports it.
  5. Restart the DNS Client service
    In the same PowerShell window, run Restart-Service -Name Dnscache. Then run ipconfig /flushdns to clear the cache.
  6. Verify DoH
    Run Get-DnsClientServerAddress to confirm the DNS servers are set. Open a browser and visit the resolver’s test page.
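
Steps 2 through 6 above as a single elevated script (an added example, not part of the original article). It uses the Cloudflare addresses and the EnableAutoDoh value from the steps; limiting the change to connected physical adapters and the Get-DnsClientDohServerAddress check are assumptions of this example, the latter being a Windows 11 cmdlet the article does not mention.

```powershell
#Requires -RunAsAdministrator
# Added example: steps 2-6 of the PowerShell method in one script.
$servers = '1.1.1.1', '1.0.0.1'   # resolver addresses from step 3
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

# Step 2: select connected physical adapters (assumption: skip virtual/VPN ones).
$adapters = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
if ($adapters.Count -eq 0) { throw 'No connected physical adapter found.' }

# Step 3: set the custom resolver on each selected interface.
foreach ($a in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $servers
}

# Step 4: create or overwrite the EnableAutoDoh DWORD with the value 2.
New-ItemProperty -Path $regPath -Name 'EnableAutoDoh' -PropertyType DWord `
    -Value 2 -Force | Out-Null

# Step 5: restart the DNS Client service and clear the cache. If Windows
# refuses to stop the service, a reboot restarts it instead.
try   { Restart-Service -Name Dnscache -Force -ErrorAction Stop }
catch { Write-Warning "Dnscache not restarted: $($_.Exception.Message). Reboot to apply." }
Clear-DnsClientCache   # cmdlet equivalent of ipconfig /flushdns

# Step 6: report what each adapter uses now, and whether Windows holds a
# DoH template for the configured server addresses.
$known = @(Get-DnsClientDohServerAddress | Select-Object -ExpandProperty ServerAddress)
foreach ($a in $adapters) {
    $current = @((Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex `
                  -AddressFamily IPv4).ServerAddresses)
    [pscustomobject]@{
        Adapter        = $a.Name
        IfIndex        = $a.ifIndex
        DnsServers     = $current -join ', '
        MatchesRequest = ($current -join ',') -eq ($servers -join ',')
        DohTemplateFor = ($current | Where-Object { $known -contains $_ }) -join ', '
    }
}
```

MatchesRequest confirms only the server addresses; whether queries are actually encrypted still needs the resolver's test page from step 6.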

Common Mistakes and Limitations With DNS Over HTTPS on Windows 11

DoH does not activate after setting custom DNS in Settings

If you selected On (automatic template) but DoH still shows as inactive on the test page, the resolver may not support automatic template detection. Switch to On (manual template) and enter the exact DoH URL for your resolver. Common URLs include https://cloudflare-dns.com/dns-query for Cloudflare, https://dns.google/dns-query for Google, and https://dns.quad9.net/dns-query for Quad9.

DoH breaks after a network change

When you switch Wi-Fi networks or connect to a VPN, Windows may revert to automatic DNS. After connecting to a new network, go back to Settings > Network & internet and verify that the DNS server assignment is still set to Manual with DoH enabled. VPN connections may override DNS settings. Check your VPN client’s settings to allow custom DNS or disable DNS leak protection if it blocks DoH.

PowerShell method does not persist after reboot

The Set-DnsClientServerAddress command applies settings to the current network adapter. If you connect to a different network, the settings do not carry over. Use the Settings method for a per-network configuration. The registry key EnableAutoDoh persists across reboots but only works if a DoH-capable resolver is already set via another method.

Corporate networks block DoH traffic

Some enterprise networks block outbound HTTPS traffic to unknown DNS endpoints. If you cannot reach the DoH URL, contact your network administrator. You can test by running curl https://cloudflare-dns.com/dns-query in a command prompt. If the command fails, the network is blocking the endpoint. Use a different resolver or disable DoH to use the corporate DNS.
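
A stricter version of the reachability test above, added here as an example and not taken from the original article: it sends one RFC 8484 query to each DoH URL the article lists and checks that a DNS response comes back. The function name Test-DohEndpoint and the probe name example.com are choices of this example.

```powershell
# Added example: RFC 8484 GET probe of a DoH endpoint.
function Test-DohEndpoint {
    param(
        [Parameter(Mandatory)][string]$Template,  # DoH URL to probe
        [string]$Name = 'example.com'             # name to resolve (constructed sample)
    )
    # DNS query in wire format: 12-byte header, QNAME, QTYPE=A, QCLASS=IN.
    $q = [System.Collections.Generic.List[byte]]::new()
    $q.AddRange([byte[]](0,0, 1,0, 0,1, 0,0, 0,0, 0,0))   # ID=0, RD=1, QDCOUNT=1
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $enc = [Text.Encoding]::ASCII.GetBytes($label)
        $q.Add([byte]$enc.Length)                          # length-prefixed label
        $q.AddRange([byte[]]$enc)
    }
    $q.AddRange([byte[]](0, 0,1, 0,1))                     # root, QTYPE=1, QCLASS=1

    # RFC 8484: the message travels base64url-encoded, without padding, in ?dns=
    $b64 = [Convert]::ToBase64String($q.ToArray()).TrimEnd('=').Replace('+','-').Replace('/','_')
    try {
        $r = Invoke-WebRequest -Uri ($Template + '?dns=' + $b64) -UseBasicParsing `
             -Headers @{ Accept = 'application/dns-message' } -TimeoutSec 10
    } catch {
        # TLS failure, block page, proxy denial, HTTP error, or timeout.
        return [pscustomobject]@{ Template = $Template; Reachable = $false
                                  Rcode = $null; Answers = $null
                                  Detail = $_.Exception.Message }
    }
    $m = $r.RawContentStream.ToArray()
    # A real DoH answer is a DNS message with the QR (response) bit set.
    $isDns = $m.Length -ge 12 -and ($m[2] -band 0x80)
    [pscustomobject]@{
        Template  = $Template
        Reachable = [bool]$isDns
        Rcode     = if ($isDns) { $m[3] -band 0x0F } else { $null }
        Answers   = if ($isDns) { ([int]$m[6] -shl 8) -bor $m[7] } else { $null }
        Detail    = "HTTP $($r.StatusCode), $($r.Headers['Content-Type'])"
    }
}

# The three DoH URLs named in this article.
'https://cloudflare-dns.com/dns-query', 'https://dns.google/dns-query',
'https://dns.quad9.net/dns-query' | ForEach-Object { Test-DohEndpoint -Template $_ }
```

Rcode 0 with at least one answer shows the endpoint is answering DoH queries. Reachable = False with a certificate or HTTP error in Detail points to blocking or interception on the network path.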

Settings Method vs PowerShell Method for DoH Configuration

| Item | Settings Method | PowerShell Method |
| --- | --- | --- |
| User interface | Graphical, step-by-step dialogs | Command line only |
| DoH encryption | Explicit toggle with automatic or manual template | Requires registry edit to enable DoH |
| Per-network persistence | Settings apply to the current network only | Settings apply to the current network only |
| Scriptable | No | Yes, can be automated in batch scripts |
| Error feedback | Visual confirmation of saved settings | No confirmation unless you run verification commands |

DNS over HTTPS with a custom resolver is now active on your Windows 11 PC. Use the Settings method for the most reliable and straightforward configuration. If you manage multiple machines, the PowerShell method with the EnableAutoDoh registry key allows automated deployment. Test your setup periodically by visiting the resolver’s help page or using a command like nslookup example.com 1.1.1.1 to confirm the response comes from your chosen resolver. For advanced users, consider switching to a resolver that also blocks malware domains, such as Cloudflare 1.1.1.2 or Quad9.
