• Re: Privacy Tutorial: Setting up system-wide DoH for the 1st time on Wi

    From Marion@3:633/280.2 to All on Tue Aug 19 20:25:24 2025
    Subject: Re: Privacy Tutorial: Setting up system-wide DoH for the 1st time on Windows

    How to check for a DNS leak from the Windows command line

    You can get clues about a DNS leak using nslookup, or curl,
    but neither performs a full DNS leak test on its own.
    curl ipinfo.io/ip
    curl https://api64.ipify.org
    curl icanhazip.com
    nslookup ipinfo.io
    etc.

    Everyone is likely aware how easy it is to check for DNS leaks using a web browser, but since I have some SOCKS5-proxified web browsers, I needed to compare DNS leak results between the overall system & those proxified apps.

    This is one of the many standard browser-based DNS leak tests:
    1. Go to <https://www.dnsleaktest.com> in your web browser
    2. Click the [Standard Test] or [Extended Test] button
    3. If the shown DNS servers are from your VPN, you're likely good to go;
    however, if you see your ISP's DNS, that's perhaps likely a leak.

    Looking up how to test for DNS leaks from the command line, I found this:
    1. Download the 'dnsleaktest' Windows binary
    <https://github.com/macvk/dnsleaktest>
    <https://github.com/macvk/dnsleaktest/releases/download/v1.3/dnsleaktest.exe>
    Name: dnsleaktest.exe
    Size: 5336576 bytes (5211 KiB)
    SHA256: 7BD8DC8505FCB498A91C24471995EE6DF6DC491283BD1571C9D67B3ED0C9F847

    2. Run "dnsleaktest.exe" from the Windows command line.
    C:\> dnsleaktest.exe

    3. That will show your external IP and the DNS servers your system
    is using. If those DNS servers belong to your ISP or are outside
    your VPN, you've perhaps got a leak.

    --- MBSE BBS v1.1.2 (Linux-x86_64)
    * Origin: BWH Usenet Archive (https://usenet.blueworldho (3:633/280.2@fidonet)
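Step 3 of the post above comes down to comparing the resolvers a leak test reports against the ones you expect to see. The following PowerShell is an added example, not part of the original post: it flags any reported resolver that falls outside an allow-list of addresses or CIDR ranges. `Test-InCidr` and `Get-ResolverVerdict` are hypothetical helper names, and every address is constructed from documentation ranges.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# All addresses below are constructed (RFC 5737 / RFC 3849 documentation ranges).

function Test-InCidr ([string]$Ip, [string]$Cidr) {
    $net, $len = $Cidr -split '/'
    $a = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($a.Length -ne $n.Length) { return $false }          # IPv4 never matches IPv6
    $bits = if ($len) { [int]$len } else { 8 * $n.Length }  # bare address = exact match
    for ($i = 0; $i -lt $n.Length -and $bits -gt 0; $i++) {
        $take = [Math]::Min(8, $bits)                       # prefix bits left in this byte
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
        $bits -= $take
    }
    return $true
}

function Get-ResolverVerdict {
    param([string[]]$Observed, [string[]]$Expected)
    foreach ($ip in ($Observed | Sort-Object -Unique)) {
        # A resolver is acceptable if it sits inside any expected address or range.
        $ok = [bool]($Expected | Where-Object { Test-InCidr $ip $_ })
        $verdict = if ($ok) { 'expected' } else { 'possible leak' }
        [pscustomobject]@{ Resolver = $ip; Verdict = $verdict }
    }
}

# Constructed allow-list: the resolvers your VPN or encrypted-DNS provider uses.
$expected = '198.51.100.0/24', '2001:db8:53::/48'

# Constructed sample: the DNS server addresses copied from a leak test's output.
$observed = '198.51.100.53', '203.0.113.7', '2001:db8:53::1'

Get-ResolverVerdict -Observed $observed -Expected $expected | Format-Table -AutoSize
```

A leak test reports the resolvers that actually reached the test's name servers, which can differ from the addresses configured on the network adapter, so feed this the test output rather than the adapter settings.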
  • From Marion@3:633/280.2 to All on Tue Aug 26 11:31:51 2025
    Subject: Re: Privacy Tutorial: Setting up system-wide DoH for the 1st time on Windows

    Update:
    Both Windows 10 & Windows 11 suck at system-wide DNS encryption setup.

    YogaDNS intercepts Windows DNS queries & routes thru encrypted protocols

    *YogaDNS* Version 1.47 (2025.04.30)
    Windows (x86, x64, ARM) 7, 8, 10, 11, Server 2012, 2016, 2019, 2022
    <https://yogadns.com/download/>
    <https://yogadns.com/download/YogaDNSSetup.exe>
    Name: YogaDNSSetup.exe
    Size: 8369736 bytes (8173 KiB)
    SHA256: C790B930B990D3906124CBFF26A634D6400460F1E24616E41A88A6DF0EAE0CE4

    Windows 10 does not have native support for DNS-over-HTTPS (DoH) at the
    system level unless you're using experimental builds and doing some manual
    configuration. Even then, it's limited and not easily managed via
    PowerShell or the GUI.

    Windows 11 does support DoH natively at the operating system level.
    However, Windows 11's native DoH doesn't support DoQ, DNSCrypt, or DoH3.
    <https://www.reddit.com/r/nextdns/comments/16vue7u/yogadns_and_native_private_dns_on_windows_11/>

    Tools like YogaDNS are popular because they intercept DNS traffic & route
    it through encrypted channels like DoH, DoT, or DoQ, regardless of what
    PowerShell commands your Windows supports.

    YogaDNS is a trialware->free Windows DNS client that intercepts
    DNS queries at the system level & routes them through encrypted protocols
    a. DoH (DNS over HTTPS) including DoH3
    b. DoT (DNS over TLS)
    c. DoQ (DNS over QUIC)
    d. DNSCrypt

    With YogaDNS, DNS queries are encrypted before they leave your PC.

    After 30 days, what do you end up with as the "free" version:
    A. Only one DNS server is allowed (e.g., Cloudflare 1.1.1.1)
    B. Only two customizable rules (e.g., use YogaDNS for all web sites)
    C. It no longer automatically launches (you can launch it manually)
    D. It no longer runs in the background (it can be minimized though)

    Rules are like filters that tell it how to handle websites or networks.
    Example 1: Use Cloudflare for all websites.
    Example 2: Exclude local network devices.

    To overcome the automatic-launch limitation, you can manually add it to
    your Windows startup using Task Scheduler or to your Startup folder.
    1. Press Win + R, type shell:startup, and hit Enter.
    2. Copy the YogaDNS shortcut into that Startup folder.

    To clarify the lack of background services in the free version, the free
    version of YogaDNS must remain open to function, but it can be minimized to
    the system tray (i.e., iconified). That way, it won't clutter your screen,
    but if you close it completely, its system-wide DNS protection stops.

    Windows version information that this was tested on:
    PowerShell: 5.1.19041.6216
    Windows: 10.0.19045.6216
    Based on output from these two admin commands:
    C:\Windows\system32> powershell $PSVersionTable.PSVersion
    Major  Minor  Build  Revision
    -----  -----  -----  --------
    5      1      19041  6216
    C:\Windows\system32> ver
    Microsoft Windows [Version 10.0.19045.6216]

    My system is running Windows 10 Version 22H2 (Build 19045.6216) which is
    the final major release of Windows 10. It's a fully updated Windows 10
    (22H2) but PowerShell is still showing the original base version (19041),
    but with the same patch level (6216) because PowerShell 5.1 is baked into
    Windows 10. That means it doesn't get version bumps with every OS update.
    Microsoft kept the PowerShell versioning aligned with the original base
    (19041) even though the Windows 10 22H2 OS itself has evolved.

    What this means is key DNS features in Windows 11 are missing or limited.

    These are not available in Windows 10 (19045.6216):
    a. Native DNS-over-HTTPS (DoH) support
    b. DoH configuration via Settings UI
    c. DoQ, DNSCrypt, DoH3 support
    d. DoH via Group Policy / Registry (but you can run registry hacks)
    e. DoH via netsh dns show encryption (limited on Windows 10 vs 11)
    f. PowerShell DNS cmdlets (limited on Windows 10 versus on Windows 11)
    g. DNS leak protection during boot (limited more on Windows 10 than 11)

    This means that it's "easier" to set up system-wide encrypted DNS on
    Windows 11 but even for advanced protocols like DoQ or DNSCrypt, neither
    Windows 10 nor Windows 11 supports them natively, so tools like YogaDNS are
    still useful for both platforms.

    --- MBSE BBS v1.1.2 (Linux-x86_64)
    * Origin: BWH Usenet Archive (https://usenet.blueworldho (3:633/280.2@fidonet)
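Both posts above list a file name, size and SHA256 for the downloaded installer. The following PowerShell is an added example, not part of the original posts: it checks downloaded copies against those published values and reports the Authenticode signature status as an independent signal. `Test-Download` is a hypothetical helper name and the Downloads folder location is an assumption.

```powershell
# Added example, not from the original posts. Test-Download is a hypothetical
# helper; the sizes and SHA256 values are the ones quoted in the posts above.
$published = @(
    [pscustomobject]@{ Name = 'dnsleaktest.exe'; Size = 5336576
        Sha256 = '7BD8DC8505FCB498A91C24471995EE6DF6DC491283BD1571C9D67B3ED0C9F847' }
    [pscustomobject]@{ Name = 'YogaDNSSetup.exe'; Size = 8369736
        Sha256 = 'C790B930B990D3906124CBFF26A634D6400460F1E24616E41A88A6DF0EAE0CE4' }
)

function Test-Download {
    param([string]$Directory, [object[]]$Expected)
    foreach ($e in $Expected) {
        $path = Join-Path $Directory $e.Name
        $r = [ordered]@{
            Name = $e.Name; Present = $false; SizeOk = $false
            HashOk = $false; Signature = $null; ActualSha256 = $null
        }
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $r.Present      = $true
            $r.SizeOk       = (Get-Item -LiteralPath $path).Length -eq $e.Size
            $r.ActualSha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # -eq on strings is case-insensitive, so hex case does not matter.
            $r.HashOk       = $r.ActualSha256 -eq $e.Sha256
            # Reported only; a missing signature is not treated as a failure here.
            $r.Signature    = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
        [pscustomobject]$r
    }
}

# Assumption: the files were saved to the current user's Downloads folder.
$dir = Join-Path $env:USERPROFILE 'Downloads'
Test-Download -Directory $dir -Expected $published | Format-Table -AutoSize
```

A matching hash shows the file is the same one the poster downloaded; it says nothing about whether a newer release has since replaced it at the same URL, in which case the size and hash will differ.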
  • From Marion@3:633/280.2 to All on Thu Aug 28 11:25:15 2025
    Subject: Re: Privacy Tutorial: Setting up system-wide DoH for the 1st time on Windows

    On Tue, 26 Aug 2025 13:49:23 +0700, JJ wrote:

    >> After 30 days, what do you end up with as the "free" version:
    >
    > That's not freeware. That's crippleware.

    You bring up a good point in that it's not completely functional after 30d.
    The problem with freeware is finding one that is fully functional.

    I don't yet know of a fully functional DoH tool for Windows 10/11.
    Do you?

    If not, then we're stuck with this as the best choice that we have so far.

    I get where you're coming from because you get more in the first 30 days
    than you get after the 31st day. But it is free to use after that.

    So while it doesn't have all the functionality, it has enough of it.
    Is that crippled or not?

    Dunno. I guess it depends on how badly you need the functionality it has.
    I suspect you need it badly if you want to run DoH on Windows 10 or older.

    Because Windows 10 and Windows 11 do not have good GUIs for DoH setup.
    So the question becomes what's a good freeware DoH setup tool for Windows?

    --- MBSE BBS v1.1.2 (Linux-x86_64)
    * Origin: BWH Usenet Archive (https://usenet.blueworldho (3:633/280.2@fidonet)