Subject: Privacy Tutorial: Setting up system-wide DoH for the 1st time on Windows
Privacy Tutorial:
Setting up system-wide DoH for the 1st time on Windows
This is written ad-hoc, as I learned how to set it up myself.
Please improve if you have experience setting up system-wide DoH.
DoH = DNS over HTTPS
a. Meaning your DNS queries are encrypted in transit,
so outsiders on the network (like ISPs, public Wi-Fi operators,
or snoops) can't easily see which sites you're looking up.
b. Your DNS queries also blend in with regular secure web traffic,
making it harder for third parties to block or tamper with
your DNS requests.
Works on Windows 10, version 2004 (Build 19628) Preview Build.
Also works on Windows 10, version 2004 (Build 19041) & later.
Works even better on Windows 11 because of added GUI support.
Tested only on Microsoft Windows [Version 10.0.19045.6216].
Please test on Windows 11 for the team & report if successful.
Known Public DNS Providers Supporting DoH (please contribute!)
a. Cloudflare, 1.1.1.1, 1.0.0.1 (Fast, privacy-focused)
b. Google, 8.8.8.8, 8.8.4.4 (Global coverage)
c. Quad9, 9.9.9.9, 149.112.112.112 (Blocks known malicious domains)
d. AdGuard DNS, 94.140.14.14, 94.140.15.15 (Optional ad/malware blocking)
e. NextDNS, uses a per-user custom setup via <https://help.nextdns.io>
Setup Assumptions:
a. Router gateway 192.168.0.1
b. Static PC IP 192.168.0.2
c. Router Wi-Fi SSID SSID_optout_nomap
d. Network adapter name "Wi-Fi"
Manual GUI Method
1. Press Win+I to open Settings
2. Network & Internet -> Status
3. Click the active Wi-Fi connection "Properties" button
4. Under "IP settings", click "Edit"
5. Change dropdown from "Automatic (DHCP)" to "Manual"
6. Toggle IPv4 ON
7. Enter:
IP address: 192.168.0.2
Subnet prefix length: 24 (i.e., netmask 255.255.255.0)
Gateway: 192.168.0.1
8. DNS servers (example: Cloudflare DoH):
Preferred DNS: 1.1.1.1
Alternate DNS: 1.0.0.1
9. Press "Save" to save your current configuration.
10. Windows 11 exposes per-adapter "Encrypted only" options.
Windows 10 does not expose a "Preferred DNS encryption" dropdown.
Auto DoH enables encrypted DNS if the resolver supports it.
To use DoH in Windows 10, you must enable Auto DoH via the registry.
Win+R > cmd (Ctrl+Shift+Enter)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableAutoDoh /t REG_DWORD /d 2 /f
REM 2 = always attempt DoH if supported
11. Reboot to apply registry changes:
shutdown /r /t 0
12. Verify DNS resolution is working post-setup:
Win+R > cmd (Ctrl+Shift+Enter)
ipconfig /all
nslookup -type=soa example.com
Also visit https://1.1.1.1/help to confirm DoH = Yes
(turn off the browser's built-in DoH for this test).
Note: Windows 10 and Windows 11 behave differently:
In Windows 10 there is no per-adapter 'Encrypted only' setting.
Auto DoH attempts encryption with known resolvers.
If blocked, it may fall back to plaintext.
Windows 11 instructions (with GUI toggle)
Settings > Network & Internet > Wi-Fi > your network
[This GUI option may not appear unless the DNS server supports DoH]
Hardware properties > Edit DNS.
Set DNS servers (e.g., 1.1.1.1 and 1.0.0.1).
For each resolver, set DNS encryption to "Encrypted only (DNS over HTTPS)." Save and verify as above.
If DoH is not working, check:
a. Your DNS provider supports DoH
b. Browser DoH is disabled for testing
c. Registry key is correctly set
d. Reboot was performed after registry change
Command-Line Method (should work on both Win10 and Win11)
A. Set static IP, subnet mask, and gateway
netsh interface ip set address name="Wi-Fi" static 192.168.0.2 255.255.255.0 192.168.0.1
B. Set preferred DNS
netsh interface ip set dns name="Wi-Fi" static 1.1.1.1
C. Add alternate DNS
netsh interface ip add dns name="Wi-Fi" 1.0.0.1 index=2
D. Disconnect and reconnect to Wi-Fi
netsh wlan disconnect
netsh wlan connect name="SSID_optout_nomap"
E. Enable Auto DoH via registry (requires reboot)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableAutoDoh /t REG_DWORD /d 2 /f
Note: Enable Auto DoH (2 = always attempt DoH if supported)
F. Verify settings
ipconfig /all
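A PowerShell audit of the configuration above, added here as an example and not part of the original post. It checks items a and c of the troubleshooting list plus the SOA resolution step, assuming the adapter alias "Wi-Fi" and the provider list given earlier; the Get-DnsClientDohServerAddress part only runs where that cmdlet exists (Windows 11).

```powershell
# Added example, not from the original post: audits the Auto DoH setup described above.
# Assumes adapter alias "Wi-Fi" (change with -Adapter) and the resolver list from the post.
param([string]$Adapter = "Wi-Fi")

# Resolvers the post lists as DoH-capable (constructed from that list).
$DohResolvers = @{
    "1.1.1.1" = "Cloudflare"; "1.0.0.1" = "Cloudflare"
    "8.8.8.8" = "Google";     "8.8.4.4" = "Google"
    "9.9.9.9" = "Quad9";      "149.112.112.112" = "Quad9"
    "94.140.14.14" = "AdGuard"; "94.140.15.15" = "AdGuard"
}
$Problems = @()

# Check c: EnableAutoDoh must exist and be 2 (always attempt DoH if the resolver supports it).
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"
$AutoDoh = (Get-ItemProperty -Path $RegPath -Name EnableAutoDoh -ErrorAction SilentlyContinue).EnableAutoDoh
if ($null -eq $AutoDoh) { $Problems += "EnableAutoDoh is not set (run the reg add command, then reboot)" }
elseif ($AutoDoh -ne 2) { $Problems += "EnableAutoDoh is $AutoDoh, expected 2" }

# Check a: every IPv4 resolver on the adapter should be one the post lists as DoH-capable;
# anything else makes Auto DoH fall back to plaintext port 53.
$Servers = @((Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses)
if ($Servers.Count -eq 0) { $Problems += "No IPv4 DNS servers configured on adapter '$Adapter'" }
foreach ($s in $Servers) {
    if ($DohResolvers.ContainsKey($s)) { "OK  $s ($($DohResolvers[$s])) is a known DoH resolver" }
    else { $Problems += "$s is not a known DoH resolver; queries to it stay plaintext" }
}

# Windows 11 only: the OS keeps a DoH template per resolver; show the ones in use if the cmdlet exists.
if (Get-Command Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue) {
    Get-DnsClientDohServerAddress | Where-Object { $Servers -contains $_.ServerAddress } |
        Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp -AutoSize
}

# Resolution check, the PowerShell equivalent of the post's "nslookup -type=soa example.com".
if ($Servers.Count -gt 0) {
    try {
        $Soa = Resolve-DnsName -Name example.com -Type SOA -Server $Servers[0] -ErrorAction Stop
        "OK  SOA for example.com via $($Servers[0]): $(($Soa | Select-Object -First 1).PrimaryServer)"
    } catch { $Problems += "Resolution via $($Servers[0]) failed: $($_.Exception.Message)" }
}

# Check d (reboot after the registry change) cannot be read back from the registry; the
# summary reminds you of it when the value was found but the service may still be stale.
if ($Problems.Count -gt 0) { "`nProblems found:"; $Problems | ForEach-Object { " - $_" } }
else { "`nChecks passed. If https://1.1.1.1/help still says DoH = No, reboot (Dnscache reads the value at start)." }
```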
If you want to disable Auto DoH and revert to standard DNS behavior:
a. Open an elevated command prompt:
Win+R > cmd (Ctrl+Shift+Enter)
b. Run the following command:
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableAutoDoh /f
c. Reboot to apply changes:
shutdown /r /t 0
This removes the registry key and disables automatic DoH negotiation.
If you prefer to keep the registry key but toggle off Auto DoH:
a. Open an elevated command prompt:
Win+R > cmd (Ctrl+Shift+Enter)
b. Run the following command:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableAutoDoh /t REG_DWORD /d 0 /f
c. Reboot to apply changes:
shutdown /r /t 0
Setting EnableAutoDoh to 0 disables automatic DoH negotiation
while preserving the key for future use.
In summary, this was written ad hoc as I learned the tasks
so I could help others set up their own Windows DoH support.
Be advised I've only done it once.
Then I wrote this up to help you do it too.
Note: This tutorial configures IPv4 only.
I've never used IPv6 so I've never needed to set it up.
However, IPv6 DoH setup should be similar, as far as I know.
If you know more about DoH setup, please add your contribution.
The goal is for everyone to benefit from every thread & post.
--- MBSE BBS v1.1.2 (Linux-x86_64)
* Origin: BWH Usenet Archive (https://usenet.blueworldho (3:633/280.2@fidonet)