DNS: Windows 11 has native support for DNS over HTTPS #172

Closed
Mikaela opened this issue Oct 7, 2021 · 10 comments
Labels
c:os operating systems and related topics c:providers service providers and similar centralized/federated services status:approved issues that are immediately approved, submit a PR!

Comments

@Mikaela
Contributor

Mikaela commented Oct 7, 2021

Description

URL of affected page: https://privacyguides.org/providers/dns/

See also #166 and https://github.com/privacyguides/privacyguides.org/discussions/117#discussioncomment-1440335 (quick how)

@Mikaela Mikaela added status:approved issues that are immediately approved, submit a PR! c:os operating systems and related topics c:providers service providers and similar centralized/federated services labels Oct 7, 2021
@Mikaela
Contributor Author

Mikaela commented Oct 9, 2021

Settings (Windows - I (capital i)), Web & Internet, Properties (it's top middle) DNS Settings, click customize.


The options are:

  • only unencrypted
  • only encrypted (DNS & HTTPS)
  • Encrypted primary, unencrypted allowed

I think this may be usual varying quality of Finnish localization of Windows. And I should really set a better set of servers and enable IPv6 DNS.

Additionally only Microsoft supported servers have DoH, so a list of those should be looked up for this issue.

@Mikaela
Contributor Author

Mikaela commented Oct 9, 2021

Interestingly it appears that Microsoft hasn't allowed Quad9's secondary IPv6 DNS server for encryption.

[image: Quad9]

Edit: any secondary IPv6 DNS server?

@ghost

ghost commented Oct 9, 2021

It is also only for Ethernet as far as I know. Not available for WiFi Connections.

@dngray
Member

dngray commented Oct 10, 2021

This would definitely be worth adding, perhaps to a separate page. This is where the "Guides" part of Privacy Guides comes in.

The reason would be because we might want to add instructions for systemd/systemd#8639 (when that is finally completed) and https://www.zdnet.com/article/apple-adds-support-for-encrypted-dns-doh-and-dot/.

@Mikaela
Contributor Author

Mikaela commented Oct 10, 2021

> It is also only for Ethernet as far as I know. Not available for WiFi Connections.

It is available for both, however all adapters need to be configured separately. My setup includes ethernet and WiFi. I am yet to try USB ones, but imagine they will work similarly.

@Mikaela
Contributor Author

Mikaela commented Oct 13, 2021

I accidentally learned a bit more about this from Microsoft Docs: Secure DNS Client over HTTPS (DoH):

  • Windows 11 Pro users can require DoH from Group Policy Computer Configuration\Policies\Administrative Templates\Network\DNS Client
  • In PowerShell Get-DNSClientDohServerAddress tells the default DoH servers
    • the defaults are Cloudflare, Google and Quad9 (answering my second comment on looking up the defaults)
  • Still in PowerShell adding a server is Add-DnsClientDohServerAddress -ServerAddress '<resolver-IP-address>' -DohTemplate '<resolver-DoH-template>' -AllowFallbackToUdp $False -AutoUpgrade $True

All of the above can be found from Microsoft Docs: Secure DNS Client over HTTPS (DoH).

@Mikaela
Contributor Author

Mikaela commented Oct 13, 2021

The previous comment's registry modifications appear to be the following:

Enforce DoH

This is still letting me disable DoH though, but adjusting the group policy from previous comment still lets me disable DoH in the UI, so I am not entirely sure on this working as expected

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"DoHPolicy"=dword:00000003

Adding DNS servers

This turned out to be a lot simpler (examples below are Mullvad DoH, Adguard DoH and Quad9 ECS DoH (not recommended for privacy, ECS leaks more information))

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\193.19.108.2]
"Template"="https://doh.mullvad.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\194.242.2.2]
"Template"="https://doh.mullvad.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2a07:e340::2]
"Template"="https://doh.mullvad.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2a10:50c0::ad1:ff]
"Template"="https://dns.adguard.com/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2a10:50c0::ad2:ff]
"Template"="https://dns.adguard.com/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\94.140.14.14]
"Template"="https://dns.adguard.com/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\94.140.15.15]
"Template"="https://dns.adguard.com/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2620:fe::11]
"Template"="https://dns11.quad9.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2620:fe::fe:11]
"Template"="https://dns11.quad9.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\9.9.9.11]
"Template"="https://dns11.quad9.net/dns-query"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\149.112.112.11]
"Template"="https://dns11.quad9.net/dns-query"

Basically execute regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers, create new keys named after the IPv4 or IPv6 address and within them a new string (REG_SZ) named Template containing the query address. The Windows defaults also appear here and the previous server adding command appears here (and I am yet to figure out what the command to revert it is, considering it's so much easier in registry editor).
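The PowerShell commands from the Oct 13 comments and the registry key described just above, put together as one added example (not from the issue or from Privacy Guides). It assumes an elevated Windows 11 session with the DnsClient module, uses the Mullvad address and template posted in the thread, and uses Remove-DnsClientDohServerAddress as the revert counterpart to Add-DnsClientDohServerAddress:

```powershell
#Requires -RunAsAdministrator
# Added example: register a DoH resolver, apply it to every active adapter,
# verify the registry entry Windows creates, and show how to revert.

# Resolver taken from the thread (Mullvad DoH, IPv4).
$ServerAddress = '194.242.2.2'
$DohTemplate   = 'https://doh.mullvad.net/dns-query'

# 1. What Windows already knows (defaults are Cloudflare, Google and Quad9).
Get-DnsClientDohServerAddress |
    Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade

# 2. Register the resolver as DoH-capable. AllowFallbackToUdp $false means a
#    failed DoH connection does not silently downgrade to plaintext UDP.
$known = Get-DnsClientDohServerAddress -ServerAddress $ServerAddress -ErrorAction SilentlyContinue
if (-not $known) {
    Add-DnsClientDohServerAddress -ServerAddress $ServerAddress `
        -DohTemplate $DohTemplate -AllowFallbackToUdp $false -AutoUpgrade $true
}

# 3. DoH is configured per adapter (Ethernet, WiFi, USB all separately), so
#    point each adapter that is currently up at the resolver.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $ServerAddress
}

# 4. Verify: the cmdlet writes the same key the comment above creates by hand.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\$ServerAddress"
Get-ItemProperty -Path $key | Select-Object -ExpandProperty Template

# 5. Revert: remove the well-known server entry again (commented out so the
#    script is not self-undoing; run it on its own when needed).
# Remove-DnsClientDohServerAddress -ServerAddress $ServerAddress
```

Step 3 only sets the resolver address; whether the adapter actually uses DoH still depends on the "Encrypted only" or "Encrypted preferred" choice in the adapter's DNS settings or on the DoHPolicy group policy from the previous comment.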

@Mikaela Mikaela self-assigned this Oct 14, 2021
@Mikaela
Contributor Author

Mikaela commented Oct 14, 2021

Self-assigning as an issue I care about and may be PRing by myself so it will be visible in /issues, please feel free to send a PR on this regardless should I not have done that at the time.

@Mikaela Mikaela removed their assignment Nov 23, 2021
@gracjankn

I made a pull request. #783

@dngray
Member

dngray commented Mar 31, 2022

Resolved in #767

@dngray dngray closed this as completed Mar 31, 2022