
How to Enable DNS Over TLS (DoT) in Windows 11

by Miguelito Balba, IT Editorial Expert

As the internet evolves, attack strategies have also become more harmful and sophisticated. That’s why encrypting DNS traffic is essential for improving internet privacy and preventing unauthorized surveillance or DNS spoofing attacks. One way to implement this is by activating DNS over TLS (DoT), a secure DNS protocol that encrypts Domain Name System (DNS) traffic over Transport Layer Security (TLS).

Windows 11 natively supports DNS over HTTPS (DoH) through a registry-based method. In this guide, we’ll walk you through everything you need to know to enable DNS over TLS in Windows 11, including prerequisites, step-by-step configuration methods, and ways to verify it’s working properly.

Prerequisites

Before you proceed, make sure your system meets the following prerequisites:

  • Applies to all editions of Windows 11: These steps work across Windows 11 Home, Pro, and Enterprise editions.
  • Access to DoT-compatible DNS servers: You’ll need to use DNS providers that support DNS over TLS, such as Quad9, Cloudflare, or NextDNS.
  • Administrator privileges: This method requires administrator rights.
  • Requires Build 25158 or later: The feature is supported starting with Windows 11 Insider Build 25158+ (feature rollout may vary).

Aside from that, you need to configure your network adapter to use a DoT-capable DNS server. Here’s how:

  1. Press Windows key + I to open Settings.
  2. Go to Network & Internet.
    • For Wi-Fi: Wi-Fi > your connected network > Hardware properties
    • For Ethernet: Ethernet > Properties
  3. Under DNS server assignment, click Edit.
  4. Switch to Manual and enable IPv4.
  5. Enter Quad9 DNS addresses:
    • Preferred DNS: 9.9.9.9
    • Alternate DNS: 149.112.112.112
  6. (Optional) Configure IPv6:
    • Preferred DNS: 2620:fe::fe
    • Alternate DNS: 2620:fe::9
  7. Repeat for both preferred and alternate entries.
  8. Click Save and reconnect your network.

Once this is set, you can proceed with the Registry Editor method to enforce encrypted DNS.

Steps for configuring DNS over TLS (DoT)

⚠️ Warning: Editing the registry can cause system issues. Create a backup before proceeding.

💡 Note: There is no registry key to force DoT-only behavior. This method enables encrypted DNS and leaves the protocol choice (DoT or DoH) up to Windows and the resolver.

To configure DNS over TLS (DoT) in Windows 11, you can use the Registry Editor. This method is best for advanced users or IT administrators managing multiple systems.

Here are the steps:

  1. Open the Registry Editor:
    • Press the Windows key + R, type regedit, and press Enter.
  2. Navigate to the DNS client parameters:
    • Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  3. Create or modify resolver entries:
    • In this step, you’ll configure registry values that tell Windows to use encrypted DNS. While Microsoft does not offer a registry setting for DoT only, these values enforce encrypted DNS behavior. Windows will negotiate either DoT or DoH, depending on what the specified DNS server supports. Here’s how to do it:
      • Add the DoHServerList value. Right-click in the right pane and choose New > String Value.
      • Name it: DoHServerList
      • Double-click it and enter a secure resolver URL, such as: https://dns.quad9.net/dns-query
      • Add the DoHPolicy value. Right-click in the right pane and choose New > DWORD (32-bit) Value.
      • Name it: DoHPolicy
      • Double-click it and set its value data to 2

This setting enforces encrypted DNS resolution (DoH or DoT, whichever is supported).
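The same registry change, scripted in PowerShell so it can be applied consistently across several machines (this is an added example, not code from the original article). It writes the DoHServerList and DoHPolicy values described above, backs up the key first, and reads the values back to confirm they landed; run it from an elevated PowerShell session. The resolver URL and policy value are the ones the article gives, and the backup file name is an arbitrary choice.

```powershell
# Added example: apply the article's DoHServerList / DoHPolicy registry values
# from PowerShell instead of regedit. Requires an elevated session.

$ParamsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$ResolverUrl = 'https://dns.quad9.net/dns-query'   # DoT/DoH-capable resolver from the article
$PolicyValue = 2                                    # 2 = enforce encrypted DNS, per the article

# Back up the key first so the change can be reversed (reg.exe import <file>).
$backup = Join-Path $env:TEMP 'Dnscache-Parameters-backup.reg'   # arbitrary file name
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' $backup /y | Out-Null
Write-Host "Backup written to $backup"

# REG_SZ value holding the resolver template (created or overwritten).
New-ItemProperty -Path $ParamsPath -Name 'DoHServerList' -PropertyType String `
    -Value $ResolverUrl -Force | Out-Null

# REG_DWORD value selecting the encrypted-DNS policy.
New-ItemProperty -Path $ParamsPath -Name 'DoHPolicy' -PropertyType DWord `
    -Value $PolicyValue -Force | Out-Null

# Read both values back and stop if either did not apply as expected.
$applied = Get-ItemProperty -Path $ParamsPath -Name 'DoHServerList', 'DoHPolicy'
if ($applied.DoHServerList -ne $ResolverUrl -or $applied.DoHPolicy -ne $PolicyValue) {
    throw 'Registry values were not applied as expected; restore from the backup and retry.'
}
Write-Host "DoHServerList = $($applied.DoHServerList)"
Write-Host "DoHPolicy     = $($applied.DoHPolicy)"

# Drop cached answers so the next lookup goes through the new configuration.
Clear-DnsClientCache
Write-Host 'Done. Reconnect the network adapter (or reboot) for the change to take effect.'
```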

How to verify DNS over TLS is working

Once you’ve configured a secure DNS resolver, confirm that DNS over TLS is active. There are two methods you can use to do this:

Method 1: Easiest method – nslookup

The easiest way to confirm that DNS over TLS is active is by running a quick lookup test:

  1. Press the Windows key, type cmd, and open Command Prompt.
  2. Run the following command:

nslookup google.com

  3. If DoT is correctly configured, you should see your secure DNS server at the top of the output. For example:

Server:  dns9.quad9.net
Address:  9.9.9.9

If the result shows your configured DoT-capable resolver (e.g., Quad9, Cloudflare, NextDNS), then encrypted DNS is working.

Method 2: Advanced verification – netstat, Wireshark, PowerShell

For deeper confirmation that DoT (not DoH or plaintext DNS) is in use, you can also do the following:

  1. Press the Windows key to open the Start Menu, type PowerShell, and click PowerShell.
  2. Run the following command: Get-DnsClientDohServerAddress. This will display a list of configured encrypted DNS servers on your system.
    • If your DoT/DoH-capable resolver (e.g., Quad9, Cloudflare, or NextDNS) appears in the output, then encrypted DNS is active.
    • If no entries are listed, or only plaintext resolvers appear, the configuration did not apply correctly.
  3. To confirm that DoT (not DoH or plaintext DNS) is being used, you can use netstat to look for outgoing connections on port 853, which is reserved for DNS over TLS.
    • Run the following command: netstat -an | findstr :853
    • If you see entries showing an ESTABLISHED connection to your DNS server on port 853, DoT is active.
  4. You can also use Wireshark or netstat to confirm encrypted DNS traffic on port 853 (for DoT).
    • Open Wireshark and start a capture on your active network interface.
    • In the filter bar, enter the following: tcp.port == 853
    • This displays only DNS over TLS traffic. If you see packets to or from your configured DNS server (e.g., 9.9.9.9), that confirms DoT is in use.
  5. Alternatively, check your DNS resolver’s diagnostics using a browser after configuration.
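The PowerShell and netstat checks above, combined into one script (an added example, not code from the original article). It lists the encrypted DNS servers Windows has configured and flags any with UDP fallback enabled, tests that TCP 853 to the resolver is reachable through the firewall, triggers a fresh lookup, and then looks for an established connection on port 853. The resolver address is an assumption taken from the Quad9 example earlier in the guide; replace it with the one you configured.

```powershell
# Added example: PowerShell version of the verification steps in Method 2.
$Resolver = '9.9.9.9'   # assumption: the Quad9 address used earlier in the guide

# 1. Encrypted DNS servers Windows knows about.
$doh = Get-DnsClientDohServerAddress
if (-not $doh) {
    Write-Warning 'No encrypted DNS servers are configured; the registry change did not apply.'
} else {
    $doh | Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade -AutoSize
    # Fallback to UDP means plaintext DNS can still be used if encryption fails.
    $doh | Where-Object { $_.AllowFallbackToUdp } |
        ForEach-Object { Write-Warning "Fallback to plaintext DNS is enabled for $($_.ServerAddress)" }
}

# 2. Is TCP 853 to the resolver reachable at all? A firewall that blocks it
#    makes DoT impossible and may push resolution back to plaintext.
$reach = Test-NetConnection -ComputerName $Resolver -Port 853 -WarningAction SilentlyContinue
if ($reach.TcpTestSucceeded) {
    Write-Host "TCP 853 to $Resolver is reachable."
} else {
    Write-Warning "TCP 853 to $Resolver is blocked or unreachable."
}

# 3. Trigger a fresh lookup so a DNS connection is actually opened.
Clear-DnsClientCache
Resolve-DnsName -Name example.com -Type A -ErrorAction SilentlyContinue | Out-Null

# 4. An established connection to port 853 is DNS over TLS
#    (equivalent to: netstat -an | findstr :853).
$dot = Get-NetTCPConnection -RemotePort 853 -ErrorAction SilentlyContinue |
       Where-Object { $_.State -eq 'Established' }
if ($dot) {
    $dot | Format-Table LocalAddress, RemoteAddress, RemotePort, State -AutoSize
    Write-Host 'DNS over TLS connection observed.'
} else {
    Write-Warning 'No port-853 connection seen; Windows may be using DoH (TCP 443) or plaintext DNS.'
}
```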

⚠️ Things to look out for

  • Risk: Registry misconfiguration
    • Potential consequence: DNS resolution may fail, or encrypted resolvers may not be applied.
    • Reversal: Open Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters, and review or remove incorrect DoHPolicy or DoHServerList entries.
  • Risk: AllowFallbackToUdp set to $true
    • Potential consequence: If fallback is enabled, the system may revert to unencrypted DNS if DoT fails.
    • Reversal: Reconfigure with fallback disabled: -AllowFallbackToUdp $false to enforce encrypted-only DNS resolution.
  • Risk: Firewall blocking port 853
    • Potential consequence: DNS over TLS traffic is blocked, which may cause DNS to fail or default to plaintext.
    • Reversal: Ensure outbound TCP traffic on port 853 is allowed. Check using: netstat -an
  • Risk: Using a non-DoT-capable DNS provider
    • Potential consequence: Encrypted DNS will not work; the system may default to plaintext or DoH.
    • Reversal: Switch to a resolver that supports DoT (e.g., Quad9 – 9.9.9.9, Cloudflare – 1.1.1.1, NextDNS).

Why use DNS over TLS?

There are several reasons why using DNS over TLS has become essential. Here are some of them:

  • Protect DNS: By encrypting DNS lookups, DoT shields endpoint queries from eavesdropping and manipulation.
  • Improve privacy for endpoint DNS resolution: DoT ensures that domain lookups cannot be easily tracked.
  • Support secure DNS communication: Using DNS over TLS enforces protection for communications where DNS interception is more likely, such as in enterprise environments and over public networks.
  • Comply with modern security policies: Some industries, regulatory frameworks, or security baselines recommend or require encrypted DNS protocols.

Additional considerations

Here are some factors you need to consider when enabling DNS over TLS (DoT):

  • TCP port 853: DoT uses port 853; ensure it is not blocked by firewalls or network policies. If you’re using Windows Defender Firewall, you may need to allow outbound TCP connections on port 853 via Windows Defender Firewall with Advanced Security.
  • Disable fallback to plaintext DNS: Setting -AllowFallbackToUdp $false ensures that no plaintext DNS is used if encryption fails.
  • Split tunneling/VPNs: Encrypted DNS may conflict with DNS settings pushed by corporate VPNs.
  • Group Policy limitations: Native GPO support for DoT is limited. The use of scripting is recommended for enterprise deployment.

Enabling DNS over TLS (DoT) in Windows 11

In the era of sophisticated online intrusions and cyberattacks, enabling DNS over TLS has become a valuable defense for improving your system’s privacy posture. It encrypts DNS traffic and reduces the risk of interception or spoofing. While the configuration is not readily available via the GUI, DoT can be configured with registry edits. You can confirm that the configuration succeeded with PowerShell, or with a network trace showing that port 853 (DoT) is in use.
