PublicDNS.info Live-tested public DNS
Retested every 72 hours.

How to Enable Encrypted DNS on Windows 11

Protect your DNS queries from ISP monitoring and tampering by enabling encrypted DNS (DoH) on Windows 11. This guide walks you through each step with real settings and menu paths.

Why Enable Encrypted DNS on Windows 11?

By default, DNS queries are sent in plain text over UDP port 53. This means your ISP, network administrator, or anyone on your local network can see every domain you visit. Encrypted DNS solves this by wrapping your DNS queries in TLS or HTTPS encryption.

  • DNS-over-HTTPS (DoH) sends DNS queries inside HTTPS on port 443 — the same port used for web traffic. This makes it very difficult to block or detect.
  • DNS-over-TLS (DoT) sends DNS queries encrypted via TLS on port 853. It is a dedicated protocol that is easier for network admins to manage but may be blocked on some networks.

This guide shows you how to configure DoH on Windows 11.

Step-by-Step Setup Instructions

Follow these steps to enable encrypted DNS on Windows 11:

  1. Open Network Settings
    Click Start, then open Settings (Win + I). Navigate to Network & Internet. Select Wi-Fi or Ethernet depending on your connection type.
  2. Open DNS server assignment
    Click on your active network connection (e.g., your Wi-Fi network name or Ethernet). Scroll down to DNS server assignment and click the Edit button.
  3. Switch to Manual DNS
    In the Edit DNS settings dialog, change the dropdown from Automatic (DHCP) to Manual. Toggle IPv4 to On.
  4. Enter preferred DNS server
    In the Preferred DNS field, enter 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google). Under DNS over HTTPS, select Encrypted only (DNS over HTTPS) from the dropdown.
  5. Enter alternate DNS server
    In the Alternate DNS field, enter 1.0.0.1 (Cloudflare) or 8.8.4.4 (Google). Again, set DNS over HTTPS to Encrypted only (DNS over HTTPS).
  6. Save and verify
    Click Save. Open a Command Prompt and run nslookup example.com to confirm DNS resolution works. You can also visit a DNS leak test site to confirm encrypted DNS is active.

After configuring encrypted DNS, it is recommended to clear your DNS cache and test the configuration using a DNS leak test site.
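
The check in step 6, done from PowerShell, as an added example that is not part of the original guide. It lists the IPv4 DNS servers on each connected adapter, marks which ones appear in Windows' list of known DoH servers, then clears the cache and resolves example.com. It confirms configuration only; a DNS leak test is still what shows where your queries actually go.

```powershell
# Added example, not from the original guide. Read-only except for the cache flush.
# Uses built-in Windows 11 cmdlets from the DnsClient and NetAdapter modules.

# Index Windows' list of known DoH servers by IP address.
$known = @{}
foreach ($entry in Get-DnsClientDohServerAddress) {
    $known[$entry.ServerAddress] = $entry.DohTemplate
}

# For each connected adapter, compare its IPv4 DNS servers with that list.
$report = foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    $cfg = Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4
    foreach ($ip in $cfg.ServerAddresses) {
        [pscustomobject]@{
            Adapter     = $nic.Name
            DnsServer   = $ip
            KnownDoH    = $known.ContainsKey($ip)
            DohTemplate = $known[$ip]
        }
    }
}
$report | Format-Table -AutoSize

# A server outside the list (often a router address handed out by DHCP) means the
# adapter is still on Automatic (DHCP) or uses a resolver Windows does not recognize.
foreach ($row in $report | Where-Object { -not $_.KnownDoH }) {
    Write-Warning "$($row.Adapter): $($row.DnsServer) is not in the known DoH server list"
}

# Flush cached answers, then confirm that resolution still works.
Clear-DnsClientCache
Resolve-DnsName -Name example.com -Type A | Select-Object Name, Type, IPAddress
```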

Recommended Encrypted DNS Providers

These providers support encrypted DNS and are compatible with Windows 11:

Provider     Primary IP   Secondary IP      DoH URL                                DoT Hostname
Cloudflare   1.1.1.1      1.0.0.1           https://cloudflare-dns.com/dns-query   one.one.one.one
Google       8.8.8.8      8.8.4.4           https://dns.google/dns-query           dns.google
Quad9        9.9.9.9      149.112.112.112   https://dns.quad9.net/dns-query        dns.quad9.net

Verify Your Encrypted DNS Setup

After configuring encrypted DNS on Windows 11, run our DNS Privacy Check to verify your queries are encrypted and your ISP cannot see your DNS traffic.

Frequently Asked Questions

Does Windows 11 support DNS-over-HTTPS natively?

Yes. Starting with Windows 11 (and Windows 10 build 19628+), Microsoft added native DNS-over-HTTPS support. You can configure it directly in Settings under Network & Internet without installing any third-party software.

Which DNS servers support DoH on Windows 11?

Windows 11 has a built-in list of recognized DoH servers including Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9). When you enter these IPs, the "Encrypted only" option becomes available automatically.

Can I use DNS-over-TLS on Windows 11?

Windows 11 natively supports DNS-over-HTTPS (DoH) but does not have built-in support for DNS-over-TLS (DoT). If you need DoT, you can use a third-party client like Stubby or configure it on your router instead.

How do I verify encrypted DNS is working on Windows 11?

After configuring DoH, visit a DNS leak test website like dnsleaktest.com or use our DNS Privacy Check tool. The test should show your chosen DNS provider (e.g., Cloudflare) rather than your ISP, confirming queries are encrypted and routed correctly.