Every time you visit a website, your device sends a DNS query — a plaintext request that says “what’s the IP address for google.com?” By default, these queries go unencrypted to your ISP’s DNS servers, where they’re logged and in some countries sold or shared with third parties.
DNS-over-HTTPS (DoH) encrypts these queries so your ISP only sees encrypted traffic, not the domains you’re looking up. Windows 11 supports DoH natively — no third-party apps required.
What you’ll need
- Windows 11 (any version)
- A DNS provider that supports DoH (Cloudflare, Google, or NextDNS)
- 5 minutes
Step 1: Choose a DNS provider
| Provider | IPv4 | DoH URL | Notes |
|---|---|---|---|
| Cloudflare (1.1.1.1) | 1.1.1.1 | https://cloudflare-dns.com/dns-query | Fastest, privacy-focused, no logging |
| Google | 8.8.8.8 | https://dns.google/dns-query | Fast, but Google logs queries |
| NextDNS | Custom | Custom per account | Configurable filtering, family-safe options |
For most users, Cloudflare is the right choice — it’s fast, free, and has a clear no-logging privacy policy audited by KPMG.
Step 2: Open Windows DNS settings
- Press Windows + I to open Settings
- Go to Network & Internet
- Click your active connection (Wi-Fi or Ethernet)
- Click Hardware properties
- Under DNS server assignment, click Edit
Step 3: Switch to manual DNS and enable DoH
- Change the dropdown from Automatic (DHCP) to Manual
- Enable IPv4
- Set Preferred DNS: 1.1.1.1
- Change the DNS over HTTPS dropdown to On (automatic template)
- Set Alternate DNS: 1.0.0.1
- Set that DNS over HTTPS dropdown to On (automatic template) as well
- Click Save
Windows will automatically use the DoH endpoint associated with each IP address (it knows Cloudflare’s DoH URL for 1.1.1.1).
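The same configuration can be applied from an elevated PowerShell session with the built-in DnsClient cmdlets, which is handy for scripting it across several machines. This is an added example, not from the original article; it assumes Windows 11, an Administrator prompt, and an adapter whose alias is "Wi-Fi" (run Get-NetAdapter to find yours). It goes slightly beyond the Settings-app steps above: it registers both the IPv4 and the IPv6 Cloudflare addresses in one pass and disables the fallback to plaintext UDP, which is stricter than the "automatic template" default.

```powershell
# Added example (not from the original article): configure DoH with the
# DnsClient cmdlets instead of the Settings app.
# Assumes Windows 11 and an elevated (Administrator) PowerShell session.
# The interface alias "Wi-Fi" is an assumption; adjust it for your adapter.

$InterfaceAlias = "Wi-Fi"

# Cloudflare resolver addresses and DoH template from the article.
$DohTemplate = "https://cloudflare-dns.com/dns-query"
$IPv4Servers = @("1.1.1.1", "1.0.0.1")
$IPv6Servers = @("2606:4700:4700::1111", "2606:4700:4700::1001")

# 1. Register each resolver address as a known DoH server.
#    -AutoUpgrade $true         : use DoH whenever this address is configured
#                                 (what the UI calls "On (automatic template)")
#    -AllowFallbackToUdp $false : never downgrade to plaintext UDP/53 if DoH fails;
#                                 stricter than the UI default, so lookups fail
#                                 loudly instead of leaking in the clear
foreach ($server in ($IPv4Servers + $IPv6Servers)) {
    $existing = Get-DnsClientDohServerAddress -ServerAddress $server -ErrorAction SilentlyContinue
    if ($existing) {
        # Windows 11 ships with well-known resolvers pre-registered; update those in place.
        Set-DnsClientDohServerAddress -ServerAddress $server -DohTemplate $DohTemplate `
            -AutoUpgrade $true -AllowFallbackToUdp $false
    } else {
        Add-DnsClientDohServerAddress -ServerAddress $server -DohTemplate $DohTemplate `
            -AutoUpgrade $true -AllowFallbackToUdp $false
    }
}

# 2. Point the adapter at those resolvers (the "Automatic (DHCP) -> Manual" switch).
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias `
    -ServerAddresses ($IPv4Servers + $IPv6Servers)

# 3. Drop cached answers so the next lookups take the new path.
Clear-DnsClientCache

# Show what Windows now knows about each DoH server.
Get-DnsClientDohServerAddress |
    Format-Table ServerAddress, DohTemplate, AutoUpgrade, AllowFallbackToUdp
```

To revert to DHCP-assigned resolvers, run Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ResetServerAddresses. For a provider with a custom template such as NextDNS, pass the resolver address shown in your NextDNS account (a placeholder here, since the article does not list it) and your per-account URL as -DohTemplate.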
Step 4: Verify it’s working
Open PowerShell and run:
```powershell
Resolve-DnsName cloudflare.com -Server 1.1.1.1
```
If it resolves, DNS is working. To confirm the encryption is active:
- Visit 1.1.1.1/help in your browser
- Look for Using DNS over HTTPS (DoH): Yes
If it shows “No”, double-check that you saved the settings and that you’re testing on the correct network adapter.
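The 1.1.1.1/help page is the authoritative check that queries are actually leaving the machine encrypted. The following added example (not from the original article) complements it from the Windows side: it lists the resolvers the adapter is really using, confirms each one is registered for DoH with auto-upgrade, and flags any stray address, for instance one still handed out by DHCP, that would silently fall back to plaintext. It assumes Windows 11 and an adapter alias of "Wi-Fi".

```powershell
# Added example (not from the original article): verify the DoH configuration
# from PowerShell. Assumes Windows 11; the adapter alias "Wi-Fi" is an assumption.

$InterfaceAlias = "Wi-Fi"
$Expected = @("1.1.1.1", "1.0.0.1")   # Cloudflare IPv4 addresses from the article

# Resolvers actually configured on the adapter (IPv4 only; use IPv6 for Step 5).
$configured = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses
Write-Host "Configured IPv4 resolvers: $($configured -join ', ')"

# DoH upgrade is decided per resolver address, so check each one individually.
foreach ($server in $configured) {
    $doh = Get-DnsClientDohServerAddress -ServerAddress $server -ErrorAction SilentlyContinue
    if ($doh -and $doh.AutoUpgrade) {
        Write-Host "$server -> DoH via $($doh.DohTemplate) (fallback to UDP: $($doh.AllowFallbackToUdp))"
    } else {
        Write-Warning "$server is NOT set to auto-upgrade to DoH; queries to it go out as plaintext UDP/53"
    }
}

# Any address outside the expected set means the manual settings did not take effect
# on this adapter (common cause: editing the wrong adapter, as the article notes).
$unexpected = $configured | Where-Object { $Expected -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unexpected resolvers present: $($unexpected -join ', ')"
}

# The article's resolution check. Note that -Server sends a direct query to that
# address, so success shows the resolver is reachable and answering, not that the
# system resolver is encrypting; the 1.1.1.1/help page remains the encryption check.
Resolve-DnsName cloudflare.com -Server 1.1.1.1 -Type A | Select-Object Name, IPAddress

# Reachability of the HTTPS port the DoH template uses (a TCP probe, not a DoH query).
Test-NetConnection -ComputerName 1.1.1.1 -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

The classic netsh view of the same registration table is netsh dns show encryption; it prints each known server with its template and the auto-upgrade and UDP-fallback flags, which is useful when comparing a machine that works against one that shows "No" on the help page.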
Step 5: Enable for IPv6 (if your network uses it)
Repeat the process for IPv6 in the same settings panel:
- Preferred DNS: 2606:4700:4700::1111
- Alternate DNS: 2606:4700:4700::1001
- Both set to On (automatic template)
Using NextDNS for filtering
If you want custom filtering (blocking ads, trackers, or adult content at the DNS level), NextDNS is worth considering. It’s free for up to 300,000 queries per month.
- Create an account at nextdns.io
- Your account gives you a unique DNS ID (e.g., abc123)
- Your DoH URL will be: https://dns.nextdns.io/abc123
- Enter this as a custom DoH URL in Windows DNS settings
NextDNS lets you configure blocklists, allowlists, and view query logs per device — much more granular than a plain resolver.
What DoH doesn’t protect against
- Your VPN provider’s DNS leaks — if you use a VPN, make sure DNS queries route through the VPN, not out your local adapter
- SNI (Server Name Indication) — some traffic analysis can still infer which sites you visit by looking at TLS handshake data, even with DoH. Encrypted Client Hello (ECH) addresses this but isn’t universally supported yet
- Browser DNS settings — Firefox and Chrome have their own DoH settings that override Windows. Check your browser settings separately if you want end-to-end encrypted DNS
The impact on your ISP logs
Before DoH: Your ISP sees every domain you query, in plaintext, with timestamps.
After DoH: Your ISP sees encrypted HTTPS traffic to 1.1.1.1. They can see you’re using Cloudflare’s DNS, but not which domains you’re looking up.
That’s a meaningful privacy improvement for five minutes of work.