Encrypted DNS protocols, such as DNS over TLS (DoT), DNS over HTTPS (DoH) and DNS over QUIC (DoQ), add an encryption layer to domain name resolution in order to protect the privacy and integrity of communications between clients and DNS servers.
With DoT, the communication between the DNS client (for example, the user's computer or smartphone) and the DNS server is encrypted inside a TLS connection, so that DNS queries cannot be intercepted or modified by third parties.
DoH, on the other hand, uses HTTPS to encrypt DNS queries and responses, while DNS over QUIC (DoQ) is often regarded as the successor of both. DoQ delivers better performance than DoT and DoH thanks to the characteristics of QUIC, a transport designed to reduce latency and improve reliability.
What does it mean for Windows 11 to discover encrypted DNS
Using encrypted DNS improves the security and privacy of communications: Internet providers and any other party placed between the user's client and the remote servers can neither see which sites the user visits nor return an IP address different from the one set in the DNS records by the owners of the various domains (DNS hijacking).
Normally, users configure their devices and web browsers to use a DNS server that supports one of the encryption protocols mentioned above.
What is new is that Windows 11 becomes capable of auto-discovering the encrypted DNS servers available on the network and enabling their use accordingly. This is done with the DNR (Discovery of Network-designated Resolvers) standard, by querying the local DHCP server: a DNR-compliant DHCP server responds with the IP addresses of the encrypted DNS server, the protocols it supports, the port numbers and the authentication data.
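As an added example of what the DHCP answer described above actually carries (this is the editor's code, not code from the article or from Microsoft), the following Python builds and decodes the payload of a DHCPv4 DNR option. It follows this editor's reading of the DNR specification (RFC 9463, where the DHCPv4 option is code 162 and the ADN Length and Addr Length fields are one byte each) and of the SVCB parameter encoding that DNR reuses (RFC 9460/9461: key 1 alpn, key 3 port, key 7 dohpath). The resolver names and 192.0.2.x addresses are constructed sample data, not captured traffic.

```python
import struct
import ipaddress

# SVCB SvcParamKeys (RFC 9460 / RFC 9461) that DNR reuses to describe the resolver
SVCPARAM_ALPN = 1
SVCPARAM_PORT = 3
SVCPARAM_DOHPATH = 7
# Default ports when no "port" SvcParam is present (853 for DoT/DoQ, 443 for DoH)
DEFAULT_PORTS = {"dot": 853, "doq": 853, "h2": 443, "h3": 443}


def encode_name(name):
    """Uncompressed DNS wire-format FQDN: length-prefixed labels plus a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf):
    labels, pos = [], 0
    while buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def build_instance(priority, adn, addrs, alpns, port=None, dohpath=None):
    """Encode one DHCPv4 DNR instance (editor's reading of RFC 9463 section 5.1)."""
    adn_wire = encode_name(adn)
    body = struct.pack("!H", priority) + bytes([len(adn_wire)]) + adn_wire
    if addrs:  # otherwise ADN-only mode: Addr Length and SvcParams are left out
        addr_wire = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
        alpn_val = b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpns)
        svc = struct.pack("!HH", SVCPARAM_ALPN, len(alpn_val)) + alpn_val
        if port is not None:
            svc += struct.pack("!HHH", SVCPARAM_PORT, 2, port)
        if dohpath is not None:
            path = dohpath.encode("utf-8")
            svc += struct.pack("!HH", SVCPARAM_DOHPATH, len(path)) + path
        body += bytes([len(addr_wire)]) + addr_wire + svc
    return struct.pack("!H", len(body)) + body  # DNR Instance Data Length prefix


def parse_svcparams(buf):
    params, pos = {}, 0
    while pos < len(buf):
        key, length = struct.unpack_from("!HH", buf, pos)
        value = buf[pos + 4:pos + 4 + length]
        pos += 4 + length
        if key == SVCPARAM_ALPN:
            alpns, i = [], 0
            while i < len(value):
                n = value[i]
                alpns.append(value[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            params["alpn"] = alpns
        elif key == SVCPARAM_PORT:
            params["port"] = struct.unpack("!H", value)[0]
        elif key == SVCPARAM_DOHPATH:
            params["dohpath"] = value.decode("utf-8")
        else:
            params[f"key{key}"] = value  # unknown keys are kept raw, not rejected
    return params


def parse_v4_dnr(payload):
    """Decode the payload of a DHCPv4 DNR option into resolver instances, best first."""
    instances, pos = [], 0
    while pos < len(payload):
        (inst_len,) = struct.unpack_from("!H", payload, pos)
        inst = payload[pos + 2:pos + 2 + inst_len]
        if len(inst) != inst_len:
            raise ValueError("truncated DNR instance")
        pos += 2 + inst_len
        priority = struct.unpack_from("!H", inst, 0)[0]
        adn_len = inst[2]
        adn = decode_name(inst[3:3 + adn_len])  # authentication domain name (ADN)
        p = 3 + adn_len
        if p >= len(inst):  # ADN-only mode: no addresses, no SvcParams
            instances.append({"priority": priority, "adn": adn, "addrs": [], "svc": {}})
            continue
        addr_len = inst[p]
        if addr_len % 4:
            raise ValueError("IPv4 address list length is not a multiple of 4")
        raw = inst[p + 1:p + 1 + addr_len]
        addrs = [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, addr_len, 4)]
        svc = parse_svcparams(inst[p + 1 + addr_len:])
        if "alpn" not in svc:
            raise ValueError("SvcParams without the mandatory alpn key")
        instances.append({"priority": priority, "adn": adn, "addrs": addrs, "svc": svc})
    return sorted(instances, key=lambda i: i["priority"])  # lower value = preferred


def encrypted_endpoints(instances):
    """Flatten instances into (protocol, address, port, adn, dohpath) tuples a client would try."""
    endpoints = []
    for inst in instances:
        for alpn in inst["svc"].get("alpn", []):
            port = inst["svc"].get("port", DEFAULT_PORTS.get(alpn))
            for addr in inst["addrs"]:
                endpoints.append((alpn, addr, port, inst["adn"], inst["svc"].get("dohpath")))
    return endpoints


# Constructed sample payload (not captured from a real network): a DoT/DoQ resolver
# on the default port and a DoH resolver with an explicit port and template path.
SAMPLE_OPTION_162 = (
    build_instance(10, "dns.example.net", ["192.0.2.53"], ["dot", "doq"])
    + build_instance(20, "doh.example.net", ["192.0.2.54", "192.0.2.55"], ["h2"],
                     port=8443, dohpath="/dns-query{?dns}")
)

if __name__ == "__main__":
    for ep in encrypted_endpoints(parse_v4_dnr(SAMPLE_OPTION_162)):
        print(ep)
```

The decoder only extracts what the DHCP server advertised; the security of the scheme rests on the client validating the resolver's TLS certificate against the ADN it received, so a decoded endpoint is a candidate to verify, not a resolver to trust.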
Enable the DNR feature to set up encrypted DNS automatically in Windows 11
As Amanda Langowski and Brandon LeBlanc (Microsoft) explain, the feature is for now limited to preview builds of Windows 11 but will soon arrive in the stable release of the operating system. The DNR function can be enabled by typing the following command in a terminal window opened with administrator rights:
reg add HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters /v EnableDnr /t REG_DWORD /d 1 /f
With DNR enabled, Windows 11 automatically configures at the operating-system level the encrypted DNS servers advertised by the local DHCP server, with no manual intervention required. To disable the feature later, issue the following command:
reg add HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters /v EnableDnr /t REG_DWORD /d 0 /f