Enable DoH natively on Windows 11

Hello all,

Since the release of Windows 11, I have been able to activate DoH natively on all my devices. Up to now I haven't had any issues, and I can confirm in the analytics that everything is indeed properly encrypted.

I've written a small PowerShell script for it, since you need to add the DoH servers manually before it works. I've also added a general binding of the DNS servers to the Wi-Fi and Ethernet adapters, so that you don't have to fill this in yourself.

Here's the code. Feel free to use or improve it.

#requires -RunAsAdministrator

$id = Read-Host "NextDNS ID"
$device = Read-Host "Device Name (leave empty if anonymous)"
$template = "https://dns.nextdns.io/$id/$device"

# NextDNS IPv6 resolvers embed the 6-character configuration ID in the address.
$ipv6a = "2a07:a8c0::" + $id.Substring(0, 2) + ":" + $id.Substring(2, 4)
$ipv6b = "2a07:a8c1::" + $id.Substring(0, 2) + ":" + $id.Substring(2, 4)

# The two IPv4 resolver literals in the original post were lost in extraction (assumption:
# prompt for them instead); take them from the NextDNS setup page of this configuration.
$ipv4a = Read-Host "First IPv4 resolver address (from the NextDNS setup page)"
$ipv4b = Read-Host "Second IPv4 resolver address (from the NextDNS setup page)"
$servers = @($ipv4a, $ipv4b, $ipv6a, $ipv6b)

Write-Host "Adding DoH servers..." -ForegroundColor Green
# Drop any stale entries first so the template is registered cleanly.
Remove-DnsClientDohServerAddress -ServerAddress $servers -ErrorAction Ignore | Out-Null
foreach ($server in $servers) {
    # No fallback to plaintext UDP; auto-upgrade so the resolver is used over DoH once bound.
    Add-DnsClientDohServerAddress -ServerAddress $server -DohTemplate $template -AllowFallbackToUdp $false -AutoUpgrade $true
}

Write-Host "Redirecting DNS to the DoH servers..." -ForegroundColor Green
Get-NetIPConfiguration |
    Where-Object InterfaceAlias -match "^Wi-Fi|^Ethernet" |
    ForEach-Object { Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ServerAddresses $servers }
5 replies
  • If you use our Windows client, it will do what your PowerShell script is doing, with a UI, when installed on Windows 11.

  • What in this code would I replace with my own details? I'm not very familiar with PowerShell but I can copy and paste this if I know what to replace with my own config.

      • DynamicNotSlow (Pro subscriber, 2 mths ago): Britton Hall, not needed. You can configure that in the network GUI.

  • My given resolver is 118 instead of 129. Maybe add that as a Read-Host after the config ID (since it's on the same page). It would also allow one place to edit the IP, similar to the IPv6 setup atm.

    Anyway, just want to say thanks for typing this up; don't know why the app doesn't have an option for an installer-less/service-less setup on Windows 11.

  • Emerald Star's script was very helpful. I've used it as a starting point for a more complete (and comfortable) script that also sets the DohFlags registry value, without which the DNS queries are unencrypted.

    You can find my script here: https://github.com/helgeklein/Win-DNS-DoH-PoSh

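The last reply points at a step the script in the original post does not perform: on Windows 11 the DoH setting only takes effect per interface, through a DohFlags registry value, and without it a resolver that has a DoH template registered is still queried in plaintext. The PowerShell below is an added example, not code from the original post or from the linked repository, that registers the resolvers, binds them to the physical Wi-Fi and Ethernet adapters, writes that per-interface value, and then reports for every bound resolver whether the DNS client will actually use DoH. The registry layout it assumes is HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{interface GUID}\DohInterfaceSettings\Doh\<IPv4 address> (Doh6\<IPv6 address> for IPv6), with a DWORD DohFlags of 1 taken to mean "DoH only, no plaintext fallback"; check both against current Microsoft documentation before relying on them. The template URL and resolver addresses are prompted for, not values taken from the thread.

```powershell
#requires -RunAsAdministrator
# Added example: enforce and verify per-interface DoH on Windows 11.
# ASSUMED registry layout (verify against Microsoft's DoH client documentation):
#   HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{GUID}\DohInterfaceSettings\Doh\<IPv4>
#   ...\DohInterfaceSettings\Doh6\<IPv6> for IPv6 resolvers
#   DohFlags (DWORD) = 1 is assumed to mean "DoH only, never fall back to plaintext UDP".

$template = Read-Host "DoH template URL (e.g. https://dns.nextdns.io/<id>/<device>)"
$servers  = (Read-Host "Resolver addresses, comma separated (IPv4 and/or IPv6)") -split '\s*,\s*' | Where-Object { $_ }
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters'

# Registry subkey for a resolver address under an interface: IPv6 addresses go under Doh6.
function Get-DohKeyPath([string]$InterfaceGuid, [string]$Server) {
    $family = if ($Server -match ':') { 'Doh6' } else { 'Doh' }
    return Join-Path $base "$InterfaceGuid\DohInterfaceSettings\$family\$Server"
}

# Human-readable verdict for one resolver on one interface.
function Get-DohState($KnownEntry, $Flags) {
    if ($KnownEntry -and $Flags -eq 1 -and -not $KnownEntry.AllowFallbackToUdp) { return 'DoH only' }
    if ($KnownEntry) { return 'DoH template known, but plaintext still possible (DohFlags missing or fallback allowed)' }
    return 'PLAINTEXT (no DoH template registered for this address)'
}

# 1. Register each resolver with its template. The known-server list is global, not per interface.
foreach ($server in $servers) {
    Remove-DnsClientDohServerAddress -ServerAddress $server -ErrorAction Ignore | Out-Null
    Add-DnsClientDohServerAddress -ServerAddress $server -DohTemplate $template -AllowFallbackToUdp $false -AutoUpgrade $true
}

# 2. Bind the resolvers to every physical Wi-Fi / Ethernet adapter and write the per-interface DohFlags.
$adapters = Get-NetAdapter -Physical | Where-Object { $_.InterfaceAlias -match '^Wi-Fi|^Ethernet' }
foreach ($adapter in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -ServerAddresses $servers
    foreach ($server in $servers) {
        $key = Get-DohKeyPath -InterfaceGuid $adapter.InterfaceGuid -Server $server
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name DohFlags -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# 3. Flush cached answers obtained before the change. The Dnscache service cannot be stopped on
#    Windows 11, so a reboot (or toggling the adapter) may still be needed before the flag is read.
Clear-DnsClientCache

# 4. Report. A resolver is only protected when it is (a) in the known DoH list with fallback off,
#    (b) bound to the interface and (c) has DohFlags = 1 on that interface.
$known = Get-DnsClientDohServerAddress
foreach ($adapter in $adapters) {
    $bound = (Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex).ServerAddresses
    foreach ($server in $bound) {
        $key   = Get-DohKeyPath -InterfaceGuid $adapter.InterfaceGuid -Server $server
        $flags = (Get-ItemProperty -Path $key -Name DohFlags -ErrorAction Ignore).DohFlags
        $entry = $known | Where-Object ServerAddress -eq $server
        "{0,-12} {1,-40} {2}" -f $adapter.InterfaceAlias, $server, (Get-DohState $entry $flags)
    }
}
```

The report at the end is the check worth keeping even if you configure everything through the GUI or the NextDNS client: a line that does not read "DoH only" means that resolver, on that adapter, can still be queried over plain UDP, which is exactly the case the thread's last reply describes. Any bound resolver that is not in the known-server list at all (for example a DHCP-supplied address that survived the binding step) shows up as PLAINTEXT.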