Windows 11 keeps disabling DNS over http
I am giving NextDNS a test run, and it's been fine... until I tried setting it up on my sole Windows 11 machine. This is not on a domain. It's Win11 Pro, no beta software, nothing like that. I do have NordVPN on it, along with WSL, but nothing that's not on my Win10 machines, which work fine.
The NextDNS client pops up constantly with this 'set global DoH' error I've pasted an image of. It happens so often it makes the machine unusable if the NextDNS client is installed. I don't use any GPOs, but whatever. I ran GPResult and I found that this particular entry related to DNS over HTTP is enabled with the value set to "Prohibit DoH."
So I change it to "Allow DoH" and exit. Well, within one second, it's been changed back. I can't leave this value unconfigured or change it, because it will be set back to these settings immediately. Whatever is changing it is polling multiple times per second, since the change back is essentially instantaneous. I am running gpedit.msc as an administrator, in case that matters.
So I systematically went through shutting down every running app/Windows Service that wasn't specifically part of Windows, and it still happens. Nothing I can do will make it stop changing it to 'Prohibit DoH,' thus generating the constant NextDNS client errors.
What's interesting is that this machine is essentially identical to another (in terms of programs installed) Windows 10 machine that has no issues.
I am completely at a loss here, as I've spent several hours trying to track this down. I would like to use it, but this makes it unusable.
Would it be possible to try to diagnose why and how the GP setting is reverting the allowance of DoH? That seems to be your main issue here: you know how to resolve it (DoH disallowed) but are held back because it simply defaults back to prohibiting it. Is there any kind of policy you have (other than GP) that might be enforcing DoH to be blocked?
I finally had time to dig in with ProcMon, and I found the issue, but I don't think there's a good solution. It's the Cisco AnyConnect VPN Client v.4.10. It changes that GPO, but only on Windows 11, which is why things work fine on otherwise identically-configured Windows 10 machines. This is for use with their own DNS product, Umbrella (OpenDNS), which is geared towards businesses.
I looked on the Cisco website to see if v.4.9 was still available, and it no longer is. So it appears the only option is to remove the VPN client from my Windows 11 machine.
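An added PowerShell helper, not from this thread, for checking the DoH policy state the poster saw in GPResult and timestamping every revert before reaching for ProcMon. It assumes the Group Policy setting lives under the DNSClient policy key as a DWORD named DoHPolicy (1 = Prohibit, 2 = Allow, 3 = Require); verify the key and values on your own build.

```powershell
# Added example, not the thread's own code. Assumed registry location of the
# "Configure DNS over HTTPS (DoH) name resolution" policy; verify before relying on it.
$global:DoHKeyPath   = 'SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$global:DoHValueName = 'DoHPolicy'
$global:DoHMeaning   = @{ 1 = 'Prohibit DoH'; 2 = 'Allow DoH'; 3 = 'Require DoH' }
$global:DoHLog       = Join-Path $env:TEMP 'DoHPolicyWatch.log'

function global:Get-DoHPolicyState {
    # Returns a readable description of the current policy value (or 'Not configured').
    $item = Get-ItemProperty -Path "HKLM:\$global:DoHKeyPath" -Name $global:DoHValueName `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    $v = [int]$item.$global:DoHValueName
    if ($global:DoHMeaning.ContainsKey($v)) { return "$($global:DoHMeaning[$v]) ($v)" }
    return "Unknown value ($v)"
}

Write-Host "Current state: $(Get-DoHPolicyState)"

# WQL registry watcher: fires each time the value is written, so a revert that happens
# "within one second" of an edit shows up with a timestamp. It cannot name the writing
# process; for that, use ProcMon filtered on the key path and RegSetValue, as the
# original poster did to find the Cisco AnyConnect client.
$wqlKeyPath = $global:DoHKeyPath -replace '\\', '\\'   # WQL needs doubled backslashes
$query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
         "AND KeyPath='$wqlKeyPath' AND ValueName='$global:DoHValueName'"

Register-CimIndicationEvent -Namespace 'root\default' -Query $query `
    -SourceIdentifier 'DoHPolicyWatch' -Action {
        $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss.fff')
        Add-Content -Path $global:DoHLog -Value "$stamp  DoHPolicy changed -> $(Get-DoHPolicyState)"
    } | Out-Null

Write-Host "Watching; changes are appended to $global:DoHLog"
Write-Host "Stop with: Unregister-Event -SourceIdentifier DoHPolicyWatch"
```

Change the policy in gpedit.msc while the watcher is registered; each write (including the revert) appears as a timestamped log line.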