
When DoH (DNS over HTTPS) is enabled, DNS queries from the Windows client to the DNS server are sent over an encrypted HTTPS connection instead of as plaintext on port 53. An on-path observer on the local network or at the ISP can no longer read or modify the queries.

To set up encrypted DNS with PowerShell on Windows 11, run PowerShell as Administrator; the cmdlets and registry changes below all require elevation. Set the adapter's DNS server address first, then register the DoH template and force encryption. The "force encryption" setting is stored per interface and per server address, so if you apply it before the DNS server is set you will have to apply it again by hand.

NOTE: To obtain your FQDN go to the General page of the Create New Security Policy wizard in the Cloud Services Portal (Cloud Services Portal > Policies > Security Policies > Create New Security Policy > General). Copy the auto-generated FQDN, or click regenerate to generate a new FQDN. Note that DoH per Policy must be enabled in order to obtain the FQDN.

Step 1: Set the Local DNS

List the available interfaces with the Get-NetAdapter cmdlet and note the adapter's Name, ifIndex and InterfaceGuid; the GUID is the key name used in Step 3. Then set the DoH server address (see Step 2 for the supported addresses) as that adapter's DNS server, for example with Set-DnsClientServerAddress.

The DNS output.

Step 2: Register the DoH Template

The remaining steps are done from PowerShell rather than the Settings UI. Use the Add-DnsClientDohServerAddress cmdlet, which takes two options:

  • -ServerAddress

  • -DohTemplate

It will look like this:

Add-DnsClientDohServerAddress -ServerAddress [ip] -DohTemplate [url]

-DohTemplate is the DoH URL for your security policy. In the example below, replace "fc6ca07a-0b03-45fb-9feb-7694b14fb249" with the FQDN generated for your policy (see the note above).

Add-DnsClientDohServerAddress -ServerAddress 52.119.41.200 -DohTemplate https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query 

The cmdlet returns the registered entry, again with your policy's FQDN in place of "fc6ca07a-0b03-45fb-9feb-7694b14fb249":

ServerAddress  AllowFallbackToUdp AutoUpgrade DohTemplate
-------------  ------------------ ----------- -----------
52.119.41.200    False       False    https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query 

You can confirm it was registered with Get-DnsClientDohServerAddress, or from an elevated command prompt with:

netsh dns show encryption

This lists every DoH template known to the system, including the built-in well-known servers. Scroll until you see the entry for the doh.threatdefense.infoblox.com service; it shows your policy's FQDN in place of "fc6ca07a-0b03-45fb-9feb-7694b14fb249":

Encryption settings for 52.119.41.200
----------------------------------------
DNS-over-HTTPS template : https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query
Auto-upgrade            : no
UDP-fallback            : no

The DoH server IP is 52.119.41.200 or 103.80.6.200. IPv6 DNS is supported, but DoH is not yet available over IPv6, so any IPv6 DNS server assigned to the adapter (statically, by DHCPv6 or by router advertisement) would still be queried in plaintext. We encourage you to disable IPv6 on the machine to avoid leaking DNS queries.

Now that the template is registered, we can force encryption. The DoH well-known servers built into Windows are listed in the registry under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers; servers added with Add-DnsClientDohServerAddress appear alongside them in netsh dns show encryption.

Step 3: Force Encryption on DNS

To force encryption we set a registry value per interface and per DoH server. In PowerShell this takes a few more lines than a single reg add in the command prompt, because the key must be created before the value can be written.

For this step, we recommend saving the following as a PowerShell script (e.g. forcedns.ps1) and running it from an elevated PowerShell.

This is what you want in the file:

# Replace the GUID with your adapter's InterfaceGuid (from Get-NetAdapter)
# and the trailing IP with the DoH server address you registered in Step 2.
$RegistryPath = 'HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh\52.119.41.200'
$Name         = 'DohFlags'
$Value        = 1          # 1 = force DoH for this server on this interface
# Create the key if it does not exist (New-ItemProperty fails on a missing key)
If (-NOT (Test-Path $RegistryPath)) {
  New-Item -Path $RegistryPath -Force | Out-Null
}
# Now set the value; DohFlags is a REG_QWORD, and -Force overwrites an existing value
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType QWORD -Force

Note where the value lives: under HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\, then the interface GUID, then DohInterfaceSettings\Doh\<server IP>. A machine with several adapters needs one such key per adapter that should be forced to DoH.

You can run the script you created like this (-ExecutionPolicy Bypass applies to this process only and does not change the machine's policy; the prompt must be elevated because the script writes to HKLM):

powershell.exe -ExecutionPolicy Bypass -File "C:\[path to PS script]\forcedns.ps1"

When successful, New-ItemProperty echoes the value it wrote, with your adapter's GUID and the server address from the script:

DohFlags     : 1
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh\52.119.41.200
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh
PSChildName  : 52.119.41.200
PSDrive      : HKLM
PSProvider   : Microsoft.PowerShell.Core\Registry

Open Settings > Network & internet, select the adapter and look at its DNS server assignment. The DoH server should be listed with encryption shown as on, as in the screenshot below.

The edited DNS settings.
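The three steps above combined into one idempotent script for a single adapter, as an added example that is not part of the original page or of Infoblox's own tooling. It assumes an adapter named 'Ethernet', reuses the example policy FQDN and the two DoH server addresses from this page, and must be run from an elevated PowerShell; replace the adapter name and FQDN with your own values.

```powershell
# Added example (not from the original page): Steps 1-3 for one adapter.
# ASSUMPTIONS: adapter name 'Ethernet', the example policy FQDN from this page,
# and the two Infoblox DoH server IPs from this page. Replace as needed.
#Requires -RunAsAdministrator

$AdapterName = 'Ethernet'   # assumption: pick the Name shown by Get-NetAdapter
$PolicyFqdn  = 'fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com'  # use your policy's FQDN
$DohServers  = @('52.119.41.200', '103.80.6.200')
$DohTemplate = "https://$PolicyFqdn/dns-query"
$IfaceKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters'

$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
$guid    = $adapter.InterfaceGuid   # e.g. {b8c2ef47-...}; this is the per-interface key name
"Configuring DoH on '$($adapter.Name)' (ifIndex $($adapter.ifIndex), $guid)"

# Step 1: set the DNS servers before touching DoH. The DohFlags value written in
# Step 3 is keyed by interface AND server address, so the address must exist first.
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DohServers

# Step 2: register the template for each server address, skipping ones already present.
# Plaintext UDP fallback and auto-upgrade stay off, matching the netsh output above.
foreach ($ip in $DohServers) {
    if (-not (Get-DnsClientDohServerAddress -ServerAddress $ip -ErrorAction SilentlyContinue)) {
        Add-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $DohTemplate `
            -AllowFallbackToUdp $false -AutoUpgrade $false | Out-Null
    }
}

# Step 3: force encryption on this interface for each server (DohFlags = 1, REG_QWORD).
foreach ($ip in $DohServers) {
    $key = "$IfaceKey\$guid\DohInterfaceSettings\Doh\$ip"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DohFlags' -Value 1 -PropertyType QWord -Force | Out-Null
}

# Optional, as the page recommends: unbind IPv6 from this adapter so no plaintext
# IPv6 DNS path remains. Uncomment only if IPv6 is not needed on this host.
# Disable-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6

# Verify: template registered, flag set, and names still resolve through the client.
Clear-DnsClientCache
Get-DnsClientDohServerAddress | Where-Object { $_.ServerAddress -in $DohServers } | Format-Table -AutoSize
foreach ($ip in $DohServers) {
    $flags = (Get-ItemProperty -Path "$IfaceKey\$guid\DohInterfaceSettings\Doh\$ip" -Name DohFlags).DohFlags
    "{0}: DohFlags={1}" -f $ip, $flags
}
Resolve-DnsName -Name 'example.com' -Type A | Format-Table -AutoSize
```

Because UDP fallback is disabled and DohFlags forces encryption, name resolution on this adapter fails outright if the DoH endpoint is unreachable (for example on a captive portal), which is the intended fail-closed behaviour; confirm the setup with a packet capture showing no port 53 traffic leaving the host, only TLS to the DoH server addresses.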