
Using Encrypted DNS on Windows with PowerShell (DOH)

When the DoH feature is enabled, DNS queries from the Windows client to the DNS server are transmitted over an HTTPS connection instead of in plain text. Because the query travels inside an encrypted connection, it is shielded from interception or tampering by untrusted third parties on the network path. Note that DoH protects the query in transit only; the DoH resolver itself still sees every name you look up.

To set up encrypted DNS using PowerShell on Windows 11, PowerShell must be run as Administrator in order to execute the commands below. You also need to set the DNS server value first, so that when encryption is forced it is applied to that server automatically. If encryption is set before the DNS value is set, you will have to repeat the step manually.

When traffic is sent over DoH, reports in the Infoblox Portal should show the source as "Unknown."

NOTE: To obtain your FQDN go to the General page of the Create New Security Policy wizard in the Infoblox Portal (Infoblox Services Portal > Configuration > Security). Copy the auto-generated FQDN, or click regenerate to generate a new FQDN. Note that DoH per Policy must be enabled in order to obtain the FQDN. The format should be https://FQDN/dns-query.

Step 1: Set the Local DNS

Check what interfaces are available by using the Get-NetAdapter cmdlet, and note the adapter you will configure: the DNS server is set per interface, and the registry key used later to force encryption is keyed by that interface's GUID.

Image: The DOH template output.

Step 2: Register the DOH Template.

Everything else can be done manually in the interface settings, but here we use the Add-DnsClientDohServerAddress cmdlet. You will have to pass two specific options:

  • -ServerAddress

  • -DohTemplate

It will look like this:

Add-DnsClientDohServerAddress -ServerAddress [ip] -DohTemplate [url]

The DohTemplate is referencing the DOH URL. In the URL example below, “fc6ca07a-0b03-45fb-9feb-7694b14fb249" should be replaced with your unique URL per policy.

Add-DnsClientDohServerAddress -ServerAddress 52.119.41.200 -DohTemplate https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query

It will generate an output like this. Do note that in the URL example below, “fc6ca07a-0b03-45fb-9feb-7694b14fb249" will be replaced with your unique URL per policy.

ServerAddress AllowFallbackToUdp AutoUpgrade DohTemplate
------------- ------------------ ----------- -----------
52.119.41.200 False              False       https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query

You can confirm it was registered by running:

You will see all the DOH templates registered on the machine, including the Windows built-in well-known servers. Scroll until you see the entry for the doh.threatdefense.infoblox.com service, and check that AllowFallbackToUdp is False so a DoH failure does not silently fall back to plain-text UDP. Do note that in the URL example above, “fc6ca07a-0b03-45fb-9feb-7694b14fb249" will be replaced with your unique URL per policy.


The Server IP for DOH will be 52.119.41.200 or 103.80.6.200. While we support IPv6 DNS, we don’t have it configured for DOH yet. We encourage you to disable IPv6 on the machine, or at least make sure no IPv6 DNS servers are configured on the interface, to avoid leaking DNS queries in plain text over IPv6.

Now that the template is registered, we can set encryption. You can find the DOH Well Known Servers registered on your device by checking the registry here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\

Step 3: Force Encryption on DNS

To force encryption we’re going to manipulate the registry keys. Doing so in PowerShell is a bit more involved than with the command prompt: where we would once use a single reg add, we now create the key and its value with separate cmdlets.

For this step, we recommend dropping the following into a PowerShell script file (e.g., forcedns.ps1) and running it from an elevated PowerShell session.

This is what you want in the file:

You will notice that we’re defining where the per-interface registry values live here: HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\ (the interface GUID from Get-NetAdapter is the subkey under this path).

You can execute the PS script you create like this:

When successful, it should generate an output like this:

Open Settings and navigate to your DNS section. It should look like this.

Image: The edited DNS settings.
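The three steps above, carried through as one script. This is an added example and not the article's own forcedns.ps1: the adapter name 'Ethernet', the example per-policy template URL, and the use of the DohFlags QWORD value (name, type and value 1 taken from Microsoft's published instructions for manual DoH registry configuration) are assumptions you should check against your environment and your Windows build. Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's script. Configures plain-text DNS on one
# interface, registers the Infoblox DoH template, then forces DoH on that
# interface through the per-interface registry key. Replace the assumed values.

$InterfaceAlias = 'Ethernet'        # assumption: pick the adapter name from Get-NetAdapter
$ServerAddress  = '52.119.41.200'   # Infoblox DoH address from the article (or 103.80.6.200)
$DohTemplate    = 'https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query'  # replace with your per-policy URL

# Step 1: set the plain-text DNS server first, so the DoH setting attaches to it.
$adapter = Get-NetAdapter -Name $InterfaceAlias
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $ServerAddress

# Step 2: register the DoH template. UDP fallback is disabled so a DoH failure
# does not silently degrade to plain text; AutoUpgrade is left off to match
# the article's output.
if (Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $ServerAddress) {
    Remove-DnsClientDohServerAddress -ServerAddress $ServerAddress
}
Add-DnsClientDohServerAddress -ServerAddress $ServerAddress -DohTemplate $DohTemplate `
    -AllowFallbackToUdp $false -AutoUpgrade $false

# Confirm the registration.
Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $ServerAddress | Format-List

# Step 3: force DoH on this interface. The per-interface setting lives under
# InterfaceSpecificParameters\<interface GUID>\DohInterfaceSettings\Doh\<server IP>.
$guid    = $adapter.InterfaceGuid
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\$guid\DohInterfaceSettings\Doh\$ServerAddress"
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null    # -Force creates the intermediate keys
}
# DohFlags = 1 enables DoH for this server on this interface (assumption; verify for your build).
New-ItemProperty -Path $keyPath -Name 'DohFlags' -PropertyType QWord -Value 1 -Force | Out-Null

# Flush the resolver cache so new lookups use the new configuration, then show the result.
Clear-DnsClientCache
Get-ItemProperty -Path $keyPath | Select-Object DohFlags

# Smoke test. Confirm encryption from the Infoblox Portal report, where the
# source should show as "Unknown", and from Settings > Network > DNS on the client.
Resolve-DnsName -Name 'example.com' -Type A | Format-Table
```

The script removes and re-adds the DoH server entry so it is idempotent when re-run, and it disables UDP fallback deliberately: with fallback allowed, a blocked or failing DoH endpoint would quietly send queries in plain text, which defeats the purpose of this configuration.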