Using Encrypted DNS on Windows with PowerShell (DOH)

When DoH is enabled (here, configured by using PowerShell), the DNS queries that Windows sends to the DNS server are transmitted over an HTTPS connection instead of in plain text. A DNS query sent over the encrypted connection is shielded from interception by untrusted third parties on the network path.

To set up encrypted DNS by using PowerShell on Windows 11, make sure that PowerShell is running as Administrator; the DNS client and registry commands used below require elevation. Set the DNS server address first, so that it is picked up automatically when encryption is forced. If encryption is forced before the DNS server address is set, you will have to repeat that step manually.

When traffic is sent over DoH, reports in the Infoblox Portal should show the source as Unknown.

NOTE: To obtain your FQDN, go to the General page of the Create New Security Policy wizard in the Infoblox Portal (Infoblox Services Portal > Configuration > Security), and copy the auto-generated FQDN or click Regenerate to generate a new FQDN. To obtain the FQDN, DoH per Policy must be enabled. The format should be https://FQDN/dns-query.

Step 1: Set the Local DNS.

Check which interfaces are available by using the Get-NetAdapter cmdlet.

Image: The DOH template output.

Step 2: Register the DoH template.

All other steps are manual in the interface settings. We will use the Add-DnsClientDohServerAddress cmdlet and pass two options:

  • -ServerAddress

  • -DohTemplate

The command will look like this:

Add-DnsClientDohServerAddress -ServerAddress [ip] -DohTemplate [url]

The DohTemplate is referencing the DOH URL. In the URL example below, "fc6ca07a-0b03-45fb-9feb-7694b14fb249" should be replaced with your unique URL per policy.

Add-DnsClientDohServerAddress -ServerAddress 52.119.41.200 -DohTemplate https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query

The command will generate an output such as that shown below, where "fc6ca07a-0b03-45fb-9feb-7694b14fb249" will be replaced with your unique URL per policy.

ServerAddress  AllowFallbackToUdp  AutoUpgrade  DohTemplate
-------------  ------------------  -----------  -----------
52.119.41.200  False               False        https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query

To confirm that the template was registered, run the following:

netsh dns show encryption

You will see all the DoH templates available to use. Scroll until you see the entry for the doh.threatdefense.infoblox.com service. In the URL example below, "fc6ca07a-0b03-45fb-9feb-7694b14fb249" will be replaced with your unique URL per policy.

Encryption settings for 52.119.41.200
------------- ------------------ ----------- -----------
DNS-over-HTTPS template : https://doh.fc6ca07a-0b03-45fb-9feb-7694b14fb249.threatdefense.infoblox.com/dns-query
Auto-upgrade            : no
UDP-fallback            : no

The Server IP for DOH will be 52.119.41.200 or 103.80.6.200. While we support IPv6 DNS, we do not have it configured for DoH yet. We encourage you to disable IPv6 on the machine, to avoid leaking DNS queries.

Now that the template is registered, we can set encryption. You can find the DoH Well Known Servers for your device by checking the registry here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\

Step 3: Force encryption on DNS

To force encryption, we will manipulate the registry keys by using PowerShell. This process is a bit more involved than the one we would follow at the command prompt, where we would use reg add.

For this step, we recommend saving the following in a PowerShell script file (for example, forcedns.ps1) and executing it with PowerShell.

This is what you want in the file:

# Per-interface DoH setting for one DNS server. Replace the interface GUID
# with your adapter's unique interface ID and the trailing IP with the
# DoH server address you registered in Step 2.
$RegistryPath = 'HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh\52.119.41.200'
$Name  = 'DohFlags'
$Value = '1'

# Create the key if it does not exist
If (-NOT (Test-Path $RegistryPath)) {
    New-Item -Path $RegistryPath -Force | Out-Null
}

# Now set the value (DohFlags = 1 forces DoH for this server on this interface)
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType QWORD -Force

You will notice that we are defining where the registry values live, here: HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\

Unique interface ID:
The unique interface ID is located within the registry path. An example unique interface ID is {b8c2ef47-639d-4b00-96f4-b8e3c8a30618}.

Example:
$RegistryPath = 'HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh\52.119.41.200'

To retrieve your Windows system's unique interface identifier, see Retrieving a Windows System Unique Interface ID.

To execute the PowerShell script you created, run:

powershell.exe -ExecutionPolicy Bypass -File "C:\[path to PS script]\forcedns.ps1"

When successful, it should generate an output like this:

DohFlags     : 1
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh\185.228.168.10
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh
PSChildName  : 185.228.168.10
PSDrive      : HKLM
PSProvider   : Microsoft.PowerShell.Core\Registry
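The three steps above can be combined into one script that looks up the adapter's interface GUID instead of hard-coding it, skips template registration when the server is already known, and verifies the result. This is an added example, not Infoblox's own script; the adapter alias 'Ethernet' and the <YOUR-FQDN> placeholder in the template are assumptions you must replace.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): set the resolver, register the
# DoH template and force DoH on one adapter. Assumed values: alias 'Ethernet'
# and a placeholder FQDN that must be replaced with your per-policy FQDN.
param(
    [string]$InterfaceAlias = 'Ethernet',
    [string]$ServerAddress  = '52.119.41.200',
    [string]$DohTemplate    = 'https://<YOUR-FQDN>.doh.threatdefense.infoblox.com/dns-query'
)

# Step 1: resolve the adapter and point its resolver at the DoH server.
$adapter = Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $ServerAddress

# Step 2: register the template unless this server is already registered.
# Fallback to UDP and auto-upgrade stay off so a failed HTTPS path does not
# silently degrade to plaintext DNS.
$existing = Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue |
    Where-Object ServerAddress -eq $ServerAddress
if (-not $existing) {
    Add-DnsClientDohServerAddress -ServerAddress $ServerAddress -DohTemplate $DohTemplate `
        -AllowFallbackToUdp $false -AutoUpgrade $false
}

# Step 3: per-interface DohFlags, keyed on the adapter's own GUID
# (InterfaceGuid is returned with braces, matching the registry key name).
$regPath = 'HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\' +
           "$($adapter.InterfaceGuid)\DohInterfaceSettings\Doh\$ServerAddress"
if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
New-ItemProperty -Path $regPath -Name 'DohFlags' -Value 1 -PropertyType QWord -Force | Out-Null

# Verify: the template is registered and the interface key carries DohFlags = 1.
Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $ServerAddress | Format-List
"DohFlags for $InterfaceAlias ($($adapter.InterfaceGuid)): " +
    (Get-ItemProperty -Path $regPath).DohFlags
```

Run it with the same -ExecutionPolicy Bypass -File invocation shown above, then confirm the Settings page and netsh dns show encryption agree with the script's output.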

Open Settings and navigate to your DNS section. It should look like this.

Image: The edited DNS settings.
