Using Encrypted DNS on Windows with PowerShell (DOH)
When DoH is enabled, DNS queries between the Windows client and the DNS server are sent over an encrypted HTTPS connection instead of in plain text. A DNS query carried over the encrypted connection is therefore shielded from interception by untrusted third parties on the network path.
To set up encrypted DNS with PowerShell on Windows 11, run PowerShell as Administrator; the cmdlets and registry changes below require it. Set the DNS server address first, so that it is picked up automatically when you force encryption. If encryption is forced before the DNS server is set, you will have to set it again manually.
When traffic is sent over DoH, reports in the Infoblox Portal should show the source as Unknown.
NOTE: To obtain your FQDN, go to the General page of the Create New Security Policy wizard in the Infoblox Portal (Infoblox Services Portal > Configuration > Security), and copy the auto-generated FQDN or click Regenerate to generate a new FQDN. To obtain the FQDN, DoH per Policy must be enabled. The format should be https://FQDN/dns-query.
Step 1: Set the Local DNS.
Check which interfaces are available by using the Get-NetAdapter cmdlet.
Step 2: Register the DoH template.
All other steps are manual in the interface settings. We will use the Add-DnsClientDohServerAddress cmdlet and pass two options:
-ServerAddress
-DohTemplate
The command will look like this:
Add-DnsClientDohServerAddress -ServerAddress [ip] -DohTemplate [url]
The DohTemplate option references the DoH URL. In the URL example below, "fc6ca07a-0b03-45fb-9feb-7694b14fb249" should be replaced with your unique URL per policy.
Add-DnsClientDohServerAddress -ServerAddress 52.119.41.200 -DohTemplate https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query
The command will generate an output such as that shown below, where "fc6ca07a-0b03-45fb-9feb-7694b14fb249" will be replaced with your unique URL per policy.
ServerAddress AllowFallbackToUdp AutoUpgrade DohTemplate
------------- ------------------ ----------- -----------
52.119.41.200 False False https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query
To confirm that the template was registered, run the following:
netsh dns show encryption
You will see all the DoH templates available to use. Scroll until you see the entry for the doh.threatdefense.infoblox.com service. In the URL example below, "fc6ca07a-0b03-45fb-9feb-7694b14fb249" will be replaced with your unique URL per policy.
Encryption settings for 52.119.41.200
------------- ------------------ ----------- -----------
DNS-over-HTTPS template : https://doh.fc6ca07a-0b03-45fb-9feb-7694b14fb249.threatdefense.infoblox.com/dns-query
Auto-upgrade : no
UDP-fallback : no
The server IP for DoH will be 52.119.41.200 or 103.80.6.200. While we support IPv6 DNS, we do not have it configured for DoH yet. We encourage you to disable IPv6 on the machine to avoid leaking DNS queries over an unencrypted IPv6 resolver.
Now that the template is registered, we can force encryption. You can find the DoH well-known servers registered on your device under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers.
Step 3: Force encryption on DNS
To force encryption, we will manipulate the registry keys by using PowerShell. This process is a bit more involved than the command-prompt equivalent, where we would use reg add.
For this step, we recommend dropping the following into a PowerShell file (e.g., forcedns.ps1) and executing it with PowerShell.
This is what you want in the file:
# Per-interface DoH settings key: replace the interface GUID with your own (see "Unique interface ID" below)
# and the trailing IP with the DoH server you registered in Step 2.
$RegistryPath = 'HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh\52.119.41.200'
$Name = 'DohFlags'
$Value = 1   # 1 = force DoH for this server on this interface
# Create the key if it does not exist
If (-NOT (Test-Path $RegistryPath)) {
    New-Item -Path $RegistryPath -Force | Out-Null
}
# Now set the value (QWORD, as the DNS client expects)
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType QWORD -Force
You will notice that we are defining where the registry values live, here: HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\
Unique interface ID:
The unique interface ID is located within the registry path. An example unique interface ID is {b8c2ef47-639d-4b00-96f4-b8e3c8a30618}.
Example: $RegistryPath = 'HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh\52.119.41.200'
To retrieve your Windows system's unique interface ID, see Retrieving a Windows System Unique Interface ID.
To execute the PS script you create, do this:
powershell.exe -ExecutionPolicy Bypass -File "C:\[path to PS script]\forcedns.ps1"
When successful, it should generate an output like this:
DohFlags     : 1
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh\185.228.168.10
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh
PSChildName  : 185.228.168.10
PSDrive      : HKLM
PSProvider   : Microsoft.PowerShell.Core\Registry
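The three steps above can be tied together in one script that discovers the interface GUID itself instead of having you look it up. This is an added example, not Infoblox's own script: it assumes the adapter name is "Ethernet", uses the placeholder FQDN from the note above for the per-policy template, and must run in an elevated PowerShell on Windows 11.

```powershell
# Added example (not from the Infoblox page): end-to-end DoH setup for one adapter.
# Assumptions: adapter name, DoH server IP and per-policy template URL are supplied
# by the operator; <FQDN> is a placeholder for the policy FQDN from the Infoblox Portal.
param(
    [string]$AdapterName = 'Ethernet',                  # assumption: adapter to configure
    [string]$DohServer   = '52.119.41.200',             # Infoblox DoH server IP from this page
    [string]$DohTemplate = 'https://<FQDN>/dns-query'   # placeholder: https://FQDN/dns-query
)
$ErrorActionPreference = 'Stop'

# Step 1: find the adapter and its interface GUID (the "unique interface ID" used in the
# registry path), then set the DNS server BEFORE forcing encryption.
$adapter = Get-NetAdapter -Name $AdapterName
$ifGuid  = $adapter.InterfaceGuid          # e.g. {b8c2ef47-639d-4b00-96f4-b8e3c8a30618}
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DohServer
# Optional, per the IPv6 note above:
# Disable-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6

# Step 2: register the DoH template once; no UDP fallback and no auto-upgrade,
# matching the AllowFallbackToUdp/AutoUpgrade = False output shown earlier.
if (-not (Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $DohServer)) {
    Add-DnsClientDohServerAddress -ServerAddress $DohServer -DohTemplate $DohTemplate `
        -AllowFallbackToUdp $false -AutoUpgrade $false
}

# Step 3: force encryption for this server on this interface (DohFlags = 1).
$regPath = "HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\" +
           "$ifGuid\DohInterfaceSettings\Doh\$DohServer"
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name 'DohFlags' -Value 1 -PropertyType QWord -Force | Out-Null

# Verification: the template must be listed for the server, and a fresh query must resolve.
Get-DnsClientDohServerAddress -ServerAddress $DohServer
Clear-DnsClientCache
Resolve-DnsName -Name example.com -Type A | Select-Object Name, IPAddress
```

After running it, cross-check with netsh dns show encryption and with the Infoblox Portal report, where DoH traffic should appear with the source Unknown.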
Open Settings and navigate to your DNS section. It should look like this.