
Enable DNS over HTTPS in Windows 11 (2026)

Encrypt your DNS queries so your ISP and network snoops cannot see the sites you visit. Here is the built-in Windows 11 setup, no extra software.

Sam Carter

Every time you visit a website, your PC asks a DNS server to translate the name into an IP address, and by default that question travels in plain text. Anyone on the path, including your ISP and anyone sniffing public Wi-Fi, can log every domain you look up. DNS over HTTPS wraps those lookups in encryption, and Windows 11 has it built in.

Quick answer

Open Settings, go to Network and internet, click your Wi-Fi or Ethernet connection, then Hardware properties, and Edit the DNS server assignment. Switch it to Manual, turn IPv4 on, enter an encrypted DNS provider such as Cloudflare (1.1.1.1) or Quad9 (9.9.9.9), set DNS over HTTPS to On, and Save. Windows shows each server with "(Encrypted)" next to it once it is working.

Key takeaways

  • DNS over HTTPS (DoH) encrypts your domain lookups so ISPs and network snoops cannot read them.
  • Windows 11 supports DoH natively; no third-party app is needed.
  • You must use a DoH-aware provider, such as Cloudflare, Google, or Quad9.
  • Set it per connection under Hardware properties, then confirm the "(Encrypted)" label.
  • DoH hides which sites you look up, not your traffic; it is one layer, not a full VPN.

What DNS over HTTPS actually protects

DoH encrypts the DNS query itself, so an eavesdropper on your network can no longer see that you asked for a particular domain. It also makes it harder for a network to silently redirect your lookups. What it does not do is hide the destination IP once you connect, or encrypt the page contents (HTTPS already handles that).

Concern                              | DoH helps?
-------------------------------------|------------------------------
ISP logging which domains you visit  | Yes, the lookup is encrypted
Public Wi-Fi snooping your DNS       | Yes
DNS-based redirection and tampering  | Reduces risk
Hiding your IP address               | No, use a VPN
Encrypting page content              | Already done by HTTPS

For redirection attacks specifically, DoH is a strong mitigation; if you suspect your router has been tampered with, pair this with the checks in our guide to detecting and stopping router DNS hijacking.

Pick a DoH provider

Choose a provider based on what you want: raw privacy, speed, or built-in filtering.

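Provider    | Primary IPv4 | Notes
------------|--------------|----------------------------------------------------
Cloudflare  | 1.1.1.1      | Fast, privacy-focused, no logging of personal data
Google      | 8.8.8.8      | Reliable, widely used
Quad9       | 9.9.9.9      | Blocks known malicious domains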

Windows 11 recognizes these well-known providers automatically and applies their DoH endpoints when you enter the matching IP address.

Turn on DoH in Windows 11

    1. Press Windows+I, open Network and internet, and click your active Wi-Fi or Ethernet connection.
    2. Click Hardware properties, then click Edit next to DNS server assignment.
    3. Change the dropdown from Automatic to Manual and turn the IPv4 switch on.
    4. Enter your provider's Preferred DNS (for example, 1.1.1.1) and set DNS over HTTPS to On.
    5. Optionally repeat for IPv6, then click Save.

Back on the Hardware properties page, each DNS server should now show "(Encrypted)" beside it. If it says "(Unencrypted)," the IP you entered is not a recognized DoH provider, so double-check the address.

Warning

Setting manual DNS overrides any DNS your network hands out. On a corporate or school network that relies on internal DNS, this can break access to intranet resources. Use automatic DNS on those networks, or ask IT for an approved DoH configuration.

Verify and troubleshoot

Confirm DoH is really active rather than assuming. The "(Encrypted)" label in Settings is the quickest check. You can also visit a provider's connection test page (for example, Cloudflare's), which reports whether your DNS is being resolved securely.
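
For a check that does not rely on reading the Settings page, the read-only PowerShell audit below (an added example, not part of the original article) compares the DNS servers configured on each active adapter with the list of DoH servers Windows recognizes. It assumes the DnsClient and NetAdapter modules that ship with Windows 11, and it does not read the per-connection DNS over HTTPS switch itself, so the "(Encrypted)" label remains the confirmation that the switch is on.

```powershell
# Added example: read-only audit for Windows 11 (Windows PowerShell 5.1 or PowerShell 7).
# Uses the built-in DnsClient and NetAdapter modules; changes nothing.

# Index the DoH servers Windows already knows, keyed by IP address.
$knownDoh = @{}
foreach ($entry in Get-DnsClientDohServerAddress) {
    $knownDoh[$entry.ServerAddress] = $entry
}

# Check every DNS server configured on adapters that are currently up.
$report = foreach ($adapter in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
    foreach ($cfg in Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex) {
        foreach ($ip in $cfg.ServerAddresses) {
            $doh = $knownDoh[$ip]
            [pscustomobject]@{
                Interface   = $adapter.Name
                Server      = $ip
                KnownDoH    = $null -ne $doh
                Template    = if ($doh) { $doh.DohTemplate } else { '' }
                UdpFallback = if ($doh) { $doh.AllowFallbackToUdp } else { '' }
            }
        }
    }
}

$report | Format-Table -AutoSize

# Servers missing from the known list are the ones the article says show "(Unencrypted)".
$plain = @($report | Where-Object { -not $_.KnownDoH })
if ($plain.Count -gt 0) {
    Write-Warning ("Not a recognized DoH provider: " + (($plain.Server | Sort-Object -Unique) -join ', '))
}

# A known entry that allows UDP fallback can drop back to plaintext DNS on failure.
$fallback = @($report | Where-Object { $_.KnownDoH -and $_.UdpFallback -eq $true })
if ($fallback.Count -gt 0) {
    Write-Warning ("Plaintext fallback allowed for: " + (($fallback.Server | Sort-Object -Unique) -join ', '))
}
```

An empty warning list with every configured server marked as known means the addresses you entered can be upgraded to DoH; a router or ISP address handed out by DHCP will normally appear under the first warning.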

If browsing breaks after enabling DoH:

  • Wrong IP: re-check the provider address; a typo drops you to unencrypted or fails entirely.
  • Network conflict: some captive-portal and enterprise networks block external DoH; revert to automatic there.
  • General DNS errors: if lookups fail even after reverting, work through our guide to fixing "DNS server not responding" in Windows 11.

Browser DoH vs system DoH

There is one subtlety worth understanding. Some browsers, notably Firefox and Chrome, have their own built-in DoH setting that operates independently of Windows. If your browser is configured to use its own encrypted DNS provider, that overrides the system setting for browser traffic only. Setting DoH at the Windows level, as described here, covers your whole system: apps, updaters, and background services, not just the browser.

For most people, configuring it once at the Windows level is cleaner because it applies everywhere. If you also enable it in your browser, make sure both point at providers you trust, and be aware that a mismatch (browser using one provider, Windows another) is harmless but can make troubleshooting confusing. When in doubt, pick one place to manage DoH and leave the other on its default.

Encrypted DNS on your other devices

DoH on your PC protects that PC only. Your phone, tablet, and smart-home gadgets still leak their lookups unless you handle them separately. The most thorough approach is to encrypt DNS at the router or run a filtering resolver on your network, which covers every device at once. If you already run one, our guide to setting up Pi-hole on a Raspberry Pi pairs network-wide ad blocking with upstream encrypted DNS for whole-home coverage.

What to do right now

  • Decide what you want from your DNS: privacy (Cloudflare), reliability (Google), or malware filtering (Quad9).
  • Open Network and internet, your connection, Hardware properties, and edit the DNS assignment.
  • Set it to Manual, enter your provider, and turn DNS over HTTPS on for IPv4 (and IPv6 if you use it).
  • Confirm each server shows "(Encrypted)."
  • On managed work or school networks, leave DNS on Automatic to avoid breaking internal resources.

Frequently asked questions

Does DNS over HTTPS replace a VPN?

No. DoH encrypts only your DNS lookups, so it hides which domains you request. A VPN also hides your IP address and encrypts all your traffic. They solve different problems and can be used together.

Will DoH slow down my browsing?

For most people the difference is negligible, and a fast provider like Cloudflare can even be quicker than a slow ISP resolver. Any encryption overhead is tiny compared to normal page load time.

How do I know DoH is actually working?

Check the Hardware properties page: each DNS server should read "(Encrypted)." You can also run your provider's browser-based connection test, which confirms secure DNS resolution.

Can my ISP still see what sites I visit with DoH on?

Your ISP can no longer read your DNS lookups, but it can still see the destination IP addresses you connect to. For most sites that reveals far less than the domain name, but it is not complete anonymity.

Should I enable DoH on my work laptop?

Only if IT allows it. Manual DNS overrides internal resolvers, which can break access to intranet sites and internal tools. Keep automatic DNS on managed networks unless told otherwise.
