• Privacy Tutorial: Setting up system-wide DoH for the 1st time on Windows

    From Marion@marion@facts.com to alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows on Thu Aug 14 04:15:15 2025
    From Newsgroup: alt.comp.os.windows-10

    Privacy Tutorial:
    Setting up system-wide DoH for the 1st time on Windows

    This is written ad-hoc, as I learned how to set it up myself.
    Please improve if you have experience setting up system-wide DoH.

    DoH === DNS over HTTPS
    a. Meaning your DNS queries are encrypted in transit,
    so outsiders on the network (like ISPs, public Wi-Fi operators,
    or snoops) can't easily see which sites you're looking up.
    b. Your DNS queries also blend in with regular secure web traffic,
    making it harder for third parties to block or tamper with
    your DNS requests.

    Works on Windows 10, version 2004 (Build 19628) Preview Build.
    Also works on Windows 10, version 2004 (Build 19041) & later.
    Works even better on Windows 11 because of added GUI support.
    Tested only on Microsoft Windows [Version 10.0.19045.6216].
    Please test on Windows 11 for the team & report if successful.

    Known Public DNS Providers Supporting DoH (please contribute!)
    a. Cloudflare, 1.1.1.1, 1.0.0.1 (Fast, privacy-focused)
    b. Google, 8.8.8.8, 8.8.4.4 (Global coverage)
    c. Quad9, 9.9.9.9, 149.112.112.112 (Blocks known malicious domains)
    d. AdGuard DNS, 94.140.14.14, 94.140.15.15 (Optional ad/malware blocking)
    e. NextDNS, uses a per-user custom setup via <https://help.nextdns.io>

    Setup Assumptions:
    a. Router gateway 192.168.0.1
    b. Static PC IP 192.168.0.2
    c. Router Wi-Fi SSID SSID_optout_nomap
    d. Network adapter name "Wi-Fi"

    Manual GUI Method
    1. Press Win+I to open Settings
    2. Network & Internet -> Status
    3. Click the active Wi-Fi connection "Properties" button
    4. Under "IP settings", click "Edit"
    5. Change dropdown from "Automatic (DHCP)" to "Manual"
    6. Toggle IPv4 ON
    7. Enter:
    IP address: 192.168.0.2
    Subnet prefix length: 24 (i.e., netmask 255.255.255.0)
    Gateway: 192.168.0.1
    8. DNS servers (example: Cloudflare DoH):
    Preferred DNS: 1.1.1.1
    Alternate DNS: 1.0.0.1
    9. Press "Save" to save your current configuration.
    10. Windows 11 exposes per-adapter "Encrypted only" options.
    Windows 10 does not expose a "Preferred DNS encryption" dropdown.
    Auto DoH enables encrypted DNS if the resolver supports it.
    To use DoH in Windows 10, you must enable Auto DoH via the registry.
    Win+R > cmd (Ctrl+Shift+Enter)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableAutoDoh /t REG_DWORD /d 2 /f
    REM 2 = always attempt DoH if supported
    11. Reboot to apply registry changes:
    shutdown /r /t 0
    12. Verify DNS resolution is working post-setup:
    Win+R > cmd (Ctrl+Shift+Enter)
    ipconfig /all
    nslookup -type=soa example.com
    Also https://1.1.1.1/help to confirm DoH = Yes
    (Turn off browser-built-in DoH for this test).

    Note: Windows 10 vs. Windows 11 exhibit different behaviors:
    In Windows 10 there is no per-adapter 'Encrypted only' setting.
    Auto DoH attempts encryption with known resolvers.
    If blocked, it may fall back to plaintext.

    Windows 11 instructions (with GUI toggle)
    Settings > Network & Internet > Wi-Fi > your network
    [This GUI option may not appear unless the DNS server supports DoH]
    Hardware properties > Edit DNS.
    Set DNS servers (e.g., 1.1.1.1 and 1.0.0.1).
    For each resolver, set DNS encryption to "Encrypted only (DNS over HTTPS)." Save and verify as above.

    If DoH is not working, check:
    a. Your DNS provider supports DoH
    b. Browser DoH is disabled for testing
    c. Registry key is correctly set
    d. Reboot was performed after registry change

    Command-Line Method (should work both for Win10/Win11)
    A. Set static IP, subnet mask, and gateway
    netsh interface ip set address name="Wi-Fi" static 192.168.0.2 255.255.255.0 192.168.0.1
    B. Set preferred DNS
    netsh interface ip set dns name="Wi-Fi" static 1.1.1.1
    C. Add alternate DNS
    netsh interface ip add dns name="Wi-Fi" 1.0.0.1 index=2
    D. Disconnect and reconnect to Wi-Fi
    netsh wlan disconnect
    netsh wlan connect name="SSID_optout_nomap"
    E. Enable Auto DoH via registry (requires reboot)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableAutoDoh /t REG_DWORD /d 2 /f
    Note: Enable Auto DoH (2 = always attempt DoH if supported)
    F. Verify settings
    ipconfig /all

    If you want to disable Auto DoH and revert to standard DNS behavior:
    a. Open an elevated command prompt:
    Win+R > cmd (Ctrl+Shift+Enter)
    b. Run the following command:
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableAutoDoh /f
    c. Reboot to apply changes:
    shutdown /r /t 0
    This removes the registry key and disables automatic DoH negotiation.

    If you prefer to keep the registry key but toggle off Auto DoH:
    a. Open an elevated command prompt:
    Win+R > cmd (Ctrl+Shift+Enter)
    b. Run the following command:
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableAutoDoh /t REG_DWORD /d 0 /f
    c. Reboot to apply changes:
    shutdown /r /t 0
    Setting EnableAutoDoh to 0 disables automatic DoH negotiation
    while preserving the key for future use.

    In summary, this was written ad hoc as I learned the tasks
    so I could help others set up their own Windows DoH support.

    Be advised I've only done it once.
    Then I wrote this up to help you do it too.

    Note: This tutorial configures IPv4 only.
    I've never used IPv6 so I've never needed to set it up.
    However, IPv6 DoH setup should be similar, as far as I know.

    If you know more about DoH setup, please add your contribution.
    The goal is for everyone to benefit from every thread & post.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marion@marion@facts.com to alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows on Tue Aug 19 10:25:24 2025

    How to check for a DNS leak from the Windows command line

    You can get clues about a DNS leak using nslookup, or curl,
    but neither performs a full DNS leak test on their own.
    curl ipinfo.io/ip
    curl https://api64.ipify.org
    curl icanhazip.com
    nslookup ipinfo.io
    etc.

    Everyone is likely aware how easy it is to check for DNS leaks using a web
    browser, but since I have some SOCKS5-proxified web browsers, I needed to
    compare DNS leak results between the overall system & those proxified apps.

    This is one of the many standard browser-based DNS leak tests:
    1. Go to <https://www.dnsleaktest.com> in your web browser
    2. Click the [Standard Test] or [Extended Test] button
    3. If the shown DNS servers are from your VPN, you're likely good to go;
    however, if you see your ISP's DNS, that's perhaps likely a leak.

    Looking up how to test for DNS leaks from the command line, I found this:
    1. Download the 'dnsleaktest' Windows binary
    <https://github.com/macvk/dnsleaktest>
    <https://github.com/macvk/dnsleaktest/releases/download/v1.3/dnsleaktest.exe>
    Name: dnsleaktest.exe
    Size: 5336576 bytes (5211 KiB)
    SHA256: 7BD8DC8505FCB498A91C24471995EE6DF6DC491283BD1571C9D67B3ED0C9F847

    2. Run "dnsleaktest.exe" from the Windows command line.
    C:\> dnsleaktest.exe

    3. That will show your external IP and the DNS servers your system
    is using. If those DNS servers belong to your ISP or are outside
    your VPN, you've perhaps got a leak.
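    An added example (not from the original posts) that ties the tutorial's
    verification step to the DNS-leak check above: this PowerShell script reads
    EnableAutoDoh, compares each adapter's IPv4 resolvers against an allow-list
    you supply, and shows any DoH templates Windows knows about. The allow-list
    values are constructed for the example, and the DnsClient DoH cmdlets are
    assumed to exist only on Windows 11 / Server 2022 builds.

```powershell
# Added example (not from the original posts): audit the system-wide DoH setup
# and flag resolvers that could still leak plaintext DNS on port 53.
# Assumptions: elevated PowerShell 5.1+ session; $ExpectedResolvers is a
# constructed allow-list and should match the resolvers you configured.
$ExpectedResolvers = @('1.1.1.1', '1.0.0.1')   # constructed: Cloudflare, as in the tutorial

# 1. Registry switch the tutorial sets for Windows 10 Auto DoH
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$autoDoh = (Get-ItemProperty -Path $regPath -Name EnableAutoDoh -ErrorAction SilentlyContinue).EnableAutoDoh
if ($null -eq $autoDoh) {
    Write-Warning 'EnableAutoDoh is not set: Windows 10 will use plaintext DNS (port 53).'
} elseif ($autoDoh -eq 2) {
    Write-Output  'EnableAutoDoh = 2: Windows will attempt DoH for resolvers it knows.'
} elseif ($autoDoh -eq 0) {
    Write-Warning 'EnableAutoDoh = 0: automatic DoH negotiation is disabled.'
} else {
    Write-Warning "EnableAutoDoh = $autoDoh (unexpected value)."
}

# 2. Per-adapter resolver check: anything outside the allow-list is a leak path
$leaks = @()
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            $ok = $ExpectedResolvers -contains $srv
            $tag = if ($ok) { 'expected' } else { 'UNEXPECTED' }
            Write-Output ('{0,-20} {1,-16} {2}' -f $_.InterfaceAlias, $srv, $tag)
            if (-not $ok) { $leaks += "$($_.InterfaceAlias): $srv" }
        }
    }

# 3. DoH templates: cmdlet exists on Windows 11 / Server 2022 (assumption:
#    absent on Windows 10), so fall back to the netsh view the posts mention.
if (Get-Command Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue) {
    Get-DnsClientDohServerAddress |
        Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
} else {
    Write-Output 'Get-DnsClientDohServerAddress not available; using netsh:'
    netsh dns show encryption
}

if ($leaks) {
    Write-Warning ('Resolvers outside the expected set: ' + ($leaks -join ', '))
}
```

    A resolver flagged UNEXPECTED (for example the router's 192.168.0.1 handed
    out by DHCP) means that adapter still sends queries to a server Windows
    cannot upgrade to DoH.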
  • From Marion@marion@facts.com to alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows on Tue Aug 26 01:31:51 2025

    Update:
    Both Windows 10 & Windows 11 suck at system-wide DNS encryption setup.

    YogaDNS intercepts Windows DNS queries & routes thru encrypted protocols

    *YogaDNS* Version 1.47 (2025.04.30)
    Windows (x86, x64, ARM) 7, 8, 10, 11, Server 2012, 2016, 2019, 2022
    <https://yogadns.com/download/>
    <https://yogadns.com/download/YogaDNSSetup.exe>
    Name: YogaDNSSetup.exe
    Size: 8369736 bytes (8173 KiB)
    SHA256: C790B930B990D3906124CBFF26A634D6400460F1E24616E41A88A6DF0EAE0CE4

    Windows 10 does not have native support for DNS-over-HTTPS (DoH) at the
    system level unless you're using experimental builds and doing some manual
    configuration. Even then, it's limited and not easily managed via
    PowerShell or the GUI.

    Windows 11 does support DoH natively at the operating system level.
    However Windows 11's native DoH doesn't support DoQ, DNSCrypt, or DoH3.
    <https://www.reddit.com/r/nextdns/comments/16vue7u/yogadns_and_native_private_dns_on_windows_11/>

    Tools like YogaDNS are popular because they intercept DNS traffic & route
    it through encrypted channels like DoH, DoT, or DoQ, regardless of what
    PowerShell commands your Windows supports.

    YogaDNS is a trialware->free Windows DNS client that intercepts
    DNS queries at the system level & routes them through encrypted protocols
    a. DoH (DNS over HTTPS) including DoH3
    b. DoT (DNS over TLS)
    c. DoQ (DNS over QUIC)
    d. DNSCrypt

    With YogaDNS, DNS queries are encrypted before they leave your PC.

    After 30 days, what do you end up with as the "free" version:
    A. Only one DNS server is allowed (e.g., Cloudflare 1.1.1.1)
    B. Only two customizable rules (e.g., use YogaDNS for all web sites)
    C. It no longer automatically launches (you can launch it manually)
    D. It no longer runs in the background (it can be minimized though)

    Rules are like filters that tell it how to handle websites or networks.
    Example 1 Use Cloudflare for all websites.
    Example 2 Exclude local network devices.

    To overcome the automatic-launch limitation, you can manually add it to
    your Windows startup using Task Scheduler or to your Startup folder.
    1. Press Win + R, type shell:startup, and hit Enter.
    2. Copy the YogaDNS shortcut into that Startup folder.

    To clarify the lack of background services in the free version, the free
    version of YogaDNS must remain open to function, but it can be minimized to
    the system tray (i.e., iconified). That way, it won't clutter your screen,
    but if you close it completely, its system-wide DNS protection stops.

    Windows version information that this was tested on:
    PowerShell: 5.1.19041.6216
    Windows: 10.0.19045.6216
    Based on output from these two admin commands:
    C:\Windows\system32> powershell $PSVersionTable.PSVersion
    Major Minor Build Revision
    ----- ----- ----- --------
    5 1 19041 6216
    C:\Windows\system32> ver
    Microsoft Windows [Version 10.0.19045.6216]

    My system is running Windows 10 Version 22H2 (Build 19045.6216) which is
    the final major release of Windows 10. It's a fully updated Windows 10
    (22H2) but PowerShell is still showing the original base version (19041),
    but with the same patch level (6216) because PowerShell 5.1 is baked into
    Windows 10. That means it doesn't get version bumps with every OS update.
    Microsoft kept the PowerShell versioning aligned with the original base
    (19041) even though the Windows 10 22H2 OS itself has evolved.

    What this means is key DNS features in Windows 11 are missing or limited.

    These are not available in Windows 10 (19045.6216):
    a. Native DNS-over-HTTPS (DoH) support
    b. DoH configuration via Settings UI
    c. DoQ, DNSCrypt, DoH3 support
    d. DoH via Group Policy / Registry (but you can run registry hacks)
    e. DoH via netsh dns show encryption (limited on Windows 10 vs 11)
    f. PowerShell DNS cmdlets (limited on Windows 10 versus on Windows 11)
    g. DNS leak protection during boot (limited more on Windows 10 than 11)

    This means that it's "easier" to set up system-wide encrypted DNS on
    Windows 11 but even for advanced protocols like DoQ or DNSCrypt, neither
    Windows 10 nor Windows 11 supports them natively, so tools like YogaDNS
    are still useful for both platforms.
  • From Marion@marion@facts.com to alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows on Thu Aug 28 01:25:15 2025

    On Tue, 26 Aug 2025 13:49:23 +0700, JJ wrote:

    >> After 30 days, what do you end up with as the "free" version:
    >
    > That's not freeware. That's crippleware.

    You bring up a good point in that it's not completely functional after 30d.
    The problem with freeware, is finding one that is fully functional.

    I don't yet know of a fully functional DoH tool for Windows 10/11.
    Do you?

    If not, then we're stuck with this as the best choice that we have so far.

    I get where you're coming from because you get more in the first 30 days
    than you get after the 31st day. But it is free to use after that.

    So while it doesn't have all the functionality, it has enough of it.
    Is that crippled or not?

    Dunno. I guess it depends on how badly you need the functionality it has.
    I suspect you need it badly if you want to run DoH on Windows 10 or older.

    Because Windows 10 and Windows 11 do not have good GUIs for DoH setup.
    So the question becomes what's a good freeware DoH setup tool for Windows?