Policy
Configure encrypted name resolution
Specifies if the DNS client will perform name resolution over encrypted protocols. By default, the DNS client will do classic DNS name resolution (over UDP or TCP port 53). This setting can enhance the DNS client to use encrypted protocols to resolve domain names.

To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:

Prohibit encryption: no encrypted name resolution will be performed.
Allow encryption: Use encrypted name resolution if the configured servers support it. If they don't support it, try classic name resolution.
Require encryption: Allow only encrypted name resolution. If there are no configured DNS servers that handle encryption, name resolution will fail.

In addition to the generic encryption policy, additional policies can be configured at the individual protocol level. For example, in order to force DoT name resolution only, a combination of "Require encryption" and "Block DoH" would be needed (vice versa to force DoH). For the example above, it is the admin's responsibility to ensure that if DoT is forced, there are valid DoT servers configured on the machine (vice versa for DoH).

If you disable this policy setting, or if you do not configure this policy setting, the DNS client will use locally configured settings.

DDR (Discovery of Designated Resolvers) plaintext traffic will be allowed as it is necessary for auto-discovering encryption settings.
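The following is an added example, not Microsoft code and not part of the policy text: a small model of the semantics described above that checks a planned combination of generic policy, per-protocol block and configured servers before rollout. The function names, the "blocked" set, the server dictionary shape and the sample addresses are assumptions made for illustration.

```python
from enum import Enum

class Encryption(Enum):
    # The three drop-down options named in the policy text.
    PROHIBIT = "Prohibit encryption"
    ALLOW = "Allow encryption"
    REQUIRE = "Require encryption"

def usable_protocols(policy, blocked, servers):
    """Encrypted protocols left after per-protocol blocks that at least one
    configured server offers. blocked: e.g. {"DoH"}; servers: {address: set
    of supported protocols}. Both shapes are assumptions of this example."""
    if policy is Encryption.PROHIBIT:
        return set()
    offered = set().union(*servers.values())
    return ({"DoH", "DoT"} - set(blocked)) & offered

def outcome(policy, blocked, servers):
    """Return 'encrypted', 'classic' or 'fail' for one planned configuration."""
    if usable_protocols(policy, blocked, servers):
        return "encrypted"
    # Nothing encrypted is usable: only "Require encryption" refuses to fall back.
    return "fail" if policy is Encryption.REQUIRE else "classic"

def audit(plans):
    """Flag plans that break resolution or quietly stay on classic DNS."""
    findings = []
    for name, (policy, blocked, servers) in plans.items():
        result = outcome(policy, blocked, servers)
        if result == "fail":
            findings.append((name, "name resolution will fail: no usable encrypted server"))
        elif result == "classic" and policy is Encryption.ALLOW:
            findings.append((name, "falls back to classic DNS on port 53"))
    return findings

# Constructed sample plans; the addresses are documentation-range placeholders.
PLANS = {
    "dot-only-ok": (Encryption.REQUIRE, {"DoH"}, {"192.0.2.10": {"DoT"}}),
    "dot-only-broken": (Encryption.REQUIRE, {"DoH"}, {"192.0.2.20": {"DoH"}}),
    "allow-no-support": (Encryption.ALLOW, set(), {"192.0.2.30": set()}),
}

if __name__ == "__main__":
    for name, reason in audit(PLANS):
        print(f"{name}: {reason}")
```

The model treats "Allow encryption" with no usable encrypted server as a fallback to classic resolution, as the policy text states; it does not model DDR discovery traffic.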
be0438bedca4 DNS_Doh
Registry
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DoHPolicy
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DohPolicySetting
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DotPolicySetting