How to configure DoH on Windows Server 2022?


I. Presentation

New to Windows Server 2022 is support for DNS over HTTPS (DoH) in the operating system’s DNS client. The objective of DNS over HTTPS is to secure DNS requests between the DNS client, in this case the Windows Server 2022 machine, and the DNS server, by encapsulating DNS traffic in an HTTPS connection. In this tutorial, we will see how to configure DoH on Windows Server 2022.

DNS over HTTPS: the HTTPS protocol is used to establish the connection, which means a standard port is used, that of HTTPS: port 443. DNS traffic is encapsulated within the HTTPS connection, and that connection is encrypted with TLS. The DNS request is therefore protected, whereas normally it transits the network in the clear, because plain DNS traffic is not encrypted. Support within the system’s DNS client allows this feature to be used across the whole machine, not just in the browser (modern browsers already support DoH).

Note: DoH, as described in this article, is also supported on Windows 11.

II. Use encrypted DNS in Windows Server 2022

On your Windows Server 2022 machine, open the Settings panel and click on the “Network and Internet” section. Then choose “Ethernet” on the left and, in the middle part, click on the network card, as in the picture below.

Windows Server 2022 - Ethernet Settings

Under the “DNS Settings” section, click “Edit”.

Windows Server 2022 - DNS Settings

A window is displayed that allows you to switch to “Manual” mode and define yourself the DNS server to use for name resolution. Here, in the “IPv4” section, enter the IP address of the DoH-compliant DNS resolver you wish to use. Let’s take the example of the Quad9 DNS, which responds at the IP address “9.9.9.9”. Once the IP address has been entered, the option below the input area unlocks and gives access to a menu that allows you to switch to “Encrypted only (DNS over HTTPS)” mode.

Windows Server 2022 - Set Encrypted DNS (DoH)

Then, just validate directly or add a secondary DNS. Now your server’s DNS queries are encrypted! As you will surely have understood, this type of configuration cannot be applied if the local server uses a domain controller as its DNS server, for example. On the other hand, you can set up your own DoH resolver…

III. Windows Server 2022: the list of supported DoH resolvers

If you enter another IP address rather than “9.9.9.9”, the option may not unlock, and it is therefore not possible to switch to secure mode. In fact, Windows includes a list of known DoH servers declared in the system: if the IP address entered does not match one of these IP addresses, the option remains locked.

The following PowerShell command returns this list:

Get-DNSClientDohServerAddress

We can see that it contains those of Quad9, but also of Google (8.8.8.8, …) and Cloudflare (1.1.1.1, …).

Windows Server 2022 - Get-DNSClientDohServerAddress

You should know that this list is not fixed: you can add new DoH-compatible DNS resolvers. Take the example of AdGuard, whose DoH resolver answers queries on the template “https://dns.adguard.com/dns-query” and one of whose servers is at the IP address “94.140.15.15”; it can be added like this:

Add-DnsClientDohServerAddress -ServerAddress '94.140.15.15' -DohTemplate 'https://dns.adguard.com/dns-query' -AllowFallbackToUdp $False -AutoUpgrade $True

Windows Server 2022 - Add-DnsClientDohServerAddress

Thus, if we return to the system’s DNS settings and enter “94.140.15.15” as the DNS server IP address, Windows gives us access to the options to switch to encrypted DNS mode.
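The following PowerShell script is an added example, not code from the original article or from Microsoft. It registers the AdGuard resolver quoted above (only if it is not already known), points an adapter at it, and then audits every IPv4 DNS server configured on the machine against the DoH server list, so you can see in advance which servers the “Encrypted only” option would stay locked for. The adapter alias “Ethernet” and the choice to forbid UDP fallback are assumptions to adjust for your environment; the cmdlets used (Add-DnsClientDohServerAddress, Get-DnsClientDohServerAddress, Set-DnsClientServerAddress, Get-DnsClientServerAddress) are those of the DnsClient module shipped with Windows Server 2022.

```powershell
# Added example (not from the original article): register a DoH resolver and verify
# that every DNS server configured on the adapters is covered by a DoH entry.
# 94.140.15.15 / https://dns.adguard.com/dns-query are the AdGuard values quoted in the
# article; the interface alias and the UDP-fallback choice are assumptions.
#Requires -RunAsAdministrator

$DohServer   = '94.140.15.15'
$DohTemplate = 'https://dns.adguard.com/dns-query'
$Interface   = 'Ethernet'   # assumption: use the alias of your own adapter

# 1. Register the resolver only if Windows does not already know it.
$known = Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $DohServer
if (-not $known) {
    $params = @{
        ServerAddress      = $DohServer
        DohTemplate        = $DohTemplate
        AllowFallbackToUdp = $false   # never silently downgrade to plaintext UDP DNS
        AutoUpgrade        = $true    # queries to this server are upgraded to DoH
    }
    Add-DnsClientDohServerAddress @params
}

# 2. Point the adapter at the resolver (same effect as the "Manual" IPv4 setting).
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $DohServer

# 3. Audit: for each configured IPv4 DNS server, report whether a DoH template exists
#    and whether UDP fallback is permitted. A row without a template is a server the
#    "Encrypted only" option will stay locked for, and one that will stop resolving if
#    the "Require DoH" policy is enforced.
function Test-DohCoverage {
    $doh = Get-DnsClientDohServerAddress
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 -and $_.InterfaceAlias -notmatch 'Loopback' } |
        ForEach-Object {
            $alias = $_.InterfaceAlias
            foreach ($ip in $_.ServerAddresses) {
                $entry = $doh | Where-Object ServerAddress -eq $ip
                [pscustomobject]@{
                    Interface   = $alias
                    DnsServer   = $ip
                    DohTemplate = if ($entry) { $entry.DohTemplate } else { '(none: DoH cannot be enabled)' }
                    UdpFallback = if ($entry) { $entry.AllowFallbackToUdp } else { $null }
                }
            }
        }
}

Test-DohCoverage | Format-Table -AutoSize
```

Run the audit step on its own before switching a server to “Encrypted only” or before applying the “Require DoH” policy described in the conclusion: any adapter whose DNS server has no template is the case where resolution will fail.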

IV. Conclusion

To conclude, I draw your attention to the existence of a GPO setting (local and Active Directory) available with Windows Server 2022 that allows you to impose the use of a DoH resolver. Be careful: if you choose the “Require DoH” mode but the DNS server configured on the machine does not support it, DNS resolution will fail. This setting, named “Configure DNS name resolution over HTTPS (DoH)”, is available under: Computer Configuration > Policies > Administrative Templates > Network > DNS Client.

GPO - DoH Configuration

Nowadays, DNS over HTTPS remains little known and little implemented on servers. For a server that directly accesses the internet via an external DNS resolver, I find it worthwhile to make sure to use a DoH resolver to secure DNS queries. At least, we are filling a real gap in the DNS protocol… Finally, even if DNS over HTTPS is interesting because it provides additional security, it may be surpassed by DNS over QUIC even before it has actually been adopted.
