Configure encrypted name resolution

Supported on: At least Windows Server 20H2, Windows 10 Version 20H2

Registry

HKLM Software\Policies\Microsoft\Windows NT\DNSClient

Options

DoHPolicy enum
  • Require encryption -> 3
  • Allow encryption -> 2
  • Prohibit encryption -> 1
DohPolicySetting enum
  • Allow DoH -> 0
  • Block DoH -> 1
DotPolicySetting enum
  • Allow DoT -> 0
  • Block DoT -> 1

Description

Specifies if the DNS client will perform name resolution over encrypted protocols.

By default, the DNS client will do classic DNS name resolution (over UDP or TCP port 53). This setting can enhance the DNS client to use encrypted protocols to resolve domain names.

To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:

  • Prohibit encryption: no encrypted name resolution will be performed.
  • Allow encryption: Use encrypted name resolution if the configured servers support it. If they don't support it, try classic name resolution.
  • Require encryption: Allow only encrypted name resolution. If there are no configured DNS servers that handle encryption, name resolution will fail.

In addition to the generic encryption policy, additional policies can be configured at the individual protocol level. For example, in order to force DoT name resolution only, a combination of "Require encryption" and "Block DoH" would be needed (vice versa to force DoH). For the example above, it is the admin's responsibility to ensure that if DoT is forced, there are valid DoT servers configured on the machine (vice versa for DoH).

If you disable this policy setting, or if you do not configure this policy setting, the DNS client will use locally configured settings.

DDR (Discovery of Designated Resolvers) plaintext traffic will be allowed as it is necessary for auto-discovering encryption settings.
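
An audit sketch for the combinations described above, added here as an example and not taken from Microsoft's documentation or tooling. It assumes the registry value names are the same as the option names listed on this page (`DoHPolicy`, `DohPolicySetting`, `DotPolicySetting`); the outcomes for "both protocols blocked" are inferred from the description, which does not state them. `Resolve-EncryptedDnsPolicy` is a hypothetical helper name.

```powershell
# Added example. ASSUMPTION: registry value names equal the option names on this
# page (DoHPolicy, DohPolicySetting, DotPolicySetting) under the key it lists.
$Key = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'

function Resolve-EncryptedDnsPolicy {
    param([Nullable[int]]$DoHPolicy, [int]$DohPolicySetting = 0, [int]$DotPolicySetting = 0)

    if ($null -eq $DoHPolicy) {
        return [pscustomobject]@{ Mode = 'Not configured'; Encrypted = 'n/a'; ClassicFallback = 'n/a'
            Finding = 'Policy not set: DNS client uses locally configured settings' }
    }
    # Per-protocol switches from the page: 0 = allow, 1 = block.
    $enc = @()
    if ($DohPolicySetting -eq 0) { $enc += 'DoH' }
    if ($DotPolicySetting -eq 0) { $enc += 'DoT' }
    $list = $enc -join ' or '

    switch ($DoHPolicy) {
        1 { $mode = 'Prohibit encryption'; $list = ''; $classic = $true
            $finding = 'Classic DNS only (UDP or TCP port 53)' }
        2 { $mode = 'Allow encryption'; $classic = $true
            $finding = "$list if the configured servers support it, else classic DNS"
            if ($enc.Count -eq 0) { $finding = 'DoH and DoT both blocked: classic DNS only (inferred)' } }
        3 { $mode = 'Require encryption'; $classic = $false
            $finding = "$list only: resolution fails without a configured $list server"
            if ($enc.Count -eq 0) { $finding = 'DoH and DoT both blocked: expect resolution to fail (inferred)' } }
        default { $mode = "Unknown ($DoHPolicy)"; $list = ''; $classic = 'n/a'
            $finding = 'DoHPolicy is not 1, 2 or 3' }
    }
    [pscustomobject]@{ Mode = $mode; Encrypted = $list; ClassicFallback = $classic; Finding = $finding }
}

# Constructed sample combinations (not captured from a real machine).
$samples = @(
    @{ DoHPolicy = 3; DohPolicySetting = 1; DotPolicySetting = 0 }   # force DoT, as in the description
    @{ DoHPolicy = 3; DohPolicySetting = 1; DotPolicySetting = 1 }   # required, but nothing left to use
    @{ DoHPolicy = 2; DohPolicySetting = 0; DotPolicySetting = 0 }   # encrypt when servers support it
)
$rows = foreach ($s in $samples) { Resolve-EncryptedDnsPolicy @s }

# Live check of this machine, when the policy key exists.
if (Test-Path $Key) {
    $p = Get-ItemProperty -Path $Key
    $rows += Resolve-EncryptedDnsPolicy $p.DoHPolicy $p.DohPolicySetting $p.DotPolicySetting
}
$rows | Format-List
```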