How to check whether DNS over HTTPS is working properly
As we wrote about yesterday, with build 19628 Microsoft has added support for DNS over HTTPS to Windows 10. DoH is a great way to increase privacy and security online, and its arrival in Windows 10 has been widely welcomed.
At the moment the feature is only available to Windows Insiders, but it won't be long before it rolls out to everyone. But when you have it up and running, how do you know if DNS over HTTPS is working? Here's how to find out.
See also:
- How to use DNS over HTTPS in Windows 10
- Microsoft releases Windows 10 Build 19628, changes the development branch
- Microsoft releases Windows 10 May 2020 Update to developers
There's no need to use any special software to test that DoH is working, as Windows 10 has the Packet Monitor tool (pktmon) built in, and this will do the job perfectly. Using this utility, you can double-check that no plaintext DNS traffic is leaving your system. You can run pktmon from either the Command Prompt or PowerShell.
Microsoft provides the following instructions to let you check DNS over HTTPS:
Start by opening a new Command Prompt or PowerShell window. Run the following command to reset any network traffic filters PacketMon may already have in place.
pktmon filter remove
Run the following command to add a traffic filter for port 53, the port classic DNS uses (and which should now be silent since we're only using DoH).
pktmon filter add -p 53
Run the following command to start real-time logging of traffic. All port 53 packets will be printed to the command line. If your device is only configured with DoH servers, this should show little to no traffic.
pktmon start --etw -m real-time
If you're trying to test a DoH server that isn't already on our auto-promotion list, such as your ISP's DoH servers, you can add it to our list manually using the command line. First, identify the IP address and the DoH URI template for the server you want to add. Then, run the following command as an administrator:
netsh dns add encryption server=<your-server's-IP-address> dohtemplate=<your-server's-DoH-URI-template>
You can verify the template was applied to the well-known DoH server list by running this command, which should show you the template being used for a given IP address:
netsh dns show encryption server=<your-server's-IP-address>
Now when Windows is configured to use that IP address as a DNS server, it will use DoH instead of classic DNS.
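The pktmon capture steps and the netsh template check above, wrapped into one script. This is an added example and not code from the article or from Microsoft; it assumes an elevated PowerShell session, that `pktmon start --etw` writes PktMon.etl to the current directory, that `pktmon format` is the ETL-to-text verb on this build (newer builds use `pktmon etl2txt`), and that each packet record in the text log starts with a timestamp.

```powershell
# Added example (not from the article or Microsoft). Run elevated on a build
# that ships pktmon. Assumption: 'pktmon format' converts the ETL log on
# 2004-era builds; newer builds use 'pktmon etl2txt' (see 'pktmon help').
param(
    [string[]]$TestNames = @('www.microsoft.com', 'www.bing.com'),
    [string]$Log = "$env:TEMP\doh-check.txt"
)

function Test-PlaintextDns {
    param([string[]]$Names, [string]$LogPath)

    # Steps 1-2 from the article: clear old filters, then watch port 53 only.
    pktmon filter remove | Out-Null
    pktmon filter add -p 53 | Out-Null

    # Log to PktMon.etl (not real-time mode, so no Ctrl+C is needed).
    pktmon start --etw | Out-Null
    try {
        # Generate lookups; with DoH active none of these may hit port 53.
        foreach ($n in $Names) {
            Resolve-DnsName -Name $n -ErrorAction SilentlyContinue | Out-Null
        }
    } finally {
        pktmon stop | Out-Null
    }

    pktmon format PktMon.etl -o $LogPath | Out-Null

    # Assumption: every packet record begins with HH:mm:ss.fffffff; since the
    # filter only admits port 53, each such line is one plaintext DNS packet.
    $packets = Select-String -Path $LogPath -Pattern '^\d{2}:\d{2}:\d{2}\.\d+' |
        Measure-Object | Select-Object -ExpandProperty Count
    return $packets
}

$count = Test-PlaintextDns -Names $TestNames -LogPath $Log
if ($count -eq 0) {
    Write-Host "No plaintext DNS on port 53: DoH appears to be in use."
} else {
    Write-Warning "$count packet(s) on port 53 (see $Log): some lookups still use classic DNS."
    # Show which configured servers have a DoH template (the netsh step above).
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Select-Object -ExpandProperty ServerAddresses -Unique |
        ForEach-Object { netsh dns show encryption server=$_ }
}
```

A server that appears in the netsh output without a DoH template is one Windows will still query over classic DNS, which is the usual cause of residual port 53 traffic.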
Image credit: asharkyu / Shutterstock