Policy
Configure encrypted name resolution
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, WindowsServer2016
Specifies if the DNS client will perform name resolution over encrypted protocols. By default, the DNS client will do classic DNS name resolution (over UDP or TCP port 53). This setting can enhance the DNS client to use encrypted protocols to resolve domain names.

To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:

- Prohibit encryption: no encrypted name resolution will be performed.
- Allow encryption: Use encrypted name resolution if the configured servers support it. If they don't support it, try classic name resolution.
- Require encryption: Allow only encrypted name resolution. If there are no configured DNS servers that handle encryption, name resolution will fail.

In addition to the generic encryption policy, additional policies can be configured at the individual protocol level. For example, in order to force DoT name resolution only, a combination of "Require encryption" and "Block DoH" would be needed (vice versa to force DoH). For the example above, it is the admin's responsibility to ensure that if DoT is forced, there are valid DoT servers configured on the machine (vice versa for DoH).

If you disable this policy setting, or if you do not configure this policy setting, the DNS client will use locally configured settings. DDR (Discovery of Designated Resolvers) plaintext traffic will be allowed as it is necessary for auto-discovering encryption settings.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
| Configure encryption options (ID: DNS_Doh_Box) | enum | HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DoHPolicy (REG_DWORD) | Options: Require encryption (3), Allow encryption (2), Prohibit encryption (1) |
| Configure DoH specific options (ID: DNS_Doh_Setting_Box) | enum | HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DohPolicySetting (REG_DWORD) | Options: Allow DoH (0), Block DoH (1) |
| Configure DoT specific options (ID: DNS_Dot_Setting_Box) | enum | HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DotPolicySetting (REG_DWORD) | Options: Allow DoT (0), Block DoT (1) |
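The following PowerShell is an added example, not part of this policy reference: it reads the three registry values from the table above, reports the effective mode, and flags the "Require encryption" combinations where the admin must make sure matching DoT or DoH servers exist (or where both protocols are blocked and resolution will fail). The `Set-EncryptedDnsPolicy` helper writes the same values directly to the Policies key, which is an assumption standing in for configuring the policy through Group Policy; a later GPO refresh will overwrite whatever it sets.

```powershell
# Registry key and value names are taken from the policy-element table above.
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'

function Get-EncryptedDnsPolicy {
    # Returns the raw values ($null where unset) plus the mode they imply.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $dohPolicy  = $props.DoHPolicy          # 1 prohibit, 2 allow, 3 require
    $dohSetting = $props.DohPolicySetting   # 0 allow DoH, 1 block DoH
    $dotSetting = $props.DotPolicySetting   # 0 allow DoT, 1 block DoT

    $mode = switch ($dohPolicy) {
        3       { 'Require encryption' }
        2       { 'Allow encryption' }
        1       { 'Prohibit encryption' }
        default { 'Not configured (locally configured settings apply)' }
    }
    $notes = @()
    if ($dohPolicy -eq 3 -and $dohSetting -eq 1 -and $dotSetting -eq 1) {
        $notes += 'Require encryption with both DoH and DoT blocked: name resolution will fail.'
    }
    elseif ($dohPolicy -eq 3 -and $dohSetting -eq 1) {
        $notes += 'DoT forced: verify valid DoT servers are configured on this machine.'
    }
    elseif ($dohPolicy -eq 3 -and $dotSetting -eq 1) {
        $notes += 'DoH forced: verify valid DoH servers are configured on this machine.'
    }
    [pscustomobject]@{
        DoHPolicy        = $dohPolicy
        DohPolicySetting = $dohSetting
        DotPolicySetting = $dotSetting
        EffectiveMode    = $mode
        Notes            = ($notes -join ' ')
    }
}

function Set-EncryptedDnsPolicy {
    # Run elevated. Example: -Mode Require -BlockDoH yields DoT-only resolution,
    # the combination the policy text describes.
    param([ValidateSet('Prohibit','Allow','Require')][string]$Mode, [switch]$BlockDoH, [switch]$BlockDoT)
    $value = @{ Prohibit = 1; Allow = 2; Require = 3 }[$Mode]
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name DoHPolicy        -Value $value -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name DohPolicySetting -Value ([int]$BlockDoH.IsPresent) -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name DotPolicySetting -Value ([int]$BlockDoT.IsPresent) -Type DWord
}

Get-EncryptedDnsPolicy | Format-List
```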
Other policies in this category
Explore related policies at the same level.
- Computer: Allow DNS suffix appending to unqualified multi-label name queries (At least Windows Vista)
- Computer: Allow NetBT queries for fully qualified domain names (At least Windows Server 2012, Windows 8 or Windows RT)
- Computer: Configure Discovery of Designated Resolvers (DDR) protocol (At least Windows 11 Version 23H2)
- Computer: Configure multicast DNS (mDNS) protocol (At least Windows Server 2016, Windows 10 Version 1703)
- Computer: Configure NetBIOS settings (At least Windows Vista)
- Computer: Connection-specific DNS suffix (Windows XP Professional only)
- Computer: DNS servers (Windows XP Professional only)
- Computer: DNS suffix search list (At least Windows Server 2003 operating systems or Windows XP Professional)
- Computer: Dynamic update (At least Windows Server 2003 operating systems or Windows XP Professional)
- Computer: IDN mapping (At least Windows Server 2012, Windows 8 or Windows RT)
- Computer: Prefer link local responses over DNS when received over a network with higher precedence (At least Windows Server 2012, Windows 8 or Windows RT)
- Computer: Primary DNS suffix (At least Windows 2000)