Windows 11 DNS Privacy Has a Hidden Fallback Problem

Key Takeaways

- Windows 11's DNS-over-HTTPS feature can silently fall back to unencrypted plaintext requests
- The OS doesn't warn you when encrypted DNS fails, leaving your browsing exposed
- A quick settings change can enforce encrypted DNS and block plaintext fallback
If you've enabled DNS-over-HTTPS on Windows 11, you probably assume your DNS requests are encrypted. That assumption may be wrong. In its default "encrypted preferred" mode, Windows 11 quietly falls back to plaintext DNS whenever the encrypted connection fails, and it never tells you when this happens.
This means your ISP, network administrators, or anyone snooping on your connection can see exactly which hostnames you're looking up, all while you think you're protected.
What DNS-over-HTTPS Actually Does
When you type a URL into your browser, your computer needs to translate that domain name into an IP address. That translation request goes to a DNS server. By default, these requests travel in plaintext. Anyone on your network can read them.
DNS-over-HTTPS (DoH) wraps those requests in encryption. Your DNS queries become invisible to eavesdroppers. It's one of the simplest privacy upgrades you can make, and Windows 11 supports it natively.
The problem is how Windows 11 handles failure. When DoH encounters a timeout, misconfiguration, or incompatible network, the OS doesn't show an error. It doesn't block the connection. It just quietly switches to plaintext DNS and completes your request anyway.
Why Silent Fallback Is a Privacy Problem
From your perspective, everything works normally. Pages load. Connections complete. You have no indication that your DNS traffic is now exposed. The fallback behavior prioritizes connectivity over privacy, and it does so without asking.
This matters because your DNS traffic reveals a lot: every website you visit, every service you connect to, every app that phones home. Your ISP can log this data. On public WiFi, anyone with a packet capture tool can read it.

How to Check Your Current DNS Settings
Open Settings, then Network & Internet. Select your active connection (WiFi or Ethernet). Look for DNS server assignment. If it shows "Automatic (DHCP)" or lists your router's IP, you're using whatever DNS your network provides, almost certainly unencrypted.
If you've manually configured a DNS server like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9), check the encryption setting. Windows 11 offers three options: Unencrypted only, Encrypted only (DNS-over-HTTPS), and Encrypted preferred, unencrypted allowed. On newer Windows 11 builds the same choice appears as a DNS over HTTPS dropdown (Off / On (automatic template) / On (manual template)) with a separate "Fallback to plaintext" checkbox; leaving that box checked is equivalent to the third option.
That third option is the culprit. It sounds reasonable but enables the silent fallback behavior.
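The Settings page only shows one adapter at a time, and the DoH state is not visible in `ipconfig /all`. The script below is an added example (not part of the original article) that does the same check from PowerShell for every adapter that is up: it lists each configured IPv4 DNS server, whether Windows knows a DoH template for it (the built-in list shown by `Get-DnsClientDohServerAddress`), and whether DoH is actually switched on for that server on that adapter. The per-adapter on/off state is read from the `Dnscache\InterfaceSpecificParameters` registry key; the interpretation of `DohFlags` (1 = encrypted only, other values = fallback allowed) is an assumption based on Microsoft's Windows Server 2022 DoH client documentation, so verify it on your build before relying on it.

```powershell
# Added example, not the article's own procedure. Run from any PowerShell
# prompt on Windows 11 (reading the registry keys below does not need admin).
# Assumption (labelled): DohFlags = 1 means "Encrypted only"; any other nonzero
# value means DoH is enabled but plaintext fallback is allowed.

$knownDoh = Get-DnsClientDohServerAddress      # built-in + user-added DoH templates
$dohRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters'

foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    $servers = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
    if (-not $servers) {
        "{0}: no IPv4 DNS servers configured" -f $nic.Name
        continue
    }
    foreach ($ip in $servers) {
        $template = $knownDoh | Where-Object ServerAddress -eq $ip
        $key      = "$dohRoot\$($nic.InterfaceGuid)\DohInterfaceSettings\Doh\$ip"
        $flags    = Get-ItemProperty -Path $key -Name DohFlags -ErrorAction SilentlyContinue

        $state = if (-not $template) {
                     'no DoH template known to Windows - plaintext only'
                 } elseif ($null -eq $flags) {
                     'DoH template known, but DoH is OFF on this adapter - plaintext'
                 } elseif ($flags.DohFlags -eq 1) {
                     'Encrypted only (no fallback)'
                 } else {
                     "DoH on, plaintext fallback allowed (DohFlags=$($flags.DohFlags))"
                 }
        "{0}: {1} -> {2}" -f $nic.Name, $ip, $state
    }
}
```

Any line that does not end in "Encrypted only" is an adapter on which your lookups can travel in the clear. Note that a router address such as 192.168.1.1 will always show "no DoH template known": Windows can only encrypt to servers that have a template, so forwarding to the router is plaintext by definition.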
The Fix Takes Two Minutes
Change your DNS encryption setting to "Encrypted only (DNS-over-HTTPS)." This forces Windows to use encrypted DNS or fail completely. No silent fallback. If encryption doesn't work, you'll know immediately because name resolution fails and applications report that the host cannot be found. This only works with servers Windows has a DoH template for (the built-in list below, or one you add yourself); a server without a template cannot be set to encrypted only.
- Open Settings > Network & Internet
- Click your active connection (WiFi or Ethernet)
- Click Edit next to DNS server assignment
- Switch from Automatic to Manual
- Enter a DoH-compatible DNS server (1.1.1.1 and 1.0.0.1 for Cloudflare, 9.9.9.9 and 149.112.112.112 for Quad9); if your network also assigns IPv6 DNS servers, enter the provider's IPv6 addresses too
- Set DNS over HTTPS to "Encrypted only" (on newer builds: set the dropdown to On and clear the "Fallback to plaintext" checkbox)
- Save and test your connection
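The same change can be scripted, which is how you would roll it out to more than one machine or make sure it survives a user flipping the dropdown back. The block below is an added example, not the article's own steps: it registers Cloudflare's DoH template with plaintext fallback disabled, points every active adapter at 1.1.1.1/1.0.0.1, and then sets the machine-wide policy behind the Group Policy setting "Configure DNS over HTTPS (DoH) name resolution" to Require DoH, so no adapter can fall back regardless of what the Settings UI says. The policy registry values (1 = prohibit, 2 = allow, 3 = require) are taken from that policy's ADMX; confirm them against the policy's Explain text on your build. Run it from an elevated PowerShell.

```powershell
# Added example, not the article's own procedure. Requires an elevated prompt.
# Assumptions (labelled): Cloudflare as the resolver (any server returned by
# Get-DnsClientDohServerAddress works), and DoHPolicy 1/2/3 = prohibit/allow/require.

$servers  = '1.1.1.1', '1.0.0.1'
$template = 'https://cloudflare-dns.com/dns-query'   # Cloudflare's public DoH endpoint

# 1. Ensure each server has a DoH template and that the template itself
#    forbids falling back to plaintext UDP.
foreach ($ip in $servers) {
    $entry = Get-DnsClientDohServerAddress -ServerAddress $ip -ErrorAction SilentlyContinue
    if ($entry) {
        Set-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $entry.DohTemplate `
            -AllowFallbackToUdp $false -AutoUpgrade $true
    } else {
        Add-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $template `
            -AllowFallbackToUdp $false -AutoUpgrade $true
    }
}

# 2. Replace the DHCP-assigned DNS servers on every adapter that is up.
#    (If the network hands out IPv6 DNS as well, set DoH-capable IPv6 servers
#    such as 2606:4700:4700::1111 and ::1001 the same way, or they cannot be
#    used once DoH is required.)
foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $servers
}

# 3. Require DoH machine-wide. This is the registry value written by the
#    "Configure DNS over HTTPS (DoH) name resolution" policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name DoHPolicy -Value 3 -Type DWord

# 4. Flush the cache and confirm resolution still works through DoH.
Clear-DnsClientCache
Resolve-DnsName -Name example.com -Type A -DnsOnly | Format-Table Name, IPAddress

# To revert: Set-ItemProperty -Path $policyKey -Name DoHPolicy -Value 2
#            Set-DnsClientServerAddress -InterfaceIndex <n> -ResetServerAddresses
```

With Require DoH in place, a resolver that cannot be reached over HTTPS produces a resolution error instead of a silent downgrade, which is exactly the failure mode you want to see. Keep the revert commands handy before connecting to captive-portal networks.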

Which DNS Servers Support Encryption
Not every DNS server supports DoH. Windows 11 ships a built-in list of known DoH servers and their templates (the same list `Get-DnsClientDohServerAddress` prints), and only addresses on that list, or ones you add with a template, can be set to encrypted only. The most common options:
- Cloudflare: 1.1.1.1 (primary), 1.0.0.1 (secondary)
- Google: 8.8.8.8 (primary), 8.8.4.4 (secondary)
- Quad9: 9.9.9.9 (primary), 149.112.112.112 (secondary)
Cloudflare emphasizes speed. Quad9 focuses on security and blocks known malicious domains. Google is ubiquitous but raises data collection concerns for some users. Pick based on your priorities.
Alternative: Use Cloudflare WARP
If you want a set-and-forget solution, Cloudflare's WARP app handles encrypted DNS at the system level. It's free, works across all your applications, and doesn't rely on Windows 11's native implementation. The tradeoff is running another background service and, because WARP is a WireGuard-based tunnel, routing all of your traffic through Cloudflare rather than just your DNS queries.
Frequently Asked Questions
Does DNS-over-HTTPS slow down my internet?
The encryption adds minimal overhead: one TLS handshake when the connection to the resolver is first opened, after which it is reused. With fast DNS providers like Cloudflare, you may actually see faster lookups than your ISP's default servers.
Will encrypted-only mode break my connection?
Only if the DNS server is unreachable or your network blocks DoH traffic (HTTPS to the resolver on port 443). Most home and office networks work fine. Some corporate networks and captive portals (hotel WiFi) will have issues, because captive portals typically intercept plaintext DNS to redirect you to their sign-in page; you may need to temporarily allow fallback to get through the portal, then switch back.
Can my ISP still see which websites I visit?
They can't see your DNS requests, but they can still see the IP addresses you connect to, and for most HTTPS sites the hostname is also sent in the clear in the TLS handshake (the SNI field) unless the site and your browser support Encrypted Client Hello. For full privacy, you'd need a VPN in addition to encrypted DNS.
Does this setting apply to all apps on my computer?
Yes. System-level DNS settings affect all applications unless they override them with their own DNS configuration. Firefox, Chrome, and Edge can each run their own DoH client ("secure DNS" in their settings), and a browser with its own resolver configured bypasses the Windows setting entirely, fallback behavior included.
Source: MakeUseOf
Manaal Khan
Tech & Innovation Writer