Windows 10: DNS queries are being routed through IPv4 instead of DoH

Hello,I recently configured DNS over HTTPS DoH on my Windows 11 24H2. However, I noticed that all DNS queries are still being routed through IPv4 instead of DoH.Here’s the setup I’ve configuredNS IPv4: Set to 1.1.1.1 Cloudflare.DNS over HTTPS: On manualDNS over HTTPS template: https://doh.opendns.com/dns-queryFall back to plaintext: offAfter making these changes, I ran a DNS Leak Test to verify the configuration. Surprisingly, the results show that my DNS queries are being routed through Cloudflare 1.1.1.1 instead of OpenDNS, despite having DoH enabled and enforced.

:)

 

Sysmon DNS Query Support

Hello，

Welcome to Microsoft Community.

The behavior you're encountering with the Sysmon Event ID 22 for DNS Query logs is related to how Sysmon formats its output for these events, particularly the QueryResults field. In Sysmon Event ID 22, the QueryResults field typically lists the results of the DNS query, such as IP addresses for A records, CNAME records, etc.



Your observation concerns the absence of type: 1 in the QueryResults field, where you expect it to precede the IP addresses, indicating A records (IPv4 addresses). This formatting expectation might stem from documentation or examples that specify DNS record types explicitly in the logs.



However, Sysmon's actual logging behavior for the QueryResults might not always include the explicit mention of type: 1 for A records. Instead, Sysmon directly lists the resolved IP addresses. The inclusion of DNS record types (like A, CNAME, MX, etc.) in the QueryResults is not a standard feature of Sysmon logging as of the versions up to my last update. The logs focus on the results of the DNS query (i.e., the IP addresses or other records resolved) without necessarily specifying the record type in a structured format like type: X.



If you need to distinguish between different types of DNS records (A, CNAME, etc.) in your monitoring or analysis, you might have to look into additional logging solutions or DNS monitoring tools that provide more detailed information about DNS queries and responses, including explicit record types.



Sysmon is highly customizable through its configuration, but its output format for certain types of logs, like DNS queries, is determined by the tool's internal logic and may not provide all the details you're looking for directly in the log entries. For more specific behavior or output formatting, consider supplementing Sysmon with other DNS analysis or logging tools that offer more granular insights into DNS queries and responses.

Thank you for your patience and understanding!

Regards，

Manson |Microsoft Community Support Specialist

 

DNS-over-HTTPS (or DoH) Question

DoH is mainly for companies and ISPs, who block DNS requests made by users, but they can not block https.
It is preferable to use DNS over TCP. I prefer dnscrypt, because UDP can not be as easily abused as TCP.
To sum it up: dnscrypt > DoT > DoH > DNS. Then again DoH is definitely better than classic DNS.
When you use VPN, DNS can leak your real IP and your DNS requests, just like IPv6.

 

Intermittent DNS Request Timed Out

Hi, Try to use this software to assess if you have a problem with routing of dns queries trough your router GRC's | DNS Nameserver Performance Benchmark If your router is OK it will suggest the best DNS servers to use in Performance order.