Microsoft is testing Windows 11’s ability to automatically discover an encrypted DNS server
October 26, 2023
Microsoft is testing support for the Discovery of Network Resolvers (DNR) Internet standard, which enables automatic client-side discovery of encrypted DNS servers on local networks. Without DNR support, users must manually enter information about encrypted DNS servers on their local network in network settings.
With client-side DNR, devices are configured automatically to reach such encrypted DNS resolvers and to use encrypted DNS protocols such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ).
When a device with client-side DNR joins a new network, it asks the local DHCP server for an IP address and also requests the DNR options.
A DNR-enabled DHCP server answers with the encrypted DNS details: the resolver's IP address, the protocols it supports, its port numbers, and the authentication domain name used to verify the server, so the client can set up an encrypted DNS connection from that information without manual configuration.
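As an added example (not Microsoft's code and not part of the original article), the following parser decodes the DHCPv4 DNR option that carries the details described above, following the OPTION_V4_DNR (option 162) layout from RFC 9463 and the SVCB SvcParams encoding from RFC 9460; the option bytes are a constructed sample, and the parser also recognises the ADN-only encoding so a client can flag instances it cannot use.

```python
import struct
from ipaddress import IPv4Address

def _read_name(buf):  # uncompressed DNS wire-format ADN (RFC 1035 §3.1); compression pointers rejected
    labels, off = [], 0
    while buf[off] != 0:
        n = buf[off]
        if n > 63:
            raise ValueError("compression pointer in ADN")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii")); off += 1 + n
    return ".".join(labels) + "."

def parse_svcparams(data):  # SVCB SvcParams wire format (RFC 9460 §2.2): (key u16, length u16, value)*
    params, off = {}, 0
    while off < len(data):
        key, n = struct.unpack_from("!HH", data, off); val = data[off + 4:off + 4 + n]; off += 4 + n
        if key == 1:  # alpn: length-prefixed protocol ids such as "dot", "h2", "h3"
            params["alpn"], i = [], 0
            while i < len(val):
                params["alpn"].append(val[i + 1:i + 1 + val[i]].decode("ascii")); i += 1 + val[i]
        elif key == 3:  # port
            params["port"] = struct.unpack("!H", val)[0]
        elif key == 7:  # dohpath: URI template for DoH queries
            params["dohpath"] = val.decode("utf-8")
        else:  # e.g. key 0 "mandatory": keep raw so a caller can reject params it cannot honour
            params[key] = val
    return params

def parse_v4_dnr(opt):  # value of DHCPv4 OPTION_V4_DNR (code 162): one or more DNR instances
    out, off = [], 0
    while off < len(opt):
        inst_len, prio, adn_len = struct.unpack_from("!HHB", opt, off)
        end = off + 2 + inst_len; off += 5
        inst = {"priority": prio, "adn": _read_name(opt[off:off + adn_len]), "addrs": [], "svcparams": {}}
        off += adn_len
        if off < end:  # ADN-only instances omit Addr Length/addresses/SvcParams (or carry Addr Length 0)
            alen = opt[off]; off += 1
            inst["addrs"] = [str(IPv4Address(opt[i:i + 4])) for i in range(off, off + alen, 4)]
            inst["svcparams"] = parse_svcparams(opt[off + alen:end])
        inst["adn_only"] = not inst["addrs"]  # Windows' DHCPv4 DNR client does not accept this mode
        out.append(inst); off = end
    return sorted(out, key=lambda i: i["priority"])  # lowest Service Priority is preferred

# Constructed sample option value (not a real capture): one DoH resolver plus one ADN-only instance.
_name = lambda s: b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".")) + b"\x00"
_svc = lambda key, val: struct.pack("!HH", key, len(val)) + val
_A1 = _name("dns.example.net."); _I1 = (struct.pack("!HB", 1, len(_A1)) + _A1 + b"\x04"
    + IPv4Address("192.0.2.53").packed + _svc(1, b"\x02h2") + _svc(3, struct.pack("!H", 443))
    + _svc(7, b"/dns-query{?dns}"))
_A2 = _name("resolver.example.org."); _I2 = struct.pack("!HB", 2, len(_A2)) + _A2
SAMPLE_OPTION_162 = struct.pack("!H", len(_I1)) + _I1 + struct.pack("!H", len(_I2)) + _I2
```

A client should only trust the returned ADN once the resolver's TLS certificate has been validated against it; the option itself arrives over unauthenticated DHCP.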
“Until now, Windows Insiders had to find the IP address of their preferred encrypted DNS server and manually enter it to set up client-side encrypted DNS on their computers,” said Microsoft’s Amanda Langowski and Brandon LeBlanc.
“DNR will allow Windows Insiders to use encrypted DNS protocols such as DNS over HTTPS (DoH) and DNS over TLS (DoT) on the client side without requiring manual configuration.”
Client-side DNR support is currently available to Windows Insiders running Windows Insider build 25982 or later. The feature is not yet available in non-Insider versions of Windows.
After installing a compatible Windows Insider build, users and administrators need to create a new EnableDnr registry key under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache to enable DNR on the device, by running the following command from a command prompt:
After changing the registry, you must restart the device for the updated settings to take effect. To see DNR in action, you need to connect to a network where server-side DNR is enabled on a DHCPv4 or DHCPv6 server.
EnableDnr registry key (Microsoft)
Currently, the Microsoft DNR client supports only the following configuration modes (encrypted DNS discovery via IPv6 Router Advertisements is not yet supported):
DHCPv4 does not support ADN-only mode.
DHCPv6 does not support ADN-only mode and accepts only a single OPTION_V6_DNR instance.
To disable client-side DNR on your system, run the following command from an administrative command prompt and reboot the system for the change to take effect:
Starting with today’s Windows 11 Insider build, Microsoft is also allowing administrators to enforce SMB client encryption for all outgoing connections to protect against eavesdropping and interception attacks.
The company has also added support for ReFS file system block cloning to the Windows copy engine to improve the performance of ReFS volumes when copying large files.
As an experienced journalist and author, Mary has been reporting on the latest news and trends for over 5 years. With a passion for uncovering the stories behind the headlines, Mary has earned a reputation as a trusted voice in the world of journalism. Her writing style is insightful, engaging and thought-provoking, as she takes a deep dive into the most pressing issues of our time.