{"id":16497062,"url":"https://github.com/hotcakex/winsecurednsmgr","last_synced_at":"2025-03-16T18:32:14.637Z","repository":{"id":65252924,"uuid":"585638175","full_name":"HotCakeX/WinSecureDNSMgr","owner":"HotCakeX","description":"WinSecureDNSMgr module | Quick, proper and automatic way to configure Secure DNS in Windows with multiple available operation modes","archived":false,"fork":false,"pushed_at":"2024-07-08T22:06:28.000Z","size":19849,"stargazers_count":35,"open_issues_count":1,"forks_count":2,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-02-27T12:17:08.049Z","etag":null,"topics":["dns","dns-over-https","doh","dynamicip","https","powershell","securedns","security","serverless-dns","windows","windows11"],"latest_commit_sha":null,"homepage":"https://github.com/HotCakeX/WinSecureDNSMgr","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HotCakeX.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-05T17:24:35.000Z","updated_at":"2025-02-21T10:27:53.000Z","dependencies_parsed_at":"2024-10-27T11:20:45.236Z","dependency_job_id":null,"html_url":"https://github.com/HotCakeX/WinSecureDNSMgr","commit_stats":null,"previous_names":["hotcakex/winsecurednsmgr"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HotCakeX%2FWinSecureDNSMgr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HotCakeX%2FWinSecureDNSMgr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HotCakeX%2FWinSecureDNSMgr/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HotCakeX%2FWinSecureDNSMgr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HotCakeX","download_url":"https://codeload.github.com/HotCakeX/WinSecureDNSMgr/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243826783,"owners_count":20354220,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","dns-over-https","doh","dynamicip","https","powershell","securedns","security","serverless-dns","windows","windows11"],"created_at":"2024-10-11T14:38:07.767Z","updated_at":"2025-03-16T18:32:09.613Z","avatar_url":"https://github.com/HotCakeX.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\u003ca href=\"https://github.com/HotCakeX/WinSecureDNSMgr\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/WinSecureDNSMgr/main/GitHubIcon.png\" alt=\"Avatar\" width=\"300\" name=\"readme-top\"\u003e\u003c/a\u003e\n\n# WinSecureDNSMgr module\n\nQuick, proper and automatic way to configure Secure DNS in Windows with multiple available operation modes\n\n\u003ca href=\"https://www.powershellgallery.com/packages/WinSecureDNSMgr/\"\u003e\u003cstrong\u003ePowerShell Gallery\u003c/strong\u003e\u003c/a\u003e\n\n\u003ca href=\"https://github.com/HotCakeX/WinSecureDNSMgr/discussions\"\u003eDiscussion\u003c/a\u003e\n·\n\u003ca href=\"https://github.com/HotCakeX/WinSecureDNSMgr/issues\"\u003eReport Issue\u003c/a\u003e\n\n![PowerShell Gallery Version (including pre-releases)](https://img.shields.io/powershellgallery/v/WinSecureDNSMgr?style=plastic\u0026logo=powershell\u0026labelColor=rgb(255%2C29%2C206)\u0026color=rgb(201%2C255%2C229))\n\n![PowerShell Gallery](https://img.shields.io/powershellgallery/dt/WinSecureDNSMgr?style=plastic\u0026labelColor=rgb(255%2C29%2C206)\u0026color=rgb(201%2C255%2C229))\n\n\u003c/div\u003e\n\n\u003cdetails open\u003e\n  \u003csummary\u003eTable of Contents\u003c/summary\u003e\n\n1. \u003ca href=\"#about-the-module\"\u003eAbout The Module\u003c/a\u003e\n2. \u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e\n3. \u003ca href=\"#recommended-setup\"\u003eRecommended setup\u003c/a\u003e\n4. \u003ca href=\"#prerequisites\"\u003ePrerequisites\u003c/a\u003e\n5. \u003ca href=\"#installation\"\u003eInstallation\u003c/a\u003e\n6. \u003ca href=\"#usage\"\u003eUsage\u003c/a\u003e\n   - \u003ca href=\"#built-in-doh-examples\"\u003eBuilt-in DoH examples\u003c/a\u003e\n   - \u003ca href=\"#custom-doh-examples\"\u003eCustom DoH examples\u003c/a\u003e\n   - \u003ca href=\"#dynamic-doh-examples\"\u003eDynamic DoH examples\u003c/a\u003e\n7. \u003ca href=\"#operation-modes\"\u003eOperation modes\u003c/a\u003e\n\n\u003c/details\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## About The Module\n\nThis is a PowerShell module that can simplify setting up DNS over HTTPS in Windows for various scenarios mentioned in the Operation modes section.\n\nIt can automatically identify the correct and active network adapter/interface and set Secure DNS settings for it based on parameters supplied by user.\nThat means it will detect the correct network adapter/interface even if you are using:\n\n- Windows built-in VPN connections (PPTP, L2TP, SSTP, IKEv2)\n- OpenVPN\n- TUN/TAP virtual adapters (a lot of programs use them, including WireGuard)\n- Hyper-V virtual switches (Internal, Private, External, all at the same time)\n- Cloudflare WARP client\n\n\u003cbr\u003e\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#readme-top\"\u003e💡(back to top)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Features\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp\" width=\"30\"\u003e  Strongest possible End-to-End encrypted workflow\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp\" width=\"30\"\u003e Created, targeted and tested on the latest version of Windows, on physical hardware and Virtual Machines\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp\" width=\"30\"\u003e To make sure the module will always be able to acquire the IP address(s) of the DoH server, specially in case of dynamic DoH server when the currently set system IPv4s and IPv6s might be outdated, the module performs DNS queries in this exact order:\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp\" width=\"20\"\u003e First tries using [Cloudflare's main encrypted API](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/) to get the IP address(s) of the DoH server's domain.\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp\" width=\"20\"\u003e If 1st one fails, tries using the Cloudflare's secondary encrypted API to get the IP address(s) of the DoH server's domain.\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp\" width=\"20\"\u003e If 2nd one fails, tries using [Google's main encrypted API](https://developers.google.com/speed/public-dns/docs/doh/) to get the IP address(s) of the DoH server's domain.\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp\" width=\"20\"\u003e If 3rd one fails, tries using Google's secondary encrypted API to get the IP address(s) of the DoH server's domain.\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp\" width=\"20\"\u003e if 4th one fails, tries using any system DNS that is available to get the IP address(s) of the DoH server's domain.\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp\" width=\"30\"\u003e All of the connections to Cloudflare and Google servers use direct IP, are set to use [TLS 1.3](https://curl.se/docs/manpage.html#--tls13-ciphers) with `HTTP/3`, with the exception of the last try which uses system DNS as the last resort before giving up.\n\n\u003cbr\u003e\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#readme-top\"\u003e💡(back to top)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Recommended setup\n\n* Use Cloudflare DNS over HTTPS which is a built-in DoH provider in Windows, it's the safest, fastest and most reliable.\n\n* If you can't use publicly known DNS over HTTPS providers for any reason, you can create your own DoH server and domain for free using a [serverless Secure DNS](https://github.com/serverless-dns/serverless-dns) and [freenom](https://www.freenom.com/). They are more stealthy, hard or costly for ISPs, governments etc. to detect or block.\n\n\u003cbr\u003e\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#readme-top\"\u003e💡(back to top)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Prerequisites\n\n* The latest stable version of PowerShell\n  * [Install it from GitHub](https://github.com/PowerShell/PowerShell/releases/latest)\n  * Using Winget `Winget install Microsoft.PowerShell`\n  * Store installed version of PowerShell is not supported for the Dynamic DoH (DDOH) operation mode.\n\n* Latest version of Windows\n\nIf planning to use the module in dynamic DoH mode and it's the first time installing PowerShell on your machine, restart your computer after installation so task scheduler will recognize `pwsh.exe` required for running this module.\n\n\u003cbr\u003e\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#readme-top\"\u003e💡(back to top)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Installation\n\n### Install from [PowerShell Gallery](https://www.powershellgallery.com/packages/WinSecureDNSMgr/)\n\n```powershell\nInstall-Module -Name WinSecureDNSMgr -force\n```\n\n\u003cbr\u003e\n\nif you already have the module installed, make sure [it's up-to-date](https://learn.microsoft.com/en-us/powershell/module/powershellget/update-module)\n\n```powershell\nUpdate-Module -Name WinSecureDNSMgr -force\n```\n\n\u003cbr\u003e\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#readme-top\"\u003e💡(back to top)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Usage\n\n\u003cbr\u003e\n\n![Animated APNG demonstrating how the Harden Windows Security PowerShell script works](https://github.com/HotCakeX/WinSecureDNSMgr/raw/main/Module%20Operation%20Demo.apng)\n\n\u003cbr\u003e\n\n### Built-in DoH examples\n\n```powershell\nSet-BuiltInWinSecureDNS -DoHProvider Cloudflare\n```\n\n```powershell\nSet-DOH -DoHProvider Cloudflare\n```\n\n\u003cbr\u003e\n\n### Custom DoH examples\n\n```powershell\nSet-CustomWinSecureDNS -DoHTemplate https://example.com/\n```\n\n```powershell\nSet-CDOH -DoHTemplate https://example.com/\n```\n\n```powershell\nSet-CDOH -DoHTemplate https://example.com -IPV4s 1.2.3.4 -IPV6s 2001:db8::8a2e:370:7334\n```\n\n\u003cbr\u003e\n\n### Dynamic DoH examples\n\n```powershell\nSet-DynamicIPDoHServer -DoHTemplate https://example.com/\n```\n\n```powershell\nSet-DDOH -DoHTemplate https://example.com/\n```\n\n\u003cbr\u003e\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#readme-top\"\u003e💡(back to top)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n## Operation modes\n\n### \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/PinkDash.webp\" width=\"30\"\u003e  DNS over HTTPS in Windows using the default built-in OS DoH providers\n\n* This is the default mode of operation for this module. It will set up DNS over HTTPS in Windows using the default built-in OS DoH providers, which are Cloudflare, Quad9 and Google.\n\n* In this mode of operation, the active network adapter/interface will be detected automatically but you will have the option to review it and choose a different one if you like.\n\n### \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/PinkDash.webp\" width=\"30\"\u003e  DNS over HTTPS in Windows using a custom DoH provider that has **static** IP address(s)\n\n* This mode of operation is useful when you want to use a custom DoH provider that has static IP address(s). You can supply the module with a DoH template and then you have 2 options\n\n  * Let the module automatically detect the IP address(s) of the DoH server and set them in Windows\n  * Supply the module with the IP address(s) of the DoH server and let it set them in Windows\n\n* In this mode of operation, the active network adapter/interface will be detected automatically but you will have the option to review it and choose a different one if you like.\n\n### \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/PinkDash.webp\" width=\"30\"\u003e  DNS over HTTPS in Windows using a custom DoH provider that has **dynamic** IP address(s)\n\n* This mode of operation is useful when you want to use a custom DoH provider that has dynamic IP address(s).\n\n* Once you run the module in this mode for the first time and supply it with your DoH template, it will create a scheduled task that will run the module automatically based on 2 distinct criteria:\n\n  - As soon as Windows detects the current DNS servers are unreachable\n  - Every 6 hours in order to check for new IP changes for the dynamic DoH server\n\n    - You can fine-tune the interval in Task Scheduler GUI if you like. I haven't had any downtimes in my tests because the module runs milliseconds after Windows detects DNS servers are unreachable, and even then, Windows still maintains the current active connections using the DNS cache. if your experience is different, please let me know [on GitHub](https://github.com/HotCakeX/WinSecureDNSMgr/issues).\n\n* The module and the scheduled task will use both IPv4s and IPv6s of the dynamic DoH server. The task will run whether or not any user is logged on.\n\n* In this mode of operation, the active network adapter/interface will be detected automatically.\n\n\u003cbr\u003e\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#readme-top\"\u003e💡(back to top)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Upcoming features\n\n* DNS over TLS (DoT) support\n  * It's currently [only available in Windows insider builds](https://techcommunity.microsoft.com/t5/networking-blog/dns-over-tls-available-to-windows-insiders/bc-p/3714816), Dev and Canary channels.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhotcakex%2Fwinsecurednsmgr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhotcakex%2Fwinsecurednsmgr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhotcakex%2Fwinsecurednsmgr/lists"}