cheat sheet
nslookup
Query DNS servers for A, AAAA, MX, TXT, NS, PTR, and other resource records from the Windows command prompt — the built-in tool for diagnosing name resolution issues.
nslookup — DNS Query Tool
What it is
nslookup (Name Server Lookup) is a built-in Windows command that sends DNS queries and displays the responses. It operates in two modes: non-interactive (a single query from the command line) and interactive (a REPL where you can issue multiple queries, change server, and set query options). Use it to diagnose name resolution failures, verify DNS records, test alternate DNS servers, and inspect MX/TXT records for mail or domain verification purposes. For scripting, the non-interactive form is preferred; for exploration, interactive mode lets you adjust query type and server on the fly.
Availability
nslookup ships as C:\Windows\System32\nslookup.exe on every Windows version. PowerShell equivalent: Resolve-DnsName.
nslookup /?
Output:
Usage:
nslookup [-opt ...] # interactive mode using default server
nslookup [-opt ...] - server # interactive mode using 'server'
nslookup [-opt ...] host # just look up 'host' using default server
nslookup [-opt ...] host server # just look up 'host' using 'server'
Syntax
Non-interactive form: optionally specify the DNS server after the hostname.
nslookup [hostname] [server]
nslookup -type=<TYPE> hostname [server]
Output: (DNS response)
Essential options
| Option | Meaning |
|---|---|
| hostname | Name to look up |
| server | Optional DNS server to query instead of the default |
| -type=A | IPv4 address record (default) |
| -type=AAAA | IPv6 address record |
| -type=MX | Mail exchange record |
| -type=NS | Name server record |
| -type=TXT | Text record (SPF, DKIM, domain verification) |
| -type=PTR | Pointer record (reverse lookup) |
| -type=SOA | Start of Authority record |
| -type=CNAME | Canonical name (alias) record |
| -type=ANY | All available records |
| -debug | Show full query/response packets |
| -timeout=N | Set query timeout in seconds |
Forward lookup (A record)
A forward lookup resolves a hostname to its IPv4 address. The default query type is A.
nslookup example.com
Output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
rem Query a specific DNS server (Cloudflare) instead of the system default
nslookup example.com 1.1.1.1
Output:
Server: one.one.one.one
Address: 1.1.1.1
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
IPv6 lookup (AAAA record)
-type=AAAA queries for IPv6 addresses.
nslookup -type=AAAA example.com
Output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: example.com
Address: 2606:2800:220:1:248:1893:25c8:1946
Reverse lookup (PTR record)
Supplying an IP address instead of a hostname causes nslookup to perform a reverse DNS lookup (PTR record) and return the associated hostname.
nslookup 8.8.8.8
Output:
Server: dns.google
Address: 8.8.8.8
Name: dns.google
Address: 8.8.8.8
nslookup 93.184.216.34
Output:
Server: dns.google
Address: 8.8.8.8
Name: 93.184.216.34.in-addr.arpa
Mail exchange lookup (MX record)
-type=MX retrieves the mail server priority and hostname for a domain — useful when diagnosing email delivery failures.
nslookup -type=MX example.com
Output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
example.com MX preference = 10, mail exchanger = mail.example.com
TXT records (SPF, DKIM, verification)
-type=TXT fetches text records — used for SPF email policy, DKIM keys, and domain ownership verification tokens.
nslookup -type=TXT example.com
Output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
example.com text =
"v=spf1 include:_spf.example.com ~all"
NS and SOA records
-type=NS lists the authoritative name servers for a domain. -type=SOA shows the primary name server, responsible email contact, serial number, and refresh intervals.
nslookup -type=NS example.com
Output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
example.com nameserver = a.iana-servers.net
example.com nameserver = b.iana-servers.net
nslookup -type=SOA example.com
Output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
example.com
primary name server = ns1.example.com
responsible mail addr = hostmaster.example.com
serial = 2026042801
refresh = 3600 (1 hour)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 3600 (1 hour)
Interactive mode
Entering nslookup without arguments opens an interactive REPL. Type set type=MX, server 1.1.1.1, or a hostname at the > prompt.
nslookup
Output:
Default Server: dns.google
Address: 8.8.8.8
> set type=MX
> example.com
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
example.com MX preference = 10, mail exchanger = mail.example.com
> server 1.1.1.1
Default Server: one.one.one.one
Address: 1.1.1.1
> example.com
...
> exit
Output: (interactive session — type exit to quit)
Checking against an authoritative server
Query a zone's own name server directly (bypassing caches) to confirm what DNS really publishes.
nslookup -type=NS example.com
Output:
...
example.com nameserver = a.iana-servers.net
nslookup example.com a.iana-servers.net
Output:
Server: a.iana-servers.net
Address: 199.43.135.53
Name: example.com
Address: 93.184.216.34
SRV records (services)
SRV records publish the hostname and port of a service for a domain — used by Active Directory (_ldap._tcp), SIP, XMPP, Matrix federation, Minecraft, and many other protocols. They include priority and weight fields for load balancing.
nslookup -type=SRV _ldap._tcp.example.com
Output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
_ldap._tcp.example.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dc1.example.com
_ldap._tcp.example.com SRV service location:
priority = 10
weight = 100
port = 389
svr hostname = dc2.example.com
Lower priority is preferred. Within the same priority, weight controls proportional load — a client picks each server with probability weight / sum(weights).
rem Common AD SRV records to know
nslookup -type=SRV _ldap._tcp.dc._msdcs.example.com
nslookup -type=SRV _kerberos._tcp.example.com
nslookup -type=SRV _gc._tcp.example.com
Output: (similar SRV-format records, one per service)
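The priority and weight rule described above, as an added example (not code from the original page): a PowerShell function that orders SRV targets lowest priority first and draws within each priority group with probability weight / sum(weights). The function name Get-SrvOrder and the sample records are assumptions made for illustration; the property names match what Resolve-DnsName -Type SRV returns.

```powershell
# Added example. Get-SrvOrder is a hypothetical helper; the records below are
# constructed sample data modelled on the nslookup output above.
function Get-SrvOrder {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # need Priority, Weight, NameTarget
        [System.Random] $Rng = [System.Random]::new()
    )
    $ordered = [System.Collections.Generic.List[object]]::new()
    # Lower priority values are tried first.
    foreach ($group in ($Records | Group-Object Priority | Sort-Object { [int]$_.Name })) {
        $pool = [System.Collections.Generic.List[object]]::new()
        $pool.AddRange([object[]]$group.Group)
        # Draw without replacement: each draw picks a record with
        # probability weight / sum(weights of the records still in the pool).
        while ($pool.Count -gt 0) {
            $total = [int]($pool | Measure-Object Weight -Sum).Sum
            if ($total -eq 0) {
                # All remaining weights are zero: pick uniformly.
                $pick = $pool[$Rng.Next($pool.Count)]
            } else {
                $roll = $Rng.Next(1, $total + 1)      # integer in 1..total
                $running = 0
                foreach ($r in $pool) {
                    $running += $r.Weight
                    if ($running -ge $roll) { $pick = $r; break }
                }
            }
            $ordered.Add($pick)
            [void]$pool.Remove($pick)
        }
    }
    $ordered
}

# Constructed sample: two priority-0 servers with unequal weights, one backup.
$srv = @(
    [pscustomobject]@{ Priority = 0;  Weight = 100; Port = 389; NameTarget = 'dc1.example.com' }
    [pscustomobject]@{ Priority = 0;  Weight = 300; Port = 389; NameTarget = 'dc3.example.com' }
    [pscustomobject]@{ Priority = 10; Weight = 100; Port = 389; NameTarget = 'dc2.example.com' }
)

# Simulate 1000 clients (seeded for repeatability) and tally the first choice.
$rng = [System.Random]::new(1)
1..1000 |
    ForEach-Object { (Get-SrvOrder -Records $srv -Rng $rng)[0].NameTarget } |
    Group-Object | Select-Object Name, Count
```

The priority-10 server never appears as a first choice; it is only reached after every priority-0 target has been tried.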
CAA records (certificate authority authorization)
CAA records tell certificate authorities which CAs are permitted to issue certificates for a domain. Critical for security audits: a missing or wrong CAA record can allow unauthorized cert issuance.
nslookup -type=CAA example.com
Output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
example.com CAA = 0 issue "letsencrypt.org"
example.com CAA = 0 iodef "mailto:security@example.com"
issue controls who can issue certs; iodef is the email address for incident reporting. 0 is the flag (critical bit cleared).
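How a CA is expected to read those records (RFC 8659), as an added example that is not part of the original page: a PowerShell function that parses CAA records in the "flag tag value" form shown above and reports whether a given CA may issue. Test-CaaPermits is a hypothetical helper name, the record strings are constructed, and the caller is assumed to pass the record set of the closest ancestor name that publishes CAA.

```powershell
# Added example. Test-CaaPermits is a hypothetical helper; inputs are constructed.
function Test-CaaPermits {
    param(
        [string[]] $CaaRecords,                       # e.g. '0 issue "letsencrypt.org"'
        [Parameter(Mandatory)] [string] $CaDomain,    # the CA's issuer domain name
        [switch] $Wildcard                            # evaluating a *.example.com request
    )
    $parsed = foreach ($line in $CaaRecords) {
        if ($line -match '^\s*(\d+)\s+(\w+)\s+"([^"]*)"') {
            [pscustomobject]@{
                # Bit 128 of the flag byte is the "issuer critical" bit.
                Critical = ([int]$Matches[1] -band 128) -ne 0
                Tag      = $Matches[2].ToLower()
                # Drop any ";name=value" parameters after the CA domain.
                Value    = ($Matches[3] -split ';')[0].Trim().ToLower()
            }
        }
    }
    # No CAA records in the relevant set: issuance is not restricted.
    if (-not $parsed) { return $true }

    # A critical record whose tag the CA does not understand blocks issuance.
    $known = 'issue', 'issuewild', 'iodef'
    if ($parsed | Where-Object { $_.Critical -and $_.Tag -notin $known }) { return $false }

    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    $relevant = @($parsed | Where-Object Tag -eq 'issue')
    if ($Wildcard) {
        $wild = @($parsed | Where-Object Tag -eq 'issuewild')
        if ($wild.Count -gt 0) { $relevant = $wild }
    }
    # Only iodef records present: nothing restricts issuance.
    if ($relevant.Count -eq 0) { return $true }

    # An empty value (issue ";") matches no CA, which forbids issuance entirely.
    $relevant.Value -contains $CaDomain.ToLower()
}

# Constructed records in the format of the output above.
$caa = '0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"'
Test-CaaPermits -CaaRecords $caa -CaDomain 'letsencrypt.org'
Test-CaaPermits -CaaRecords $caa -CaDomain 'ca.example.net'
Test-CaaPermits -CaaRecords '0 issue ";"' -CaDomain 'letsencrypt.org'
```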
DNSSEC records
DNSSEC records (DNSKEY, DS, RRSIG, NSEC, NSEC3) form the chain of trust that validates DNS responses. nslookup can query them but does not perform validation — that requires a DNSSEC-aware resolver.
nslookup -type=DNSKEY example.com
Output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
example.com
primary name server = ...
Key Flags = 257 (Zone Signing Key, Secure Entry Point)
Protocol = 3
Algorithm = 8 (RSASHA256)
...
nslookup -type=DS example.com
Output: (DS record with key tag, algorithm, digest type, and hex digest)
The DS (Delegation Signer) record is published in the parent zone (.com in this case) and forms the link in the DNSSEC chain. If a domain is signed but the DS record is missing or stale at the parent, validation fails and resolvers report SERVFAIL.
Server selection (-port, -timeout, -retry)
By default nslookup queries port 53 with a 2-second timeout and a single retry. Adjust them for slow servers or non-standard ports (DNS-over-TCP, custom resolver ports).
rem Use a custom port (some private resolvers listen on 5353)
nslookup -port=5353 example.com 127.0.0.1
Output:
Server: 127.0.0.1
Address: 127.0.0.1#5353
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
rem Increase timeout and retries on a slow link
nslookup -timeout=10 -retry=3 example.com slow.dns.example.com
Output:
Server: slow.dns.example.com
Address: 198.51.100.53
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
Debug mode in depth
-debug shows the full query/response packet structure, including flags, opcode, response code (RCODE), and timing. -d2 is even more verbose and shows the request being sent.
nslookup -debug example.com
Output:
Server: dns.google
Address: 8.8.8.8
------------
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
example.com, type = A, class = IN
ANSWERS:
-> example.com
internet address = 93.184.216.34
ttl = 86400 (1 day)
------------
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
RCODE values worth recognising:
| RCODE | Name | Meaning |
|---|---|---|
| 0 | NOERROR | Query succeeded |
| 1 | FORMERR | Malformed query |
| 2 | SERVFAIL | Server failed (often DNSSEC validation failure) |
| 3 | NXDOMAIN | Domain does not exist |
| 5 | REFUSED | Server refuses to answer (e.g. recursion disabled) |
Trace a DNSSEC failure by inspecting RCODE — SERVFAIL from a validating resolver but NOERROR from a non-validating one is the signature.
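The RCODE comparison described above, as an added example (not from the original page): one function pulls the final rcode out of nslookup -debug text, another turns the validating and non-validating results into a verdict. Function names are hypothetical and the two captures are constructed in the format of the -debug output shown earlier.

```powershell
# Added example. Function names are hypothetical; sample text is constructed.
function Get-NslookupRcode {
    param([Parameter(Mandatory)] [string] $DebugText)
    # -debug can print several "Got answer" blocks (for example the PTR lookup
    # of the server itself); the last header belongs to the query for the name.
    $m = [regex]::Matches($DebugText, 'rcode\s*=\s*([A-Z]+)')
    if ($m.Count -eq 0) { return 'NO_RESPONSE' }      # timeout: no header printed
    $m[$m.Count - 1].Groups[1].Value
}

function Get-DnssecVerdict {
    param([string] $ValidatingRcode, [string] $NonValidatingRcode)
    switch ("$ValidatingRcode/$NonValidatingRcode") {
        'SERVFAIL/NOERROR'  { 'Likely DNSSEC validation failure: check the DS record at the parent zone'; break }
        'SERVFAIL/SERVFAIL' { 'Failure on both paths: not specific to DNSSEC'; break }
        'NXDOMAIN/NXDOMAIN' { 'Name does not exist'; break }
        'NOERROR/NOERROR'   { 'Resolves on both paths'; break }
        default             { "Inconsistent results ($ValidatingRcode vs $NonValidatingRcode): compare resolvers individually" }
    }
}

# Constructed capture from a validating resolver: server PTR lookup, then the name.
$validating = @'
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = SERVFAIL
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
------------
'@

# Constructed capture from a non-validating resolver for the same name.
$nonValidating = @'
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
------------
'@

Get-DnssecVerdict (Get-NslookupRcode $validating) (Get-NslookupRcode $nonValidating)

# Live capture (the resolver address is a placeholder to fill in):
#   $text = nslookup -debug example.com <resolver-ip> 2>&1 | Out-String
```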
PowerShell equivalent: Resolve-DnsName
Resolve-DnsName is the modern PowerShell DNS query cmdlet, with first-class structured output, type-specific record fields, and DNSSEC validation flags. It is significantly more script-friendly than nslookup.
# Basic A record lookup
Resolve-DnsName example.com
# Specific record type
Resolve-DnsName example.com -Type MX
# Use a specific DNS server
Resolve-DnsName example.com -Server 1.1.1.1
# Force a fresh query (bypass local resolver cache)
Resolve-DnsName example.com -NoHostsFile -DnsOnly
# Set the DNSSEC OK (DO) bit so signature records (RRSIG) are returned with the answer
Resolve-DnsName example.com -DnssecOk
# Return only the IP addresses
(Resolve-DnsName example.com -Type A).IPAddress
Output:
Name Type TTL Section IPAddress
---- ---- --- ------- ---------
example.com A 300 Answer 93.184.216.34
# All MX records, sorted by preference
Resolve-DnsName example.com -Type MX |
Sort-Object Preference |
Select-Object Preference, NameExchange
Output:
Preference NameExchange
---------- ------------
10 mail1.example.com
20 mail2.example.com
Unlike nslookup, Resolve-DnsName properly returns negative results as PowerShell errors that can be caught:
try {
    Resolve-DnsName nonexistent.example -ErrorAction Stop
} catch {
    "Lookup failed: $($_.Exception.Message)"
}
Output:
Lookup failed: nonexistent.example : DNS name does not exist
DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)
nslookup only speaks plaintext DNS on port 53; it does not support DoH (RFC 8484, port 443) or DoT (RFC 7858, port 853). Windows 11 added system-level DoH support, configurable via netsh dns add encryption. As of the February 2026 Windows Server 2025 update, DoH is also available in public preview on the Windows DNS Server side for client-facing traffic. Reports from May 2026 confirm the Windows 11 DNS client may still fall back to plaintext DNS under some conditions unless administrators explicitly require encrypted resolution (autoupgrade=yes udpfallback=no):
rem Configure system to prefer DoH for 1.1.1.1
netsh dns add encryption server=1.1.1.1 dohtemplate=https://cloudflare-dns.com/dns-query autoupgrade=yes udpfallback=no
netsh dns show encryption
Output:
Server: 1.1.1.1
DohTemplate : https://cloudflare-dns.com/dns-query
AutoUpgrade : yes
UdpFallback : no
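To check whether the resolvers a machine actually uses are covered by an encrypted-only policy, here is an added example (not from the original page) that joins Get-DnsClientServerAddress with Get-DnsClientDohServerAddress and flags every configured server that can still be reached in plaintext. Get-DohCoverage is a hypothetical helper name and the sample objects are constructed; the DoH cmdlet requires Windows 11 or Windows Server 2022 and later.

```powershell
# Added example. Get-DohCoverage is a hypothetical helper name.
function Get-DohCoverage {
    param(
        # Interfaces with at least one DNS server configured.
        [object[]] $Configured = (Get-DnsClientServerAddress | Where-Object ServerAddresses),
        # DoH templates known to the DNS client.
        [object[]] $DohEntries = (Get-DnsClientDohServerAddress)
    )
    # Index the DoH entries by resolver IP for lookup.
    $byIp = @{}
    foreach ($e in $DohEntries) { $byIp[$e.ServerAddress] = $e }

    foreach ($if in $Configured) {
        foreach ($ip in $if.ServerAddresses) {
            $e = $byIp[$ip]
            $status = if (-not $e) {
                'PLAINTEXT: no DoH template registered'
            } elseif (-not $e.AutoUpgrade) {
                'NOT AUTO-UPGRADED: autoupgrade=no'
            } elseif ($e.AllowFallbackToUdp) {
                'DOWNGRADABLE: udpfallback=yes'
            } else {
                'ENCRYPTED-ONLY'
            }
            [pscustomobject]@{
                Interface = $if.InterfaceAlias
                Server    = $ip
                Status    = $status
            }
        }
    }
}

# Constructed sample objects so the logic can be exercised on any machine:
# one resolver with a strict DoH entry, one internal resolver with none.
$cfg = [pscustomobject]@{
    InterfaceAlias  = 'Ethernet'
    ServerAddresses = @('1.1.1.1', '192.0.2.53')
}
$doh = [pscustomobject]@{
    ServerAddress      = '1.1.1.1'
    DohTemplate        = 'https://cloudflare-dns.com/dns-query'
    AutoUpgrade        = $true
    AllowFallbackToUdp = $false
}
Get-DohCoverage -Configured $cfg -DohEntries $doh

# On a live system, call Get-DohCoverage with no arguments.
```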
For testing DoH queries directly, use PowerShell's Invoke-RestMethod against the JSON DoH endpoint:
$response = Invoke-RestMethod `
    -Uri 'https://cloudflare-dns.com/dns-query?name=example.com&type=A' `
    -Headers @{Accept='application/dns-json'}
$response.Answer
Output:
name type TTL data
---- ---- --- ----
example.com 1 300 93.184.216.34
Bypassing the local DNS cache
Windows caches DNS responses in the DNS Client service (svchost). nslookup always queries the server directly and bypasses the cache, so it shows the resolver's view rather than the local view. To inspect or clear the cache:
ipconfig /flushdns
ipconfig /displaydns | findstr Record
Output: (lists each cached Record Name line, e.g. Record Name . . . . . : example.com)
Clear-DnsClientCache
Get-DnsClientCache | Where-Object Data -ne $null
Output:
Entry RecordName RecordType Status Section TimeTo Data
Live Length
----- ---------- ---------- ------ ------- ------ ------
example.com example.com A Success Answer 62 4
Negative cache entries (NXDOMAIN, SERVFAIL) are cached too; if a lookup persistently fails after the upstream is fixed, flush the cache.
Reading PTR responses correctly
Reverse lookups return PTR records that themselves point to a forward name. Verify the pair matches (forward-confirmed reverse DNS, or FCrDNS) — many mail servers reject mail from senders without matching FCrDNS.
nslookup 93.184.216.34
nslookup the-resulting-name
Output: (first command returns PTR; second command should return the same IP for a valid pair)
If the second lookup returns 93.184.216.34, the FCrDNS is valid; otherwise the reverse delegation is misconfigured.
function Test-FCrDNS {
    param([string]$IP)
    # Reverse lookup: IP -> PTR name
    $reverse = (Resolve-DnsName $IP -Type PTR -ErrorAction SilentlyContinue).NameHost
    if (-not $reverse) { return "$IP -> no PTR" }
    # Forward lookup: PTR name -> A records, which must include the original IP
    $forward = (Resolve-DnsName $reverse -Type A -ErrorAction SilentlyContinue).IPAddress
    if ($forward -contains $IP) { return "$IP <-> $reverse [VALID]" }
    return "$IP -> $reverse -> $forward [MISMATCH]"
}
Test-FCrDNS 8.8.8.8
Output:
8.8.8.8 <-> dns.google [VALID]
Interactive mode advanced commands
Interactive mode supports many set commands beyond type. Useful ones:
> set d2 # very verbose debug
> set retry=5 # retry count per query
> set timeout=10 # per-query timeout in seconds
> set port=5353 # query non-standard port
> set norecurse # send a non-recursive query (talk to an auth server)
> set vc # use TCP (virtual circuit) instead of UDP
> ls -d example.com # zone transfer (almost universally refused now)
> view file.txt # display a file in the pager
> root # set server to the root hint
> server 8.8.8.8 # change server
> finger user@host # invoke finger (deprecated, rarely works)
> help # show all commands
DNS query types reference
A full reference of the most useful types nslookup recognises with -type= or set type=:
| Type | Purpose |
|---|---|
| A | IPv4 address |
| AAAA | IPv6 address |
| CNAME | Canonical name (alias) |
| MX | Mail exchanger |
| NS | Authoritative name server |
| SOA | Start of authority |
| TXT | Free-form text (SPF, DKIM, verification) |
| PTR | Reverse pointer |
| SRV | Service location |
| CAA | Certificate authority authorization |
| DNSKEY | DNSSEC public key |
| DS | DNSSEC delegation signer |
| RRSIG | DNSSEC signature |
| NSEC / NSEC3 | DNSSEC denial of existence |
| SPF | Deprecated SPF record (use TXT) |
| NAPTR | Naming authority pointer (ENUM, SIP) |
| LOC | Geographic location |
| HINFO | Host info (rarely used; deprecated by RFC 8482) |
Common pitfalls
- "Non-authoritative answer" — most results come from a caching resolver, not the zone's primary server; query the authoritative NS directly for the source-of-truth value.
- "Server failed" ≠ "host doesn't exist" — the queried DNS server may be unreachable or refusing RTYPE queries; try a different server with nslookup hostname 8.8.8.8.
- Default server shown in output is your resolver — the Server: line is your configured DNS, not the authoritative server for the domain.
- -type=ANY is increasingly blocked — DNSSEC and resolver policies often refuse ANY queries (RFC 8482); query specific types instead.
- No -- flag separator — options must come before the hostname; nslookup example.com -type=MX does not work. Use nslookup -type=MX example.com.
- Interactive mode exit — type exit or press Ctrl+C; Ctrl+Z followed by Enter also works.
- TXT records may be truncated in output — long DKIM keys span multiple quoted strings; Resolve-DnsName -Type TXT joins them transparently.
- nslookup is deprecated in Windows roadmap — Microsoft has signalled that Resolve-DnsName is the preferred tool; nslookup is still shipped but no longer enhanced.
- CNAME chain depth — nslookup follows CNAMEs but only displays the final A/AAAA; use -debug to see intermediate CNAMEs.
- ls (zone transfer) returns "Query refused" — almost no public server allows AXFR; use it only on authorized internal name servers.
- Cached negative responses — a failed lookup may stay in Get-DnsClientCache for the TTL of the SOA; flush with ipconfig /flushdns before retrying.
- Hosts file overrides DNS — C:\Windows\System32\drivers\etc\hosts entries take precedence over DNS; check there if nslookup returns one value and ping returns another.
- DNS server in Server: line is empty — happens when system has no DNS configured or all servers are unreachable; check ipconfig /all.
- Default Server: UnKnown — printed when the resolver IP has no PTR; harmless, the queries still work.
- IPv6-only DNS servers require -6 — older nslookup builds may not handle IPv6 resolvers correctly.
Real-world recipes
Verify SPF record is published
nslookup -type=TXT example.com 8.8.8.8
Output:
...
"v=spf1 include:_spf.example.com ~all"
Check DNS propagation against multiple resolvers
@echo off
for %%s in (8.8.8.8 1.1.1.1 9.9.9.9) do (
    echo --- %%s ---
    nslookup example.com %%s | findstr "Address"
)
Output:
--- 8.8.8.8 ---
Address: 93.184.216.34
--- 1.1.1.1 ---
Address: 93.184.216.34
--- 9.9.9.9 ---
Address: 93.184.216.34
Find the mail server for a domain
nslookup -type=MX corp.example.com 8.8.8.8
Output:
corp.example.com MX preference = 10, mail exchanger = mail.corp.example.com
Debug a resolution failure with full packet detail
nslookup -debug broken.example.com
Output:
------------
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NXDOMAIN
...
------------
*** dns.google can't find broken.example.com: Non-existent domain
Find every Active Directory domain controller
AD publishes domain controllers via SRV records. A single query returns the full list.
nslookup -type=SRV _ldap._tcp.dc._msdcs.example.com
Output:
_ldap._tcp.dc._msdcs.example.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dc1.example.com
_ldap._tcp.dc._msdcs.example.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dc2.example.com
Resolve-DnsName "_ldap._tcp.dc._msdcs.example.com" -Type SRV |
Sort-Object Priority | Select-Object NameTarget, Port, Priority, Weight
Bulk-verify SPF, DKIM, and DMARC records
A pre-deployment checklist for any mail-sending domain.
$domain = 'example.com'
@(
    @{Label='SPF';   Q="$domain";                    Type='TXT'; Filter={$_.Strings -like '*v=spf1*'}},
    @{Label='DMARC'; Q="_dmarc.$domain";             Type='TXT'; Filter={$_.Strings -like '*v=DMARC1*'}},
    @{Label='DKIM';  Q="default._domainkey.$domain"; Type='TXT'; Filter={$_.Strings -like '*v=DKIM1*' -or $_.Strings -like '*k=rsa*'}},
    @{Label='MX';    Q="$domain";                    Type='MX';  Filter={$true}}
) | ForEach-Object {
    $records = Resolve-DnsName $_.Q -Type $_.Type -ErrorAction SilentlyContinue |
        Where-Object $_.Filter
    if ($records) {
        "$($_.Label): OK"
    } else {
        "$($_.Label): MISSING"
    }
}
Output:
SPF: OK
DMARC: OK
DKIM: OK
MX: OK
Get all A and AAAA records for a load-balanced hostname
For a hostname behind GSLB or anycast, the resolver may return different IPs each query. Sample multiple resolvers to see the full set.
$servers = '8.8.8.8','1.1.1.1','9.9.9.9','8.8.4.4','149.112.112.112'
$all = $servers | ForEach-Object {
    Resolve-DnsName www.example.com -Type A -Server $_ -ErrorAction SilentlyContinue
} | Select-Object -ExpandProperty IPAddress -Unique
$all
Output:
93.184.216.34
93.184.216.35
93.184.216.36
Time DNS query latency to multiple resolvers
A benchmark of resolver speed helps pick the right DNS server for ipconfig configuration.
$resolvers = @{
    'Cloudflare' = '1.1.1.1'
    'Google'     = '8.8.8.8'
    'Quad9'      = '9.9.9.9'
    'OpenDNS'    = '208.67.222.222'
    'ControlD'   = '76.76.2.0'
}
$resolvers.GetEnumerator() | ForEach-Object {
    $sw = [Diagnostics.Stopwatch]::StartNew()
    Resolve-DnsName example.com -Server $_.Value -Type A -ErrorAction SilentlyContinue | Out-Null
    $sw.Stop()
    [PSCustomObject]@{Resolver=$_.Key; IP=$_.Value; LatencyMs=$sw.ElapsedMilliseconds}
} | Sort-Object LatencyMs
Output:
Resolver IP LatencyMs
-------- -- ---------
Cloudflare 1.1.1.1 12
Google 8.8.8.8 14
Quad9 9.9.9.9 18
OpenDNS 208.67.222.222 22
ControlD 76.76.2.0 35
Audit DNS resolver configuration
A diagnostic snapshot covering local resolver settings, cache stats, and current DoH state.
Get-DnsClient | Format-Table InterfaceAlias, ConnectionSpecificSuffix
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses
Get-DnsClientCache | Measure-Object | Select-Object @{n='CachedEntries';e={$_.Count}}
netsh dns show encryption
Output:
InterfaceAlias ConnectionSpecificSuffix
-------------- ------------------------
Ethernet lan.example.com
InterfaceAlias ServerAddresses
-------------- ---------------
Ethernet {1.1.1.1, 1.0.0.1}
CachedEntries
-------------
247
Detect DNS hijacking on a network
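A quick test: ask a known-good public resolver directly, ask the locally configured resolver, and compare the answers. If a network operator is rewriting responses, the answers will differ. Use a name with a single stable record for the comparison, because CDN and GeoDNS names legitimately return different addresses per resolver.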
$expected = (Resolve-DnsName example.com -Server 1.1.1.1).IPAddress | Sort-Object
$local = (Resolve-DnsName example.com).IPAddress | Sort-Object
if (Compare-Object $expected $local) {
    Write-Warning "DNS hijack suspected: local=$local expected=$expected"
} else {
    "DNS responses match across resolvers"
}
Output:
DNS responses match across resolvers
Force a fresh authoritative lookup
Sometimes the local cache or upstream resolver has a stale value. Go all the way to the authoritative server.
$ns = (Resolve-DnsName example.com -Type NS).NameHost | Select-Object -First 1
Resolve-DnsName example.com -Server $ns -Type A
Output:
Name Type TTL Section IPAddress
---- ---- --- ------- ---------
example.com A 3600 Answer 93.184.216.34
This is the equivalent of dig +norecurse @authoritative-server example.com on Linux.
CSV inventory of all DNS records for multiple domains
Bulk export A/AAAA/MX/NS/TXT for a list of domains — useful for migration planning.
$domains = 'example.com','example.org','example.net'
$types = 'A','AAAA','MX','NS','TXT'
$rows = foreach ($d in $domains) {
    foreach ($t in $types) {
        Resolve-DnsName $d -Type $t -ErrorAction SilentlyContinue |
            Where-Object Type -eq $t |
            ForEach-Object {
                [PSCustomObject]@{
                    Domain = $d
                    Type   = $t
                    TTL    = $_.TTL
                    # First non-null field among the type-specific data properties
                    Data   = ($_.IPAddress, $_.NameExchange, $_.NameHost, ($_.Strings -join ' ')) -ne $null | Select-Object -First 1
                }
            }
    }
}
$rows | Export-Csv -NoTypeInformation C:\Audit\dns_inventory.csv
Output:
(none — writes CSV)
See also
- ipconfig — /flushdns, /displaydns, /registerdns for the local resolver
- ping — uses DNS to resolve hostnames before sending ICMP
- tracert — relies on PTR records for reverse-DNS hop labels
- route — affects which DNS server is reachable when multi-homed
- netsh — netsh dns for configuration including DoH encryption
- Linux dig — cross-platform comparison; richer query options and output
Sources
- Secure DNS with DoH: Public Preview for Windows DNS Server — Microsoft Community Hub, Feb 2026
- Does Windows 11 Fall Back to Plain DNS? DoH Privacy Settings — Windows Forum, May 2026
- Enable DNS over HTTPS in Windows 11 — Windows Forum, 2026
- How to Change DNS in Windows 11: DoH Setup, GUI and PowerShell Guide — Windows Forum