Score:-2

How to default to TLS1.3 for all dns traffic to and from Windows 11 box?

Dan

I was browsing Wireshark output and noticed that the handshake process for talking to Google DNS servers was asking for TLS1.2 vs the supported default TLS1.3 at 2001:4860:4860::8844 (https://developers.google.com/speed/public-dns/docs/secure-transports).

How do I set the default TLS version to be used on Windows 11 to TLS1.3 and downgrade to TLS1.2 if that is not available?

Internet Options has TLS 1.2 and TLS 1.3 selected but it seems to default to TLS1.2.

So the client cipher suite supports: TLS_AES_256_GCM_SHA384

And then the server confirms that it supports the same TLS1.3 cipher suite.

However TLS1.2 is still being used.

Steffen Ullrich
This question is off-topic here since not about professional server management. But to give a short answer: You are interpreting the output wrong. Support for TLS 1.3 is announced using the supported_version extension in ClientHello and agreed on by the server in the same way. TLS record layer in TLS 1.3 is always set to TLS 1.2. And Wireshark is also interpreting the captured data in the correct way, showing clearly that TLS 1.3 is used here (column Protocol). See also https://superuser.com/questions/1618418/how-does-the-client-hello-message-choose-the-record-layer-version.
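The distinction drawn in the comment above, as an added example that is not part of the original thread: a Python parser that reads a ServerHello record and reports the record-layer version, the `legacy_version` field, and the version actually selected through the `supported_versions` extension (type 43, RFC 8446). The sample records are constructed, and the function names are illustrative.

```python
import struct

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # supported_versions, RFC 8446 section 4.2.1

def name(version):
    return TLS_NAMES.get(version, hex(version))

def negotiated_version(record):
    """Parse one TLS record carrying a ServerHello and report every version field."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len or len(body) < 4 or body[0] != 2:
        raise ValueError("not a complete ServerHello record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_ver = struct.unpack_from("!H", hello, 0)[0]
    pos = 2 + 32                      # skip legacy_version and random
    pos += 1 + hello[pos]             # skip legacy_session_id_echo
    cipher = struct.unpack_from("!H", hello, pos)[0]
    pos += 2 + 1                      # skip cipher_suite and compression method
    selected = legacy_ver             # TLS 1.2 and older: this field decides
    if pos + 2 <= len(hello):         # extensions block present
        ext_end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(hello)):
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                selected = struct.unpack_from("!H", hello, pos + 4)[0]  # TLS 1.3 overrides
            pos += 4 + ext_len
    return {"record_layer": name(rec_ver), "legacy_version": name(legacy_ver),
            "negotiated": name(selected), "cipher_suite": cipher}

def sample_server_hello(selected, cipher):
    """Constructed ServerHello record; random and session id are zero bytes."""
    exts = b"" if selected is None else struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
    hello = struct.pack("!H", 0x0303) + bytes(32) + b"\x20" + bytes(32)
    hello += struct.pack("!HB", cipher, 0) + struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0303, len(handshake)) + handshake

if __name__ == "__main__":
    # 0x1302 = TLS_AES_256_GCM_SHA384; 0xC030 = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    print(negotiated_version(sample_server_hello(0x0304, 0x1302)))
    print(negotiated_version(sample_server_hello(None, 0xC030)))
```

Both sample records carry 0x0303 in the record layer and in `legacy_version`; only the extension tells the two sessions apart.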
Score:0

Cipher suites can only be negotiated for TLS versions which support them. The highest supported TLS version is always preferred in the TLS handshake. (source: TLS Cipher Suites in Windows 11 (learn.microsoft.com))

The list of cipher suites, and the supported TLS version is on that link:

Dan
Thanks for that, I updated the question to show that both the client and the server support the TLS1.3 (TLS_AES_256_GCM_SHA384) cipher suite. Have any ideas why this would still allow TLS1.2 to be used?