# Guide: Enforcing DNS via Windows Name Resolution Policy (NRPT)

This guide details how to configure the **Name Resolution Policy Table (NRPT)** in Windows. This is the most effective way to force Windows to send DNS queries strictly to a specific DNS server (like **Pi-hole** or **AdGuard Home**), overriding "Smart Multi-Homed Name Resolution" and preventing DNS leaks.

---

## Method 1: Group Policy Editor (Windows Pro / Enterprise)

If you have Windows Pro or Enterprise, using the GUI is the most straightforward method.

1. **Open the Group Policy Editor**
   * Press `Win + R`.
   * Type `gpedit.msc` and press **Enter**.
2. **Navigate to the Policy**
   * Go to: `Computer Configuration` -> `Windows Settings` -> `Name Resolution Policy`.
3. **Create the Rule**
   * Find the **"Create Rules"** section on the right.
   * **Namespace:** Select **Suffix** from the dropdown. In the text box, type `.` (a single dot).
     * *Note: A single dot represents the root, effectively meaning "all traffic."*
   * **Name Resolution Tab:** Click the **Generic DNS Server** tab.
   * Check **Enable DNS settings**.
   * Click **Add** and enter the IP address of your DNS server (e.g., `192.168.1.50`).
   * Click the **Add** button next to the entry box to list it.
4. **Apply the Rule**
   * **Crucial:** Click the **Create** button at the bottom of the "Create Rules" section.
   * Ensure the rule appears in the "Name Resolution Policy Table" at the bottom.
   * Click **Apply**.

---

## Method 2: PowerShell (Windows Home / Manual)

Windows Home lacks the Group Policy Editor, but you can achieve the exact same result using PowerShell.

**Prerequisite:** Open PowerShell as **Administrator**.

### 1. View Current Rules

Check if any rules currently exist (common with VPNs).

```powershell
Get-DnsClientNrptRule
```

### 2. Add the "Anti-Leak" Rule

Run the following command to force all DNS traffic to your target IP. *Replace `192.168.1.50` with your actual DNS server IP.*

```powershell
Add-DnsClientNrptRule -Namespace "." -NameServers "192.168.1.50"
```

### 3. Verify

Run `Get-DnsClientNrptRule` again to confirm the rule is active.

### 4. How to Remove the Rule

If your DNS server goes offline, you must remove this rule to restore internet access.

**To remove only the global rule:**

```powershell
Get-DnsClientNrptRule | Where-Object {$_.Namespace -eq "."} | Remove-DnsClientNrptRule
```

**To remove ALL NRPT rules (Reset):**

```powershell
Get-DnsClientNrptRule | Remove-DnsClientNrptRule
```

---

## Verification

To ensure the policy is working:

1. **Command Prompt Check:** Run `nslookup google.com`. The "Server" listed should be your Pi-hole/AdGuard IP, not your router or ISP.
2. **Leak Test:** Visit [DNSLeakTest.com](https://www.dnsleaktest.com) and run the **Extended Test**. You should only see the upstream providers used by your Pi-hole (e.g., Cloudflare, Quad9), never your ISP.

> **⚠️ Warning:** Because this policy overrides local adapter settings, if your Pi-hole/AdGuard server goes offline, your PC will lose name resolution entirely until the server is fixed or the rule is removed via PowerShell.
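The script below is an added example, not part of the original guide, that wraps the Method 2 steps (view, add, verify, remove) into one idempotent, reversible sequence. The function names, the `Force-LAN-Resolver` display name and the `192.168.1.50` address are assumptions and placeholders; replace the address with your own resolver. Two points a practitioner will want that the steps above leave implicit: `Resolve-DnsName` goes through the DNS Client service and therefore honours NRPT, whereas `nslookup.exe` sends its query straight to the adapter's configured DNS server and does not, so it is `Resolve-DnsName` that proves the policy is in effect; and because the rule replaces adapter settings entirely, the script checks that the resolver answers on port 53 and rolls the rule back automatically if verification fails, which is the failure mode the warning at the end of the guide describes. Listing a second Pi-hole/AdGuard address in `-NameServers` gives the rule a fallback resolver.

```powershell
# Added example (not from the original guide): idempotent wrapper around the
# NRPT cmdlets used in Method 2, with verification through the DNS Client
# service and an automatic rollback. IPs and names below are placeholders.
#Requires -RunAsAdministrator

$DnsServers = @("192.168.1.50")      # your Pi-hole / AdGuard IP(s); a second entry acts as fallback
$RuleName   = "Force-LAN-Resolver"   # hypothetical DisplayName so the rule can be identified later

function Get-GlobalNrptRule {
    # "." is the root namespace, i.e. the catch-all rule this guide creates.
    Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq "." }
}

function Set-GlobalNrptRule {
    param([string[]]$NameServers, [string]$DisplayName)

    $existing = Get-GlobalNrptRule
    if ($existing -and ((@($existing.NameServers) -join ",") -eq ($NameServers -join ","))) {
        Write-Host "Global NRPT rule already points at $($NameServers -join ', '); nothing to do."
        return $existing
    }
    # Replace rather than stack: two "." rules make the effective policy ambiguous.
    if ($existing) { $existing | Remove-DnsClientNrptRule -Force }

    Add-DnsClientNrptRule -Namespace "." -NameServers $NameServers -DisplayName $DisplayName `
        -Comment "Pins all DNS to the LAN resolver; remove with Remove-DnsClientNrptRule if it goes offline"
    Get-GlobalNrptRule
}

function Test-GlobalNrptRule {
    param([string]$Name = "example.com")

    # Effective policy as the DNS Client service sees it (not just the stored rule).
    $policy = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq "." }
    if (-not $policy) { Write-Warning "No effective NRPT policy for '.'"; return $false }

    # If the pinned resolver is down, every lookup on this machine will fail.
    $first = @($policy.NameServers)[0]
    if (-not (Test-NetConnection -ComputerName $first -Port 53 -InformationLevel Quiet)) {
        Write-Warning "Resolver $first is not answering on TCP/53; name resolution will fail while the rule is active."
        return $false
    }

    # Resolve-DnsName honours NRPT; nslookup.exe queries the adapter's DNS server directly and does not.
    $answer = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue
    if (-not $answer) { Write-Warning "Lookup of $Name failed through the NRPT resolver"; return $false }
    Write-Host "$Name resolved via NRPT policy -> $($policy.NameServers -join ', ')"
    return $true
}

function Remove-GlobalNrptRule {
    # Rollback path from section 4: restores per-adapter DNS settings.
    Get-GlobalNrptRule | Remove-DnsClientNrptRule -Force
}

# Usage: the four steps of Method 2 in order.
Get-DnsClientNrptRule                                   # 1. inspect existing rules (VPN rules etc.)
Set-GlobalNrptRule -NameServers $DnsServers -DisplayName $RuleName |
    Format-List Namespace, NameServers, DisplayName     # 2./3. add the rule and show it
if (-not (Test-GlobalNrptRule)) {                       # verify through the DNS Client service
    Write-Warning "Verification failed; removing the rule so the machine keeps name resolution."
    Remove-GlobalNrptRule                               # 4. rollback
}
```

`Get-DnsClientNrptPolicy` is used for the check rather than `Get-DnsClientNrptRule` because it reports the policy the resolver is actually applying, which is what the "Verify" step is meant to confirm.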