Windows 11 will not resolve .onion domains

On my home dns server I have these dns records:
..onion$ 10.0.0.254
.
.i2p$ 10.0.0.253
To associate real IP for tor and i2p sites and then transparently proxyfy them
If I try to resolve them with nslookup, both work:
nslookup 123.i2p will return 10.0.0.253
nslookup 123.onion will return 10.0.0.254
And if I try to resolve them with PowerShell's Resolve-DnsName (or simply ping them):
Resolve-DnsName 123.i2p will work and return 10.0.0.253
Resolve-DnsName 123.onion will not work
Even if I manually add these records to etc/hosts and look into the DNS cache, I see this:

```
Get-DnsClientCache

Entry                     RecordName                Record Status    Section TimeTo Data L Data
                                                    Type                     Live   ength
-----                     ----------                ------ ------    ------- ------ ------ ----
123.onion                                           AAAA   NotExist
123.onion                                           A      NotExist
123.i2p                                             AAAA   NoRecords
123.i2p                   123.i2p                   A      Success   Answer  584505      4 10.0.0.253
```

I've also dumped traffic with Wireshark. When I run

Resolve-DnsName 123.i2p

there is a DNS request, and when I run

Resolve-DnsName 123.onion

there is not.
The problem exists only in Windows 11; Windows 10 and earlier, Android and Linux distros are all OK.
It seems that Microsoft hardcoded some kind of filter in the Windows DNS client which stops .onion domains from resolving.
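The three checks the post runs by hand (Resolve-DnsName, the client cache, nslookup), collected into one script so the divergence is visible side by side. This is an added example, not code from the original post. It assumes the names from the post (123.onion and 123.i2p) and whatever resolver the adapter is configured with; example.com is added as a control that every resolver should answer. Resolve-DnsName goes through the DNS Client service and its cache, nslookup talks to the configured server directly, which is why the two can disagree.

```powershell
# Added example (not from the original post). For each name, ask the Windows
# DNS client, inspect the client cache afterwards, and ask nslookup, which
# bypasses the DNS Client service and queries the configured resolver itself.
$Names = @('123.onion', '123.i2p', 'example.com')

function Get-ClientAnswer {
    param([Parameter(Mandatory)] [string] $Name)
    # Resolve-DnsName throws on NXDOMAIN / no records; report that instead of addresses.
    try {
        $records = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
        $ips = @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        if ($ips.Count -eq 0) { return 'no A record' }
        return ($ips -join ',')
    } catch {
        return "error: $($_.Exception.Message.Trim())"
    }
}

function Get-CacheStatus {
    param([Parameter(Mandatory)] [string] $Name)
    # Negative answers are cached too; that is how the post saw 'NotExist' entries.
    $entries = @(Get-DnsClientCache -Entry $Name -ErrorAction SilentlyContinue)
    if ($entries.Count -eq 0) { return 'not cached' }
    return (($entries | ForEach-Object { "$($_.Type)=$($_.Status)" }) -join ' ')
}

function Get-NslookupAnswer {
    param([Parameter(Mandatory)] [string] $Name)
    $lines = @(& nslookup.exe -type=A $Name 2>&1 | ForEach-Object { [string] $_ })
    $afterName = $false   # the first Server:/Address: pair describes the resolver, not the answer
    $answers = @()
    foreach ($line in $lines) {
        if ($line -match '^Name:') { $afterName = $true; continue }
        if (-not $afterName) { continue }
        if ($line -match '^\s*Address(?:es)?:\s*(\S*)') {
            if ($Matches[1] -ne '') { $answers += $Matches[1] }
            continue
        }
        if ($line -match '^\s+(\S+)\s*$') { $answers += $Matches[1] }   # continuation of "Addresses:"
    }
    if ($answers.Count -eq 0) { return 'no answer' }   # e.g. "*** can't find ...: Non-existent domain"
    return ($answers -join ',')
}

foreach ($n in $Names) {
    [pscustomobject]@{
        Name     = $n
        Client   = Get-ClientAnswer -Name $n
        Cache    = Get-CacheStatus -Name $n
        Nslookup = Get-NslookupAnswer -Name $n
    }
} | Format-Table -AutoSize
```

On the setup described in the post one would expect the Nslookup column to show the mapped address for both names while the Client column shows an error and the Cache column a NotExist entry for 123.onion only; a Wireshark capture alongside confirms whether a query left the machine at all.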

Your instinct about Microsoft is correct; they have taken a page out of Apple's book with how they are tying down their ecosystem. A lot of changes introduced with Windows 11 have made 3rd party software buggy at best, and completely faulty at worst. Since you're not on an education version or something, you may be able to enable dev mode in system settings, and disable the Windows firewall and see if that helps. But I doubt it'll help much.

But since this is a DNS issue more so than not, it's possible to enable Tor's DNS listening service to tunnel DNS requests over Tor. This might help with your issue.

Source: Tor manual

DNSPort [address:]port|auto [isolation flags]
If non-zero, open this port to listen for UDP DNS requests, and
resolve them anonymously. This port only handles A, AAAA, and PTR
requests—it doesn’t handle arbitrary DNS request types. Set the
port to “auto” to have Tor pick a port for you. This directive can be
specified multiple times to bind to multiple addresses/ports. See
SocksPort for an explanation of isolation flags. (Default: 0)

and this may be helpful also,
Source: Tor Man pages

ServerDNSResolvConfFile filename
Overrides the default DNS configuration with the configuration in
filename. The file format is the same as the standard Unix
“resolv.conf” file (7). This option, like all other ServerDNS
options, only affects name lookups that your server does on behalf of
clients. (Defaults to use the system DNS configuration or a localhost
DNS service in case no nameservers are found in a given
configuration.)

Might be worth trying to see if you can hard code your own DNS servers so windows can’t say no on it.

Please let me know if helpful.

Windows Firewall and Defender are turned off, no luck.
There are no DNS requests for the .onion domain even when the DNS server is on 127.0.0.1 (tested with Wireshark and Acrylic DNS).
Also, as you can see, the .onion DNS record is marked as non-existent even when these records are in the Windows hosts file.
I also tried to play with DNS group policies but no luck at all.
I've created feedback for Microsoft

but it's very doubtful that they will fix anything.
But

My first thought would be that, because .onion is a special-use TLD, Windows decides to handle it like that. Which is probably a good way to handle it normally, but not for your use case.

Yeah that tracks, I honestly didn’t think it would help but was worth a shot anyway.

Windows 11 is basically malware and spyware. Not long ago I was called to a colleague's home to repair her computer (RAM wasn't seated properly, which caused the machine to fail POST), which I did. But one issue in particular stood out to me: her machine was running a copy of Windows 10 with recent updates, and she has an onboard TPM chip too. I wanted to double check the RAM was in fact functional, as it was new and untested, and so a memtest86 test was my first go-to. dd if= of= Ubuntu onto a USB stick with extra hardware diagnostic utilities just in case. Better to have it and not need it and all that.

Well, Windows disabled the BIOS option to disable Secure Boot. It also disabled grub2 from being recognized as a bootable option, after finding and erasing the Secure Boot keys, and disabling fast boot (don't know why I had to, but I had to) before it would even notice there was a USB stick in the machine.
Then when it was actually booted, the memtest86 utility wouldn't run, and it took Ubuntu Desktop 22.04 LTS 15 minutes to fully load for some reason. Mind you, this isn't a shitty 200 dollar desktop with cum stains. This was a $6000 US-built monster, built for research and scientific calculations.

Had a very similar issue with my wife's laptop, which is an ASUS with Windows 10 recently forced to Windows 11, also with a TPM chip. It flatly REFUSES to even recognize a bootable ISO stick, regardless of what's on it. There have also been a number of changes introduced to the newest versions of Windows 10 and 11 that prevent any and all 'unapproved' applications from even being allowed to run. Period.
There was a gentleman yesterday with an education version of Windows 11 that wouldn't even finish a handshake with the Guard node, and was also throwing some weird JS and JSON errors.

Microsoft is on the warpath, and very soon the Windows ecosystem will be worse than the Apple ecosystem.
You don't own, nor have control over, your new computer.
You don't own your hardware.
You don't own your software.
If Micro-cock, I mean Microsoft, doesn't want it running on Windows, it won't run on the computer, period.

I apologize for not being able to help more, and I’m sorry that I am the bearer of bad news here.

@Mephistopheles Windows responsibility ends after computer goes into reboot.
In this case you need to blame computer manufacturer, not Microsoft.

Software developers need time to learn how modern hardware works.
In the case of Linux, lots of time.


I wonder why people have not developed an easy method for patching Windows.
In the case described in this topic it should be as easy as searching for "onion" in binaries and replacing it with some garbage.
No one needs it? No one cares? No programmers who can make this?

I've tried to search for the string "onion" with Notepad++ through all files with names like dns (case insensitive) in the Windows directory.
No luck at all.

Trying to find logic in system file names is useless.
For example, can you guess what dxgmms1.sys file is doing?
Everything needs to be checked.
Also not only binaries, but every file type.
Maybe string will be found in file without protection and it will be possible to easily change it.

I'm not sure if Notepad++ has a feature for mass search.
Total Commander has it, for example.
Also you need to search in both 8 bit and 16 bit encoding (ANSI and UTF-16).
Strings can be encoded by any of them.

I've tried to replace these two "onion" strings with the string "msdos".
And it worked perfectly: ".onion" domains started to be resolved and ".msdos" domains are not working now (but there are no .msdos domains). I don't know how it works for sure. Do you know any instruments to create patches for binaries? I know how I can do it with dd, but it's a Linux utility.

1 Like

Yeah, you were right about UTF-16.
Found this in windows/system32/dnsapi.dll.
Looks very suspicious :)

1 Like
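The search-and-replace the two posts above did with Notepad++ and Total Commander, as a script: find every 8-bit and UTF-16LE occurrence of a string in a binary and write a same-length replacement into a copy. This is an added example, not code from the thread; the search string 'onion' and the replacement 'msdos' are the ones the thread used, the offsets are found at run time rather than hard-coded, and the file name dnsapi.dll in the usage comment is the one reported above. Patching a signed system DLL breaks its Authenticode signature, and Windows may put the original back, so the function never writes to the input file.

```powershell
# Added example (not from the original thread): locate and patch short strings
# in a binary in both encodings the thread mentions, writing only to a copy.
$Latin1 = [System.Text.Encoding]::GetEncoding('iso-8859-1')   # maps bytes 0-255 1:1 to chars

function Find-BinaryString {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Text
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # View the bytes as a Latin-1 string so .NET's ordinal IndexOf does the scanning.
    $haystack = $Latin1.GetString($bytes)
    $encodings = @(
        @{ Name = 'ANSI';     Encoding = [System.Text.Encoding]::ASCII   }
        @{ Name = 'UTF-16LE'; Encoding = [System.Text.Encoding]::Unicode }
    )
    $hits = @()
    foreach ($e in $encodings) {
        $needle = $Latin1.GetString($e.Encoding.GetBytes($Text))
        $pos = $haystack.IndexOf($needle, 0, [System.StringComparison]::Ordinal)
        while ($pos -ge 0) {
            $hits += [pscustomobject]@{ Encoding = $e.Name; Offset = $pos; Length = $needle.Length }
            $pos = $haystack.IndexOf($needle, $pos + 1, [System.StringComparison]::Ordinal)
        }
    }
    return $hits
}

function Set-BinaryString {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $OutPath,
        [Parameter(Mandatory)] [string] $Text,
        [Parameter(Mandatory)] [string] $Replacement
    )
    # Same character count and ASCII-only: then the byte length matches in both
    # encodings and no other offset in the file moves.
    if ($Replacement.Length -ne $Text.Length -or $Replacement -notmatch '^[\x00-\x7F]+$') {
        throw "Replacement must be ASCII and exactly $($Text.Length) characters long."
    }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hits = @(Find-BinaryString -Path $Path -Text $Text)
    foreach ($h in $hits) {
        $enc = if ($h.Encoding -eq 'UTF-16LE') { [System.Text.Encoding]::Unicode } else { [System.Text.Encoding]::ASCII }
        $new = $enc.GetBytes($Replacement)
        [System.Array]::Copy($new, 0, $bytes, $h.Offset, $new.Length)
    }
    [System.IO.File]::WriteAllBytes($OutPath, $bytes)   # the input file is left untouched
    return $hits
}

# Self-test on a constructed file: one ANSI and one UTF-16LE occurrence between filler bytes.
$demo    = Join-Path $env:TEMP 'binpatch-demo.bin'
$filler  = [byte[]](0..255)
$content = [byte[]]($filler + [System.Text.Encoding]::ASCII.GetBytes('x.onion$') + $filler +
                    [System.Text.Encoding]::Unicode.GetBytes('.onion') + $filler)
[System.IO.File]::WriteAllBytes($demo, $content)
Find-BinaryString -Path $demo -Text 'onion' | Format-Table -AutoSize
$patched = @(Set-BinaryString -Path $demo -OutPath "$demo.patched" -Text 'onion' -Replacement 'msdos')
"Patched $($patched.Count) occurrence(s); left: $(@(Find-BinaryString -Path "$demo.patched" -Text 'onion').Count)"

# Real target from the thread (review the reported offsets first; output goes to a copy):
#   Find-BinaryString -Path "$env:SystemRoot\System32\dnsapi.dll" -Text 'onion'
#   Set-BinaryString  -Path "$env:SystemRoot\System32\dnsapi.dll" -OutPath "$env:TEMP\dnsapi.patched.dll" -Text 'onion' -Replacement 'msdos'
```

The 8-bit search matches any byte run equal to the string, including the inside of longer words, so look at every hit before letting Set-BinaryString rewrite them all; on the constructed file the run reports two hits and zero left after patching.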

The last time I made patches was more than 10 years ago.
Sadly, I don't remember the name of the program I used.
I tried to google a similar program and found diablo2oo2's Universal Patcher.
I tested it in a virtual machine and it works, but I can't be sure that it is safe to use.


Actually, this topic contains all the information readers need to make the patch.
Since hitting your problem requires special knowledge, I think anyone who needs to do the same will also be able to replace several bytes.


I expect that the most difficult problem will not be making such a change, but keeping it intact.
Easiest part: the file may be updated by the OS in the future, so offsets will most likely change.
Hardest part: the OS may not like that someone changed its files and may try to restore the original versions. If I remember correctly, the Windows directory contains several copies of system files and the OS can replace the patched copy with a non-patched one. I don't know, however, whether it is enough to patch all copies; theoretically the OS can download original versions from somewhere.

You can protect a system file by taking ownership away from all system users.
I do this to disable automatic system updates:
```
takeown /f "%WINDIR%\System32\UsoClient.exe" /a
icacls "%WINDIR%\System32\UsoClient.exe" /inheritance:r /remove "Administrators" "Authenticated Users" "Users" "System"
```
UsoClient.exe is the Windows Update orchestrator; without rights to run it, Windows can't automatically download updates (but you can still do it manually).
So we can also remove access rights to dnsapi.dll from system users and the file should stay untouched by updates (should be tested).
PS. I posted this solution to the Microsoft forums and was immediately banned. Very Microsoft style.

1 Like
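The takeown/icacls idea from the post above, wrapped so that the "should be tested" part is covered: record a SHA-256 of the patched file, lock it down, and later check whether the file on disk still matches the record. This is an added example, not code from the post. It deliberately differs from the post's icacls line in one respect: instead of removing all access, it keeps the existing read/execute grants and adds deny ACEs for write, append and delete to the principals a servicing process runs as (SYSTEM, Administrators, TrustedInstaller, given by SID so it works on non-English Windows), because dnsapi.dll is loaded by every process that resolves names and a DLL nobody can read cannot be loaded. A process holding backup/restore privileges can still bypass a DACL, which is why the hash check is the part that actually tells you the file was replaced. The dnsapi.dll path in the usage comment is the one named in the thread; the hash-record path is an assumption.

```powershell
# Added example (not from the original post): lock a patched file against
# ordinary overwrites and detect when something replaced it anyway.
function Protect-PatchedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $HashRecord
    )
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Set-Content -Path $HashRecord -Value $hash
    & takeown.exe /f $Path /a | Out-Null            # as in the post: owner becomes the Administrators group
    if ($LASTEXITCODE -ne 0) { throw "takeown failed ($LASTEXITCODE)" }
    # Unlike the post, existing read/execute grants stay so the DLL remains loadable;
    # deny ACEs for write data, append, write EA/attributes and delete are added instead.
    $denyMask = '(WD,AD,WEA,WA,DE)'
    $sids = @(
        '*S-1-5-18'                                                            # SYSTEM
        '*S-1-5-32-544'                                                        # Administrators
        '*S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'      # TrustedInstaller
    )
    $icaclsArgs = @($Path)
    foreach ($sid in $sids) { $icaclsArgs += '/deny'; $icaclsArgs += "${sid}:$denyMask" }
    & icacls.exe @icaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE)" }
    return $hash
}

function Test-PatchedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $HashRecord
    )
    $expected = (Get-Content -Path $HashRecord -Raw).Trim()
    $actual   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # read access was kept, so this still works
    return [pscustomobject]@{
        Path     = $Path
        Intact   = ($expected -eq $actual)
        Expected = $expected
        Actual   = $actual
    }
}

# Demo on a throwaway file (run from an elevated prompt; takeown /a and icacls need it).
$demo = Join-Path $env:TEMP 'protect-demo.bin'
[System.IO.File]::WriteAllBytes($demo, [byte[]](0..255))
Protect-PatchedFile -Path $demo -HashRecord "$demo.sha256"
Test-PatchedFile    -Path $demo -HashRecord "$demo.sha256"     # Intact is True until something replaces the file

# Real target from the thread, once the patched copy is in place (hash-record path is an assumption):
#   Protect-PatchedFile -Path "$env:SystemRoot\System32\dnsapi.dll" -HashRecord "$env:ProgramData\dnsapi.sha256"
#   Test-PatchedFile    -Path "$env:SystemRoot\System32\dnsapi.dll" -HashRecord "$env:ProgramData\dnsapi.sha256"
```

Run Test-PatchedFile after each Windows Update cycle: an Intact of False means the servicing stack put a fresh dnsapi.dll back and the string search from the earlier example has to be repeated on the new file, since its offsets will have changed.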