When Lockdown mode is enabled, all outbound traffic is blocked by default. However, this also blocks the DNS Client service (svchost.exe with service name Dnscache) from reaching DNS-over-HTTPS resolvers (e.g. 8.8.8.8:443, 1.1.1.1:443). This means that all allow rules for specific applications become effectively useless — those applications can't resolve hostnames, so they can't connect to anything.
The firewall log confirms this: svchost (PID serving Dnscache) connections to 8.8.8.8:443 and 8.8.4.4:443 are dropped, while allowed applications like opencode.exe successfully pass the firewall but fail because DNS resolution is dead.
Steps to reproduce
- Configure Windows to use DNS-over-HTTPS (Settings → Network → DNS → "Use DNS over HTTPS")
- Enable Lockdown mode in Minimal Firewall
- Observe that applications with existing allow rules cannot connect (not because they're blocked, but because DNS resolution fails)
Expected behavior
DNS-over-HTTPS traffic from the Dnscache service should be allowed by default during Lockdown, similar to how core system services are typically exempted. Without DNS, the firewall is too restrictive to be usable for anything beyond LAN access.
Workaround
Manually create an advanced rule:
- Program: C:\WINDOWS\system32\svchost.exe
- Service: Dnscache
- Direction: Outbound
- Action: Allow
- Protocol: Any
- Remote Addresses: *
- Profiles: All
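The workaround rule above, as an added PowerShell example that is not from the issue or the Minimal Firewall project: it assumes Minimal Firewall's advanced rules live in the Windows Firewall rule store, so the same rule can be created and verified with the built-in NetSecurity cmdlets, and it also shows a narrower variant limited to the DoH resolvers named in the report.

```powershell
# Added example (not from the issue or the Minimal Firewall project). Assumes
# Minimal Firewall's "advanced rules" are ordinary Windows Firewall rules, so the
# NetSecurity cmdlets can create and inspect them. Run from an elevated session.

# 1. Confirm the machine is actually configured for DoH before adding any rule.
Get-DnsClientDohServerAddress | Select-Object ServerAddress, DohTemplate, AutoUpgrade

# 2a. The rule exactly as described in the workaround: any protocol, any remote
#     address, any profile, scoped to svchost.exe hosting the Dnscache service.
New-NetFirewallRule -DisplayName 'Lockdown: allow Dnscache (any)' `
    -Direction Outbound -Action Allow -Enabled True -Profile Any `
    -Program 'C:\Windows\System32\svchost.exe' -Service Dnscache

# 2b. A tighter alternative that only permits DoH (TCP 443) to the resolvers named
#     in the report, which is all Lockdown needs for name resolution to work.
#     Create either 2a or 2b, not both.
New-NetFirewallRule -DisplayName 'Lockdown: allow Dnscache DoH to Google' `
    -Direction Outbound -Action Allow -Enabled True -Profile Any `
    -Program 'C:\Windows\System32\svchost.exe' -Service Dnscache `
    -Protocol TCP -RemotePort 443 -RemoteAddress 8.8.8.8, 8.8.4.4

# 3. Verify the rule is bound to the Dnscache service and not to every svchost
#    instance (a rule with no service filter would allow far more than DNS).
Get-NetFirewallRule -DisplayName 'Lockdown: allow Dnscache*' |
    Get-NetFirewallServiceFilter | Select-Object Service

# 4. Check that resolution works again while outbound default is still Block.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Resolve-DnsName example.com -Type A | Select-Object Name, IPAddress
```

If step 4 still fails, re-check the firewall log for dropped svchost connections to port 443 on the resolver addresses; the rule only helps if Dnscache is the service that owns those connections.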
Environment
- Windows 11, DNS-over-HTTPS enabled for Google DNS (8.8.8.8, 8.8.4.4)
- Minimal Firewall version: fill in
- DefaultOutboundAction = Block (Lockdown mode)