Windows Server 2025 Adds DNS Over HTTPS for Secure DNS Traffic

Microsoft has officially rolled out support for DNS over HTTPS (DoH) in Windows DNS Server as part of its Windows Server 2025 update. This innovative feature empowers organizations to enhance the security of their DNS communications through encryption and server authentication, facilitating encrypted client-to-resolver traffic within existing on-premises DNS environments.

In a landscape where traditional DNS communication remains unprotected, the risks of interception and manipulation by malicious actors loom large. Microsoft highlights that this vulnerability can expose sensitive user activity and system behavior, thereby increasing the likelihood of cyberattacks, including spoofing and man-in-the-middle threats.

DNS over HTTPS (DoH) represents a significant advancement in how internet devices resolve website addresses. By routing DNS requests through encrypted HTTPS connections, DoH ensures that when a device queries a DNS server for a domain name translation, that request is shielded from prying eyes. This encryption makes it considerably more challenging for attackers, internet service providers, or other third parties to access, track, or alter the information being transmitted.

How does DNS over HTTPS protect enterprise networks?

The introduction of DoH in Windows DNS Server brings a suite of capabilities aimed at bolstering security and compatibility. Primarily, it encrypts DNS queries and responses using HTTPS, effectively safeguarding sensitive information from interception or alteration during transmission. Furthermore, the use of digital certificates for DNS server authentication allows clients to verify they are communicating with a legitimate source, thereby mitigating the risks of spoofing and impersonation attacks.

Built on widely accepted Internet standards, DoH integrates seamlessly with modern clients that support encrypted DNS. The feature is designed to work alongside existing Windows DNS Server configurations, accommodating both encrypted and traditional DNS. This dual support facilitates a gradual transition, ensuring that ongoing operations remain uninterrupted.

Microsoft articulates its vision: “The goal is to help improve privacy, reduce spoofing risk, and advance Zero Trust DNS without requiring a new resolver architecture. This release helps organizations secure one of the most critical, and traditionally exposed components of modern networks while preserving compatibility with existing enterprise DNS deployments.”

What’s next for Microsoft’s Zero Trust DNS strategy?

This latest release is a key component of Microsoft’s broader Zero Trust DNS strategy, which aims to enable encrypted communication between clients and on-premises DNS servers. It aligns organizations with contemporary security frameworks and regulatory standards.

According to Microsoft, DoH support for Windows DNS Server is available on Windows Server 2025, provided the June 9, 2026 update (or newer) is installed. Administrators looking to deploy this feature will need to configure a trusted TLS certificate, enable DoH in the DNS Server service, and set up supported clients to utilize the secure endpoint.

Currently, the encryption supports client-to-resolver communication, but Microsoft has plans to extend this capability to encompass encrypted communication between the Windows DNS Server and upstream DNS resolvers in the future.

Winsage
Windows Server 2025 Adds DNS Over HTTPS for Secure DNS Traffic