Windows Server is getting new network safety capabilities with DNS over HTTPS

Enhancing Network Security with Encrypted DNS

In a landscape where the Domain Name System (DNS) remains a cornerstone of modern networking yet is often criticized for its lack of security, Microsoft is stepping up to redefine the status quo. The tech giant has recently unveiled the availability of DNS over HTTPS (DoH) on Windows Server 2025, marking a significant advancement in the realm of encrypted DNS traffic for client-to-server communications.

This feature, which has been a staple in Windows client editions for several years, is now being extended to server-oriented versions of the operating system. Microsoft emphasizes that integrating encryption into DNS traffic can lead to substantial enhancements in both network security and reliability. Previously accessible only as a public preview, DoH is now a key component of Microsoft’s broader Zero Trust architecture, a security framework that operates under the premise that no user or device should be inherently trusted.

By routing DNS traffic through HTTPS secured with TLS certificates, DoH introduces an additional layer of security designed to thwart eavesdropping attempts by malicious entities. Given that nearly every application, service, and workload relies on DNS—a system that has been in place since 1985 and traditionally operates using unencrypted traffic—this development is particularly timely. The encryption of traffic between clients and servers not only helps prevent unauthorized access but also safeguards DNS data from tampering while verifying the identity of the DNS server.

Microsoft’s implementation of DoH adheres to the IETF DNS over HTTPS standard (RFC 8484), ensuring compatibility with modern clients that comply with this specification. Furthermore, DoH integrates with existing infrastructure such as the Windows DNS Server service. Organizations that still require unencrypted DNS can keep serving it alongside the new DoH feature.
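To make concrete what the RFC 8484 transport mentioned above carries on the wire, here is an added example (not Microsoft’s code and not the Windows DNS Server implementation) that builds a wire-format DNS query, encodes it into the GET form with the unpadded base64url `dns` parameter, decodes it back as a server would, and extracts the A records from a constructed response. The `/dns-query` path is an assumed URI template, and `SAMPLE_RESPONSE` is constructed for the example rather than captured traffic.

```python
import base64
import struct

CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type for POST bodies/responses
DOH_PATH = "/dns-query"  # assumed URI template; a given server's path may differ

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query; ID 0 per RFC 8484 sect. 4.1 keeps identical queries HTTP-cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_path(query: bytes) -> str:
    """GET form (sect. 6): base64url-encoded message with '=' padding removed."""
    return DOH_PATH + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def decode_doh_get(path: str) -> bytes:
    """Server side of the GET form: restore the stripped padding, then decode."""
    enc = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a domain name, whether written out or a 2-byte compression pointer."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def parse_a_answers(resp: bytes) -> list[str]:
    """Collect A-record addresses from a wire-format DNS response."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    pos = _skip_name(resp, 12) + 4  # past question name, QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs
# Constructed sample response (not captured traffic): example.com A 192.0.2.1, TTL 300
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # question
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Only the HTTPS layer changes between DoH and classic DNS: the bytes produced by `build_query` are exactly what a UDP/TCP resolver would send, which is why the encoded `www.example.com` query reproduces the GET example printed in RFC 8484 itself.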

After introducing DoH in its preview phase, Microsoft engaged with external organizations to assess the practical implications of real-world implementations. The feedback received has bolstered the company’s confidence that this feature will provide meaningful security enhancements without imposing a significant burden on system administrators. As a result, organizations can adopt DoH at their own pace while maintaining their existing unencrypted DNS infrastructure.

For those looking to leverage this new capability, DNS over HTTPS is available for Windows Server 2025 systems that have been updated to the latest Patch Tuesday release. Microsoft has also provided a comprehensive guide on how to enable and validate this feature within the Windows Server DNS service. However, it is important to note that DNS traffic exchanged between two DNS servers will not be encrypted by DoH.
