Microsoft has flipped the switch on encrypted DNS for enterprise networks, delivering production-ready DNS over HTTPS (DoH) support for the Windows DNS Server role in Windows Server 2025. The capability arrived bundled with the June 2026 security update, enabling domain controllers and DNS servers to accept encrypted client queries on the traditional port 53.

This shifts the security posture for Active Directory environments and beyond. Until now, DoH was largely a client-side story on Windows—users could point their machines to public resolvers like Cloudflare or Google. Server-side DoH, however, was absent from Microsoft’s native DNS server. The June 2026 update changes that, making Windows Server 2025 the first version to natively handle DoH queries as a responder, not just a forwarder.

Why DNS over HTTPS Matters for the Enterprise

DNS has always been a glaring weak spot in network security. Traditional DNS queries travel in plaintext over UDP port 53, easily snooped, blocked, or tampered with. DoH wraps those queries inside standard HTTPS traffic (TCP 443), providing confidentiality and integrity between client and resolver. For enterprises, this closes a critical surveillance and manipulation vector—especially important in zero-trust architectures where every transaction must be authenticated and encrypted.

“We’ve seen a steady rise in DNS-based attacks,” explained a Microsoft program manager during the Windows Server Summit earlier this year. “Encrypting DNS at the server level eliminates man-in-the-middle risks and aligns with regulatory demands for data protection.”

By supporting DoH directly on the DNS server service, organizations can now:

  • Encrypt queries from domain-joined clients to on-premises domain controllers, preventing lateral eavesdropping.
  • Extend the same protection to branch offices or remote workers without forcing all traffic through a VPN—DNS queries remain private across the internet.
  • Meet compliance mandates like GDPR, HIPAA, or PCI-DSS that increasingly require encrypting sensitive data in transit.

How Server-Side DoH Works in Windows Server 2025

The implementation is straightforward yet powerful. Administrators configure the DNS server with a TLS certificate—either from an internal CA or a public provider—and enable DoH on the desired zones. Clients that speak DoH can then send encrypted queries to the server’s FQDN on port 53, but now with HTTP/2 and TLS.

Key configuration steps include:

  • Installing the DNS Server role (already present on domain controllers).
  • Binding an appropriate certificate to the DNS server via the Set-DnsServerDohCertificate PowerShell cmdlet.
  • Enabling DoH on specific zones with Set-DnsServerDohSetting.
  • Optionally, enforcing DoH-only resolution by disabling unencrypted UDP/TCP listeners.

Microsoft has also updated Group Policy to manage DoH preferences on clients. A new administrative template setting “Configure DNS over HTTPS (DoH) name resolution” lets IT pros specify which servers are trusted for encrypted queries and whether fallback to classic DNS is permitted.

“The server-side piece is the missing link,” noted Sean Wright, an independent security researcher. “Previously, you could have clients encrypting to public resolvers, but that bypassed internal name resolution. Now you can keep everything in-house and still have encryption end-to-end.”

Integration with Zero Trust and SASE Frameworks

Microsoft has been aggressively pitching Windows Server 2025 as the glue for modern zero-trust networks. DoH support dovetails with other identity-aware components like Credential Guard, TLS 1.3 enforcement, and SMB over QUIC. When combined, an organization can assert that no DNS transaction inside or outside the perimeter occurs in the clear.

Service providers and enterprises deploying Secure Access Service Edge (SASE) solutions will also benefit. Instead of routing DNS through a cloud-based security web gateway solely for encryption, the local DNS server can handle DoH natively, reducing latency and keeping sensitive internal names off the public internet.

Performance and Compatibility Considerations

Encrypting DNS introduces overhead—TLS handshakes, HTTP/2 framing, and session maintenance. Microsoft has optimized the stack in Windows Server 2025 to use session resumption and HTTP/2 multiplexing, keeping latency in check. In lab tests on a 16-core server, saturated DoH throughput reached approximately 85% of unencrypted DNS throughput for mixed query types.

Compatibility is broad. Any DoH-compliant client can use the server, including:

  • Windows 11 and Windows 10 devices (version 20H2 and later, which ship the DoH client).
  • Linux systems running systemd-resolved or dnsdist.
  • Third-party resolvers that implement RFC 8484.

Apple devices remain a notable exception—iOS and macOS use their own encrypted DNS frameworks but do not natively support generic DoH server configuration without third-party profiles. Enterprises with large Apple fleets will need to rely on MDM-based provisioning until Apple closes the gap.

Real-World Deployment: What Administrators Are Saying

Early adopters in the Windows Server Insider program have already shared their experiences. “Rolling it out was surprisingly painless,” said Kevin Morris, a systems engineer at a mid-sized manufacturing firm. “We used our existing internal PKI, turned on the setting, and our Windows 11 domain members started using it immediately. The Group Policy templates made enforcement simple.”

Others caution about certificate management. “You need to be diligent about expiration,” warned Janet Rivera, a network architect. “A lapsed certificate will break name resolution silently if you disabled fallback. We set up monitoring alerts in SCOM specifically for the DNS server certificate.”

Microsoft has published detailed guidance in its Windows Server 2025 security baselines, recommending that organizations:

  • Issue certificates with a validity period no longer than one year.
  • Use automated renewal through Active Directory Certificate Services (AD CS) or a third-party ACME client.
  • Test DoH functionality in a staging environment before enabling it fleet-wide.
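An added example (not Microsoft's code and not from the article) for the certificate monitoring the administrators quoted above call for: it performs a TLS handshake against the DNS server's DoH listener, reads the certificate the server is actually presenting, reports any chain-trust errors, and exits non-zero when the certificate is expired or inside a warning window, so it can run from a scheduled task or a SCOM script monitor. The host name dns.contoso.com is taken from the article's quick start; the port (443, the HTTPS port the article names), the 30-day threshold, and the assumption that a renewed certificate in the local store is not served until the DNS service is restarted are mine.

```powershell
# Added example, not the article's or Microsoft's code. Checks the certificate a
# DoH-enabled Windows DNS server presents and warns before it lapses.
param(
    [string]$DnsHost  = "dns.contoso.com",   # assumed: the server FQDN used in the article's quick start
    [int]   $Port     = 443,                 # assumed: HTTPS port the DoH listener is bound to
    [int]   $WarnDays = 30                   # assumed: alerting threshold in days
)

$script:sslErrors = [System.Net.Security.SslPolicyErrors]::None

function Get-DohServerCertificate {
    # Open a TLS session with SNI set to the FQDN and return the served certificate.
    param([string]$TargetHost, [int]$TargetPort)
    $client = [System.Net.Sockets.TcpClient]::new($TargetHost, $TargetPort)
    try {
        # Record chain errors instead of failing the handshake, so an expired or
        # untrusted certificate is still reported rather than hidden behind an exception.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:sslErrors = $errors
            return $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($TargetHost)
            return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

function Test-DohCertificateExpiry {
    # Classify the certificate as OK / WARN / EXPIRED relative to the threshold.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [int]$Days)
    $remaining = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Thumbprint  = $Certificate.Thumbprint
        NotAfter    = $Certificate.NotAfter
        DaysLeft    = $remaining
        ChainErrors = $script:sslErrors
        Status      = if ($remaining -lt 0) { "EXPIRED" } elseif ($remaining -le $Days) { "WARN" } else { "OK" }
    }
}

$served = Get-DohServerCertificate -TargetHost $DnsHost -TargetPort $Port
$result = Test-DohCertificateExpiry -Certificate $served -Days $WarnDays
$result | Format-List

# Assumption: after an AD CS or ACME renewal the newest certificate sits in the store, but the
# DNS service keeps serving the one bound at its last restart. Flag that mismatch explicitly.
$newest = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$DnsHost" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($newest -and $newest.Thumbprint -ne $result.Thumbprint) {
    Write-Warning "Store holds newer certificate $($newest.Thumbprint) but the server serves $($result.Thumbprint); rebind and restart the DNS service."
}

# Non-zero exit is what a scheduled task or SCOM script monitor keys its alert on.
if ($result.Status -ne "OK" -or $result.ChainErrors -ne [System.Net.Security.SslPolicyErrors]::None) { exit 1 }
exit 0
```

Run it from the DNS server itself (so the store comparison is meaningful) under an account that can read the LocalMachine certificate store; the exit code, not the console output, is what the monitoring system should consume.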

The June 2026 Security Update: What Else Is Inside

The June 2026 cumulative update (KB5032503) for Windows Server 2025 isn’t solely about DoH. It also delivers fixes for a privilege escalation flaw in the Kerberos KDC, a Secure Boot bypass, and an RDS connection broker reliability improvement. But DoH steals the spotlight—it’s the first time the feature graduates from preview to full production support.

“We’ve been testing DoH on Windows Server since the Insider build early in 2024,” said a Microsoft spokesperson. “The feedback was incredibly positive, and we’re confident it’s ready for mission-critical workloads.”

Potential Pitfalls and Missing Pieces

While server-side DoH is a significant leap, a few caveats remain:

  • Dynamic updates still use unencrypted DNS. When a DHCP server or client registers a dynamic A/PTR record, that update proceeds over standard DNS (or Kerberos-authenticated dynamic updates). Microsoft indicates it is exploring encrypted dynamic updates for a future release.
  • Forwarders and root hints are not automatically encrypted. The DNS server will still forward queries to external resolvers over classic DNS unless those forwarders are manually configured to use DoH. Administrators can point conditional forwarders to public DoH endpoints (e.g., Cloudflare’s 1.1.1.1 over HTTPS) or to other internal servers with DoH enabled.
  • Monitoring and diagnostics need to evolve. Traditional tools like Wireshark can no longer inspect DNS payloads unless they act as a TLS proxy. Microsoft recommends transitioning to ETW-based logging for DNS analytics, available through the DNS Server Audit and Analytic event logs.
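For the monitoring point above, an added example (not from the article or Microsoft) that reads the DNS Server Analytic ETW log with PowerShell instead of sniffing port 53, and summarises the busiest names, the busiest clients, and the clients drawing the most failed responses, which is the view a packet capture used to give. Assumptions to verify against your own server's events before trusting the counts: event ID 256 is QUERY_RECEIVED and 258 is RESPONSE_FAILURE, the client address is carried in a field named Source (queries) or Destination (responses), and the name in QNAME.

```powershell
# Added example, not the article's or Microsoft's code. Summarises DNS Server
# analytic ETW events so DoH-encrypted traffic stays observable at the server.
# The analytic log is off by default; enable it once from an elevated shell:
#   wevtutil.exe sl "Microsoft-Windows-DNSServer/Analytical" /e:true
param(
    [int]$MaxEvents = 5000,   # assumed sample size to read
    [int]$Top       = 10
)

$logName = "Microsoft-Windows-DNSServer/Analytical"

function ConvertFrom-DnsAnalyticEvent {
    # Flatten the EventData of one ETW record into an object keyed by each <Data Name="...">.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = [ordered]@{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    # Assumption: queries (256) name the client in Source, responses (258) in Destination.
    $fields['Client'] = if ($fields.Contains('Source')) { $fields['Source'] } else { $fields['Destination'] }
    [pscustomobject]$fields
}

# Analytic and debug logs can only be read oldest-first, hence -Oldest. If the read
# fails while the log is enabled, disable it (wevtutil ... /e:false) and read the snapshot.
$events = Get-WinEvent -LogName $logName -Oldest -MaxEvents $MaxEvents -ErrorAction Stop |
    Where-Object { $_.Id -in 256, 258 } |
    ForEach-Object { ConvertFrom-DnsAnalyticEvent $_ }

$queries  = $events | Where-Object Id -eq 256
$failures = $events | Where-Object Id -eq 258

"Top $Top queried names (of $($queries.Count) queries):"
$queries | Group-Object QNAME | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

"Top $Top clients by query volume:"
$queries | Group-Object Client | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

# A client with a high failure ratio is usually misconfigured, but a flood of distinct
# non-existent names from one host is also what tunnelling and enumeration tools leave behind.
"Clients with the most failed responses:"
$failures | Group-Object Client | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name |
    ForEach-Object {
        $sent = ($queries | Where-Object Client -eq $_.Name).Count
        [pscustomobject]@{ Client = $_.Name; Failed = $_.Count; Sent = $sent
                           FailRatio = if ($sent) { [math]::Round($_.Count / $sent, 2) } else { $null } }
    } | Format-Table -AutoSize
```

Because the summary is built from the server's own ETW records, it sees DoH and classic queries alike; the same fields feed whatever SIEM the Audit and Analytic logs are forwarded to.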

The Bigger Picture: Microsoft’s Encryption Push

DNS over HTTPS on Windows Server 2025 is just one tile in Microsoft’s broader encryption mosaic. Over the past two years, the company has rolled out:

  • SMB over QUIC for file sharing.
  • TLS 1.3 by default for all server services.
  • LDAPS-based LDAP channel binding as mandatory on domain controllers.
  • Encrypted SNI in IIS for HTTPS sites.

Together, these aim to make plaintext traffic on an enterprise network a thing of the past. “It’s about raising the bar for attackers,” said Steve Dispensa, Microsoft’s VP of Enterprise Security. “Every protocol we encrypt makes infiltration and lateral movement exponentially harder.”

Getting Started Today

Admins who have already deployed Windows Server 2025 can enable DoH after installing the June 2026 update. The PowerShell module DnsServer includes the relevant cmdlets. A quick start looks like this:

# Install the update and reboot

Then, from an elevated shell:

  # Pick the newest certificate issued to the DNS server's FQDN, so $cert is a single
  # object even after a renewal has left an older copy in the store
  $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
      Where-Object { $_.Subject -eq "CN=dns.contoso.com" } |
      Sort-Object NotAfter -Descending | Select-Object -First 1
  # Bind it to the DNS server's DoH listener
  Set-DnsServerDohCertificate -Certificate $cert
  # Enable DoH for the zone and refuse to fall back to unencrypted DNS
  Set-DnsServerDohSetting -ZoneName "contoso.com" -Enable $true -AllowFallback $false
  # Restart the service so the new listener comes up
  Restart-Service DNS

Group Policy admins can enforce DoH on clients via the Computer Configuration\Administrative Templates\Network\DNS Client path, setting the “DNS over HTTPS (DoH) Name Resolution” policy to “Require DoH” and specifying the server’s FQDN as a known DoH server.
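An added example (not the article's or Microsoft's code) for verifying the client side after that policy lands: it reads the effective DoH policy value, lists the client's known DoH servers, warns about any configured resolver that has no DoH template (its queries stay in clear text), and then sends a real RFC 8484 GET query to each template to confirm the server answers with an application/dns-message response. Assumptions: the policy is stored as the DoHPolicy DWORD under the DNS Client policy key with 1 = Prohibit, 2 = Allow, 3 = Require; the cmdlets Get-DnsClientDohServerAddress and Get-DnsClientServerAddress are present (they exist on Windows 11 and Server 2022 and later); and the probe name is contoso.com from the article's quick start.

```powershell
# Added example, not the article's or Microsoft's code. Verifies a Windows client's
# DoH configuration and probes each DoH template with an RFC 8484 GET request.
param([string]$ProbeName = "contoso.com")   # assumed: zone name from the article's quick start

function New-DnsQueryMessage {
    # Build a minimal DNS wire-format query: ID 0 (RFC 8484 recommends it for cacheable
    # GETs), RD set, one question of the given type, class IN.
    param([string]$Name, [uint16]$Type = 1)
    $bytes = [System.Collections.Generic.List[byte]]::new()
    $bytes.AddRange([byte[]](0, 0, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $l = [System.Text.Encoding]::ASCII.GetBytes($label)
        $bytes.Add([byte]$l.Length); $bytes.AddRange($l)
    }
    $bytes.Add(0)                                                       # root label terminator
    $bytes.AddRange([byte[]](($Type -shr 8), ($Type -band 0xFF), 0, 1))  # QTYPE, QCLASS=IN
    return $bytes.ToArray()
}

function ConvertTo-Base64Url([byte[]]$Data) {
    # RFC 8484 requires base64url without padding for the "dns" query parameter.
    [Convert]::ToBase64String($Data).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-DohEndpoint {
    param([string]$Template, [string]$Name)
    $b64 = ConvertTo-Base64Url (New-DnsQueryMessage -Name $Name)
    # Templates may use the RFC 6570 form "https://host/dns-query{?dns}"; otherwise append the parameter.
    $uri = if ($Template -like '*{?dns}*') { $Template.Replace('{?dns}', "?dns=$b64") } else { "${Template}?dns=$b64" }
    try {
        $resp = Invoke-WebRequest -Uri $uri -Headers @{ Accept = 'application/dns-message' } -UseBasicParsing -ErrorAction Stop
        $body = $resp.RawContentStream.ToArray()
        [pscustomobject]@{
            Uri         = $uri
            Status      = $resp.StatusCode
            ContentType = $resp.Headers['Content-Type']
            RCode       = $body[3] -band 0x0F                  # 0 = NOERROR, 3 = NXDOMAIN
            Answers     = ($body[6] -shl 8) -bor $body[7]      # ANCOUNT
            Error       = $null
        }
    } catch {
        # TLS trust failures land here too. A server certificate from an internal CA that the
        # client does not trust is a deployment defect to fix, not a check to bypass.
        [pscustomobject]@{ Uri = $uri; Status = 'ERROR'; ContentType = $null; RCode = $null; Answers = $null; Error = $_.Exception.Message }
    }
}

# 1. Effective policy (assumed registry location and value meanings).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$dohPolicy = (Get-ItemProperty -Path $policyKey -Name DoHPolicy -ErrorAction SilentlyContinue).DoHPolicy
$meaning   = @{ 1 = 'Prohibit DoH'; 2 = 'Allow DoH'; 3 = 'Require DoH' }
"DoH policy: " + $(if ($dohPolicy) { "$dohPolicy ($($meaning[[int]$dohPolicy]))" } else { 'not set (client default)' })

# 2. Known DoH servers and their templates.
$known = Get-DnsClientDohServerAddress
$known | Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade -AutoSize

# 3. Every configured resolver needs a template, and every template should answer.
$configured = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Sort-Object -Unique
foreach ($ip in $configured) {
    $entry = $known | Where-Object ServerAddress -eq $ip
    if (-not $entry) { Write-Warning "Resolver $ip has no DoH template; queries to it will use classic DNS."; continue }
    Test-DohEndpoint -Template $entry.DohTemplate -Name $ProbeName | Format-List
}
```

A healthy result shows Status 200, Content-Type application/dns-message and RCode 0 with at least one answer for the probe name; an ERROR row with a certificate message means the client does not trust the CA that issued the server's certificate, which is exactly the failure mode the "Require DoH" setting turns into a silent resolution outage.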

Community Reaction and Next Steps

On the Windows Server subreddit and Tech Community forums, the reaction has been overwhelmingly positive. “Finally!” wrote one user. “Our security team has been nagging us about DNS encryption for years. This saves us having to deploy a separate DoH proxy.”

Some have expressed concern about the update’s timing—mid-2026, when many organizations are still migrating from Windows Server 2019 or 2022. “The feature is great, but we’re not planning a Server 2025 rollout until 2027,” noted an admin in a Spiceworks thread. Microsoft seems aware of this, hinting that parts of the DoH server capability may eventually be backported to Windows Server 2022 via a future Azure Stack HCI kernel update, though no commitment has been made.

For those on the bleeding edge, the path is clear: patch, certificate, enable. For everyone else, the wheels of encrypted DNS are finally turning at the server level, promising a more secure foundation for the next decade of enterprise networking.