Microsoft has officially marked DNS over HTTPS (DoH) support as generally available for the Windows DNS Server role, starting with the June 2026 Patch Tuesday cumulative updates for Windows Server 2025. The move enables enterprise networks to encrypt internal name resolution traffic directly on their own servers, closing a longstanding gap in the DNS security posture of Microsoft-based environments.

The feature, which has been in preview since Windows Server 2025’s initial release, now allows the Windows DNS Server to act as a DoH server. Instead of sending unencrypted queries over port 53, clients resolve internal names over an HTTPS connection on port 443. On the wire the traffic looks like any other HTTPS session, which defeats passive eavesdropping and on-path tampering between the client and the resolver, the hop that plaintext DNS has traditionally exposed. For organizations that already use DoH for external queries, extending that protection to internal lookups eliminates a weak spot that compliance frameworks have increasingly scrutinized.

How DNS over HTTPS Works on Windows Server 2025

Before this update, Windows Server could only serve as a traditional DNS server or forward queries to external DoH resolvers. Now, administrators can configure the DNS server to accept encrypted queries natively. Two key components are required: a valid PKI certificate and the DoH endpoint configuration.

The DNS server must bind a certificate, usually issued by an internal Certificate Authority (CA) or a publicly trusted CA, to the HTTPS listener. This certificate secures the TLS tunnel between the client and the server. As with an IIS site, the certificate is installed in the local machine’s Personal store and referenced by its thumbprint, so the usual Windows certificate tooling (auto-enrollment from an enterprise CA, certreq, or the Certificates MMC snap-in) covers issuance and renewal.

Once the certificate is in place, admins define DoH URI templates. These are the standard RFC 8484 templates that tell clients where to send queries; in the Windows implementation each template is associated with the zones the server will answer over DoH. For example, https://dns.contoso.com/dns-query{?dns} exposes the resolver at the /dns-query path. The {?dns} variable is the RFC 8484 GET form, in which the client places the base64url-encoded DNS wire message in a dns= query parameter; clients may also POST the same wire message to that path with a Content-Type of application/dns-message. The server returns the wire-format answer over the encrypted channel with the same media type.

What about Active Directory-integrated zones? The feature fully supports dynamic updates, scavenging, and replication just like classic DNS. The only difference is that a DoH client’s queries arrive over HTTPS; the server keeps answering classic queries on port 53 as well. Clients that do not support DoH can therefore still fall back to unencrypted DNS, which preserves backward compatibility while the organization rolls out encrypted clients. Treat that fallback as a temporary downgrade path: once every client speaks DoH, disable plaintext fallback on the clients so that a misconfiguration fails loudly instead of silently reverting to port 53.

The June 2026 Patch Tuesday Update: What’s New

The June 2026 Patch Tuesday delivered the final bits that elevate DoH from a preview feature to a production-ready component. The cumulative update (its KB number was not confirmed at the time of writing) includes performance optimizations, improved event logging, and support for virtualized certificate stores. Significant among the changes is the ability to manage DoH settings through the DNS Manager GUI, reducing reliance on PowerShell for day-to-day operations.

The update also introduces Group Policy support for clients. Administrators can now push DoH server addresses and certificate pinning rules to domain-joined machines, ensuring that endpoints always use the approved internal DoH resolvers. This tackles the common issue of users or applications configuring external DoH servers, which can bypass corporate security policies.

Microsoft’s official documentation notes that the feature works with Windows 11, Windows 10 (version 21H2 and later), and Windows Server 2022 and 2025 clients. Third-party operating systems can also leverage the internal DoH server if they support the standard DNS over HTTPS protocol (RFC 8484). This interoperability is crucial for heterogeneous environments.

Deploying Internal DoH: PKI Certificates Are Key

The biggest hurdle for organizations will be certificate management. Each DoH-enabled DNS server needs a certificate trusted by all clients. For Active Directory domains, the easiest path is to issue certificates from an internal Microsoft CA that is automatically trusted via Group Policy. The server certificate must contain the DNS name that clients will use to connect—usually the fully qualified domain name of the DNS server or a Subject Alternative Name (SAN) listing all names.

If using an internal CA, administrators must ensure the CA’s root certificate is distributed to all client devices. For Windows domain-joined machines, this is handled automatically. However, for non-domain or BYOD devices, manual certificate distribution may be required, which can become cumbersome. That’s why some enterprises may opt for a publicly trusted certificate—though that comes with its own costs and renewal overhead.

Microsoft recommends using a dedicated certificate template with server authentication Enhanced Key Usage (EKU) and, optionally, client authentication for mutual TLS. The DNS server supports both full mutual TLS and simple server-side TLS, where only the server presents a certificate. Mutual TLS adds extra security but is rarely used in internal DNS scenarios because of the certificate burden on each client.
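As an added example (not Microsoft’s documentation or code), the following PowerShell checks whether a certificate in the local machine’s Personal store is fit for the DoH listener described above: private key present, Server Authentication EKU, the DoH host names in the SAN, not about to expire, and a chain that builds with revocation checking. The thumbprint and host names are placeholders. Because it runs on the DNS server itself, a passing chain proves only that the server trusts its own issuer; whether every client does is the distribution problem discussed above.

```powershell
# Added example, not Microsoft's code. Validates a candidate DoH server certificate
# in Cert:\LocalMachine\My. Thumbprint and names below are placeholders (assumptions).
function Test-DohServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string[]]$ExpectedNames,   # every host name clients will put in the DoH URI
        [int]$MinDaysRemaining = 30
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $cert.HasPrivateKey) { $findings.Add('no private key in LocalMachine\My') }
    if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysRemaining)) {
        $findings.Add("expires $($cert.NotAfter.ToString('u')); renew and update any pinned thumbprints first")
    }

    # Clients only accept a TLS server certificate that carries the Server Authentication EKU.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
    if (-not $serverAuth) { $findings.Add('missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)') }

    # Clients match the host in the DoH URI against SAN dNSName entries, not the Subject CN.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        # Format() renders e.g. "DNS Name=dns.contoso.com, DNS Name=ns1.contoso.com"
        $sanNames = @(($sanExt.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    foreach ($name in $ExpectedNames) {
        if ($sanNames -notcontains $name) { $findings.Add("SAN lacks $name") }
    }

    # Chain check with online revocation. Failure here means even the server's own
    # trust store rejects the issuer, so clients certainly will.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $findings.Add("chain does not build: $status")
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        SanNames   = $sanNames
        Ok         = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage on the DNS server (placeholder thumbprint and names):
Test-DohServerCertificate -Thumbprint 'PASTE-THUMBPRINT-HERE' `
    -ExpectedNames 'dns.contoso.com', 'dns01.corp.contoso.com' | Format-List
```

Run it before every enablement and again after every renewal; an Ok of False with the Findings list tells you exactly which requirement from the template, SAN or trust discussion above the new certificate misses.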

Encrypting Internal Name Resolution: Why It Matters

External DNS queries have long been a target for interception: an adversary who can watch plaintext DNS learns which hosts exist and which services each client uses, and malware tunnels data out through crafted queries. Internal DNS, however, has historically been considered safe because it stays within the corporate perimeter. That assumption no longer holds in a zero-trust architecture, where no network segment is implicitly trusted.

Internal DoH prevents passive monitoring of DNS requests within the data center or between branch offices. It foils techniques like DNS snooping, where an attacker on the same subnet can watch queries to discover critical assets and services. For regulated industries, DoH helps meet data protection requirements by encrypting, on the wire, the host names and other identifying data that appear in queries. The DNS server’s own logs are not encrypted by DoH and still need their own access controls.

Moreover, encrypted DNS removes the easiest path to spoofing on the client-to-resolver hop: an attacker who cannot read the query cannot race a forged plaintext answer to it, and the TLS session authenticates the resolver, assuming the certificate chain is properly validated. This raises the bar significantly for man-in-the-middle adversaries. It does not protect the resolver’s own upstream lookups; poisoning a recursive server’s cache is a separate problem addressed by DNSSEC validation, not by DoH.

Performance and Scalability Considerations

Encrypting every DNS query adds overhead. Initial benchmarks reported a 10–20% increase in query latency compared to unencrypted DNS, although the impact varies with hardware and network conditions. Microsoft has optimized the Windows DNS Server to handle thousands of simultaneous TLS connections. Most of the cost is in the handshake rather than in per-query encryption, so long-lived HTTP/2 connections and TLS session resumption on the client side matter more than raw cipher throughput.

For high-volume environments, administrators should plan for additional CPU resources on DNS servers. The server can be scaled horizontally by deploying multiple DoH frontends behind a load balancer. Sticky sessions are not required: each DoH request carries a complete DNS message, so any frontend can answer it, though a connection-level balancer should expect long-lived HTTP/2 connections rather than one connection per query. Caching remains as important as ever; by tuning TTLs and cache sizes, the performance hit can be minimized.

Configuration Steps in Brief

For those eager to test the GA functionality, here’s a quick start guide:

  1. Obtain a certificate with the DNS server’s FQDN and ensure the client trusts the issuer.
  2. Enable DoH on the DNS server using the PowerShell cmdlet Set-DnsServerDohSettings:
    Set-DnsServerDohSettings -Enable $true -CertificateThumbprint <thumbprint>
  3. Add DoH URL templates for the desired zones:
    Add-DnsServerDohUriTemplate -ZoneName "contoso.com" -Template "https://dns.contoso.com/dns-query{?dns}"
  4. Restart the DNS service (Restart-Service DNS) or wait for the settings to apply.
  5. Configure clients to use the internal DoH server. On Windows, this can be done via GPO or manually in network settings under “DNS over HTTPS.”

The GUI in DNS Manager simplifies steps 2 and 3 through a new “DNS over HTTPS” tab in the server properties.
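Putting the five steps together, here is an added PowerShell example (not Microsoft’s code; the article’s own cmdlets Set-DnsServerDohSettings and Add-DnsServerDohUriTemplate are assumed to exist with exactly the parameters listed above) that enables the listener, registers the template, binds a Windows client to it, and then verifies the result the way an RFC 8484 client would: it builds a DNS wire-format query by hand, base64url-encodes it into the {?dns} variable from the template section, sends it over HTTPS and decodes the answer header. Host names, the server IP address and the thumbprint are placeholders. The probe half works against any standards-compliant DoH server, so it can also be used to check a third-party resolver before pointing clients at it.

```powershell
# Added example, not Microsoft's code. Enables DoH with the cmdlets the article names
# (assumed to exist with exactly these parameters) and verifies it with a hand-built
# RFC 8484 GET request. Host names, IP and thumbprint are placeholders.
#Requires -RunAsAdministrator
Add-Type -AssemblyName System.Net.Http   # needed on Windows PowerShell 5.1; a no-op on PowerShell 7

function Enable-InternalDoh {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Template,      # e.g. https://dns.contoso.com/dns-query{?dns}
        [Parameter(Mandatory)][string[]]$Zones
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    Set-DnsServerDohSettings -Enable $true -CertificateThumbprint $Thumbprint
    foreach ($zone in $Zones) {
        Add-DnsServerDohUriTemplate -ZoneName $zone -Template $Template
    }
    Restart-Service DNS
}

function ConvertTo-DnsWireQuery {
    # Minimal RFC 1035 query: 12-byte header plus one question for an A record.
    # ID is 0 as RFC 8484 recommends, so identical queries yield identical URLs (cache-friendly).
    param([Parameter(Mandatory)][string]$Name)
    $bytes = [System.Collections.Generic.List[byte]]::new()
    $bytes.AddRange([byte[]](0x00,0x00, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00))
    #                        ID        flags RD=1 QDCOUNT=1  ANCOUNT    NSCOUNT    ARCOUNT
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $lbl = [System.Text.Encoding]::ASCII.GetBytes($label)
        $bytes.Add([byte]$lbl.Length); $bytes.AddRange($lbl)
    }
    $bytes.Add(0x00)                                 # root label ends the QNAME
    $bytes.AddRange([byte[]](0x00,0x01, 0x00,0x01))  # QTYPE=A, QCLASS=IN
    return $bytes.ToArray()
}

function Test-DohEndpoint {
    param([Parameter(Mandatory)][string]$Template, [Parameter(Mandatory)][string]$Name)
    $wire   = ConvertTo-DnsWireQuery -Name $Name
    # base64url without padding, as RFC 8484 section 6 requires for the dns= parameter
    $b64url = [Convert]::ToBase64String($wire).TrimEnd('=').Replace('+','-').Replace('/','_')
    $url    = $Template.Replace('{?dns}', "?dns=$b64url")

    # HttpClient validates the server certificate, so a trust failure surfaces here too.
    $client = [System.Net.Http.HttpClient]::new()
    try {
        $client.DefaultRequestHeaders.Accept.ParseAdd('application/dns-message')
        $resp      = $client.GetAsync($url).GetAwaiter().GetResult()
        $mediaType = $resp.Content.Headers.ContentType.MediaType
        $body      = $resp.Content.ReadAsByteArrayAsync().GetAwaiter().GetResult()
    } finally { $client.Dispose() }

    if ([int]$resp.StatusCode -ne 200) { throw "HTTP $([int]$resp.StatusCode) from $url" }
    if ($mediaType -ne 'application/dns-message') { throw "unexpected media type '$mediaType'" }
    if ($body.Length -lt 12) { throw 'response shorter than a DNS header' }

    # Decode the header: QR must be set, RCODE 0 is NOERROR, ANCOUNT is the number of answers.
    [pscustomobject]@{
        Url     = $url
        IsReply = (($body[2] -band 0x80) -ne 0)
        Rcode   = ($body[3] -band 0x0F)
        Answers = (($body[6] -shl 8) -bor $body[7])
        Length  = $body.Length
    }
}

# --- Server side (run on the DNS server) ---
Enable-InternalDoh -Thumbprint 'PASTE-THUMBPRINT-HERE' `
    -Template 'https://dns.contoso.com/dns-query{?dns}' -Zones 'contoso.com'

# --- Client side (Windows 11 / Server 2022 and later): bind the template to the server's
# address and refuse plaintext fallback so a downgrade fails loudly instead of silently ---
netsh dns add encryption server=10.0.0.53 dohtemplate=https://dns.contoso.com/dns-query autoupgrade=yes udpfallback=no

# --- Verification from any machine that trusts the issuing CA ---
Test-DohEndpoint -Template 'https://dns.contoso.com/dns-query{?dns}' -Name 'fileserver.contoso.com'
```

A healthy result has IsReply True, Rcode 0 and Answers of at least 1 for a name that exists; Rcode 3 (NXDOMAIN) with IsReply True still proves the encrypted path works, while a TLS or media-type error points at certificate trust or a listener that is not actually speaking DoH on that path.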

Potential Pitfalls and Known Issues

Before rolling out GA to production, admins should be aware of a few caveats. The most significant is port sharing: the DNS server listens for DoH on TCP 443, and if any other service (such as IIS) already occupies 443 on the same IP address, the bindings will conflict. The fixes are to give the DNS server a dedicated IP address or to move the DoH listener to a non‑standard port. The latter forces the port into every client’s URI template and may break clients that assume 443, so a dedicated address is the better option.

Another issue is certificate pinning. While Group Policy allows administrators to specify the expected server certificate thumbprint, misconfiguration can lead to DNS outages. If the certificate is renewed with a new thumbprint and the GPO is not updated, clients will reject the server as untrusted. Therefore, automated certificate renewal processes must be tightly integrated with GPO updates. A safer pattern is to pin the outgoing and the incoming thumbprint together for the rotation window, and drop the old one only after every client has refreshed policy.
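To catch this renewal failure before clients do, here is an added PowerShell check (not Microsoft’s code) that opens a TLS session to the DoH listener, reads the certificate the server actually presents, and compares its thumbprint with the list the GPO pins. The host name and the pinned thumbprints are constructed placeholders; in practice the pin list should be read from the same source the GPO is generated from. The validation callback deliberately accepts every certificate, because the purpose is to observe what is served, not to enforce trust.

```powershell
# Added example, not Microsoft's code. Detects drift between the certificate a DoH
# server presents and the thumbprint(s) clients are pinned to via Group Policy.
# Host name and pins are constructed placeholders.
function Get-PresentedTlsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept anything: this call inspects the served certificate, it does not trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # SNI = the host name clients use in the DoH URI
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Dispose()
    }
}

function Test-DohPinDrift {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$PinnedThumbprints,   # what the GPO currently pushes
        [int]$WarnDays = 14
    )
    $cert     = Get-PresentedTlsCertificate -HostName $HostName
    $pinned   = $PinnedThumbprints -contains $cert.Thumbprint
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $status = if (-not $pinned) {
        'DRIFT: served certificate is not in the pin list; pinned clients will refuse this resolver'
    } elseif ($daysLeft -le $WarnDays) {
        "RENEW SOON: $daysLeft days left; add the replacement thumbprint to the GPO before rotating"
    } else { 'OK' }
    [pscustomobject]@{
        HostName         = $HostName
        ServedThumbprint = $cert.Thumbprint
        ServedSubject    = $cert.Subject
        NotAfter         = $cert.NotAfter
        Pinned           = $pinned
        Status           = $status
    }
}

# Constructed pin list: keep the outgoing and incoming thumbprints both pinned during a
# rotation window, then drop the old one once every client has refreshed policy.
$pins = @(
    '0123456789ABCDEF0123456789ABCDEF01234567',   # current certificate (placeholder)
    '89ABCDEF0123456789ABCDEF0123456789ABCDEF'    # already-issued replacement (placeholder)
)
Test-DohPinDrift -HostName 'dns.contoso.com' -PinnedThumbprints $pins | Format-List
```

Schedule this against every DoH frontend; a DRIFT result on one member of a load-balanced pool is exactly the intermittent-failure pattern that is hardest to diagnose from the client side.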

Microsoft acknowledged that some third‑party firewalls and network inspection tools may not recognize DoH traffic as DNS and consequently fail to log or inspect it. This can be a compliance hurdle for organizations that rely on DNS logging for security monitoring. As a workaround, Microsoft recommends using the DNS server’s audit logs, which now include enhanced DoH-specific events to track queries.

The Road to Fully Encrypted Internal DNS

With this GA release, Microsoft has laid the groundwork for a future where all internal DNS traffic is encrypted by default. The next logical step would be enabling DoH by default on new Active Directory deployments, although that would require every client to trust the issuer of the server certificate, which is not yet standard.

In parallel, the industry is moving toward DNS over TLS (DoT) and DNS over QUIC (DoQ). While Windows Server 2025 does not natively support DoT or DoQ for the DNS server role, DoH is currently the most widely adopted encrypted DNS protocol, and because it rides on HTTPS it can reuse existing web proxy, load-balancer and CDN infrastructure, making it easier to deploy across large networks.

For now, enterprises can finally treat internal DNS with the same level of encryption that email, file transfer, and web traffic enjoy. The ability to issue a quick PowerShell command and instantly lift the DNS security posture from plaintext to encrypted is a major win for administrators wrestling with modern security demands.

Microsoft’s commitment to building encrypted DNS into the core of Windows Server signals a recognition that DNS is not just a utility—it is a critical security control plane. And as more workloads move to hybrid and public clouds, the line between internal and external DNS blurs further. Encrypting all the things remains a sound principle.

Conclusion

The general availability of DNS over HTTPS in Windows Server 2025 fulfills a long‑requested feature for security‑conscious organizations. By encrypting internal name resolution, Microsoft closes a privacy and integrity gap without sacrificing compatibility or manageability. The June 2026 updates deliver a polished experience with GUI support, Group Policy integration, and performance enhancements.

Administrators should begin planning their PKI strategy for DoH and evaluate the impact on existing network infrastructure. While challenges exist—particularly around certificate lifecycle management and firewall compatibility—the benefits of encrypted DNS clearly outweigh the costs. Expect to see a steady adoption as the enterprise world embraces zero‑trust networking from the internet edge all the way down to the last hop of the DNS query.