Microsoft has stamped general availability on DNS over HTTPS (DoH) support in Windows Server 2025, moving the encrypted DNS feature from a limited preview into full production use. Organizations running the latest server operating system can now deploy DNS servers that accept incoming DoH queries from clients and forward requests to upstream resolvers over HTTPS. The milestone, part of build 26100, closes a long-standing security gap in Windows-centric networks and gives enterprises a native path to encrypted name resolution without third-party tools.

The decision to make DoH generally available arrives as enterprises face mounting pressure to encrypt all traffic, including the Domain Name System, which has historically traveled in cleartext. DNS queries reveal which websites and services internal users and devices attempt to reach. In unencrypted form, that metadata becomes an intelligence goldmine for eavesdroppers, from malicious actors on local networks to upstream internet providers. With Windows Server 2025, IT teams can finally lock down that layer using the same DNS infrastructure they already know.

The Encryption Gap in DNS

Traditional DNS operates like a postcard. Every query—whether from a user typing a URL or a background service calling home—crosses the network in plaintext. Anyone with access to a switch, router, or Wi-Fi hotspot can read those requests. While DNS over HTTPS has been available on the client side for years, server-side support lagged. Windows DNS Server, the backbone of Active Directory and countless enterprise networks, had no built-in mechanism to serve queries over encrypted channels before build 26010 brought the first preview.

Microsoft first tested DoH in the Windows Insider Program, enabling the DNS Server service to listen on a dedicated HTTPS port and respond to RFC 8484‑compliant queries. Early adopters flagged several limitations: the feature required manual certificate binding, lacked GUI integration, and offered no DNS over TLS (DoT) support. The GA release addresses many of these pain points. Administrators can now configure DoH endpoints directly through the DNS Manager console or PowerShell cmdlets, bind TLS certificates without script workarounds, and optionally deploy DoT alongside DoH for mixed environments.

How DNS over HTTPS Works in Windows Server 2025

At its core, the feature allows Windows DNS Server to act as a DoH server for clients and as a DoH client toward its forwarders. When configured as a server, it listens on TCP port 443 (or a custom port) and serves DNS queries over HTTP/2 inside a TLS session. Per RFC 8484, the client sends the ordinary wire-format DNS message either as a base64url-encoded dns= parameter on a GET or as the body of a POST, with the application/dns-message media type in both directions; the HTTP layer adds caching headers and request multiplexing on top. Because the result is ordinary HTTPS, DoH blends with web browsing, which makes it harder for hostile networks and censors to block DNS selectively and, by the same token, harder for an enterprise to tell its own resolver's traffic from a client quietly using an outside one.

For outbound query forwarding, the DNS Server service can send requests to upstream DoH resolvers such as Quad9, Cloudflare, or Google Public DNS. Each forwarder needs the provider's DoH template URL (for example https://dns.quad9.net/dns-query, https://cloudflare-dns.com/dns-query or https://dns.google/dns-query), and the server handles the HTTP communication transparently. Conditional forwarding also works: an organization might send internal domain queries to an on-premises DoH server while forwarding internet lookups to an external DoH provider.
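The exchange described above, as an added example that is not part of the original article or of Microsoft's tooling: a minimal RFC 8484 client in PowerShell that builds the wire-format query, sends it by GET (base64url dns= parameter) or POST (application/dns-message body), and decodes A/AAAA answers, including compressed names. The endpoint https://dns.contoso.com/dns-query is assumed, and the sample response at the end is constructed by hand, not captured from a real server, so the decoder can be exercised offline.

```powershell
# Added example, not from the article or from Microsoft. Endpoint and sample bytes are assumed.
function New-DnsQuery {
    param([Parameter(Mandatory)][string]$Name, [uint16]$Type = 1)   # 1 = A, 28 = AAAA
    $b = [System.Collections.Generic.List[byte]]::new()
    # Header: ID 0 (RFC 8484 4.1 recommends 0 so responses are cacheable), flags 0x0100 (RD),
    # QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0.
    $b.AddRange([byte[]](0,0, 1,0, 0,1, 0,0, 0,0, 0,0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $raw = [System.Text.Encoding]::ASCII.GetBytes($label)
        $b.Add([byte]$raw.Length); $b.AddRange($raw)
    }
    $b.Add([byte]0)                                                  # root label ends QNAME
    $b.AddRange([byte[]](($Type -shr 8), ($Type -band 0xFF), 0, 1))  # QTYPE, QCLASS IN
    return $b.ToArray()
}

function ConvertTo-Base64Url([byte[]]$Bytes) {
    # RFC 4648 base64url without padding, as the GET "dns" parameter requires
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Read-DnsName([byte[]]$Msg, [ref]$Offset) {
    # Decode a possibly compressed name (RFC 1035 4.1.4). $Offset ends after the in-line bytes.
    $labels = @(); $pos = $Offset.Value; $jumped = $false; $hops = 0
    while ($true) {
        $len = [int]$Msg[$pos]
        if ($len -eq 0) { $pos++; break }
        if (($len -band 0xC0) -eq 0xC0) {                             # compression pointer
            if ((++$hops) -gt 32) { throw 'compression pointer loop' }  # hostile-input guard
            if (-not $jumped) { $Offset.Value = $pos + 2; $jumped = $true }
            $pos = (($len -band 0x3F) -shl 8) -bor [int]$Msg[$pos + 1]
            continue
        }
        $labels += [System.Text.Encoding]::ASCII.GetString($Msg, $pos + 1, $len)
        $pos += 1 + $len
    }
    if (-not $jumped) { $Offset.Value = $pos }
    return ($labels -join '.')
}

function Read-DnsAnswers([byte[]]$Msg) {
    # Walk header, question section and answer RRs; A/AAAA rdata are rendered as addresses.
    $qd = ([int]$Msg[4] -shl 8) -bor $Msg[5]
    $an = ([int]$Msg[6] -shl 8) -bor $Msg[7]
    $off = 12
    for ($i = 0; $i -lt $qd; $i++) { [void](Read-DnsName $Msg ([ref]$off)); $off += 4 }
    $answers = @()
    for ($i = 0; $i -lt $an; $i++) {
        $name = Read-DnsName $Msg ([ref]$off)
        $type = ([int]$Msg[$off] -shl 8) -bor $Msg[$off + 1]
        $ttl  = ([long]$Msg[$off + 4] -shl 24) -bor ([long]$Msg[$off + 5] -shl 16) -bor ([long]$Msg[$off + 6] -shl 8) -bor $Msg[$off + 7]
        $rdl  = ([int]$Msg[$off + 8] -shl 8) -bor $Msg[$off + 9]
        $rdata = if ($rdl -gt 0) { [byte[]]$Msg[($off + 10)..($off + 9 + $rdl)] } else { [byte[]]@() }
        $off += 10 + $rdl
        $data = if ($type -in @(1, 28)) { [System.Net.IPAddress]::new($rdata).ToString() } else { [BitConverter]::ToString($rdata) }
        $answers += [pscustomobject]@{ Name = $name; Type = $type; TTL = $ttl; Data = $data }
    }
    [pscustomobject]@{ RCode = ($Msg[3] -band 0x0F); Answers = $answers }
}

function Invoke-DohQuery {
    param([Parameter(Mandatory)][string]$Name, [uint16]$Type = 1, [switch]$Post,
          [string]$Template = 'https://dns.contoso.com/dns-query')   # assumed endpoint
    $query = New-DnsQuery -Name $Name -Type $Type
    $headers = @{ Accept = 'application/dns-message' }
    $resp = if ($Post) {
        Invoke-WebRequest -Uri $Template -Method Post -Body $query -ContentType 'application/dns-message' -Headers $headers -UseBasicParsing
    } else {
        Invoke-WebRequest -Uri ('{0}?dns={1}' -f $Template, (ConvertTo-Base64Url $query)) -Headers $headers -UseBasicParsing
    }
    if (-not ("$($resp.Headers['Content-Type'])" -like 'application/dns-message*')) {
        throw "DoH server answered with $($resp.Headers['Content-Type']) instead of application/dns-message"
    }
    Read-DnsAnswers ([byte[]]$resp.Content)
}

# Constructed sample response (not a real capture): "example.com A" answered with one A record,
# TTL 300, 192.0.2.1 (documentation range), owner name written as a compression pointer.
$sample = [byte[]]@(
    0x00,0x00, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,                        # QR RD RA, 1 question, 1 answer
    0x07,0x65,0x78,0x61,0x6D,0x70,0x6C,0x65, 0x03,0x63,0x6F,0x6D, 0x00, 0x00,0x01, 0x00,0x01,  # example.com A IN
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x01,0x2C, 0x00,0x04, 0xC0,0x00,0x02,0x01       # ptr->12, A, IN, 300, 4, 192.0.2.1
)
Read-DnsAnswers $sample | Select-Object -ExpandProperty Answers
# Against the live listener: Invoke-DohQuery -Name example.com -Type 28 -Post
```

The GET path of New-DnsQuery plus ConvertTo-Base64Url for www.example.com reproduces the request string shown in RFC 8484's own GET example, which is a convenient self-check; the Content-Type test matters because a misconfigured reverse proxy or captive portal will happily return HTML with a 200 status.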

A critical improvement over the preview is certificate management. The DNS Server can now use certificates stored in the local machine's certificate store, selected by thumbprint or subject name, so administrators no longer need to export and convert certificate files by hand. PowerShell's Set-DnsServerDohBinding cmdlet offers -CertificateThumbprint or -CertificateSubjectName to bind a TLS certificate to the DoH listener. Before scripting against it, confirm the cmdlet and parameter names on the installed build with Get-Command -Module DnsServer -Name '*Doh*' and Get-Help; the surface differs between the preview and GA builds, and a cmdlet that does not resolve means that build does not expose it. Whatever the binding method, the certificate must carry the Server Authentication EKU, have its private key present in the machine store, and list the template host name in its subject alternative names, or clients will reject the handshake. The same certificate can serve both DoH and DoT listeners; the two protocols use different standard ports (443 and 853), and Microsoft recommends separate listeners on distinct ports for clarity.

Configuration and Management

Setting up DoH on Windows Server 2025 follows a logical workflow. First, ensure the DNS Server role is installed and that the server has a valid DNS forwarder or root hints configured. Next, enable DoH support with a PowerShell command:

Set-DnsServerDohServer -Enable $true

This tells the DNS Server to start accepting DoH queries. Without a certificate binding, however, no clients will be able to complete a TLS handshake. The next step binds a certificate to the HTTPS endpoint:

Set-DnsServerDohBinding -CertificateThumbprint "1a2b3c4d5e6f..." -ListenAddress 0.0.0.0 -Port 443

Alternatively, if the certificate’s subject name matches the server’s fully qualified domain name, use:

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*dns.contoso.com*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Set-DnsServerDohBinding -CertificateThumbprint $cert.Thumbprint -Port 443

Once bound, the server responds to DoH queries at https://dns.contoso.com/dns-query, which is the template URL clients are given; the host name in that URL must match a subject alternative name on the certificate, or clients will refuse the handshake. Windows 11 and Windows Server 2022 or later configure the template natively (through the Settings app or the DnsClient module's Add-DnsClientDohServerAddress), and any other client with a DoH-capable stub resolver can use the server the same way.

For forwarder configuration, administrators modify the existing DNS forwarders list. In PowerShell:

Add-DnsServerForwarder -IPAddress 9.9.9.9 -DoHHostname dns.quad9.net -DoHPath "/dns-query"

This tells Windows DNS Server to forward queries to Quad9 using DoH instead of plain UDP or TCP. Conditional forwarders work similarly, allowing DoH to be applied only to specific domains.

The GUI experience has also matured. In DNS Manager, a new “DNS over HTTPS” tab appears in the server properties. A table of active DoH listeners shows port, certificate status, and binding state, and forwarder properties include a drop-down for protocol selection with choices of UDP, TCP, and DoH. This visual layer reduces the learning curve for teams less comfortable with scripting.

Enterprise Benefits and Zero Trust Alignment

Encrypting DNS server‑to‑server and client‑to‑server traffic delivers immediate security gains. An attacker who compromises a switch or lands on a misconfigured VLAN can no longer trivially sniff DNS queries, and on-path spoofing of responses becomes significantly harder because the TLS handshake authenticates the server before any query is exchanged. The protection covers the hop, not the data: DoH says nothing about whether the answer the resolver returns is genuine, which remains DNSSEC's job. For regulated industries, DoH also helps meet compliance mandates that require encryption of all data in transit, including metadata.

The feature also aligns with Microsoft’s Zero Trust DNS strategy. Zero Trust principles demand that every access request be authenticated and authorized, regardless of source. Traditional DNS provides no authentication of the resolver; a client simply trusts whatever server answers on port 53 (DNSSEC, where deployed, authenticates the data, not the server). With DoH, the server presents a certificate that can be validated against an enterprise PKI, creating a trust anchor. This paves the way for more advanced scenarios, such as requiring DANE (DNS‑based Authentication of Named Entities) or mutual TLS where the client also presents a certificate, though those are not yet built into the current release.

For hybrid environments, Windows Server 2025 DoH enables secure branch office DNS. Sites with limited connectivity can forward queries over the internet to a central DoH server without exposing traffic in plaintext, which removes the need for a site-to-site VPN maintained solely for DNS. A DoH listener reachable from the internet is a public HTTPS service, though, and should be treated as one: restrict it to the branch address ranges or place it behind an authenticating gateway, and make sure it does not double as an open recursive resolver for the world. Similarly, Azure‑connected networks can extend DNS policies into the cloud while maintaining encryption end‑to‑end.

Challenges and Considerations

General availability does not mean universal suitability. Several hurdles remain for mainstream enterprise adoption.

Performance overhead: DoH costs more than plain UDP, but most of the cost sits in the TCP and TLS handshakes rather than in encrypting each query; a client that keeps an HTTP/2 connection open pays little per lookup, while one that opens a fresh connection for every query pays the full handshake each time. In lab tests, a DoH query round‑trip adds between 5 and 20 milliseconds when the server is local. For internet‑bound queries that overhead is negligible compared to network latency, but for Active Directory environments where thousands of queries per second hit domain controllers, the CPU cost of TLS can become noticeable. Microsoft recommends sizing DNS servers with additional compute headroom if DoH will handle high query volumes.

Firewall and proxy complications: Many organizations block or inspect HTTPS traffic on port 443, and DoH shares that port, so at the packet level it is indistinguishable from web browsing. The visibility that disappears is on the wire: passive DNS sensors, IDS signatures and span-port collectors that parsed plaintext port 53 now see only TLS. Queries that reach the enterprise DoH server are decrypted there, so the server's own debug and analytical logs still record them; the real gap is clients that bypass the enterprise resolver for a public DoH provider, whose lookups no longer appear anywhere. Windows Server 2025 adds no DoH‑specific logging beyond the standard DNS server logs, so teams that relied on wire capture need to move collection to the resolver and enforce that clients actually use it.
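One way to close that bypass gap from the endpoint side, as an added PowerShell example that is not from the article or from Microsoft: Windows Defender Firewall outbound rules, deployable to clients by GPO or Intune, that leave the enterprise resolvers as the only reachable DNS service so every query lands in the resolver's logs. Two firewall facts shape the rules: a Block rule always beats an Allow rule, and a rule cannot express "any address except these", so the block rule is given the complement of the approved resolver addresses as IPv4 ranges. The resolver addresses 10.0.0.53 and 10.0.0.54 are assumed, and the public resolver list is illustrative and must be maintained from the providers' documentation.

```powershell
# Added example, not from the article or from Microsoft. Resolver addresses are assumed.
function ConvertTo-IPv4Int([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function ConvertFrom-IPv4Int([long]$N) {
    '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255), (($N -shr 8) -band 255), ($N -band 255)
}

function Get-ComplementIPv4Ranges {
    # Unicast space 1.0.0.0-223.255.255.255 minus the excluded hosts, as "a-b" range strings in
    # the syntax New-NetFirewallRule -RemoteAddress accepts (0/8, multicast and reserved space
    # are never legitimate unicast DNS destinations, so they are left out).
    param([Parameter(Mandatory)][string[]]$Exclude)
    $start = ConvertTo-IPv4Int '1.0.0.0'; $end = ConvertTo-IPv4Int '223.255.255.255'
    $ranges = @(); $next = $start
    foreach ($n in ($Exclude | ForEach-Object { ConvertTo-IPv4Int $_ } | Sort-Object -Unique)) {
        if ($n -lt $start -or $n -gt $end) { continue }
        if ($n -gt $next) { $ranges += '{0}-{1}' -f (ConvertFrom-IPv4Int $next), (ConvertFrom-IPv4Int ($n - 1)) }
        $next = $n + 1
    }
    if ($next -le $end) { $ranges += '{0}-{1}' -f (ConvertFrom-IPv4Int $next), (ConvertFrom-IPv4Int $end) }
    return $ranges
}

function Set-DnsEgressPolicy {
    param([string[]]$ApprovedResolvers = @('10.0.0.53', '10.0.0.54'),
          # Illustrative public DoH/DoT resolver addresses; keep this current from the providers' docs.
          [string[]]$PublicResolvers = @('1.1.1.1', '1.0.0.1', '8.8.8.8', '8.8.4.4', '9.9.9.9', '149.112.112.112'))
    $group = 'Enterprise DNS egress'
    Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $elsewhere = Get-ComplementIPv4Ranges -Exclude $ApprovedResolvers
    foreach ($proto in 'UDP', 'TCP') {   # plain DNS reaches only the approved resolvers
        New-NetFirewallRule -Group $group -DisplayName "Block DNS $proto/53 to non-approved resolvers" `
            -Direction Outbound -Action Block -Protocol $proto -RemotePort 53 -RemoteAddress $elsewhere | Out-Null
    }
    New-NetFirewallRule -Group $group -DisplayName 'Block DoT 853 to non-approved resolvers' `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 853 -RemoteAddress $elsewhere | Out-Null
    # 443 cannot be blocked wholesale, so the known public DoH resolvers are blocked by address.
    New-NetFirewallRule -Group $group -DisplayName 'Block public DoH resolvers on 443' `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 443 -RemoteAddress $PublicResolvers | Out-Null
    Get-NetFirewallRule -Group $group | Select-Object DisplayName, Enabled, Direction, Action
}

# Review the range math first, then apply from an elevated session:
Get-ComplementIPv4Ranges -Exclude '10.0.0.53', '10.0.0.54'
# Set-DnsEgressPolicy
```

Apply this to clients, not to the DNS servers themselves, which need outbound access to their forwarders. The 443 rule is only as good as the address list behind it, which is exactly the point of the paragraph above: a resolver hidden in ordinary HTTPS is found by policy and inventory, not by port.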

Client compatibility: While major operating systems support DoH, not all IoT devices, legacy servers, or line‑of‑business applications can use encrypted DNS. During migration, DNS servers will likely need to serve both plaintext and DoH clients simultaneously, which can complicate certificate requirements and access control lists. Microsoft has not announced plans to drop plain DNS support, giving administrators time to transition gradually.

Certificate lifecycle: Every DoH server needs a certificate its clients trust, issued by a public CA or by the enterprise PKI. Certificates expire, and renewal must be zero‑downtime for DNS, a service whose failure takes whole networks down with it. Windows DNS Server has no built‑in ACME (Automatic Certificate Management Environment) client, so teams either run an ACME tool (certbot, win-acme or Posh-ACME on Windows) for publicly trusted certificates or, in the domain‑joined case, use an AD CS template with autoenrollment so each server renews its own certificate. Either way the listener must follow the new certificate: if the binding is by thumbprint, a renewed certificate does nothing until the DoH binding is updated, so the renewal job should end by rebinding and by probing the endpoint.
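Client enrollment and the endpoint probe, as an added PowerShell example that is not from the article or from Microsoft. The first function points a Windows 11 or Windows Server 2022 client at the listener with the DnsClient module's Add-DnsClientDohServerAddress, plaintext fallback disabled; the second performs the TLS handshake a DoH client performs and reports chain status, SAN match and days until expiry, which is the check a renewal job or monitor should run. dns.contoso.com, 10.0.0.53 and the interface alias Ethernet are assumed values.

```powershell
# Added example, not from the article or from Microsoft. Names, addresses and alias are assumed.
function Set-EnterpriseDohClient {
    param([string]$ServerAddress = '10.0.0.53',
          [string]$Template = 'https://dns.contoso.com/dns-query',
          [string]$InterfaceAlias = 'Ethernet')
    # AllowFallbackToUdp $false: a failed DoH connection is an outage, not a silent downgrade.
    Add-DnsClientDohServerAddress -ServerAddress $ServerAddress -DohTemplate $Template `
        -AllowFallbackToUdp $false -AutoUpgrade $true
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $ServerAddress
    Get-DnsClientDohServerAddress -ServerAddress $ServerAddress
}

function Test-DohListenerCertificate {
    param([string]$HostName = 'dns.contoso.com',   # host name from the template URL, sent as SNI
          [string]$Address = '10.0.0.53',           # where the listener actually is
          [int]$Port = 443, [int]$WarnDays = 30)
    $script:policyErrors = 'None'
    $tcp = [System.Net.Sockets.TcpClient]::new($Address, $Port)
    try {
        # Accept in the callback so the certificate can be inspected; keep what .NET objected to
        # (RemoteCertificateChainErrors, RemoteCertificateNameMismatch, ...) for the report.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
            { param($s, $cert, $chain, $errors) $script:policyErrors = $errors; $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SAN          = $san
            NotAfter     = $cert.NotAfter
            DaysLeft     = $daysLeft
            PolicyErrors = $script:policyErrors
            Protocol     = $ssl.SslProtocol
            Healthy      = ("$script:policyErrors" -eq 'None') -and ($daysLeft -gt $WarnDays) -and ("$san" -match [regex]::Escape($HostName))
        }
    } finally { $tcp.Dispose() }
}

# Enroll, then probe; Healthy = $false should page someone well before the certificate lapses.
# Set-EnterpriseDohClient
Test-DohListenerCertificate -WarnDays 21
```

Run the probe from a machine that trusts the same CA the clients trust; a chain that validates on the DNS server itself but not on a workstation is the usual cause of a "works for admins, fails for users" rollout.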

Despite these challenges, the GA release marks a significant milestone. Many limitations identified during the preview phase have been resolved, and Microsoft’s documentation now covers advanced scenarios, including load‑balancing DoH listeners across multiple servers and integrating with Active Directory DNS zones.

What’s Next for Windows DNS Encryption

Microsoft’s DoH rollout is part of a broader push to modernize Windows DNS. Feedback from early adopters has shaped the final feature set, and the product group has hinted at upcoming enhancements. DNS over TLS (DoT) support, which also reached GA in Windows Server 2025, offers an alternative encrypted transport on its own port (853). Because DoT has no HTTP framing and a dedicated port, network and firewall teams find it easier to identify and write policy for, which some consider more firewall‑friendly; the flip side is that it cannot hide inside ordinary HTTPS flows the way DoH can.

Future iterations could bring mutual TLS authentication, allowing administrators to enforce client certificate checks before accepting queries. This would turn DNS into a fully authenticated service, a cornerstone of Zero Trust architectures. Deeper integration with Azure Policy and Windows Defender Firewall might also emerge, enabling dynamic firewall rules that detect and block unencrypted DNS traffic.

Outside the Microsoft ecosystem, the IETF continues refining DNS encryption standards. RFC 9460 introduced SVCB/HTTPS resource records, which can deliver DoH configuration to clients automatically. Windows Server already supports these records for clients, but future DNS Server updates could use them to advertise DoH endpoints, simplifying client setup.

Conclusion

Windows Server 2025’s general availability of DNS over HTTPS transforms the default DNS role from a security liability into a privacy‑preserving asset. Enterprises can now encrypt query traffic without abandoning their existing DNS infrastructure or resorting to third‑party proxies. The feature’s tight integration with PowerShell and DNS Manager, combined with its support for both server and forwarder modes, gives IT teams the flexibility to adopt encryption at their own pace.

Administrators evaluating the upgrade should audit their current DNS architecture, measure query volumes, and plan certificate management before switching on DoH. For most, the security benefits will outweigh the modest performance cost, especially as privacy regulations tighten and attackers increasingly target DNS as a weak link. With DoH now production‑ready, Microsoft has given Windows shops a long‑awaited tool to lock down one of the network stack’s oldest plaintext protocols.