Windows Server 2025 Enables DNS Over HTTPS to Secure Enterprise DNS Traffic

The latest update strengthens privacy and communication integrity within on‑premises DNS environments.

Key Takeaways:

  • DNS traffic is now encrypted using HTTPS to prevent interception.
  • It supports authentication through certificates to reduce spoofing risks.
  • This feature is designed for gradual adoption alongside existing DNS infrastructure.

Microsoft has officially introduced DNS over HTTPS (DoH) support for Windows DNS Server in Windows Server 2025. The new feature enables organizations to secure DNS communications with encryption and server authentication, allowing encrypted client-to-resolver traffic to be deployed directly within existing on-premises DNS environments.

Microsoft noted that traditional DNS communication is sent in plaintext, which leaves it open to interception, monitoring, and manipulation by attackers and other unauthorized parties. This exposes sensitive information about user activity and system behaviour and increases the risk of attacks such as spoofing or man-in-the-middle interception.

DNS over HTTPS (DoH) is a protocol that carries DNS requests and responses inside encrypted HTTPS connections. When a device asks a DNS server to translate a domain name into an IP address, the query and the answer are protected by TLS, which makes it much harder for attackers, internet providers, or other third parties to view, track, or change that information.

How does DNS over HTTPS protect enterprise networks?

DNS over HTTPS (DoH) in Windows DNS Server provides several capabilities focused on improving security and compatibility. First, it encrypts DNS queries and responses using HTTPS, which ensures that sensitive information cannot be easily intercepted or altered during transmission. It also uses digital certificates to authenticate the DNS server, which allows clients to confirm they are communicating with a trusted source and reduces the chances of spoofing or impersonation attacks.

Additionally, DoH is built on widely accepted Internet standards, which means it works smoothly with modern clients that support encrypted DNS. It is designed to integrate directly into existing Windows DNS Server setups. This feature supports both encrypted and traditional DNS together, which enables a gradual transition without disrupting existing operations.
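To make the two properties above concrete, here is an added Python example (not Microsoft's code and not from the article) that builds a wire-format DNS query, shows both RFC 8484 transport forms (the GET `dns=` parameter and the `application/dns-message` POST body), parses the A records out of a response, and sends the query over TLS with certificate and hostname verification enforced. `DOH_URL`, the host names and the constructed sample response are assumptions.

```python
import base64
import ssl
import struct
import urllib.request

# DOH_URL is an assumed placeholder for an on-premises resolver endpoint, not a value from the article.
DOH_URL = "https://dns.corp.example/dns-query"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query (RFC 1035) with ID 0, as RFC 8484 suggests for HTTP cache friendliness."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(base_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url-encoded query with padding removed, in the 'dns' parameter."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def _skip_name(msg: bytes, pos: int) -> int:  # step over a label sequence or a compression pointer
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += msg[pos] + 1
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a wire-format response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve(name: str, url: str = DOH_URL) -> list:
    """POST over TLS; the default context verifies chain and hostname, and there is no plaintext fallback."""
    ctx = ssl.create_default_context()  # rejects untrusted or mismatched server certificates
    req = urllib.request.Request(url, data=build_query(name), headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
        return parse_a_records(resp.read())

SAMPLE_RESPONSE = (  # constructed sample, not captured from a real server: one A record 10.0.0.5, TTL 3600
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x08intranet\x04corp\x07example\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x0a\x00\x00\x05")
```

Because `resolve()` never opens a UDP socket, a client built this way cannot be downgraded to unencrypted DNS; an attacker who blocks the HTTPS endpoint causes a visible failure rather than a silent fallback.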

“The goal is to help improve privacy, reduce spoofing risk, and advance Zero Trust DNS without requiring a new resolver architecture. This release helps organizations secure one of the most critical, and traditionally exposed components of modern networks while preserving compatibility with existing enterprise DNS deployments,” Microsoft explained.

What’s next for Microsoft’s Zero Trust DNS strategy?

This release supports Microsoft’s broader Zero Trust DNS strategy, which enables encrypted communication between clients and on-premises DNS servers. It also helps organizations align with modern security frameworks and regulatory expectations.

According to Microsoft, DoH support for Windows DNS Server is available on Windows Server 2025 running the June 9, 2026 update (or newer). To deploy this feature, administrators will need to configure a trusted TLS certificate, enable DoH in the DNS Server service, and configure supported clients to use the secure endpoint.

Microsoft notes that encryption currently supports client-to-resolver communication. The company plans to extend support for encrypted communication between the Windows DNS Server and upstream DNS resolvers.