Windows Server 2025 Introduces DNS over HTTPS to Enhance Network Security
Microsoft has officially marked DNS over HTTPS (DoH) as generally available for the Windows Server 2025 DNS role, delivered through the June 2026 Patch Tuesday update — bringing enterprise-grade encrypted DNS resolution to on-premises server environments for the first time.
DNS over HTTPS (DoH), a security protocol that encrypts DNS queries by tunneling them through an HTTPS connection protected by TLS, is now officially available in Windows Server 2025 with the release of the June 9, 2026 Patch Tuesday cumulative update (KB5094125). The move extends encrypted DNS from Windows client devices — where DoH has been supported for years — to the server-side DNS resolver role, closing a gap that has persisted in enterprise environments for over six years.
DoH general availability for Windows DNS Server requires the June 9, 2026 Patch Tuesday update (KB5094125) for Windows Server 2025. The feature was previously in public preview, introduced in the February 2026 cumulative update.
Why Encrypted DNS Matters
DNS is a foundational dependency for virtually every application, service, and network workload. Yet the protocol — in continuous use since 1985 — has historically transmitted domain name resolution requests in plaintext. This exposes DNS traffic to interception, eavesdropping, spoofing, and man-in-the-middle attacks by unauthorized third parties anywhere along the network path.
By encrypting DNS queries between clients and the Windows DNS Server, DoH significantly reduces these attack surfaces. The HTTPS/TLS layer not only prevents data from being read in transit but also authenticates the DNS server through certificate validation, allowing clients to verify they are communicating with a legitimate resolver rather than a spoofed one.
Zero Trust Alignment
Microsoft has positioned DoH as a key component of its Zero Trust security strategy. Zero Trust operates on the principle that no user, device, or network path should be inherently trusted — every communication must be verified and authenticated. Traditional DNS, which provides no authentication and sends all queries in plaintext, is fundamentally at odds with this model.
With DoH, Windows DNS Server can now present a TLS certificate validated against an enterprise Public Key Infrastructure (PKI), creating a cryptographic trust anchor for DNS communication. This also enables compliance with mandates such as the U.S. federal government’s OMB M-22-09 directive on encrypted DNS.
What the Feature Delivers
- Encrypted client-to-resolver DNS queries over HTTPS on Windows Server 2025, preventing network eavesdropping and tampering.
- Compatibility with the IETF DNS over HTTPS standard (RFC 8484), ensuring interoperability with modern DoH-capable clients such as Windows 11.
- Integration with existing Windows DNS Server infrastructure — traditional plaintext DNS traffic can run concurrently with DoH, allowing gradual adoption without forcing a hard migration.
- Group Policy support for managing client DoH settings, and GUI management through DNS Manager for simplified administration.
- Support for TLS certificates from internal Certificate Authorities, with automatic trust for domain-joined Windows devices.
- The ability to forward DNS queries to external DoH resolvers such as Cloudflare or Quad9, with conditional forwarding options.
DoH in its current release encrypts client-to-resolver traffic only. DNS queries sent by the Windows DNS Server to upstream resolvers (such as conditional forwarders or authoritative servers) remain unencrypted on port 53. Microsoft has stated plans to extend encryption to this upstream communication path in a future update.
Deployment Requirements
To enable DoH on Windows Server 2025, administrators must install the June 9, 2026 cumulative update (KB5094125), configure a valid TLS certificate on the DNS server (from either a public CA or an internal CA), and ensure firewall rules allow inbound TCP port 443. Windows 11 clients natively support DoH and can be configured to use the secured endpoint through DNS settings or Group Policy.
Microsoft provides detailed guidance in its official documentation for enabling and verifying the DoH feature within the Windows Server DNS role. Organizations are encouraged to begin planning their PKI certificate strategy and evaluating the impact on existing network infrastructure ahead of deployment.
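The PowerShell below is an added example, not code from the article or from Microsoft's documentation; it covers the three deployment steps described above (the inbound 443 rule on the server, a trust check of the DoH endpoint's certificate from a domain-joined machine, and the Windows 11 client configuration) with plaintext fallback disabled. The server name, address and template URL are constructed placeholders, and enabling DoH on the DNS Server role itself follows Microsoft's documentation rather than any command shown here.

```powershell
# Added example (not from the article or Microsoft's documentation). Constructed values:
# DNS server dns01.corp.example at 10.0.0.53, DoH endpoint https://dns01.corp.example/dns-query
# (the RFC 8484 path). Enabling DoH on the DNS Server role itself follows Microsoft's
# documentation and is not part of this script.

$DnsServerIp = '10.0.0.53'
$DohHost     = 'dns01.corp.example'
$DohTemplate = "https://$DohHost/dns-query"

# --- On the DNS server: allow inbound TCP 443; plaintext port 53 is left untouched ---
$ruleName = 'DNS over HTTPS (TCP 443 inbound)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 443 -Action Allow -Profile Domain | Out-Null
}

# --- From a domain-joined machine: confirm the resolver presents a certificate this
#     machine trusts. SslStream validates against the machine store, so an internal-CA
#     certificate passes only where that CA is trusted; a name mismatch or untrusted
#     chain throws AuthenticationException instead of returning. ---
function Test-DohEndpointCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Protocol = $ssl.SslProtocol
        }
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}
Test-DohEndpointCertificate -HostName $DohHost

# --- On a Windows 11 client: bind the DoH template to the resolver's address.
#     -AutoUpgrade $true         : queries to this resolver go over HTTPS
#     -AllowFallbackToUdp $false : fail closed rather than silently reverting to port 53 ---
Add-DnsClientDohServerAddress -ServerAddress $DnsServerIp -DohTemplate $DohTemplate `
    -AutoUpgrade $true -AllowFallbackToUdp $false
# The resolver must also be the interface's configured DNS server for the upgrade to apply.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $DnsServerIp
Get-DnsClientDohServerAddress -ServerAddress $DnsServerIp   # shows template and fallback flags
```

Each section runs on the host it is labelled for; the certificate check is the one to repeat after certificate renewal, since an expired or re-issued server certificate breaks resolution for clients that are configured to fail closed.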
Path to General Availability
The journey to GA began with the February 10, 2026 cumulative update, which introduced DoH resolver support for Windows DNS Server as a public preview. During that period, access required enrollment through an online registration form, and the feature was not supported in production environments. Microsoft collaborated with external organizations to evaluate real-world deployment behavior before declaring general availability, and reports confidence that the feature delivers substantial security improvements without placing undue burden on system administrators.
Organizations can now adopt DoH at their own pace, retaining unencrypted DNS infrastructure alongside the new encrypted path to reduce migration risk and operational disruption.
