Windows Server is getting new network safety capabilities with DNS over HTTPS

Alfonso Maruccia

Something to look forward to: Despite being one of the most important elements in modern networking applications, the Domain Name System is still one of the internet's least secure technologies. Microsoft is looking to change the state of play by expanding the adoption of encrypted DNS traffic.

Microsoft recently announced that DNS over HTTPS (DoH) is now available on Windows Server 2025, providing encrypted DNS traffic for client-to-server communications. The feature has been available in Windows client editions for years and is now being extended to server-oriented versions of the operating system.

Microsoft notes that adding encryption support to DNS traffic can provide clear improvements in both network security and reliability. Previously available only as a public preview, the DoH feature is part of the Zero Trust architecture Microsoft is gradually implementing across its computing ecosystem. Zero Trust assumes that users and devices are not inherently trustworthy, which is why DoH adds an additional security layer by routing DNS traffic through HTTPS secured with TLS certificates.

Nearly every application, service, and workload still relies on DNS, a system that has been in use since 1985 yet continues to operate using unencrypted traffic for domain name resolution. By encrypting traffic between clients and servers, DoH can help prevent eavesdropping by malicious third parties.

Furthermore, encrypted traffic can help protect DNS data from tampering and verify the identity of the DNS server via HTTPS/TLS. Microsoft's DoH implementation is based on the IETF DNS over HTTPS standard (RFC 8484), so it should work reliably with modern clients that comply with the specification. DoH can also integrate with existing infrastructure, such as the Windows DNS Server service. When needed, unencrypted DNS traffic can continue to operate alongside DoH.

After introducing DoH in preview form, Microsoft worked with external organizations to evaluate how real-world implementations would behave. The company is now confident that the feature will deliver meaningful security improvements without placing significant additional burden on system administrators. Organizations can therefore adopt DoH at their own pace while maintaining their existing unencrypted DNS infrastructure.

DNS over HTTPS is available for Windows Server 2025 systems updated to the latest Patch Tuesday release. Microsoft provides a detailed guide on enabling and validating the feature within the Windows Server DNS service. The company also notes that DNS traffic exchanged between two DNS servers is not encrypted by DoH.

Okay, but don't forget to continue encrypting, as internet traffic will spend most of its transit time outside of your Microsoft domain.