How to Configure DNS over HTTPS (DoH) on Windows Server 2025
DNS over port 53 is still plaintext in many setups. Our new guide explains how to enable DNS over HTTPS on Windows Server 2025 using the latest update.
In an era where “zero-trust” is the standard mindset for any architect, it’s remarkable how long we’ve allowed one of the most important parts of the network to remain unprotected, namely DNS.
Classic DNS sends queries in plaintext over port 53 from the client to the DNS server, and nothing in the protocol authenticates the server. This means anyone sitting between the client and the server can see exactly which names we are resolving, and can also alter the answers.
In this article we walk through how to configure DNS over HTTPS on Windows Server 2025, a capability added by the February update. Moving DNS queries into an authenticated, encrypted HTTPS session removes the opportunity for snooping and for man-in-the-middle tampering with name resolution on the path between the client and the DNS server. It does not, by itself, protect the hops beyond that server (see Known limitations below).
Technical Prerequisites
Before we dive in, the infrastructure needs to be ready for the service. The following prerequisites must be in place:
- Windows Server 2025 installed on the servers that run the DNS Server role.
- Update: Minimum 2026-02 Security Update (KB5075899) must be installed.
- Client Support: Windows 11 clients (or newer), whose DNS client supports encrypted DNS.
- Certificate: A valid TLS certificate installed on the server (DoH requires HTTPS, and HTTPS requires trust). It can come from a public CA such as DigiCert or from an internal CA, as long as every client trusts the issuer. The Subject or Subject Alternative Name (SAN) of the certificate must contain the FQDN that clients use to reach the DNS server, and that FQDN must resolve to the server.
- Network: Firewall rules need to be in place allowing inbound TCP port 443 on the DNS Servers.
How it Works
DoH doesn’t change the fundamental logic of a DNS lookup; it just changes the way it is transported. We can look at it as three logical layers:
- Transport Layer (TLS): The client establishes a secure TLS connection to the server. Here, the server’s identity is verified via certificates.
- HTTP Layer (RFC 8484): The DNS message, in ordinary wire format, is carried in an HTTP request, either GET with the query base64url-encoded in the dns= parameter or POST with the query as the request body, using the media type application/dns-message. To a firewall this looks like standard web traffic.
- Resolution: The DNS service on Windows Server unwraps the request, answers from its zones or forwards it (unencrypted) to its forwarders, and sends the answer back through the encrypted session.
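To make the three layers concrete, here is an added example (not code from the original article): a minimal RFC 8484 client in PowerShell that builds a DNS query in wire format, sends it with the GET form of DoH, checks the media type, and decodes the answer section, including compressed names. The server template https://dns.contoso.com/dns-query and the name fileserver.contoso.com are hypothetical; substitute your own.

```powershell
# Added example, not from the original article. Hypothetical names: the DoH template
# https://dns.contoso.com/dns-query and the record fileserver.contoso.com.

function New-DnsWireQuery {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('A', 'AAAA')][string]$Type = 'A'
    )
    $qtype = @{ A = 1; AAAA = 28 }[$Type]
    # Header: ID 0 (RFC 8484 recommends 0 so identical queries give identical URIs),
    # flags 0x0100 (RD set), QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0.
    [byte[]]$msg = 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes = [Text.Encoding]::ASCII.GetBytes($label)
        $msg += [byte]$bytes.Length                              # length-prefixed label
        $msg += $bytes
    }
    $msg += 0x00                                                 # root label ends QNAME
    $msg += [byte]($qtype -shr 8), [byte]($qtype -band 0xFF)     # QTYPE
    $msg += 0x00, 0x01                                           # QCLASS IN
    return $msg
}

function ConvertTo-Base64Url([byte[]]$Bytes) {
    # base64url without padding, as the ?dns= parameter requires
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Read-DnsAnswers([byte[]]$Msg) {
    # Decode the answer section; names may be 0xC0 compression pointers.
    $skipName = {
        param($p)
        while ($true) {
            $len = $Msg[$p]
            if ($len -eq 0) { return $p + 1 }
            if (($len -band 0xC0) -eq 0xC0) { return $p + 2 }   # 2-byte pointer
            $p += 1 + $len
        }
    }
    $qd  = ($Msg[4] -shl 8) -bor $Msg[5]
    $an  = ($Msg[6] -shl 8) -bor $Msg[7]
    $pos = 12
    for ($i = 0; $i -lt $qd; $i++) { $pos = (& $skipName $pos) + 4 }   # skip QTYPE, QCLASS
    $records = @()
    for ($i = 0; $i -lt $an; $i++) {
        $pos   = & $skipName $pos
        $type  = ($Msg[$pos] -shl 8) -bor $Msg[$pos + 1]
        $ttl   = ($Msg[$pos + 4] -shl 24) -bor ($Msg[$pos + 5] -shl 16) -bor ($Msg[$pos + 6] -shl 8) -bor $Msg[$pos + 7]
        $rdlen = ($Msg[$pos + 8] -shl 8) -bor $Msg[$pos + 9]
        [byte[]]$rdata = $Msg[($pos + 10)..($pos + 9 + $rdlen)]
        $pos  += 10 + $rdlen
        $data = switch ($type) {
            1       { $rdata -join '.' }                                # A
            28      { [Net.IPAddress]::new($rdata).IPAddressToString }  # AAAA
            default { [BitConverter]::ToString($rdata) }
        }
        $records += [pscustomobject]@{ Type = $type; TTL = $ttl; Data = $data }
    }
    return $records
}

function Invoke-DohQuery {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$Name,
        [string]$Type = 'A'
    )
    $query = New-DnsWireQuery -Name $Name -Type $Type
    $uri   = "${Template}?dns=$(ConvertTo-Base64Url $query)"
    $sw    = [Diagnostics.Stopwatch]::StartNew()
    # Invoke-WebRequest validates the server certificate against the machine trust store.
    # A trust error here is the TLS layer doing its job; do not bypass it.
    $resp  = Invoke-WebRequest -Uri $uri -Method Get -UseBasicParsing `
                 -Headers @{ Accept = 'application/dns-message' }
    $sw.Stop()
    if ($resp.Headers['Content-Type'] -notlike 'application/dns-message*') {
        throw "Server answered with Content-Type '$($resp.Headers['Content-Type'])', not a DNS message"
    }
    [byte[]]$answer = $resp.RawContentStream.ToArray()
    [pscustomobject]@{
        RCode        = $answer[3] -band 0x0F          # 0 = NOERROR, 3 = NXDOMAIN
        Truncated    = [bool]($answer[2] -band 0x02)
        Answers      = Read-DnsAnswers $answer
        Milliseconds = $sw.ElapsedMilliseconds
        WireBytes    = $answer.Length
    }
}

# Usage with the hypothetical names. Run it twice: a warm connection is normally cheaper,
# and the difference in Milliseconds is the handshake cost discussed later in the article.
Invoke-DohQuery -Template 'https://dns.contoso.com/dns-query' -Name 'fileserver.contoso.com' | Format-List
Invoke-DohQuery -Template 'https://dns.contoso.com/dns-query' -Name 'fileserver.contoso.com' | Format-List
```

Because the query is an ordinary DNS message inside HTTPS, the only things the network sees are a TLS connection to port 443 and, in the ClientHello, the server name in the template. The same function works against public DoH resolvers, which is a convenient way to check the client before the Windows server is ready.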
Configuring DoH on DNS Servers
Because DoH on Windows Server 2025 is currently in preview, the setup is done with a handful of PowerShell commands. Follow these steps to enable the service.
1. Import the Certificate
First, the DNS server needs a certificate to establish the HTTPS session. If you have a .pfx file, import it into the local machine certificate store.
Using PowerShell, run the following command:
Import-PfxCertificate `
    -FilePath "C:\Certs\dns_server.pfx" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -Password (Read-Host -AsSecureString "Enter PFX Password")
2. Bind the Certificate to the Port
The DNS service needs to know which certificate to present when a client connects on port 443. We use netsh to create this binding in HTTP.sys.
PowerShell (select the certificate by the FQDN it was issued for, which is also the name clients will use):
# Identify your certificate by its DNS name (exact SAN match rather than a regex on Subject,
# and require a private key; Select-Object guards against several matching certificates)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains "dns.contoso.com") } |
    Select-Object -First 1
$guid = New-Guid
# Bind the certificate to port 443 using netsh (keep a note of the appid; it identifies the binding later)
netsh http add sslcert ipport=0.0.0.0:443 certhash=$($cert.Thumbprint) appid="{$guid}"
3. Configure Firewall Rules
Standard DNS uses UDP and TCP 53, while DoH arrives on TCP 443, so an additional inbound firewall rule is required.
PowerShell
# Create a firewall rule to allow inbound DoH traffic
New-NetFirewallRule -DisplayName "DNS over HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
4. Enable the Protocol and URI Template
Now tell the DNS server to start processing DoH traffic using a specific URI template. The host name in the template must match the certificate and the FQDN of the server:
PowerShell
# Enable DoH and set the URI template
Set-DnsServerEncryptionProtocol -EnableDoh $true -UriTemplate "https://dns.contoso.com:443/dns-query"
# Restart the service to apply changes
Restart-Service -Name DNS
To confirm that everything is running, use these checks:
- Get-DnsServerEncryptionProtocol should show EnableDoh as True.
- Event Logs: Open Event Viewer and navigate to Applications and Services Logs > DNS Server. Look for Event ID 822, which confirms the DoH service started successfully.
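Steps 1 to 4 above are easy to get wrong in small ways (a certificate without a private key, a 443 binding left over from something else, a template that does not match the name). The following script is an added example, not code from the original article: it runs the pre-flight checks a practitioner would want, performs the binding and enables DoH only when -Apply is given, and then reports the same verification points as the list above. The FQDN dns.contoso.com and the fixed appid GUID are hypothetical values chosen for the example.

```powershell
# Added example, not from the original article. Hypothetical: dns.contoso.com, the appid GUID.
param(
    [string]$Fqdn   = 'dns.contoso.com',
    [string]$IpPort = '0.0.0.0:443',
    [string]$AppId  = '{5d2e7b1c-6f4a-4c9e-9a1d-2b3c4d5e6f70}',
    [switch]$Apply
)

function Get-DohCertificate([string]$Fqdn) {
    # Exact SAN/DNS-name match instead of a regex on Subject: a regex would also match
    # "dns.contoso.com.evil" and treat "." as a wildcard. Require a private key and prefer
    # the certificate that expires last. A wildcard cert (*.contoso.com) needs a looser test.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $Fqdn) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-DohCertificate([Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $problems = @()
    if ($Cert.NotBefore -gt (Get-Date)) { $problems += 'not yet valid' }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($Cert.NotAfter) (under 30 days)" }
    if (-not $Cert.Verify()) { $problems += 'chain does not validate on this host' }
    # A certificate with no EKU extension is valid for any purpose; only flag an explicit
    # EKU list that omits Server Authentication (1.3.6.1.5.5.7.3.1).
    if ($Cert.EnhancedKeyUsageList.Count -gt 0 -and
        -not ($Cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')) {
        $problems += 'missing Server Authentication EKU'
    }
    return $problems
}

function Get-HttpSysBinding([string]$IpPort) {
    # Thumbprint currently bound in HTTP.sys for the endpoint, or $null if none
    $text = (netsh http show sslcert ipport=$IpPort 2>&1) -join "`n"
    if ($text -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40,})') { return $Matches[1].ToUpper() }
    return $null
}

$cert = Get-DohCertificate $Fqdn
if (-not $cert) { throw "No certificate with a private key for $Fqdn in Cert:\LocalMachine\My" }
$issues = Test-DohCertificate $cert
if ($issues) { throw "Certificate $($cert.Thumbprint) is not usable for DoH: $($issues -join '; ')" }

$bound = Get-HttpSysBinding $IpPort
if ($bound -and $bound -ne $cert.Thumbprint) {
    Write-Warning "$IpPort is already bound to $bound, not to $($cert.Thumbprint); remove that binding first"
}

if ($Apply) {
    if (-not $bound) {
        # A fixed appid makes this binding recognisable in 'netsh http show sslcert' later
        netsh http add sslcert ipport=$IpPort certhash=$($cert.Thumbprint) appid=$AppId
    }
    Set-DnsServerEncryptionProtocol -EnableDoh $true -UriTemplate "https://${Fqdn}:443/dns-query"
    Restart-Service -Name DNS
}

# Post-checks: the DoH flag, the listener, and the most recent start event (ID 822 per the article)
$state     = Get-DnsServerEncryptionProtocol
$tcp       = Test-NetConnection -ComputerName $Fqdn -Port 443 -WarningAction SilentlyContinue
$evt       = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 822 } -MaxEvents 1 -ErrorAction SilentlyContinue
$lastStart = if ($evt) { $evt.TimeCreated } else { 'not found' }
[pscustomobject]@{
    Thumbprint   = $cert.Thumbprint
    CertExpires  = $cert.NotAfter
    BoundHash    = Get-HttpSysBinding $IpPort
    DohEnabled   = $state.EnableDoh
    Port443Open  = $tcp.TcpTestSucceeded
    LastEvent822 = $lastStart
}
```

Run it once without -Apply on every DNS server before the change window; a warning about an existing 443 binding usually means IIS, WinRM over HTTPS or another HTTP.sys consumer already owns the port and the DoH template will need a different address or port. Run it again after enabling DoH, and schedule it as a recurring check so an approaching certificate expiry is caught before clients set to Encrypted only start failing.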
Note that if you keep UDP/TCP port 53 enabled on the Windows DNS server for client traffic while DoH is enabled, queries arriving on port 53 continue to be handled as before, that is, unencrypted. Clients that are not configured for DoH gain nothing until they are switched over.
If you want to test from a Windows client or another Windows Server, the DNS client has supported DoH natively since Windows 11 and Windows Server 2022. In the Settings app:
- Click on the Start menu and go to Settings.
- Navigate to Network & Internet.
- Select Wi-Fi (if connected via Wi-Fi) or Ethernet (if connected via a wired connection) and open the properties of the active connection.
- Next to DNS server assignment, click Edit and set DNS settings to Manual.
- Turn on IPv4 and set the Preferred DNS server to the IP address of the server running DoH (DNS over HTTPS).
- Under Preferred DNS encryption, select Encrypted only (DNS over HTTPS) for that server, for example as you would for a public DoH server.
The legacy path (right-click the connection under More adapter options, Properties, Internet Protocol Version 4 (TCP/IPv4), Properties) only lets you set the preferred DNS server address; the encryption preference is exposed in the Settings app only.
You can also confirm that DoH is configured by running ipconfig /all locally on the device: the DNS server entries are flagged as encrypted.
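The Settings walkthrough above has one gap a practitioner runs into immediately: Windows ships DoH templates only for a few public resolvers, so for an internal server the IP-to-template mapping has to be registered before Encrypted only has anything to use. The following added example (not code from the original article) does the client configuration from PowerShell, registers the template, and then checks that resolution really travels over TCP 443. The server address 10.0.0.10, the template https://dns.contoso.com/dns-query, the adapter alias Ethernet and the test name dc01.contoso.com are hypothetical.

```powershell
# Added example, not from the original article. Hypothetical: 10.0.0.10, the template,
# the adapter alias and dc01.contoso.com.
param(
    [string]$ServerIp = '10.0.0.10',
    [string]$Template = 'https://dns.contoso.com/dns-query',
    [string]$Adapter  = 'Ethernet',
    [string]$TestName = 'dc01.contoso.com'
)

# 1. Register the DoH template for the server IP. AutoUpgrade makes Windows use DoH as soon
#    as this IP is configured as a DNS server; AllowFallbackToUdp $false is the "Encrypted only"
#    behaviour (no silent downgrade to port 53 if 443 is unreachable).
$existing = Get-DnsClientDohServerAddress -ServerAddress $ServerIp -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsClientDohServerAddress -ServerAddress $ServerIp -DohTemplate $Template `
        -AllowFallbackToUdp $false -AutoUpgrade $true
} elseif ($existing.DohTemplate -ne $Template) {
    Set-DnsClientDohServerAddress -ServerAddress $ServerIp -DohTemplate $Template `
        -AllowFallbackToUdp $false -AutoUpgrade $true
}

# 2. Point the adapter at the server. The DoH upgrade is keyed on this IP address, so the
#    classic server setting is still what selects the DoH server.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $ServerIp
Clear-DnsClientCache

# 3. Verify the mapping and that a lookup through the system resolver still works.
Get-DnsClientDohServerAddress -ServerAddress $ServerIp |
    Format-List ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
$answer = Resolve-DnsName -Name $TestName -Type A -ErrorAction Stop
"{0} -> {1}" -f $TestName, (($answer | Where-Object Type -eq 'A').IPAddress -join ', ')

# 4. Evidence that DoH is actually used: ipconfig flags the server as encrypted, and right after
#    the lookup the DNS client holds a TCP connection to the server on 443 (and nothing on 53).
ipconfig /all | Select-String 'DNS Servers', 'Encrypted'
Get-NetTCPConnection -RemoteAddress $ServerIp -RemotePort 443 -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemoteAddress, RemotePort, State, OwningProcess
```

The same mapping can be pushed at scale with the netsh dns add encryption command or Group Policy instead of the cmdlets. To undo the client side, remove the mapping with Remove-DnsClientDohServerAddress and clear the cache; do that before disabling DoH on the server, because a client registered with fallback disabled has no path to port 53.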
Rolling Back DoH
Before enabling DoH in production, it is wise to know how to disable it cleanly if something goes wrong, for example an expired certificate, a misconfigured URI template, or a regression after a patch. The procedure below is non-destructive for clients that still allow unencrypted DNS: they fall back to standard DNS over UDP/TCP 53, assuming you kept those listeners enabled (which is the default). Clients configured for Encrypted only do not fall back and will fail to resolve until step 4 is applied to them.
1. Disable DoH on the DNS server
# Turn off DoH and stop processing encrypted queries
Set-DnsServerEncryptionProtocol -EnableDoh $false
Restart-Service -Name DNS
2. Remove the certificate binding from port 443
# Inspect the current binding first to confirm what you are removing
netsh http show sslcert ipport=0.0.0.0:443
# Delete the binding
netsh http delete sslcert ipport=0.0.0.0:443
3. Disable or remove the firewall rule
# Disable the rule but keep it for a future re-enable
Disable-NetFirewallRule -DisplayName "DNS over HTTPS"
# Or remove it entirely
Remove-NetFirewallRule -DisplayName "DNS over HTTPS"
4. Switch clients back to unencrypted DNS
On affected Windows 11 clients, open Settings > Network & Internet > [active connection] > DNS server assignment > Edit, then change Preferred DNS encryption back to Unencrypted only. Run ipconfig /flushdns to clear cached entries.
5. Verify the rollback
Get-DnsServerEncryptionProtocol   # EnableDoh should report False
netsh http show sslcert           # The 0.0.0.0:443 binding should be gone
If you only need to pause DoH temporarily, for instance while replacing an expiring certificate, steps 1 and 2 are usually enough, provided the affected clients are not set to Encrypted only. Clients that are set to Encrypted only also need step 4 for the duration of the pause, since they will not fall back to port 53. Step 3 is required only when you intend to remove DoH from the environment entirely.
Known limitations
Although this implementation secures the connection between the client and the server, certain constraints remain. Notably, the path from the DNS server to its forwarders stays unencrypted unless that hop is itself encrypted. Pointing forwarders at a DoH-capable public resolver such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1 helps only if the forwarding leg actually uses DoH; a forwarder reached over classic port 53 is plaintext regardless of what the upstream supports.
Zone transfers similarly remain unencrypted. Active Directory-integrated zones are an exception only because they replicate through AD replication, which is encrypted; that is not a DoH feature, and standard secondary-zone transfers are unaffected by DoH.
Another consideration is performance. Because Windows and Active Directory environments rely heavily on DNS, with clients making thousands of queries a day to domain controllers, expect some added latency and CPU load. The overhead comes from the TLS handshake on new connections and from TLS termination on the DNS servers, and it matters most in large-scale environments.
Conclusion
Transitioning to DNS over HTTPS (DoH) on Windows Server 2025 can significantly enhance network security by encrypting traditionally plaintext DNS queries, thereby protecting against snooping and man-in-the-middle attacks. While the setup requires both server and client-side configuration, it is important to remain aware of current recognized limitations.
Frequently Asked Questions
Does enabling DoH break standard DNS on UDP/TCP 53?
No. Windows Server 2025 keeps the legacy DNS listener active in parallel, so existing clients (Linux hosts, network equipment, older Windows versions) continue to resolve over port 53 as before. DoH is additive, not a replacement, unless you explicitly choose to disable port 53.
Can I use a self-signed certificate?
Technically yes, but every Windows 11 client would have to trust that certificate explicitly. In production, use a certificate from your internal CA (already trusted by domain-joined machines) or a public CA. The certificate Subject or SAN must match the FQDN clients send queries to.
Does DoH encrypt traffic between my DNS server and its forwarders?
No. DoH only protects the segment between the client and the Windows DNS server. If the server forwards unresolved queries to an upstream resolver over plain port 53, that segment remains unencrypted. To close the gap, point your forwarder at a DoH-capable upstream such as 1.1.1.1 or 8.8.8.8 and enable DoH on the forwarder side.
How much latency does DoH add?
Expect a small per-query overhead from the TLS handshake on the first connection. Once the TLS session is established and reused, the additional cost is typically in the low single-digit milliseconds. In high-volume environments, such as domain controllers serving thousands of queries per second, plan to monitor CPU on the DNS servers, since TLS termination is more compute-intensive than UDP/53.
Are zone transfers encrypted by DoH?
No. DoH covers query/response traffic only. AXFR and IXFR zone transfers are out of scope. Active Directory-integrated zones are replicated through the AD replication channel, which is encrypted, but standard secondary-zone transfers between DNS servers remain unencrypted unless you place them inside an IPsec tunnel or VPN.
What is the difference between DoH and DoT?
DoT (DNS over TLS, RFC 7858) runs DNS over a dedicated TLS port (853). DoH (RFC 8484) runs DNS over HTTPS on port 443. Functionally they offer similar privacy guarantees, but DoH is harder to selectively block because it shares port 443 with ordinary HTTPS traffic (the server name in the TLS handshake can still identify a well-known resolver). This article focuses on the DoH support introduced for the Windows Server 2025 DNS Server role; check current Microsoft documentation for the latest DoT status on the server side.
How do I confirm the DoH service started successfully?
Open Event Viewer and navigate to Applications and Services Logs > DNS Server. Event ID 822 indicates DoH started and is listening. PowerShell’s Get-DnsServerEncryptionProtocol should also report EnableDoh as True.
via StarWind Blog https://ift.tt/5j9iXYz
May 6, 2026 at 04:25PM
Marius Sandbu