Credit and thanks to Arif Hussain, Jay Ladhad, Kranthi Hasnabad, Sruthy TV, Manish Chaudhari and Rahul Bhadana for implementation work.
Your DNS just got a Zero Trust upgrade.
Today we’re opening the public preview of DNS over HTTPS (DoH) for Windows DNS Server, bringing encrypted, authenticated DNS to the heart of your on‑premises network. Turn it on, and the name lookups your business runs on stop traveling in the clear. This is how you harden the backbone without disrupting what already works.
The Importance of Securing DNS
In today’s digital world, information is king and securing it is non-negotiable. With most data stored digitally and accessed remotely, network security is critical, and DNS sits at the heart of every network: nearly every connection starts with a name lookup.
The challenge is that DNS has traditionally operated in the clear. Queries and responses are exposed to anyone on the path, revealing which hosts and services are being resolved and by whom, and a client has no way to tell a genuine DNS server from one impersonating it. Both give attackers visibility into the network and opportunities to tamper with it.
How can we secure it?
IETF introduced two standards for encrypting DNS:
Each of these standards has pros and cons, but today we are excited to announce support for DNS over HTTPS (DoH) for client-side traffic in Windows DNS Server, starting with the February 10th 2026 monthly update of Windows Server 2025.
In a nutshell, DoH encapsulates DNS queries and responses inside HTTPS messages, so the DNS payload is protected by the TLS layer. This delivers two key benefits:
- Authentication: The client validates the server’s TLS certificate, as every TLS client does, so it knows it is talking to the intended DNS server and not an impersonator. If validation fails, the query does not complete.
- Privacy: Queries and responses are encrypted in transit, shielding them from anyone watching the wire.
Note that DoH authenticates the server and protects the transport; it does not by itself authenticate the DNS data the server returns, which remains the job of DNSSEC.
DoH support in Windows DNS Server is complementary to the broader Zero Trust DNS efforts already introduced on Windows clients. Together, these capabilities enable organizations to adopt encrypted, authenticated DNS across both endpoints and on-premises infrastructure, creating a consistent security foundation aligned with modern Zero Trust principles. For U.S. Federal agencies, this end-to-end encryption model directly supports requirements in OMB Memo M-22-09, which mandates the use of encrypted DNS protocols, such as DoH, across both resolvers and endpoints to strengthen cybersecurity posture.
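To show the endpoint half of that picture, here is an added example (not code from the announcement or the Windows DNS Server team) that registers an on-premises DoH endpoint with the Windows 11 DNS client using the DnsClient module’s *-DnsClientDohServerAddress cmdlets. The server IP, the certificate host name and the /dns-query template path (the RFC 8484 well-known path) are assumptions for illustration; the DoH template host must match the name on the server’s TLS certificate or the client’s certificate validation will fail.

```powershell
# Added example: point a Windows 11 DNS client at an on-premises Windows DNS
# Server that has the DoH preview enabled. Addresses and names are assumptions.
$ServerIP    = '10.0.0.53'                          # assumption: the DNS server's IP
$DohTemplate = 'https://dns.contoso.com/dns-query'  # assumption: host on the server cert + RFC 8484 path

# Register (or update) the DoH template for that server.
# AutoUpgrade $true      : use DoH whenever this IP is a configured DNS server on an adapter.
# AllowFallbackToUdp $false : if the TLS session cannot be established (for example the
#                             certificate does not validate), fail closed instead of silently
#                             dropping back to plaintext on port 53.
$existing = Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $ServerIP
if ($existing) {
    Set-DnsClientDohServerAddress -ServerAddress $ServerIP -DohTemplate $DohTemplate `
        -AutoUpgrade $true -AllowFallbackToUdp $false
} else {
    Add-DnsClientDohServerAddress -ServerAddress $ServerIP -DohTemplate $DohTemplate `
        -AutoUpgrade $true -AllowFallbackToUdp $false
}

# Make that server the adapter's DNS server so the upgrade applies, then show the
# registered template. Picking "the first adapter that is up" is a simplification.
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $ServerIP

Get-DnsClientDohServerAddress |
    Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
```

Depending on the client build and your Group Policy settings, the adapter-level or policy DoH setting (Allow/Require) may also need to permit DoH; check Get-DnsClientDohServerAddress and your DNS client policy after applying this, and treat a failed first lookup with fallback disabled as the certificate check doing its job rather than as a reason to turn fallback on.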
For more information on Zero Trust DNS, read the blog at: Zero Trust DNS is Here: Elevating Enterprise Security on Windows 11 | Microsoft Community Hub.
What behavior can I expect with DoH?
Enabling DoH on Windows DNS Server will encrypt all queries received and all responses sent on the port used for DoH (by default: 443). However, any queries sent out by the Windows DNS Server towards an upstream DNS server (e.g. a conditional forwarder or an authoritative server) will not be encrypted and will remain on port 53. Support for encrypting queries towards an upstream forwarder or resolver will be in preview at a later date, while encrypted queries towards authoritative servers are to be determined pending standardization by IETF.
If you keep the UDP/TCP port 53 listener enabled for client-side traffic while DoH is enabled, traffic on port 53 continues to be handled exactly as before by the Windows DNS Server, i.e. unencrypted. Enabling DoH does not refuse or upgrade plaintext clients; moving them onto port 443 is a client-side configuration decision.
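To see both listeners described above in action, here is an added example (not code from the announcement or the Windows DNS Server team). It builds one DNS query in wire format, sends it as an RFC 8484 POST with Content-Type application/dns-message to the server’s DoH port, parses the answer, and then asks the same question over classic port 53 with Resolve-DnsName. The server name, the /dns-query path and the queried name are assumptions; the parsing functions are written here for the example and are not part of the DNS Server feature.

```powershell
# Added example: one raw DoH exchange against the DoH preview (port 443), followed by
# the same query over plaintext port 53. Names and paths below are assumptions.
$DohServer = 'dns.contoso.com'   # assumption: matches the name on the server's TLS cert
$DohPort   = 443                 # default DoH port in the preview
$QueryName = 'www.contoso.com'   # assumption: a name the server can resolve

function New-DnsQueryMessage {
    param([string]$Name, [uint16]$Type = 1)          # 1 = A record
    $bytes = [System.Collections.Generic.List[byte]]::new()
    # Header: ID=0 (RFC 8484 recommends 0 so identical queries give identical bodies),
    # flags 0x0100 (RD=1), QDCOUNT=1, AN/NS/ARCOUNT=0
    $bytes.AddRange([byte[]](0,0, 0x01,0x00, 0,1, 0,0, 0,0, 0,0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {  # QNAME as length-prefixed labels
        $enc = [Text.Encoding]::ASCII.GetBytes($label)
        $bytes.Add([byte]$enc.Length); $bytes.AddRange($enc)
    }
    $bytes.Add(0)                                                      # root label
    $bytes.AddRange([byte[]](($Type -shr 8), ($Type -band 0xFF), 0, 1))  # QTYPE, QCLASS=IN
    return ,$bytes.ToArray()                                           # keep as byte[]
}

function Read-DnsName {
    # Reads a (possibly compressed, RFC 1035 4.1.4) name at $Offset and advances it.
    param([byte[]]$Msg, [ref]$Offset)
    $labels = @(); $pos = $Offset.Value; $jumped = $false
    while ($true) {
        $len = $Msg[$pos]
        if ($len -eq 0) { $pos++; break }
        if (($len -band 0xC0) -eq 0xC0) {
            $ptr = (($len -band 0x3F) -shl 8) -bor $Msg[$pos + 1]
            if (-not $jumped) { $Offset.Value = $pos + 2 }
            $jumped = $true; $pos = $ptr; continue
        }
        $labels += [Text.Encoding]::ASCII.GetString($Msg, $pos + 1, $len)
        $pos += 1 + $len
    }
    if (-not $jumped) { $Offset.Value = $pos }
    return ($labels -join '.')
}

function ConvertFrom-DnsResponse {
    param([byte[]]$Msg)
    $flags   = ($Msg[2] -shl 8) -bor $Msg[3]
    $qdcount = ($Msg[4] -shl 8) -bor $Msg[5]
    $ancount = ($Msg[6] -shl 8) -bor $Msg[7]
    $off = 12
    for ($i = 0; $i -lt $qdcount; $i++) { [void](Read-DnsName $Msg ([ref]$off)); $off += 4 }
    $answers = for ($i = 0; $i -lt $ancount; $i++) {
        $name  = Read-DnsName $Msg ([ref]$off)
        $type  = ($Msg[$off] -shl 8) -bor $Msg[$off + 1]
        $ttl   = ([long]$Msg[$off + 4] -shl 24) -bor ($Msg[$off + 5] -shl 16) -bor ($Msg[$off + 6] -shl 8) -bor $Msg[$off + 7]
        $rdlen = ($Msg[$off + 8] -shl 8) -bor $Msg[$off + 9]
        $off  += 10
        $data  = if ($type -eq 1 -and $rdlen -eq 4) { $Msg[$off..($off + 3)] -join '.' }
                 else { [BitConverter]::ToString($Msg, $off, $rdlen) }
        $off  += $rdlen
        [pscustomobject]@{ Name = $name; Type = $type; TTL = $ttl; Data = $data }
    }
    [pscustomobject]@{ RCode = ($flags -band 0x0F); Answers = @($answers) }
}

$body = New-DnsQueryMessage -Name $QueryName
# Invoke-WebRequest validates the server certificate like any TLS client. A failure here
# means the server could not be authenticated; do not paper over it with
# -SkipCertificateCheck, that would throw away the authentication benefit of DoH.
$resp = Invoke-WebRequest -Uri "https://${DohServer}:${DohPort}/dns-query" -Method Post `
    -ContentType 'application/dns-message' -Headers @{ Accept = 'application/dns-message' } `
    -Body $body -UseBasicParsing
$doh = ConvertFrom-DnsResponse -Msg $resp.RawContentStream.ToArray()
"DoH (TCP $DohPort): rcode=$($doh.RCode) answers=$($doh.Answers.Data -join ', ')"

# Same question to the same server over classic port 53: still answered, still plaintext.
$plain = Resolve-DnsName -Name $QueryName -Type A -Server $DohServer -DnsOnly -ErrorAction Stop
"UDP/TCP 53: $($plain.IPAddress -join ', ')"
```

Run it from a machine that trusts the server’s certificate chain and capture traffic while it runs: the first exchange is visible only as TLS on port 443, the second shows the query name and answer in the clear on port 53, which is exactly the gap that keeping port 53 open leaves until clients are moved to DoH.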
All the functions and capabilities administrators rely on for day-to-day management of the DNS server are retained. Name resolution behavior, zone management, forwarding logic and so on are intended to continue to operate exactly as they always have. The DoH feature does not change or disrupt existing Windows DNS Server functionality, but it does introduce new PowerShell cmdlets, new events and new performance counters for managing the DoH feature.
Getting Started
Note: DNS over HTTPS (DoH) on Windows DNS Server is currently available in Public Preview and is intended for evaluation and feedback only. It is not supported for production use as bugs may be present. Functionality may also change, including potential breaking changes, before General Availability (GA).
The public preview of DNS over HTTPS (DoH) is included in the February 10th 2026 update of Windows Server 2025 and is disabled by default.
To enable the feature during this preview period request access here.
Your journey into encrypted DNS starts now!
Reporting feedback
We value your feedback! It is crucial to us as we work towards our General Availability release.
If you have questions or general feedback on this preview we’d love to hear from you! Feel free to comment in the section below this blog. Or see below for reporting bugs and feature suggestions.
Reporting bugs or Feature suggestions
From your Windows Server 2025 machine:
- Search for Feedback Hub in Start Menu and launch the app.
- From the ‘Home’ section of the app, click the “Report a problem” or “Suggest a feature” button.
- In the section ‘1. Enter your feedback’, find the ‘Summarize your feedback’ textbox and start your feedback by prepending the text ‘[DoH]’ to it to help our team triage feedback. Enter any additional comments and details in the ‘Explain in more detail’. Click Next.
- In the left drop box of section ‘2. Choose a category’, choose Windows Server and on the right dropdown box, choose DNS Server. Click Next.
Note: If you are advised that no similar feedback could be found, Click Next again.
- Fill out Section 4 and click Submit.