When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Windows Server gets DNS over HTTPS (DoH) support

Microsoft has finally flipped the switch on a long-awaited Windows Server security upgrade, bringing encrypted DNS to enterprise networks.

Neowin · with 3 comments

The Windows 11 logo with the stock wallpaper on the background

For the past few months, Microsoft has been previewing DNS over HTTPS (DoH) for Windows DNS Server, touting it as a foundational upgrade for zero-trust enterprise networks. It essentially introduces encrypted, authenticated DNS for the networks rather than transmitting DNS traffic in clear. Now, the company has introduced the general availability (GA) of this feature.

The GA of DoH encourages organizations to deploy the solution in production environments without implementing a new client-to-resolver architecture. DoH helps improve the overall security of the network and reduces the risk of spoofing due to its zero-trust design. This is a significant change because pretty much every interaction with the network requires interfacing with DNS.

DoH offers several advantages over standard DNS traffic, such as encryption using HTTPS, preventing unauthorized inspection, man-in-the-middle attacks, and traffic analysis. Since it leverages TLS certificates so that clients can verify the identity of the DNS server, it prevents spoofing through this authentication mechanism. Additionally, it's built on the DoH standard defined by the Internet Engineering Task Force (IETF), which means that it should work with modern RFC 8484-compliant clients. Finally, it integrates into the existing network architecture seamlessly and can even run in parallel with standard DNS, so that customers can migrate to the new technology at their own pace.

Microsoft says that in the past few months of preview, DoH has become more stable, and customers can confidently deploy it in production environments with proper guidance. Microsoft has emphasized that migrating to DoH is necessary for organizations that are moving toward zero-trust DNS solutions.

Windows clients already support DoH, but the latest availability on Windows Server provides encrypted DNS to all endpoints. The company has also mentioned that "while this release focuses on encrypting client-to-resolver communication, support for encrypted communication between Windows DNS Server and upstream DNS resolvers is planned for a future update." You can follow Microsoft's guidance to deploy DoH here, but keep in mind that you need a Windows Server 2025 installation with the latest Patch Tuesday updates installed.

Microsoft Edge logo
Next Article

Microsoft about to radically change how often your Edge browser updates

Media Creation Tool downloading Windows 11
Previous Article

Microsoft releases new Windows 11 Media Creation Tool with the latest updates

3 Comments

Load the comments and join the conversation!

Read the comments, ask the editors questions, show respect and join the conversation.

Click here