Microsoft Makes DNS over HTTPS Generally Available for Windows DNS Server


[Image: DNS over HTTPS on Windows Server. Image credit: Microsoft]

Microsoft has announced the general availability of DNS over HTTPS (DoH) for Windows DNS Server, marking a major step forward for organizations adopting zero-trust security models.

The feature had been available in preview for several months and is now considered ready for production deployments. Microsoft describes DoH as a foundational upgrade that helps organizations secure one of the most critical parts of network communication: DNS.

Stronger DNS Security for Enterprise Networks

DNS, often referred to as the Internet’s phonebook, translates domain names into IP addresses. Traditionally, DNS queries are sent in plain text, making them vulnerable to interception, monitoring, and manipulation by attackers.

With DNS over HTTPS, DNS traffic is encrypted using HTTPS and authenticated through TLS certificates. This prevents unauthorized parties from inspecting DNS requests and helps protect organizations from man-in-the-middle attacks, traffic analysis, and DNS spoofing attempts.

A key benefit of DoH is server authentication. Clients can verify the identity of the DNS server before exchanging data, reducing the risk of attackers redirecting traffic through malicious DNS infrastructure.

Microsoft’s implementation follows the Internet Engineering Task Force (IETF) DNS over HTTPS standard defined in RFC 8484. As a result, it is designed to work with modern clients that support the standard.
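As an added illustration of what an RFC 8484 exchange looks like on the wire (example code written for this article, not Microsoft's implementation or anything published with it): a small Python encoder for the GET form of a DoH query and a parser for the DNS message that comes back in the HTTPS body. The resolver URL used in the usage is a placeholder, and the reply bytes are constructed here rather than captured from a real server; the GET encoding is checked against the www.example.com example in the RFC itself.

```python
import base64
import struct
def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query: RD=1, one question, IN class.
    RFC 8484 recommends ID 0 so identical GET requests are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(template: str, wire: bytes) -> str:
    """RFC 8484 GET form: base64url-encode the message, strip '=' padding, and
    send it as the 'dns' parameter over a normal certificate-verified HTTPS
    request (the POST form sends the raw bytes as application/dns-message)."""
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a domain name, which may end in a compression pointer."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # pointer: two bytes, terminates the name
            return pos + 2
        if length == 0:            # root label terminates the name
            return pos + 1
        pos += 1 + length

def parse_a_records(msg: bytes) -> list:
    """IPv4 answers from a wire-format DNS response (the body of a DoH reply)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:  # must be a response with RCODE 0
        raise ValueError("not a successful DNS response")
    pos = 12
    for _ in range(qd):                        # skip the echoed question section
        pos = _skip_name(msg, pos) + 4
    answers = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:          # A record
            answers.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return answers

def sample_response() -> bytes:
    """Constructed reply to build_query('www.example.com'): one A record (TTL 300)
    pointing at 192.0.2.1, a documentation address, not a real resolver's answer."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1 NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + build_query("www.example.com")[12:] + answer
```

The server's identity is established by the ordinary HTTPS certificate check on the connection carrying this URL, which is the authentication step the article refers to; the DNS message itself is unchanged from classic DNS.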

The company says organizations can deploy DoH without redesigning their existing client-to-resolver architecture. Instead, encrypted DNS can integrate into current environments while continuing to support traditional DNS where needed.

This flexibility allows administrators to migrate gradually rather than requiring a complete infrastructure overhaul.

Available for Production Deployments

With general availability, Microsoft says organizations can now deploy DoH confidently in production environments using established guidance and best practices.

The release is particularly significant because Windows clients already support DNS over HTTPS. With support now available in Windows Server, administrators can provide encrypted DNS services across their entire organization.

Microsoft notes that this release focuses on securing communication between clients and the Windows DNS resolver. Encryption between Windows DNS Server and upstream DNS resolvers is planned for a future update.

To deploy DNS over HTTPS, organizations must run Windows Server 2025 and install the latest Patch Tuesday updates.

In other Microsoft news, the company recently fixed Windows Server 2025 systems that could enter BitLocker recovery after installing certain updates. Microsoft has also released a new Exchange Server security update that addresses an Outlook Web Access vulnerability.
