Hi Antonella
As far as I know, because Windows Server 2025 is the first server OS to bring DNS over HTTPS (DoH) into the core infrastructure, there isn't a single "legacy" KB for this specific conflict. Therefore, to keep server-wide DoH active on Windows Server 2025 while preventing it from blackholing or intercepting internal Exchange queries, you need to use the Name Resolution Policy Table (NRPT).
Given this, you can try the workarounds below to see if they can help you:
Step 1: Identify your Standard DNS Servers
Determine the IP addresses of your internal Domain Controllers (for internal lookups) and your preferred standard external DNS resolvers (if your Send Connectors use external lookups). Ensure these servers are accessible over standard Port 53.
Step 2: Decouple Exchange from the OS DNS Stack
Open the Exchange Management Shell (EMS) and run the following commands to tell the Transport service to ignore the network adapter's DoH-enabled settings and directly query the specified servers.
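# Placeholders: replace with your server name and resolver addresses
$ServerName = "YOUR-EXCHANGE-SERVER"
$InternalIPs = "10.0.0.10", "10.0.0.11"
$ExternalIPs = "8.8.8.8", "1.1.1.1"
# Internal lookups: ignore the adapter's DNS settings and query these servers directly
Set-TransportService -Identity $ServerName -InternalDNSAdapterEnabled $false -InternalDNSServers $InternalIPs
# External lookups: ignore the adapter's DNS settings and query these servers directly
Set-TransportService -Identity $ServerName -ExternalDNSAdapterEnabled $false -ExternalDNSServers $ExternalIPs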
Note: If you only need this for external MX lookups, you can leave -InternalDNSAdapterEnabled $true if your internal routing is unaffected, but defining both is safer when DoH is forced globally.
Step 3: Restart the Transport Service
For the changes to take effect and clear any cached failed lookups, restart the Exchange Transport service:
Restart-Service MSExchangeTransport
Additionally, you can read here for more information:
I hope my answer helps. Let me know if you have any further concerns.
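One way to check the result of Steps 2 and 3 is to read back the Transport service DNS settings and send a test query to each configured resolver. This is an added example, not part of the original answer; the zone names `corp.example` and `example.com` and the helper `Test-TransportDns` are constructed placeholders.

```powershell
# Added verification example; run in the Exchange Management Shell after Step 3.
$ServerName   = "YOUR-EXCHANGE-SERVER"   # same placeholder as in Step 2
$InternalName = "corp.example"           # constructed: replace with an internal AD DNS zone
$ExternalName = "example.com"            # constructed: replace with a domain you send mail to

# 1. Read back what the Transport service is configured to use.
$ts = Get-TransportService -Identity $ServerName
$ts | Format-List InternalDNSAdapterEnabled, InternalDNSServers,
                  ExternalDNSAdapterEnabled, ExternalDNSServers

# Hypothetical helper: query every listed resolver and report success or the error text.
function Test-TransportDns {
    param(
        [string[]]$Servers,
        [string]$Name,
        [string]$Type
    )
    foreach ($server in $Servers) {
        $ok = $true
        try {
            # -Server sends the query to this resolver; -DnsOnly skips LLMNR/NetBIOS fallback
            $answer = Resolve-DnsName -Name $Name -Type $Type -Server $server -DnsOnly -ErrorAction Stop
            $detail = "$(@($answer).Count) record(s)"
        } catch {
            $ok = $false
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{ Server = $server; Query = "$Name ($Type)"; Success = $ok; Detail = $detail }
    }
}

# 2. Each configured resolver must answer the kind of lookup Transport relies on.
$internal = @($ts.InternalDNSServers | ForEach-Object { $_.ToString() })
$external = @($ts.ExternalDNSServers | ForEach-Object { $_.ToString() })
$results  = @(Test-TransportDns -Servers $internal -Name $InternalName -Type SRV) +
            @(Test-TransportDns -Servers $external -Name $ExternalName -Type MX)
$results | Format-Table -AutoSize

# 3. Show which of those resolvers also appear in the OS DoH server list,
#    so you know where the operating system's DoH settings still apply.
Get-DnsClientDohServerAddress |
    Where-Object { ($internal + $external) -contains $_.ServerAddress } |
    Format-Table ServerAddress, DohTemplate, AutoUpgrade, AllowFallbackToUdp

# 4. A failed row means that resolver should be fixed or removed before relying on it.
if ($results | Where-Object { -not $_.Success }) {
    Write-Warning "At least one configured DNS server did not answer; review the table above."
}
```

An empty `InternalDNSServers` or `ExternalDNSServers` list in the first output means the corresponding `Set-TransportService` command from Step 2 was not applied to this server.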