Traditional DNS uses unencrypted UDP or TCP messages on port 53, which exposes DNS traffic to passive monitoring, traffic analysis, and active manipulation by attackers. DNS encryption protects DNS query and response traffic from being observed, modified, or tampered with while in transit over a network.
DNS over HTTPS (DoH) is a standards‑based mechanism that encrypts DNS traffic by encapsulating DNS messages within HTTPS, providing confidentiality and integrity using Transport Layer Security (TLS). By encrypting DNS traffic, DoH helps prevent eavesdropping, man‑in‑the‑middle attacks, and unauthorized inspection of DNS queries and responses.
How DNS over HTTPS works
DNS over HTTPS doesn't change the fundamental DNS query and response model. Instead, it changes how DNS messages are transported across the network. When you enable DoH on a DNS Server, DoH becomes an additional encrypted communication option, and the DNS Server continues to answer traditional DNS queries unless you explicitly disable that capability.
When you enable DoH:
The DNS server listens for HTTPS traffic.
You configure a DoH-capable client (such as a Windows 11 client) to use encrypted queries to a DNS server.
The DoH client establishes a TLS connection to the DNS server.
The client sends DNS queries inside an HTTPS request.
The DNS server processes the query as usual.
The DNS response is returned inside the HTTPS response.
DNS over HTTPS for DNS Server (preview)
Important
DNS over HTTPS (DoH) for DNS Server on Windows Server is currently in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
Beginning with the 2026-02 Security Update (KB5075899) for Windows Server 2025, you can enable DNS over HTTPS (DoH) on the DNS Server service to encrypt DNS traffic between DoH-capable clients and your DNS server.
The following diagram shows an example of the DoH communication flow.
When configuring DNS over HTTPS for DNS Server, consider the following during the preview:
Upstream DNS communication (forwarders, conditional forwarders, authoritative servers) remains unencrypted.
DNS zone transfers remain unencrypted.
DNS dynamic updates remain unencrypted by default.
You can't create a DNS query filter that only matches DoH queries.
Policies with a Transport Protocol query filter don't match DoH queries. For example, a policy with a Transport Protocol filter set to EQ, TCP doesn't match DoH.
Security benefits of DNS over HTTPS
DNS over HTTPS provides the following security and privacy benefits:
Confidentiality. DNS queries and responses are encrypted, preventing passive monitoring.
Integrity. TLS protects DNS messages from modification during transit.
Authentication. DNS clients can validate the identity of the DNS server using standard HTTPS certificate validation.
Resistance to traffic analysis. DNS traffic blends with other HTTPS traffic, reducing exposure to DNS‑specific filtering or manipulation. This approach improves privacy and resistance to interception.
DNS over HTTPS protocols and standards
The IETF defines DNS over HTTPS in RFC 8484 – DNS Queries over HTTPS (DoH).
RFC 8484 specifies how to send and receive DNS messages using HTTP over TLS. The DoH standard supports both GET and POST methods and defines media types for DNS messages. This approach allows DNS traffic to benefit from modern HTTPS features such as encryption, authentication, and connection reuse.
Additionally, the DoH standard allows server implementations the freedom to configure the server’s listening URI and port, enabling flexible deployment across different network environments.
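The following Python example, added here and not part of Microsoft's documentation or product, shows the RFC 8484 framing the standard defines: the same wire-format DNS message carried either in the GET ?dns= parameter (base64url, no padding) or as an application/dns-message POST body, plus parsing of the returned message. Nothing is sent on the network; the server URI https://dnsserver.example.net/dns-query is the RFC's template example and the response is constructed by hand.

```python
import base64
import struct
# Added illustration of RFC 8484 framing (not Microsoft's code); nothing is sent
# on the wire: the response at the bottom is constructed by hand.
DOH_MEDIA_TYPE = "application/dns-message"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query: ID 0 (RFC 8484 cache advice), RD=1, one IN question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)
def doh_get_url(base_uri: str, msg: bytes) -> str:
    """GET form: base64url-encoded message, '=' padding stripped, in ?dns=."""
    return base_uri + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()
def doh_post_request(msg: bytes) -> dict:
    """POST form: the raw DNS message is the body, typed application/dns-message."""
    return {"headers": {"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE},
            "body": msg}
def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a domain name, honouring RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a pointer is two bytes and ends the name
            return off + 2
        off += 1 + length
def parse_a_records(resp: bytes) -> list[str]:
    """IPv4 addresses in the answer section; empty list on a non-zero RCODE."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips

# Constructed NOERROR response for www.example.com: one A record 192.0.2.1, TTL 300.
QUERY = build_query("www.example.com")
RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + QUERY[12:] + b"\xc0\x0c"
            + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The GET URL produced for www.example.com matches the worked example in RFC 8484 section 4.1.1, which is a quick check that the encoding (ID 0, base64url without padding) is right.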
DNS encryption and DNSSEC
DNS encryption, such as DoH, and DNSSEC address different threat models and are complementary technologies. DNS encryption protects DNS traffic on the wire, while DNSSEC ensures that DNS data is cryptographically verified for integrity and comes from an authoritative source.
By using DoH together with DNSSEC, you get defense in depth by combining encrypted transport with authenticated DNS data. For more information about DNSSEC, see What is DNSSEC?