DNS over https (DoH) is a protocol that permit to encrypt DNS queries and sending them over Https.
This protocol has been developed to override security concerns of DNS traffic.
Windows has supported DoH on the client side since Windows 11. While Windows 10 includes the underlying client support in later builds
The encryption operates at the Application Layer (Layer 7) of the OSI model and integrates directly into applications such as web browsers. This approach differs from traditional DNS, which transmits queries over UDP or TCP on port 53 without encryption, leaving them visible to ISPs, network operators, and potential attackers.
be aware about DNS over HTTPS (DoH) (better privacy) (operate at 443 port more difficult to be detected vs DNS over TLS ( DoT) ( operates at the Transport Layer, using a dedicated port 853 and it is easily to be identified.
DoH verifies DNS server's identity and prevents impersonation attacks. The other advantage is DNS queries and not interceptable.
Microsoft introduced DoH resolver support for Windows DNS Server in the February 10, 2026, cumulative update for Windows Server 2025.
When you enable DoH resolver functionality on a Windows DNS Server, all queries received from clients and responses sent on port 443 are encrypted. However, this implementation has a significant limitation: queries sent by the Windows DNS Server to upstream DNS servers, such as conditional forwarders or authoritative servers, remain unencrypted on port 53.
The traditional DNS service on port 53 continues to operate alongside DoH, ensuring backward compatibility with clients that do not support the encrypted protocol.
So, on Windows 2025 you must install this cumulative update, and doH can be enabled through powershell
I would suggest to read fullo/original article about more interesting and useful details.
[Original/other articles
Enable DoH (DNS over HTTPS) in Windows Server 2025 DNS server, configure Windows 11 DNS clients
