How to Configure DNS Server Role on Windows Server 2025
The Domain Name System (DNS) is one of the most foundational services in any Windows Server environment. Whether you are deploying Active Directory, hosting internal applications, or managing name resolution for your organization, a properly configured DNS server is essential. Windows Server 2025 ships with a mature, full-featured DNS Server role that integrates tightly with Active Directory and can be managed entirely through PowerShell using the DnsServer module. This guide walks you through installing the DNS role, creating zones and forwarders, configuring security hardening, understanding DNS over HTTPS, and monitoring your server using built-in tools.
Prerequisites
- A running Windows Server 2025 instance (Standard or Datacenter edition)
- Administrator or Domain Admin privileges
- A static IP address assigned to the server
- PowerShell 5.1 or later (included by default)
- If deploying as an AD-integrated DNS server, Active Directory Domain Services must already be installed or planned for simultaneous installation
Step 1: Install the DNS Server Role
You can install the DNS Server role using either Server Manager or PowerShell. PowerShell is preferred in production environments because it is scriptable and repeatable. The -IncludeManagementTools flag installs DNS Manager (dnsmgmt.msc) and the DnsServer PowerShell module alongside the server binaries.
# Install DNS Server role with management tools
Install-WindowsFeature -Name DNS -IncludeManagementTools -Restart:$false
# Verify the feature installed successfully
Get-WindowsFeature -Name DNS
After installation completes, verify the DNS Server service is running:
Get-Service -Name DNS
# Start the service if it is not already running
Start-Service -Name DNS
# Set it to start automatically on boot
Set-Service -Name DNS -StartupType Automatic
Step 2: DNS Manager vs. PowerShell — Choosing Your Interface
Windows Server 2025 provides two primary management interfaces for DNS. DNS Manager (dnsmgmt.msc) is a graphical MMC snap-in suitable for interactive administration and troubleshooting. The DnsServer PowerShell module provides over 130 cmdlets and is the correct choice for automation, scripting, and managing multiple servers. You can open DNS Manager from the Run dialog or from Server Manager’s Tools menu.
# List all available DnsServer module cmdlets
Get-Command -Module DnsServer | Select-Object Name | Sort-Object Name
# Check the module version
Get-Module -Name DnsServer -ListAvailable | Select-Object Name, Version
For the remainder of this guide, all configuration steps will use PowerShell. Each command can also be performed through DNS Manager if you prefer a graphical workflow.
Step 3: Create a Primary Zone
A primary zone is the authoritative source for a DNS domain. On a standalone DNS server (not AD-integrated), the zone data is stored in a text file. The Add-DnsServerPrimaryZone cmdlet creates a new primary zone and specifies the zone file name and dynamic update behavior.
# Create a primary forward lookup zone (file-backed)
# "Secure" dynamic update is only accepted on AD-integrated zones (Step 7); a
# file-backed zone takes "None" or "NonsecureAndSecure". "None" is the safe
# choice here, because nonsecure updates let any host on the network overwrite records
Add-DnsServerPrimaryZone `
-Name "corp.example.com" `
-ZoneFile "corp.example.com.dns" `
-DynamicUpdate "None" `
-PassThru
# Create the corresponding reverse lookup zone for 192.168.10.0/24
Add-DnsServerPrimaryZone `
-NetworkID "192.168.10.0/24" `
-ZoneFile "10.168.192.in-addr.arpa.dns" `
-DynamicUpdate "None" `
-PassThru
# Verify zones were created
Get-DnsServerZone | Select-Object ZoneName, ZoneType, DynamicUpdate, IsAutoCreated
If the DNS server is also a domain controller, use the -ReplicationScope parameter instead of -ZoneFile to create an AD-integrated zone (covered in Step 7).
Step 4: Configure DNS Forwarders
Forwarders tell your DNS server where to send queries it cannot resolve locally. Most organizations configure forwarders pointing to upstream resolvers such as their ISP’s DNS, public resolvers (8.8.8.8, 1.1.1.1), or an internal resolver tier. Conditional forwarders allow you to route queries for specific domains to specific servers — essential in split-DNS or multi-forest environments.
# Add global forwarders
Add-DnsServerForwarder -IPAddress "8.8.8.8", "8.8.4.4" -PassThru
# Verify forwarders
Get-DnsServerForwarder
# Add a conditional forwarder for a partner domain
# -ReplicationScope stores the forwarder in AD so every DC receives it; it is
# only valid on a domain controller, so omit it on a standalone DNS server
Add-DnsServerConditionalForwarderZone `
-Name "partner.example.com" `
-MasterServers "10.50.1.10", "10.50.1.11" `
-ReplicationScope "Forest" `
-PassThru
# Remove a forwarder if needed
Remove-DnsServerForwarder -IPAddress "8.8.8.8" -Force
Step 5: Configure Root Hints
Root hints are used when no forwarder is configured or when forwarder queries fail. They provide the IP addresses of the Internet root name servers. Windows Server 2025 ships with a default set of root hints that should be current, but you can refresh or customize them.
# View current root hints (NameServer and IPAddress are nested resource-record objects,
# so calculated properties are needed to print the host name and addresses)
Get-DnsServerRootHint | Format-Table -AutoSize -Property `
@{ Name = 'NameServer'; Expression = { $_.NameServer.RecordData.NameServer } },
@{ Name = 'IPv4'; Expression = { ($_.IPAddress.RecordData.IPv4Address | Where-Object { $_ }) -join ', ' } }
# Copy root hints from another DNS server; -NameServer is mandatory and the
# cmdlet does not download anything from the Internet
Import-DnsServerRootHint -NameServer "dc01.corp.example.com"
# Add a custom root hint (useful for private root zones in air-gapped environments)
Add-DnsServerRootHint -NameServer "rootns.internal.lab" -IPAddress "10.0.0.1"
Step 6: Configure DNS Aging and Scavenging
In dynamic DNS environments, stale resource records accumulate over time as clients are decommissioned or change IP addresses without properly deregistering. DNS aging and scavenging automatically removes records that have not been refreshed within a configurable interval, keeping your zone data clean and accurate.
# Enable scavenging on the DNS server itself
Set-DnsServerScavenging `
-ScavengingState $true `
-ScavengingInterval "7.00:00:00" `
-ApplyOnAllZones
# Enable aging on a specific zone
Set-DnsServerZoneAging `
-Name "corp.example.com" `
-Aging $true `
-NoRefreshInterval "4.00:00:00" `
-RefreshInterval "4.00:00:00"
# View current aging settings
Get-DnsServerZoneAging -Name "corp.example.com"
# Trigger immediate scavenging (run as a one-time operation)
Start-DnsServerScavenging -Force
Step 7: Active Directory-Integrated Zones on a Domain Controller
When DNS is deployed on a domain controller, zone data can be stored in the Active Directory database instead of flat files. This provides multi-master replication, secure dynamic updates scoped to domain members, and eliminates single points of failure. Use -ReplicationScope to control where the zone replicates: Forest, Domain, or Legacy.
# Create an AD-integrated primary zone (run on a DC)
Add-DnsServerPrimaryZone `
-Name "corp.example.com" `
-ReplicationScope "Forest" `
-DynamicUpdate "Secure" `
-PassThru
# Convert an existing file-backed zone to AD-integrated
ConvertTo-DnsServerPrimaryZone `
-Name "corp.example.com" `
-ReplicationScope "Domain" `
-Force
# List all AD-integrated zones
Get-DnsServerZone | Where-Object { $_.IsADIntegrated -eq $true } |
Select-Object ZoneName, ReplicationScope, DynamicUpdate
Step 8: View DNS Server Statistics
The Get-DnsServerStatistics cmdlet returns detailed counters covering queries received, responses sent, recursive lookups, cache hits, and zone transfer activity. These statistics are invaluable for capacity planning and detecting anomalies such as DNS amplification attacks or misconfigured clients generating excessive queries.
# Get the query counters (Get-DnsServerStatistics returns one nested object per
# section, e.g. QueryStatistics, CacheStatistics, RecursionStatistics, ErrorStatistics)
Get-DnsServerStatistics | Select-Object -ExpandProperty QueryStatistics
# Get a specific statistics section from a remote server
Get-DnsServerStatistics -ComputerName "DC01" |
Select-Object -ExpandProperty CacheStatistics
# List every section the cmdlet exposes
Get-DnsServerStatistics | Get-Member -MemberType Property | Select-Object Name
# Reset statistics counters (use carefully in production)
Clear-DnsServerStatistics -Force
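Cumulative counters only become useful when sampled over time. The function below is an added example, not code from the original guide: it takes two samples of Get-DnsServerStatistics a fixed interval apart, computes the per-second rate of every counter in the chosen sections, and flags rates above a threshold. The section names are the ones the cmdlet returns; the interval and threshold defaults are assumptions to tune for your own traffic.

```powershell
function Get-DnsCounterRate {
    param(
        [string]   $ComputerName    = $env:COMPUTERNAME,
        [int]      $IntervalSeconds = 30,
        [double]   $AlertPerSecond  = 500,
        [string[]] $Sections = @('QueryStatistics', 'RecursionStatistics', 'ErrorStatistics')
    )
    $before = Get-DnsServerStatistics -ComputerName $ComputerName
    Start-Sleep -Seconds $IntervalSeconds
    $after  = Get-DnsServerStatistics -ComputerName $ComputerName

    foreach ($section in $Sections) {
        # Walk every numeric property so no counter name has to be hard-coded
        foreach ($prop in $after.$section.PSObject.Properties) {
            $new = $prop.Value -as [double]
            if ($null -eq $new -or $prop.Name -like 'PS*') { continue }
            $old  = $before.$section.($prop.Name) -as [double]
            $rate = ($new - $old) / $IntervalSeconds
            [pscustomobject]@{
                Section   = $section
                Counter   = $prop.Name
                Delta     = $new - $old
                PerSecond = [math]::Round($rate, 2)
                Alert     = $rate -gt $AlertPerSecond
            }
        }
    }
}

# A surge in QueryStatistics together with a rise in ErrorStatistics (refused or
# failed lookups) is the pattern to watch once recursion has been locked down
Get-DnsCounterRate -IntervalSeconds 30 |
    Where-Object { $_.Delta -ne 0 } |
    Sort-Object PerSecond -Descending |
    Format-Table -AutoSize
```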
Step 9: Security Hardening — Disabling Recursion on Authoritative Servers
An authoritative DNS server that also performs recursion is vulnerable to DNS amplification attacks, where attackers spoof source IPs and use your server as a reflector to overwhelm victims with large responses. Best practice is to disable recursion on public-facing or authoritative-only DNS servers, and enable it only on dedicated recursive resolvers that serve internal clients.
# Disable recursion on an authoritative-only server. This switches recursion off
# for the default scope "." and, as DNS Manager warns, forwarders stop being used too
Set-DnsServerRecursion -Enable $false -PassThru
# Alternatively, keep the setting above and grant recursion only to internal subnets
# First, view the current recursion settings and scopes
Get-DnsServerRecursion
Get-DnsServerRecursionScope
# Create a scope with recursion enabled for the permitted clients
Add-DnsServerRecursionScope `
-Name "InternalClients" `
-EnableRecursion $true
# Define the client subnets that are allowed to recurse
Add-DnsServerClientSubnet `
-Name "CorpSubnets" `
-IPv4Subnet "192.168.0.0/16", "10.0.0.0/8"
# A recursion policy needs -ApplyOnRecursion; without it the policy never selects the scope
Add-DnsServerQueryResolutionPolicy `
-Name "RecursionPolicy" `
-Action ALLOW `
-ApplyOnRecursion `
-ClientSubnet "eq,CorpSubnets" `
-RecursionScope "InternalClients" `
-PassThru
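Verify that the hardening holds by asking the server for a name it is not authoritative for: a client outside the permitted subnets must not get an A record back. The function below is an added example, not code from the original guide; the server name and probe name are placeholders, and the probe must lie outside every zone the server hosts (and ideally not already be in its cache).

```powershell
function Test-DnsServerRecursion {
    param(
        [Parameter(Mandatory)] [string] $Server,
        # Must be outside every zone the server hosts so answering it requires recursion
        [string] $ProbeName = "www.example.net"
    )
    $served = $false
    $detail = "no answer"
    try {
        # -DnsOnly skips the local cache and LLMNR/NetBIOS, so only $Server is consulted
        $answer  = Resolve-DnsName -Name $ProbeName -Server $Server -Type A -DnsOnly -ErrorAction Stop
        $records = @($answer | Where-Object { $_.Type -eq 'A' })
        if ($records.Count -gt 0) {
            $served = $true
            $detail = ($records.IPAddress -join ', ')
        }
    } catch {
        # REFUSED / SERVFAIL from a non-recursive server surfaces as a terminating error
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Server          = $Server
        ProbeName       = $ProbeName
        RecursionServed = $served
        Detail          = $detail
    }
}

# Run from a host outside CorpSubnets: RecursionServed must be False. Then confirm
# the default scope "." reports EnableRecursion = False and only InternalClients is True
Test-DnsServerRecursion -Server "dns01.corp.example.com"
Get-DnsServerRecursionScope -ComputerName "dns01.corp.example.com" |
    Format-Table Name, EnableRecursion, Forwarder -AutoSize
```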
Step 10: DNS over HTTPS and DNS over TLS Overview
Windows Server 2025 includes foundational support for encrypted DNS transport. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries between clients and resolvers, preventing eavesdropping and man-in-the-middle attacks. While full server-side DoH hosting requires a reverse proxy (such as IIS or nginx) in front of the DNS service, Windows Server 2025 clients and the resolver can be configured to use DoH upstream forwarders.
# Register DoH-capable resolvers with the Windows DNS client (DnsClient module) so
# queries to them are upgraded to HTTPS, and refuse plaintext UDP fallback
foreach ($ip in "1.1.1.1", "1.0.0.1") {
    Add-DnsClientDohServerAddress `
    -ServerAddress $ip `
    -DohTemplate "https://cloudflare-dns.com/dns-query" `
    -AllowFallbackToUdp $false `
    -AutoUpgrade $true
}
# Point the interface at those resolvers; the client matches them to the DoH entries above
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "1.1.1.1", "1.0.0.1"
# Check DNS client settings and the registered DoH servers
Get-DnsClientServerAddress -InterfaceAlias "Ethernet"
Get-DnsClientDohServerAddress
# Look for transport-encryption properties on the DNS Server settings object;
# an empty result means the installed build exposes none through this cmdlet
Get-DnsServerSetting -All | Select-Object *Doh*, *Tls*
# Set-DnsServerSetting has no DoH parameter; it only applies a modified
# DnsServerSetting object passed via -InputObject, so there is no switch to flip here
Conclusion
Configuring the DNS Server role on Windows Server 2025 is a multi-faceted task that goes well beyond simply installing the feature and creating a zone. A production-ready DNS deployment requires careful attention to forwarder configuration, aging and scavenging policies, Active Directory integration for high availability, security hardening against recursion abuse, and monitoring through statistics collection. The DnsServer PowerShell module gives you complete control over every aspect of the service, making it straightforward to script repeatable configurations and maintain consistency across your server estate. With the foundations covered in this guide, you are well positioned to build a reliable, secure, and scalable DNS infrastructure on Windows Server 2025.