Introduction to DNS over HTTPS on Windows Server 2019
DNS over HTTPS (DoH, RFC 8484) carries DNS queries inside ordinary HTTPS on port 443. Traditional DNS travels in plaintext over UDP or TCP port 53, so every hostname lookup is visible to anyone on the path: ISPs, attackers on public Wi-Fi, or enterprise security appliances. DoH wraps the same DNS messages in TLS-protected HTTP/2, which defeats passive eavesdropping and on-path tampering and lets DNS blend in with other web traffic (the resolver's IP address and the TLS SNI still reveal that a known DoH endpoint is in use, so it is not invisible). The DNS Server role in Windows Server 2019 speaks only plaintext DNS. Windows Server 2022 added DoH support to the Windows DNS client, and Windows 10 (2004 and later) and Windows 11 clients can use DoH natively, but the DNS Server role has no built-in DoH listener in either release. This guide covers what is achievable on Windows Server 2019 and how to bridge the gap with proxy components.
Understanding the Windows Server 2019 DoH Landscape
Neither Windows Server 2019 nor Windows Server 2022 ships a DoH listener in the DNS Server role (the DoH support added in 2022 lives in the DNS client, Dnscache). What Windows Server 2019 can do is:
1. Forward outbound recursive queries over DoH to upstream resolvers (such as Cloudflare 1.1.1.1 or Google 8.8.8.8) by way of a local DoH proxy, protecting the hop from the DNS server to the internet.
2. Terminate DoH from clients with a proxy (dnsproxy, nginx, or IIS with ARR in front of a DoH-capable backend) that hands the decoded queries to the local DNS service.
This guide covers both scenarios in detail.
Scenario 1: Configure Windows Server 2019 DNS to Forward via DoH to Upstream Resolvers
The built-in DNS Server role in Windows Server 2019 does not natively support sending forwarder queries over DoH. The standard forwarder mechanism uses plain UDP/TCP. To achieve DoH on the outbound side, you need a local DoH proxy that the DNS service forwards to over localhost, while that proxy communicates upstream over HTTPS.
Install dnsproxy (open source, github.com/AdguardTeam/dnsproxy) as a Windows service:
# Download the dnsproxy release binary and place it in C:\Tools\dnsproxy
# Listen on 127.0.0.1:5053 and resolve upstream over DoH to Cloudflare.
# -f (--fallback) names a plaintext UDP/53 resolver that is used only when every DoH
# upstream fails. Leaving it out, as the service definition below does, means a DoH
# outage fails closed instead of quietly leaking queries in the clear.
C:\Tools\dnsproxy\dnsproxy.exe `
    -l 127.0.0.1 `
    -p 5053 `
    -u https://1.1.1.1/dns-query `
    -u https://1.0.0.1/dns-query `
    -f 8.8.8.8:53
# Install it as a Windows service with NSSM (download from nssm.cc into C:\Tools\nssm)
C:\Tools\nssm\nssm.exe install dnsproxy "C:\Tools\dnsproxy\dnsproxy.exe"
C:\Tools\nssm\nssm.exe set dnsproxy AppParameters "-l 127.0.0.1 -p 5053 -u https://1.1.1.1/dns-query -u https://1.0.0.1/dns-query"
C:\Tools\nssm\nssm.exe set dnsproxy Start SERVICE_AUTO_START
Start-Service dnsproxy
Now point the Windows DNS Server at the local proxy. Two constraints shape this step: the forwarder list accepts IP addresses only (no port), and by default the DNS Server role binds port 53 on every local address, loopback included. The proxy therefore has to own 127.0.0.1:53, which means first telling the DNS service to listen only on the server's LAN address (192.168.1.10 throughout this guide), then moving dnsproxy from 5053 to 53:
# 1. Stop the DNS Server role from binding loopback; it keeps serving clients on the LAN address
dnscmd /ResetListenAddresses 192.168.1.10
Restart-Service DNS
# 2. Move dnsproxy to 127.0.0.1:53 (the service parameters set earlier used 5053)
C:\Tools\nssm\nssm.exe set dnsproxy AppParameters "-l 127.0.0.1 -p 53 -u https://1.1.1.1/dns-query -u https://1.0.0.1/dns-query"
Restart-Service dnsproxy
# 3. Make the proxy the only forwarder (Set-DnsServerForwarder replaces the whole list)
#    and disable root hints, so a proxy outage fails closed instead of silently
#    falling back to plaintext recursion against the root servers
Set-DnsServerForwarder -IPAddress 127.0.0.1 -UseRootHint $false
Get-DnsServerForwarder
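The steps above leave two ways for queries to escape in plaintext: a forwarder list that drifts, and the DNS service falling back to root hints. The following is an added example, not part of the original guide, that checks the chain end to end from the server and then blocks the plaintext path outright. It assumes the layout above (Windows DNS Server on 192.168.1.10, dnsproxy as the "dnsproxy" service on 127.0.0.1:53 as the sole forwarder) and is run elevated on the server; example.com is only a probe name.

```powershell
# Added example: confirm the forwarding chain takes the encrypted path, then fail closed.
# Assumes dns.exe listens on 192.168.1.10 and dnsproxy owns 127.0.0.1:53 (see above).

function Test-DohForwardingChain {
    param([string]$Name = 'example.com', [string]$ServerIp = '192.168.1.10')
    $r = [ordered]@{}

    # The proxy must be the only forwarder and root hints must be off; otherwise a
    # proxy outage degrades silently to plaintext recursion instead of failing closed.
    $fwd = Get-DnsServerForwarder
    $r.OnlyForwarderIsProxy = (@($fwd.IPAddress.IPAddressToString) -join ',') -eq '127.0.0.1'
    $r.RootHintsDisabled    = -not $fwd.UseRootHint

    # Resolve through the DNS Server role itself (not straight at dnsproxy), so the whole
    # chain client -> dns.exe -> dnsproxy -> DoH upstream is exercised.
    $ans = Resolve-DnsName -Name $Name -Type A -Server $ServerIp -DnsOnly -ErrorAction SilentlyContinue
    $r.Resolved = [bool]($ans | Where-Object Type -eq 'A')

    # dnsproxy keeps its upstream HTTPS sessions open, so a TCP/443 connection owned by
    # dnsproxy.exe should be visible right after the lookup.
    $proxyPid = (Get-Process -Name dnsproxy -ErrorAction SilentlyContinue).Id
    $r.ProxyHasHttpsUpstream = [bool]($proxyPid -and
        (Get-NetTCPConnection -OwningProcess $proxyPid -RemotePort 443 -ErrorAction SilentlyContinue))

    # dns.exe itself must not be talking to any remote port 53. Only TCP can be checked this
    # way; UDP endpoints carry no remote address, which is why the firewall rules below exist.
    $dnsPid = (Get-Process -Name dns).Id
    $r.DnsExeHasNoRemoteTcp53 = -not (Get-NetTCPConnection -OwningProcess $dnsPid -RemotePort 53 -ErrorAction SilentlyContinue)

    [pscustomobject]$r
}

# Fail closed: block dns.exe from speaking plaintext DNS to the Internet, so a re-added
# forwarder or re-enabled root hints cannot leak queries. The Internet address keyword
# leaves intranet traffic (conditional forwarders to internal DCs, zone transfers) alone.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Block plaintext DNS egress from dns.exe ($proto)" `
        -Direction Outbound -Program '%SystemRoot%\System32\dns.exe' `
        -Protocol $proto -RemotePort 53 -RemoteAddress Internet -Action Block | Out-Null
}

Test-DohForwardingChain | Format-List
```

Every property in the output should read True. OnlyForwarderIsProxy or RootHintsDisabled being False means the server can still recurse in the clear; ProxyHasHttpsUpstream being False right after a successful lookup usually means the answer came from cache, so clear it with `Clear-DnsServerCache` and retry.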
Scenario 2: Deploy a DoH Listener Proxy with IIS and ARR
You can put IIS with the Application Request Routing (ARR) module in front of a DoH endpoint so that clients and browsers connect to your Windows Server 2019 host on 443. Be clear about what ARR does and does not do: it terminates TLS and reverse-proxies HTTP, but it cannot turn a DoH request into a DNS packet for the Windows DNS service on port 53. Behind ARR you therefore need a backend that speaks DoH itself and queries the DNS Server role: dnsproxy in listener mode (--https-port with --tls-crt and --tls-key, and -u 192.168.1.10:53 as its upstream) is one option, or a small translator listening on plain HTTP on the loopback interface. IIS buys you central certificate handling and request logging; if you do not need those, dnsproxy can bind 443 directly and the ARR steps below can be skipped.
# Install IIS (ARR is a separate download; its bundle also installs URL Rewrite, which the rules need)
Install-WindowsFeature -Name Web-Server -IncludeManagementTools
# ARR 3.0: https://www.iis.net/downloads/microsoft/application-request-routing
# The download is an .exe bootstrapper, not an MSI, so it cannot be driven with msiexec /i;
# run it directly and check its /? output for the silent-install switch your build accepts.
Start-Process -FilePath ".\ARRv3_setup_x64.EXE" -Wait
# Enable the proxy feature at server level (ARR ships with it disabled) and confirm
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/proxy' -Name 'enabled' -Value 'True'
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/proxy' | Select-Object enabled
Create an IIS site for the DoH hostname on 443. RFC 8484 defines two request forms: GET /dns-query?dns=<base64url-encoded DNS message> and POST /dns-query with the raw message as the body and Content-Type application/dns-message; the response is always application/dns-message. The site needs a certificate for the hostname (see "Verify TLS Certificate Configuration" below):
# Site with an HTTPS binding for the DoH hostname
New-Item -Path "C:\inetpub\dohproxy" -ItemType Directory -Force | Out-Null
New-WebSite -Name "DoHProxy" -Port 443 -HostHeader "dns.corp.example.com" -Ssl -PhysicalPath "C:\inetpub\dohproxy"
# Attach the certificate for the hostname to that binding
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -match "dns.corp.example.com" | Select-Object -First 1
(Get-WebBinding -Name "DoHProxy" -Protocol https).AddSslCertificate($cert.Thumbprint, "My")
# Reverse-proxy rule: only /dns-query is forwarded, to the DoH backend on loopback.
# http://127.0.0.1:8053 is a placeholder for a plain-HTTP DoH backend; use https:// and the
# matching port if the backend is dnsproxy with --https-port.
$webConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="DoH to local resolver" stopProcessing="true">
          <match url="^dns-query$" />
          <action type="Rewrite" url="http://127.0.0.1:8053/dns-query" appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@
Set-Content -Path "C:\inetpub\dohproxy\web.config" -Value $webConfig -Encoding UTF8
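To make concrete what the backend behind ARR has to do, here is an added example (not part of the original guide, and not a production resolver) of a minimal RFC 8484 server in PowerShell. It accepts both request forms on plain HTTP at 127.0.0.1:8053, leaving TLS to IIS/ARR in front, relays the raw DNS message over UDP to the Windows DNS service at 192.168.1.10:53 (the guide's server address) and returns the reply. The listen prefix and upstream address are assumptions; the script is single-threaded, sets no cache headers, and does not retry over TCP when a reply comes back truncated, all of which a real DoH server handles.

```powershell
# Added example: the DoH-to-DNS translation that ARR cannot do on its own.
# Run elevated (HttpListener needs a urlacl or admin rights to bind the prefix).

$UpstreamDns = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Parse('192.168.1.10'), 53)
$Prefix      = 'http://127.0.0.1:8053/'   # assumed; must match the ARR rewrite target

function ConvertFrom-Base64Url([string]$Text) {
    # RFC 8484 GET requests carry the query as base64url without padding; restore it
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}

function Send-DnsUdp([byte[]]$Query) {
    $udp = [System.Net.Sockets.UdpClient]::new()
    $udp.Client.ReceiveTimeout = 3000
    try {
        [void]$udp.Send($Query, $Query.Length, $UpstreamDns)
        $from  = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
        # Accept only a reply to the transaction we sent, from the resolver we asked:
        # the same guard a stub resolver applies against spoofed UDP answers.
        if ($reply.Length -lt 12 -or $reply[0] -ne $Query[0] -or $reply[1] -ne $Query[1] -or
            -not $from.Address.Equals($UpstreamDns.Address)) { return $null }
        $reply
    } catch { $null } finally { $udp.Dispose() }
}

function Start-DohTranslator {
    $listener = [System.Net.HttpListener]::new()
    $listener.Prefixes.Add($Prefix)
    $listener.Start()
    Write-Host "DoH translator on $Prefix -> $UpstreamDns (Ctrl+C to stop)"
    while ($listener.IsListening) {
        $ctx = $listener.GetContext(); $req = $ctx.Request; $res = $ctx.Response
        try {
            if ($req.Url.AbsolutePath -ne '/dns-query') { $res.StatusCode = 404; continue }
            if ($req.HttpMethod -eq 'GET' -and $req.QueryString['dns']) {
                $query = ConvertFrom-Base64Url $req.QueryString['dns']
            } elseif ($req.HttpMethod -eq 'POST' -and $req.ContentType -like 'application/dns-message*') {
                $ms = [System.IO.MemoryStream]::new(); $req.InputStream.CopyTo($ms); $query = $ms.ToArray()
            } else { $res.StatusCode = 415; continue }
            # A DNS message is at least a 12-byte header; cap what we relay in one datagram
            if ($query.Length -lt 12 -or $query.Length -gt 4096) { $res.StatusCode = 400; continue }
            $answer = Send-DnsUdp $query
            if (-not $answer) { $res.StatusCode = 502; continue }
            $res.StatusCode      = 200
            $res.ContentType     = 'application/dns-message'
            $res.ContentLength64 = $answer.Length
            $res.OutputStream.Write($answer, 0, $answer.Length)
        } catch { $res.StatusCode = 400 } finally { $res.Close() }
    }
}

Start-DohTranslator
```

With this running, the ARR rule's target `http://127.0.0.1:8053/dns-query` has something to talk to, and the binary contract is visible: ARR forwards bytes, the translator turns them into a port-53 exchange and back. Binding only to 127.0.0.1 matters, because the translator itself does no TLS and must never be reachable from clients directly.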
Configure DNS Clients to Use DoH
Windows 10 2004 (build 19628 and later) and Windows 11 / Windows Server 2022 support DoH in the DNS client (Dnscache). The Windows Server 2019 machine is only the server in this design; on the downstream Windows clients, register a DoH template for your endpoint via the registry (or the equivalent DNS Client Group Policy setting, "Configure DNS over HTTPS (DoH) name resolution"). The template is keyed by the DNS server IP the client is already configured with, so the key name must be that address (192.168.1.10 here), not the DoH hostname:
# On a Windows 10/11 client, run elevated
$params = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"
# 2 enables automatic upgrade to DoH for servers that have a template
Set-ItemProperty -Path $params -Name "EnableAutoDoh" -Value 2 -Type DWord
# Per-server template: a key named after the DNS server IP the client uses.
# ("$dohPath192.168.1.10" would be parsed as a variable named dohPath192; use Join-Path.)
$serverKey = Join-Path $params "DohWellKnownServers\192.168.1.10"
New-Item -Path $serverKey -Force | Out-Null
New-ItemProperty -Path $serverKey -Name "Template" -Value "https://dns.corp.example.com/dns-query" -PropertyType String -Force
New-ItemProperty -Path $serverKey -Name "DohFlags" -Value 1 -PropertyType QWord -Force
# Changes take effect after a reboot; Dnscache is a protected service and cannot be restarted by hand.
# On Windows 11 / Server 2022 the DnsClient module does the same and also lets you forbid UDP fallback:
# Add-DnsClientDohServerAddress -ServerAddress 192.168.1.10 -DohTemplate "https://dns.corp.example.com/dns-query" -AllowFallbackToUdp $false -AutoUpgrade $true
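A configured template is not proof that the client uses it, so here is an added example (not part of the original guide) that checks the client side: whether the template exists for the server the adapter actually uses, what the effective setting is where the DnsClient module exposes it, and whether a lookup through the system resolver opens an HTTPS session to the server. It uses the registry locations from the section above; 192.168.1.10 and example.com are the guide's placeholders. Run elevated on the client.

```powershell
# Added example: verify from a Windows client that resolution to the server goes over HTTPS.

function Test-ClientDoh {
    param([string]$DnsServer = '192.168.1.10', [string]$ProbeName = 'example.com')
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $r = [ordered]@{}

    $r.AutoDohSetting = (Get-ItemProperty -Path $params -Name EnableAutoDoh -ErrorAction SilentlyContinue).EnableAutoDoh
    $tmpl = Get-ItemProperty -Path (Join-Path $params "DohWellKnownServers\$DnsServer") -ErrorAction SilentlyContinue
    $r.Template = $tmpl.Template

    # A template is only used if an adapter is actually configured with that server address
    $r.ServerInUse = $DnsServer -in (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses

    # Windows 11 / Server 2022 expose the effective DoH settings through the DnsClient module
    if (Get-Command Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue) {
        $r.Effective = Get-DnsClientDohServerAddress -ServerAddress $DnsServer -ErrorAction SilentlyContinue
    }

    # Resolve through the system resolver (Dnscache). Resolve-DnsName -Server would send its
    # own plain query and bypass DoH entirely, so it proves nothing here.
    Clear-DnsClientCache
    try { [void][System.Net.Dns]::GetHostAddresses($ProbeName) } catch { $r.LookupError = $_.Exception.Message }

    # Dnscache runs inside an svchost; look for that process holding TCP/443 to the server
    $svcPid = (Get-CimInstance Win32_Service -Filter "Name='Dnscache'").ProcessId
    $r.HttpsSessionToServer = [bool](Get-NetTCPConnection -OwningProcess $svcPid -RemoteAddress $DnsServer `
        -RemotePort 443 -ErrorAction SilentlyContinue)

    [pscustomobject]$r
}

Test-ClientDoh | Format-List
```

If ServerInUse is False the template is simply never consulted; if everything else is in place but HttpsSessionToServer stays False, check the certificate chain from the client first (the Dnscache client validates it exactly as a browser would) before suspecting the server.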
Validate DoH Functionality
Use curl or PowerShell to test DoH directly against your endpoint. The GET form carries the query base64url-encoded (no padding) in the dns parameter; a GET has no body, so only the Accept header is needed, not Content-Type:
# The RFC 8484 example query: ID 0, RD set, one question for example.com type A
$dnsQuery = "AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE"
# curl (shipped with Windows 10 1803+ and Server 2019); --output is needed because the reply
# is binary. Do not add -k: a test that skips certificate validation proves nothing about
# what the Dnscache client will accept.
curl.exe --silent --show-error --output reply.bin --write-out "%{http_code} %{content_type}`n" `
    -H "Accept: application/dns-message" "https://dns.corp.example.com/dns-query?dns=$dnsQuery"
# Same check from PowerShell. Windows PowerShell 5.1 has no -SkipCertificateCheck, and for
# the reason above you should not want one.
$response = Invoke-WebRequest -Uri "https://dns.corp.example.com/dns-query?dns=$dnsQuery" `
    -Method Get -Headers @{ Accept = "application/dns-message" } -UseBasicParsing
Write-Host "Status: $($response.StatusCode)  Content-Type: $($response.Headers['Content-Type'])"
Write-Host "Reply length: $($response.RawContentStream.Length) bytes"
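An HTTP 200 with a few dozen bytes only proves the proxy answered; it does not tell you whether the DNS inside was NOERROR, SERVFAIL or NXDOMAIN. The following added example (not part of the original guide) builds the query itself instead of using a pre-encoded string, sends it as an RFC 8484 GET, and decodes the reply header and answer records. The encoder is checked offline against the RFC 8484 sample query used above and the decoder against a constructed response; the endpoint URL is the guide's placeholder.

```powershell
# Added example: a small DoH client that shows RCODE and records, not just an HTTP status.

function New-DnsQuery {
    param([string]$Name, [uint16]$Type = 1)
    $buf = [System.Collections.Generic.List[byte]]::new()
    # Header: ID 0 (RFC 8484 recommends 0 so HTTP caches can match identical queries),
    # flags 0x0100 (RD), QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0
    $buf.AddRange([byte[]](0,0, 1,0, 0,1, 0,0, 0,0, 0,0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $buf.Add([byte]$bytes.Length); $buf.AddRange([byte[]]$bytes)
    }
    $buf.Add(0)                                                        # root label
    $buf.AddRange([byte[]](($Type -shr 8), ($Type -band 0xFF), 0, 1))  # QTYPE, QCLASS IN
    $buf.ToArray()
}

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Read-DnsName {
    # Decodes a possibly compressed name; returns the name and the offset just after it
    param([byte[]]$Msg, [int]$Offset)
    $labels = @(); $end = -1; $hops = 0
    while ($true) {
        $len = $Msg[$Offset]
        if ($len -eq 0) { $Offset++; break }
        if (($len -band 0xC0) -eq 0xC0) {                              # compression pointer
            if (++$hops -gt 32) { throw 'Compression pointer loop in response' }
            if ($end -lt 0) { $end = $Offset + 2 }
            $Offset = (($len -band 0x3F) -shl 8) -bor $Msg[$Offset + 1]
            continue
        }
        $labels += [System.Text.Encoding]::ASCII.GetString($Msg, $Offset + 1, $len)
        $Offset += 1 + $len
    }
    if ($end -lt 0) { $end = $Offset }
    @{ Name = ($labels -join '.'); Next = $end }
}

function ConvertFrom-DnsResponse([byte[]]$Msg) {
    $hdr = [ordered]@{
        RCode   = $Msg[3] -band 0x0F                 # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        QdCount = ($Msg[4] -shl 8) -bor $Msg[5]
        AnCount = ($Msg[6] -shl 8) -bor $Msg[7]
        Answers = @()
    }
    $pos = 12
    for ($i = 0; $i -lt $hdr.QdCount; $i++) { $pos = (Read-DnsName $Msg $pos).Next + 4 }  # skip QTYPE/QCLASS
    for ($i = 0; $i -lt $hdr.AnCount; $i++) {
        $n = Read-DnsName $Msg $pos; $pos = $n.Next
        $type  = ($Msg[$pos] -shl 8) -bor $Msg[$pos + 1]
        $ttl   = ([uint32]$Msg[$pos + 4] -shl 24) -bor ($Msg[$pos + 5] -shl 16) -bor ($Msg[$pos + 6] -shl 8) -bor $Msg[$pos + 7]
        $rdlen = ($Msg[$pos + 8] -shl 8) -bor $Msg[$pos + 9]
        $rdata = $Msg[($pos + 10)..($pos + 9 + $rdlen)]
        $data  = switch ($type) {
            1       { $rdata -join '.' }                                         # A
            28      { [System.Net.IPAddress]::new([byte[]]$rdata).ToString() }   # AAAA
            5       { (Read-DnsName $Msg ($pos + 10)).Name }                     # CNAME
            default { "type $type, $rdlen bytes" }
        }
        $hdr.Answers += [pscustomobject]@{ Name = $n.Name; Type = $type; TTL = $ttl; Data = $data }
        $pos += 10 + $rdlen
    }
    [pscustomobject]$hdr
}

function Invoke-DohQuery {
    param([string]$Endpoint, [string]$Name, [uint16]$Type = 1)
    $uri = "${Endpoint}?dns=$(ConvertTo-Base64Url (New-DnsQuery -Name $Name -Type $Type))"
    # No certificate bypass: this should fail exactly where a real DoH client would.
    $resp = Invoke-WebRequest -Uri $uri -Method Get -Headers @{ Accept = 'application/dns-message' } -UseBasicParsing
    if ($resp.Headers['Content-Type'] -notlike 'application/dns-message*') {
        throw "Endpoint answered with Content-Type '$($resp.Headers['Content-Type'])', not application/dns-message"
    }
    ConvertFrom-DnsResponse $resp.RawContentStream.ToArray()
}

# Offline self-checks: the encoder must reproduce the RFC 8484 sample query, and the decoder
# must read a constructed answer (example.com A 93.184.216.34, TTL 3600, owner name given
# as a compression pointer back into the question, as real resolvers emit it).
if ((ConvertTo-Base64Url (New-DnsQuery 'example.com')) -ne 'AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE') { throw 'Query encoder mismatch' }
$sample = [byte[]](0,0,0x81,0x80,0,1,0,1,0,0,0,0, 7,101,120,97,109,112,108,101,3,99,111,109,0,0,1,0,1,
                   0xC0,0x0C,0,1,0,1,0,0,0x0E,0x10,0,4,93,184,216,34)
$parsed = ConvertFrom-DnsResponse $sample
if ($parsed.RCode -ne 0 -or $parsed.Answers[0].Data -ne '93.184.216.34') { throw 'Response decoder mismatch' }

# Live check against the DoH endpoint from this guide
$live = Invoke-DohQuery -Endpoint 'https://dns.corp.example.com/dns-query' -Name 'example.com'
"RCODE $($live.RCode)"; $live.Answers | Format-Table Name, Type, TTL, Data -AutoSize
```

Run it with `-Type 28` for AAAA or against a name you know does not exist to see RCODE 3 come back through the proxy; a persistent RCODE 2 with a working curl test points at the hop behind the DoH listener (the DNS Server role or its forwarder), not at TLS.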
Verify TLS Certificate Configuration
DoH clients validate the server certificate exactly as a browser would: the hostname in the template (dns.corp.example.com) must appear in the certificate's Subject Alternative Name, and the issuing CA must be trusted by every client. A self-signed certificate is fine for a lab; in production, enrol from your internal CA and distribute the CA root to clients (Group Policy does this for domain members). A client will not speak DoH to an endpoint whose certificate fails validation; depending on its fallback setting it either reverts to plaintext or stops resolving, so test the chain from a client, not just on the server.
# Lab only: self-signed certificate with the hostname in the SAN (-DnsName sets it)
$certReq = @{
    DnsName           = "dns.corp.example.com"
    CertStoreLocation = "Cert:\LocalMachine\My"
    KeyAlgorithm      = "RSA"
    KeyLength         = 2048
    NotAfter          = (Get-Date).AddYears(2)
}
$cert = New-SelfSignedCertificate @certReq
# Production: enrol a machine certificate from AD CS. "WebServer" is the default template
# name for TLS servers; substitute the template your CA publishes. Get-Certificate returns
# an enrollment result, so take its Certificate property.
$cert = (Get-Certificate -Template WebServer -DnsName "dns.corp.example.com" `
    -SubjectName "CN=dns.corp.example.com" -CertStoreLocation Cert:\LocalMachine\My -Url ldap:).Certificate
# Equivalent with certreq (the argument is the template name, not the hostname):
# certreq -enroll -machine WebServer
Summary
Windows Server 2019 cannot accept inbound DoH in its DNS Server role, and the same is true of Windows Server 2022, whose DoH support is on the client side. On either release the gap is closed with proxy components: a DoH-capable listener (dnsproxy, or IIS with ARR in front of one) for inbound queries, and dnsproxy as the sole forwarder for outbound recursion. For environments running Server 2019 this provides working DoH with manageable complexity, provided the plaintext paths (root hints, UDP fallback on clients, dnsproxy's --fallback) are closed so a failure does not silently revert to port 53. DoH protects the transport hop; pair it with DNSSEC validation so the answers themselves are authenticated and not only the channel they arrived on.