Add DNS over HTTPS cmdlets documentation #4061
PoliCheck Scan Report
The following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 and severity-2 issues. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans.
✅ No issues found
More information about PoliCheck
Information: PoliCheck | Severity Guidance | Term
@microsoft-github-policy-service agree company="Microsoft" |
Learn Build status updates of commit dca945c:
| File | Status | Preview URL | Details |
|---|---|---|---|
| docset/winserver2025-ps/DnsServer/DnsServer.md | View (WindowsServer2025-ps) | Details | |
| docset/winserver2025-ps/DnsServer/Get-DnsServerEncryptionProtocol.md | ✅Succeeded | View (WindowsServer2025-ps) | |
| docset/winserver2025-ps/DnsServer/Set-DnsServerEncryptionProtocol.md | ✅Succeeded | View (WindowsServer2025-ps) |
docset/winserver2025-ps/DnsServer/DnsServer.md
- Line 0, Column 0: [Warning: PSMD2Yaml_InconsistentCmdletsInModule]
Inconsistent cmdlets found in module: DnsServer. 2 cmdlets in the module folder but not listed in the module file: Get-DnsServerEncryptionProtocol, Set-DnsServerEncryptionProtocol.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
Learn Build status updates of commit 519e375: ✅ Validation status: passed
For more details, please refer to the build report.
Learn Build status updates of commit 2cab018: ✅ Validation status: passed
For more details, please refer to the build report.
Learn Build status updates of commit f48d997: ✅ Validation status: passed
For more details, please refer to the build report.
robinharwood
left a comment
Looks good, thank you @sruthytv1988 for these great additions. I've made some minor changes and left comments or code suggestions for the rest. Let me know if you have any questions.
| @@ -0,0 +1,148 @@ | |||
| --- | |||
| description: Use this topic to help manage Windows and Windows Server technologies with Windows PowerShell. | |||
| description: Use this topic to help manage Windows and Windows Server technologies with Windows PowerShell. | |
| description: Learn how to retrieve DNS over HTTPS (DoH) settings using the Get-DnsServerEncryptionProtocol cmdlet in Windows PowerShell for Windows Server 2025 and later. |
| # Get-DnsServerEncryptionProtocol | ||
|
|
||
| ## SYNOPSIS | ||
| Retrieves DNS server encryption protocol settings. This cmdlet is available on Windows Server 2025 or later. |
| Retrieves DNS server encryption protocol settings. This cmdlet is available on Windows Server 2025 or later. | |
| Retrieves DNS server encryption protocol settings for DNS over HTTPS (DoH) on Windows Server 2025 or later. |
| ``` | ||
|
|
||
| ## DESCRIPTION | ||
| The **Get-DnsServerEncryptionProtocol** cmdlet retrieves Domain Name System (DNS) server DNS over HTTPS (DoH) settings: **EnableDoh** and **UriTemplate**. |
| The **Get-DnsServerEncryptionProtocol** cmdlet retrieves Domain Name System (DNS) server DNS over HTTPS (DoH) settings: **EnableDoh** and **UriTemplate**. | |
| The `Get-DnsServerEncryptionProtocol` cmdlet can be used to verify the current DoH configuration | |
| on a DNS server. The cmdlet retrieves the current settings as an object with the properties | |
| **EnableDoh** and **UriTemplate** to indicate whether DoH is enabled and the configured URI | |
| templates for DNS queries over HTTPS. | |
| > [!IMPORTANT] | |
| > The `Get-DnsServerEncryptionProtocol` cmdlet is available on Windows Server 2025 or | |
| > later beginning with 2026-02 Security Update. |
|
|
||
| ## EXAMPLES | ||
|
|
||
| ### Example 1: Retrieve encryption settings from local DNS server |
I couldn't do a code suggestion for this due to it having inline code so I committed a change to your branch. Please make sure to pull your branch before making any more edits.
|
|
||
| This command retrieves the current encryption settings from the local DNS server. The output shows that DNS over HTTPS (DoH) is enabled with a configured URI template. | ||
|
|
||
| ### Example 2: Retrieve encryption settings from remote DNS server |
I couldn't do a code suggestion for this due to it having inline code so I committed a change to your branch. Please make sure to pull your branch before making any more edits.
| ``` | ||
|
|
||
| ### -EnableDoh | ||
| Specifies whether to enable or disable DNS over HTTPS (DoH) on the DNS server. Set to `$true` to enable DoH, or `$false` to disable it. When disabled, any configured URI templates are cleared. |
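Review bot: In the -EnableDoh description, the sentence "When disabled, any configured URI templates are cleared" describes a destructive side effect without saying what the server uses when DoH is turned back on. State whether re-enabling without -UriTemplate falls back to the default FQDN-based `/dns-query` template described under the UriTemplate parameter, so an administrator knows that a disable and enable cycle can change the endpoint clients must reach, and suggest recording the current value with `Get-DnsServerEncryptionProtocol` before disabling.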
| Specifies whether to enable or disable DNS over HTTPS (DoH) on the DNS server. Set to `$true` to enable DoH, or `$false` to disable it. When disabled, any configured URI templates are cleared. | |
| Specifies whether to enable or disable DNS over HTTPS (DoH) on the DNS server. Set the value to `$true` to | |
| enable DoH, or `$false` to disable it. When disabled, any configured URI templates are also cleared. |
| Specifies one or more URI templates for DNS over HTTPS (DoH) queries. If not specified when **EnableDoh** is set to `$true`, the DNS server uses a default URI template with the `/dns-query` path based on the server's fully qualified domain name (FQDN). | ||
|
|
||
| For a single URI template, specify `"https://dnsserver.example.net/dns-query"`. To provide multiple URI templates for redundancy and load balancing, specify them as **a single string** with templates separated by the pipe character (|): `"https://dnsserver.example.net/dns-query|https://dnsserver2.example.net/dns-query"`. A maximum of three URI templates can be specified. | ||
|
|
||
| URI templates must be valid HTTPS URIs compliant with [RFC 3986, Uniform Resource Identifier (URI): Generic Syntax](https://datatracker.ietf.org/doc/html/rfc3986). Ensure that a valid SSL/TLS certificate is configured for the DNS server with the hostname(s) specified in the URI template(s). | ||
|
|
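Review bot: The UriTemplate text cites only RFC 3986 for validity, but the PR summary describes the feature as RFC 8484 DoH, where the endpoint is an RFC 6570 URI Template (for example one carrying a `{?dns}` variable for GET requests). Say whether the value must be a plain HTTPS URI or may contain template variables. The sentence "A maximum of three URI templates can be specified" should also state whether a fourth entry, or a non-HTTPS entry, makes the cmdlet fail or is silently dropped, because a silently dropped template changes which endpoints the server actually answers on.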
A suggestion and a couple of questions 😄
- What is the default URI template? Would that just be `https://<LocalServerName.fqdn>/dns-query`?
- When you say multiple URI templates can be used for load balancing, is this round-robin load balancing? Is there any health checking? Is this part of the RFC?
| Specifies one or more URI templates for DNS over HTTPS (DoH) queries. If not specified when **EnableDoh** is set to `$true`, the DNS server uses a default URI template with the `/dns-query` path based on the server's fully qualified domain name (FQDN). | |
| For a single URI template, specify `"https://dnsserver.example.net/dns-query"`. To provide multiple URI templates for redundancy and load balancing, specify them as **a single string** with templates separated by the pipe character (|): `"https://dnsserver.example.net/dns-query|https://dnsserver2.example.net/dns-query"`. A maximum of three URI templates can be specified. | |
| URI templates must be valid HTTPS URIs compliant with [RFC 3986, Uniform Resource Identifier (URI): Generic Syntax](https://datatracker.ietf.org/doc/html/rfc3986). Ensure that a valid SSL/TLS certificate is configured for the DNS server with the hostname(s) specified in the URI template(s). | |
| Specifies one or more URI templates for DNS over HTTPS (DoH) queries. If you don't specify a value when | |
| **EnableDoh** is set to `$true`, the DNS server uses a default URI template with the `/dns-query` path | |
| based on the server's fully qualified domain name (FQDN). | |
| For a single URI template, specify `"https://dnsserver.example.net/dns-query"`. To provide multiple URI | |
| templates for redundancy and load balancing, specify them as a single string with templates separated | |
| by the pipe character `|`. For example, | |
| `"https://dnsserver.example.net/dns-query|https://dnsserver2.example.net/dns-query"`. A maximum of three | |
| URI templates can be specified. | |
| URI templates must be valid HTTPS URIs compliant with [RFC 3986, Uniform Resource Identifier (URI): | |
| Generic Syntax](https://datatracker.ietf.org/doc/html/rfc3986). Ensure that a valid SSL/TLS certificate is | |
| configured for the DNS server with the hostname(s) specified in the URI template(s). | |
| Shows what would happen if the cmdlet runs. | ||
| The cmdlet is not run. |
| Shows what would happen if the cmdlet runs. | |
| The cmdlet is not run. | |
| Shows what would happen if the cmdlet runs. The cmdlet isn't run. |
| ``` | ||
|
|
||
| ### -PassThru | ||
| Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output. |
Given the cmdlet doesn't generate an output, I've left some comments in the output section for you to review.
| ## INPUTS | ||
|
|
||
| ## OUTPUTS | ||
|
|
||
| ### Microsoft.Management.Infrastructure.CimInstance#DnsServerEncryptionProtocol | ||
|
|
| ## INPUTS | |
| ## OUTPUTS | |
| ### Microsoft.Management.Infrastructure.CimInstance#DnsServerEncryptionProtocol | |
| ## INPUTS | |
| ### None | |
| You cannot pipe objects to this cmdlet. | |
| ## OUTPUTS | |
| ### None | |
| By default, this cmdlet does not generate any output. | |
| ### Microsoft.Management.Infrastructure.CimInstance#DnsServerEncryptionProtocol | |
| When you specify the **PassThru** parameter, this cmdlet returns a `DnsServerEncryptionProtocol` | |
| object that represents the updated encryption protocol settings on the DNS server. | |
Learn Build status updates of commit 1c9af45: ✅ Validation status: passed
For more details, please refer to the build report.
PR Summary
This PR adds documentation for DNS over HTTPS (DoH) configuration cmdlets for Windows Server 2025.
These cmdlets enable administrators to configure encrypted DNS communications using the DoH protocol (RFC 8484), providing enhanced security for DNS queries. The documentation includes comprehensive examples, parameter descriptions, and RFC compliance notes.
This change is planned for public preview and GA.
Cmdlets Added/Updated
- `Get-DnsServerEncryptionProtocol` - Retrieves DNS over HTTPS encryption settings
- `Set-DnsServerEncryptionProtocol` - Configures DNS over HTTPS encryption settings
Validation Completed
Testing Details
- `Get-Help Get-DnsServerEncryptionProtocol -Full` displays all sections correctly
- `Get-Help Set-DnsServerEncryptionProtocol -Examples` shows all examples