Add DNS over HTTPS cmdlets documentation #4061
PoliCheck Scan Report
The following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 and severity-2 issues. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans.
✅ No issues found
More information about PoliCheck
Information: PoliCheck | Severity Guidance | Term
@microsoft-github-policy-service agree company="Microsoft" |
Learn Build status updates of commit dca945c:
|
| File | Status | Preview URL | Details |
|---|---|---|---|
| docset/winserver2025-ps/DnsServer/DnsServer.md | View (WindowsServer2025-ps) | Details | |
| docset/winserver2025-ps/DnsServer/Get-DnsServerEncryptionProtocol.md | ✅Succeeded | View (WindowsServer2025-ps) | |
| docset/winserver2025-ps/DnsServer/Set-DnsServerEncryptionProtocol.md | ✅Succeeded | View (WindowsServer2025-ps) |
docset/winserver2025-ps/DnsServer/DnsServer.md
- Line 0, Column 0: [Warning: PSMD2Yaml_InconsistentCmdletsInModule]
Inconsistent cmdlets found in module: DnsServer. 2 cmdlets in the module folder but not listed in the module file: Get-DnsServerEncryptionProtocol, Set-DnsServerEncryptionProtocol.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
Learn Build status updates of commit 519e375: ✅ Validation status: passed
For more details, please refer to the build report.
Learn Build status updates of commit 2cab018: ✅ Validation status: passed
For more details, please refer to the build report.
Learn Build status updates of commit f48d997: ✅ Validation status: passed
For more details, please refer to the build report.
robinharwood
left a comment
Looks good, thank you @sruthytv1988 for these great additions. I've made some minor changes and left comments or code suggestions for the rest. Let me know if you have any questions.
docset/winserver2025-ps/DnsServer/Get-DnsServerEncryptionProtocol.md
| # Get-DnsServerEncryptionProtocol | ||
|
|
||
| ## SYNOPSIS | ||
| Retrieves DNS server encryption protocol settings. This cmdlet is available on Windows Server 2025 or later. |
| Retrieves DNS server encryption protocol settings. This cmdlet is available on Windows Server 2025 or later. | |
| Retrieves DNS server encryption protocol settings for DNS over HTTPS (DoH) on Windows Server 2025 or later. |
docset/winserver2025-ps/DnsServer/Set-DnsServerEncryptionProtocol.md
| Specifies one or more URI templates for DNS over HTTPS (DoH) queries. If not specified when **EnableDoh** is set to `$true`, the DNS server uses a default URI template with the `/dns-query` path based on the server's fully qualified domain name (FQDN). | ||
|
|
||
| For a single URI template, specify `"https://dnsserver.example.net/dns-query"`. To provide multiple URI templates for redundancy and load balancing, specify them as **a single string** with templates separated by the pipe character (|): `"https://dnsserver.example.net/dns-query|https://dnsserver2.example.net/dns-query"`. A maximum of three URI templates can be specified. | ||
|
|
||
| URI templates must be valid HTTPS URIs compliant with [RFC 3986, Uniform Resource Identifier (URI): Generic Syntax](https://datatracker.ietf.org/doc/html/rfc3986). Ensure that a valid SSL/TLS certificate is configured for the DNS server with the hostname(s) specified in the URI template(s). | ||
|
|
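Review bot: The third paragraph cites RFC 3986 for what the text calls URI templates, but RFC 8484 configures DoH with a URI Template as defined in RFC 6570. State whether this parameter accepts only plain HTTPS URIs such as the `/dns-query` examples or also RFC 6570 template expressions, and cite the RFC that matches. The second paragraph gives the three-template limit and the pipe separator without saying what the cmdlet does when a fourth template or a non-HTTPS URI is supplied; adding the resulting error behaviour would let administrators tell a rejected value from one that was silently ignored.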
A suggestion and a couple of questions 😄
- What is the default URI template? Would that just be `https://<LocalServerName.fqdn>/dns-query`?
- When you say multiple URI templates can be used for load balancing, is this round-robin load balancing? Is there any health checking? Is this part of the RFC?
| Specifies one or more URI templates for DNS over HTTPS (DoH) queries. If not specified when **EnableDoh** is set to `$true`, the DNS server uses a default URI template with the `/dns-query` path based on the server's fully qualified domain name (FQDN). | |
| For a single URI template, specify `"https://dnsserver.example.net/dns-query"`. To provide multiple URI templates for redundancy and load balancing, specify them as **a single string** with templates separated by the pipe character (|): `"https://dnsserver.example.net/dns-query|https://dnsserver2.example.net/dns-query"`. A maximum of three URI templates can be specified. | |
| URI templates must be valid HTTPS URIs compliant with [RFC 3986, Uniform Resource Identifier (URI): Generic Syntax](https://datatracker.ietf.org/doc/html/rfc3986). Ensure that a valid SSL/TLS certificate is configured for the DNS server with the hostname(s) specified in the URI template(s). | |
| Specifies one or more URI templates for DNS over HTTPS (DoH) queries. If you don't specify a value when | |
| **EnableDoh** is set to `$true`, the DNS server uses a default URI template with the `/dns-query` path | |
| based on the server's fully qualified domain name (FQDN). | |
| For a single URI template, specify `"https://dnsserver.example.net/dns-query"`. To provide multiple URI | |
| templates for redundancy and load balancing, specify them as a single string with templates separated | |
| by the pipe character `|`. For example, | |
| `"https://dnsserver.example.net/dns-query|https://dnsserver2.example.net/dns-query"`. A maximum of three | |
| URI templates can be specified. | |
| URI templates must be valid HTTPS URIs compliant with [RFC 3986, Uniform Resource Identifier (URI): | |
| Generic Syntax](https://datatracker.ietf.org/doc/html/rfc3986). Ensure that a valid SSL/TLS certificate is | |
| configured for the DNS server with the hostname(s) specified in the URI template(s). | |
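Review bot: The closing sentence of the suggested text asks for a valid SSL/TLS certificate for the hostname(s) in the URI template(s) but does not say how to confirm it or what a mismatch looks like. Suggest stating that every hostname used in a template has to be covered by the server certificate, because DoH clients validate the certificate name during the TLS handshake and a template whose host is not covered fails before any DNS query is sent, and linking to the certificate configuration steps.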
> What is the default URI template? Would that just be https://<LocalServerName.fqdn>/dns-query?

Yes: The default URI template will always be with the local server name in this format. The RFC doesn't talk about a default.

> When you say multiple URI templates can be used for load balancing, is this round-robin load balancing? Is there any health checking? Is this part of the RFC?

DNS Server typically uses round-robin selection to distribute queries across the configured URIs. This is standard DNS resolver behavior. This is existing behavior. No automatic health checks are done.
RFC 8484 defines the DoH protocol, and it does NOT specify how clients should handle multiple DoH servers, load balancing algorithms, health checking requirements, and failover behavior. There is a check in the implementation to skip failed URIs.
Maybe we can modify load balancing to something like "Multiple URI templates may be provisioned to allow client implementations to choose among multiple DoH endpoints."
docset/winserver2025-ps/DnsServer/Set-DnsServerEncryptionProtocol.md
| ``` | ||
|
|
||
| ### -PassThru | ||
| Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output. |
Given the cmdlet doesn't generate an output, I've left some comments in the output section for you to review.
| ## INPUTS | ||
|
|
||
| ## OUTPUTS | ||
|
|
||
| ### Microsoft.Management.Infrastructure.CimInstance#DnsServerEncryptionProtocol | ||
|
|
| ## INPUTS | |
| ## OUTPUTS | |
| ### Microsoft.Management.Infrastructure.CimInstance#DnsServerEncryptionProtocol | |
| ## INPUTS | |
| ### None | |
| You cannot pipe objects to this cmdlet. | |
| ## OUTPUTS | |
| ### None | |
| By default, this cmdlet does not generate any output. | |
| ### Microsoft.Management.Infrastructure.CimInstance#DnsServerEncryptionProtocol | |
| When you specify the **PassThru** parameter, this cmdlet returns a `DnsServerEncryptionProtocol` | |
| object that represents the updated encryption protocol settings on the DNS server. | |
Learn Build status updates of commit 1c9af45: ✅ Validation status: passed
For more details, please refer to the build report.
Learn Build status updates of commit 5a95721: ✅ Validation status: passed
For more details, please refer to the build report.

PR Summary
This PR adds documentation for DNS over HTTPS (DoH) configuration cmdlets for Windows Server 2025.
These cmdlets enable administrators to configure encrypted DNS communications using the DoH protocol (RFC 8484), providing enhanced security for DNS queries. The documentation includes comprehensive examples, parameter descriptions, and RFC compliance notes.
This change is planned for public preview and GA.
Cmdlets Added/Updated
- `Get-DnsServerEncryptionProtocol` - Retrieves DNS over HTTPS encryption settings
- `Set-DnsServerEncryptionProtocol` - Configures DNS over HTTPS encryption settings
Validation Completed
Testing Details
- `Get-Help Get-DnsServerEncryptionProtocol -Full` displays all sections correctly
- `Get-Help Set-DnsServerEncryptionProtocol -Examples` shows all examples