Blog Post

Networking Blog
5 MIN READ

Announcing Public Preview of Zero Trust DNS

AditiPatange's avatar
AditiPatange
Icon for Microsoft rankMicrosoft
Apr 24, 2025

Deployment instructions for testing Public Preview of Zero Trust DNS (ZTDNS) on Windows 11 Insider builds.

  In today's evolving cybersecurity landscape, traditional perimeter defenses are no longer sufficient . As organizations embrace the Zero Trust security model, ensuring that devices only communica...
Updated Apr 24, 2025
Version 3.0
DNS
DoH
DoT
EncryptedDNS
networking
ZTDNS
raghu_niranjan's avatar
raghu_niranjan
Copper Contributor
Apr 24, 2025

I'm exploring the new Zero Trust DNS solution and have a couple of specific configuration questions:

  1. Domain Bypass Configuration: Is there a way to configure bypass domains within ZTDNS? Specifically, I'd like certain domains to be resolved by my local ISP resolver rather than by the ZTDNS-configured DoH resolver. What's the proper way to implement this exception?
  2. VPN Integration Scenario: How does ZTDNS handle private VPN domains that can only be resolved by VPN-specific resolvers? In a VPN deployment scenario, what's the recommended configuration to ensure these private domains continue to be properly resolved without interference from the ZTDNS DoH resolver?

Thanks in advance for your guidance!

AditiPatange's avatar
AditiPatange
Icon for Microsoft rankMicrosoft
May 07, 2025

These are great questions raghu_niranjan​!

  1. ZTDNS does not allow domain bypass, but it does allow setting multiple servers as your trust server. If your ISP resolver supports DoH or DoT, you can add it as a trusted server along with other DoH servers. In most situations, ZTDNS will try getting a response from the trusted server that was set first and if it doesn't get a response, it will contact the second server.
  2. We have covered interop with VPN in https://techcommunity.microsoft.com/blog/networkingblog/deployment-considerations-for-windows-ztdns-client/4113372. Please check it out.