ChristianSchindler Today, DoH and DoT are not supported by the Windows DNS server, which means ZTDNS during preview relies on third-party DNS servers. However, I know the owners of the Windows DNS server and they've said that they plan to support DoH in a future version of Windows Server.
 
To your other point, yes, and calling it a hassle is putting it lightly. It is expected that getting ZTDNS fully deployed in enforcement mode will be a long-term journey that starts with testing it out in audit mode (logging, but no enforcement) to discover the real-world name dependencies your network has, and slowly building up allowlists and attempting to reduce the unknown lists (not explicitly allowed but not blocked either). It isn't a feature for everyone, but for enterprises with high compliance expectations, it will be a unique tool in their Zero Trust toolkit that will be worth the ROI.
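As an added example, not from the original thread and not Microsoft's own ZTDNS tooling, here is a Python sketch of the audit-mode triage loop described in this reply: parse audit-style log lines, classify each queried name as allowed, blocked or unknown against allow/block patterns, and rank the unknown names for review so the allowlist can be built up and the unknown list reduced. The log line format, the `ALLOWLIST` and `BLOCKLIST` patterns, and the sample lines in `SAMPLE_LOG` are all constructed for this example; the real ZTDNS log schema and policy format are different.

```python
"""Triage constructed ZTDNS-style audit-mode log lines into allowed / blocked / unknown.

Hypothetical log format (invented for this example, not the real Windows schema):
    <timestamp> <client> <queried-name> <resolver>
"""
from collections import Counter

# Constructed sample of what an audit-mode (log-only) day might capture.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z pc-01 login.microsoftonline.com 10.0.0.53
2024-05-01T08:00:02Z pc-01 intranet.corp.example 10.0.0.53
2024-05-01T08:00:05Z pc-02 cdn.vendor-updates.example 10.0.0.53
2024-05-01T08:01:00Z pc-02 telemetry.unknownapp.example 10.0.0.53
2024-05-01T08:01:03Z pc-03 telemetry.unknownapp.example 10.0.0.53
2024-05-01T08:02:00Z pc-03 ads.tracker.example 10.0.0.53
2024-05-01T08:02:09Z pc-01 intranet.corp.example 10.0.0.53
"""

# Hypothetical policy: exact names or leading-wildcard suffixes.
ALLOWLIST = {"login.microsoftonline.com", "*.corp.example"}
BLOCKLIST = {"*.tracker.example"}


def matches(name: str, patterns) -> bool:
    """True if name equals a pattern or sits under a '*.suffix' pattern.

    '*.corp.example' matches any depth below corp.example but not
    corp.example itself, which is how most suffix allowlists behave.
    """
    name = name.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("*."):
            if name.endswith(p[1:]):  # p[1:] is ".corp.example"
                return True
        elif name == p:
            return True
    return False


def classify(name: str) -> str:
    """Deny-overrides: an explicit block wins over an allow; otherwise unknown."""
    if matches(name, BLOCKLIST):
        return "blocked"
    if matches(name, ALLOWLIST):
        return "allowed"
    return "unknown"


def triage(log_text: str):
    """Classify each logged query and rank unknown names for review.

    Returns (counts, review) where counts maps verdict -> Counter of names and
    review lists unknown names ordered by distinct clients, then query volume.
    """
    counts = {"allowed": Counter(), "blocked": Counter(), "unknown": Counter()}
    clients = {}  # unknown name -> set of clients that queried it
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, name, _resolver = line.split()
        name = name.lower().rstrip(".")
        verdict = classify(name)
        counts[verdict][name] += 1
        if verdict == "unknown":
            clients.setdefault(name, set()).add(client)
    # Names many clients depend on are the ones whose absence from the allowlist
    # would break the most machines once enforcement is turned on, so review them first.
    review = sorted(
        counts["unknown"],
        key=lambda n: (-len(clients[n]), -counts["unknown"][n], n),
    )
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    for verdict, ctr in counts.items():
        print(f"{verdict}: {sum(ctr.values())} queries, {len(ctr)} distinct names")
    print("unknown names to review, most widely used first:")
    for n in review:
        print(f"  {n}  ({counts['unknown'][n]} queries)")
```

Running the script in audit mode day after day and re-feeding the reviewed names into `ALLOWLIST` or `BLOCKLIST` shrinks the unknown list; enforcement mode is only safe to switch on once that list has stopped growing for the workloads you care about.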