Marketplace blog

Why Protective DNS from Microsoft Marketplace partner Infoblox is foundational for Modern Zero Trust

Anant
Feb 17, 2026

In this guest blog post, Anant Vadlamani, Vice President of Product Management at Infoblox, discusses the importance of Zero Trust for preemptive security and how enterprises can proactively block threats and enforce secure connectivity across all devices and cloud workloads by adopting Protective DNS and Zero Trust DNS, available in the Microsoft Marketplace.


The cybersecurity world is steadily shifting toward Zero Trust. What once seemed like an ambitious framework is becoming the baseline expectation for enterprises. According to Gartner, 63 percent of organizations worldwide have implemented Zero Trust in full or in part. The rationale is simple: the traditional perimeter is gone, cyberattacks are more sophisticated and AI-driven, and breaches remain common even in organizations that have deployed several layers of "detect and respond" tooling.

While organizations are busy securing identities, devices, applications, and networks, many continue to implicitly trust Domain Name System (DNS) — the very foundation of internet connectivity. This oversight undermines the promise of Zero Trust, leaving enterprises vulnerable to attacks and breaches.

In this post, we'll explore why DNS must become the bedrock of Zero Trust. Three capabilities make the case: Protective DNS (PDNS) used as a security control to preemptively block attacks, encrypted DNS used for privacy and resistance to snooping, and the asset inventory that DNS, DHCP, and IP address management (IPAM) hold across hybrid, multi-cloud environments, which feeds informed access decisions. Together they make DNS, DHCP, and IPAM foundational for Modern Zero Trust.

Why Zero Trust matters more than ever

The principles of Zero Trust are rooted in realism. Assume breach. Never trust, always verify. Enforce least privilege. Monitor constantly. Segment aggressively. These guidelines are no longer optional; they are survival tactics.

The drivers of adoption are clear:

  • Infrastructure complexity: Hybrid and multi-cloud deployments mean applications and data are everywhere. The “castle-and-moat” model no longer applies.
  • Device explosion: IoT and operational technology (OT) devices multiply entry points. Every sensor, printer, or connected system is a potential compromise.
  • Remote work: Permanent work from anywhere has dissolved network perimeters. Employees log in from homes, airports, and coffee shops.
  • AI-driven threats: Just as AI accelerates business, it accelerates attackers. AI-assisted adversaries generate single-use malware at a rapid pace, find vulnerabilities faster, hide through cloaking techniques, and launder malicious traffic with increasing sophistication.

Against this backdrop, Zero Trust’s value is undeniable: Even if attackers penetrate the network, lateral movement is restricted and blast radius minimized. But this vision collapses if DNS — the starting point of every network connection — is implicitly trusted.

DNS for preemptive security

Every connection begins with a DNS query. If your Zero Trust strategy implicitly trusts that process, your fortress is built on sand.

DNS is one of the earliest points at which an attack can be stopped, because almost every connection from every part of the network begins with a name lookup through the enterprise resolver. When a user clicks a phishing, smishing (SMS-based), or quishing (QR code-based) link, the device first resolves the malicious domain. When an attacker exploits a vulnerability and gains a foothold, the implant typically resolves the name of a command and control (C2) server to fetch the next stage, malware, or ransomware. When data is exfiltrated (over SCP, FTP, HTTP/HTTPS, or any other protocol), the upload usually starts with a lookup of the attacker's server. One caveat a practitioner should keep in mind: a destination reached by a hard-coded IP address, or a client that sends its queries to a resolver the enterprise does not control, never produces a query the protective resolver can see. That gap is why server-side PDNS needs a complementary control on the endpoint.

In addition, attackers can exploit DNS in multiple ways:

  • Domain generation algorithms (DGAs) churn out a stream of throwaway C2 domains so that static blocklists lag behind, and Zero-Day DNS attacks use newly registered or never-before-seen domains before any threat feed has classified them.
  • Lookalike domains impersonate well-known brands and an organization's own internet properties, fooling customers, suppliers, and employees into giving up their credentials.
  • Dangling DNS records (a CNAME, NS, or A record still pointing at a cloud resource that has since been deprovisioned) let a threat actor claim the orphaned resource and take over the subdomain, inheriting the trust of the parent domain.

In a real-world case, attackers stole sensitive data from a financial organization by encoding it in DNS queries (DNS tunneling), evading the security controls already in place, none of which inspected DNS. Without DNS visibility and control, Zero Trust is reduced to partial trust.

PDNS: A preemptive cybersecurity approach

Protective DNS transforms your DNS server into a powerful security control point. The four building blocks of PDNS are:

  1. Enterprise DNS resolver: Handles all recursive queries within the organization.
  2. Threat intelligence feeds: Continuously updated with indicators of malicious and high-risk domains.
  3. Machine learning and behavioral detection: Identifies new threats based on query patterns.
  4. Policy enforcement (Response Policy Zones, RPZ): Applies organizational rules to block (by answering NXDOMAIN or pointing the name at a sinkhole), allow, or log-only queries for malicious or high-risk domains.
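To make the fourth building block concrete, here is an added example (not Infoblox or Microsoft code) of how a resolver turns an RPZ into per-query decisions. The zone text, its apex rpz.local, the domain names, and the monitor toggle are assumptions for illustration; real RPZ also supports IP, NSDNAME, NSIP, and CLIENT-IP triggers, which this model leaves out and handles QNAME triggers only.

```python
"""Minimal Response Policy Zone (RPZ) evaluator.

Added example (not Infoblox or Microsoft code). It parses a constructed RPZ
zone written in BIND-style master-file syntax and evaluates QNAME triggers the
way a resolver's policy engine does: an exact owner-name match wins, otherwise
the most specific matching wildcard. The zone contents, the apex 'rpz.local'
and the domain names are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample zone. The trigger is the owner name relative to the RPZ
# apex; the action is encoded in the CNAME target per the RPZ convention:
#   CNAME .             -> answer NXDOMAIN (block)
#   CNAME *.            -> answer NODATA (block with an empty answer)
#   CNAME rpz-drop.     -> drop the query silently
#   CNAME rpz-passthru. -> explicit allow (exception to a broader rule)
#   anything else       -> redirect to a local sinkhole / walled-garden name
SAMPLE_ZONE = """
evil-c2.example.rpz.local.          CNAME .                      ; known C2 domain
*.evil-c2.example.rpz.local.        CNAME .                      ; and every subdomain of it
updates.evil-c2.example.rpz.local.  CNAME rpz-passthru.          ; one vetted exception
*.dga-cluster.example.rpz.local.    CNAME *.                     ; DGA family: NODATA
phish-login.example.rpz.local.      CNAME sinkhole.corp.example. ; send users to a warning page
*.tunnel.example.rpz.local.         CNAME rpz-drop.              ; suspected tunnel: drop
"""


@dataclass(frozen=True)
class Verdict:
    qname: str
    action: str               # NXDOMAIN | NODATA | DROP | PASSTHRU | REDIRECT | NOMATCH
    target: Optional[str]     # sinkhole name when action == REDIRECT
    trigger: Optional[str]    # the rule that fired, e.g. "*.evil-c2.example"
    enforced: bool            # False in monitor mode: log only, answer normally


class RpzPolicy:
    def __init__(self, zone_text: str, apex: str = "rpz.local", enforce: bool = True):
        self.enforce = enforce
        self.exact: Dict[str, str] = {}   # trigger -> CNAME target
        self.wild: Dict[str, str] = {}    # base name under "*." -> CNAME target
        suffix = "." + apex.strip(".").lower()
        for raw in zone_text.splitlines():
            line = raw.split(";", 1)[0].strip()   # strip master-file comments
            if not line:
                continue
            owner, rtype, target = line.split()
            if rtype.upper() != "CNAME":
                raise ValueError(f"only CNAME-encoded actions are modelled: {line}")
            owner = owner.lower().rstrip(".")
            if not owner.endswith(suffix):
                raise ValueError(f"owner {owner!r} is outside the RPZ apex")
            trigger = owner[: -len(suffix)]
            if trigger.startswith("*."):
                self.wild[trigger[2:]] = target
            else:
                self.exact[trigger] = target

    @staticmethod
    def _decode(target: str) -> Tuple[str, Optional[str]]:
        """Map the CNAME target of a rule to (action, redirect name)."""
        t = target.lower()
        if t == ".":
            return "NXDOMAIN", None
        if t == "*.":
            return "NODATA", None
        if t == "rpz-drop.":
            return "DROP", None
        if t == "rpz-passthru.":
            return "PASSTHRU", None
        return "REDIRECT", target.rstrip(".")

    def match(self, qname: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (trigger, target): exact match first, then the longest wildcard base."""
        name = qname.lower().rstrip(".")
        if name in self.exact:
            return name, self.exact[name]
        best: Optional[Tuple[str, str]] = None
        for base, target in self.wild.items():
            if name.endswith("." + base) and (best is None or len(base) > len(best[0])):
                best = (base, target)
        return ("*." + best[0], best[1]) if best else (None, None)

    def decide(self, qname: str) -> Verdict:
        trigger, target = self.match(qname)
        if trigger is None:
            return Verdict(qname, "NOMATCH", None, None, False)
        action, redirect = self._decode(target)
        # In monitor mode the verdict is logged but the resolver still answers normally.
        return Verdict(qname, action, redirect, trigger, self.enforce)


if __name__ == "__main__":
    policy = RpzPolicy(SAMPLE_ZONE)
    for q in ("evil-c2.example", "mail.evil-c2.example", "updates.evil-c2.example",
              "x7q.dga-cluster.example", "phish-login.example", "a.tunnel.example",
              "www.microsoft.com"):
        print(policy.decide(q))
```

The precedence rule is the part worth internalising: updates.evil-c2.example is allowed because its exact rule beats the *.evil-c2.example wildcard, which is how a vetted exception is carved out of a blocked family. Running the same zone with enforce=False gives the monitor-mode behaviour described under practical considerations: every verdict is still produced for logging, but nothing is blocked.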

This approach brings several advantages:

  • Preemptive defense: Blocks the DNS lookup for a malicious domain before any connection is made, so the phishing page never loads and the beacon never reaches its C2 server.
  • Containment: Prevents malware already present on devices from “phoning home.”
  • Exfiltration protection: Detects and stops DNS tunneling attempts.
  • Device coverage: Extends protection to IoT, BYOD, cloud workloads and unmanaged endpoints, in addition to standard end-user devices.
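The exfiltration case described earlier and the "detects and stops DNS tunneling" claim above both rest on the same observation: a tunnel shows up in the resolver log as many unique, long, high-entropy subdomains of one domain. The following is an added example (not Infoblox or Microsoft code) of detection logic run over a constructed query log; the log format, hosts, query names, and thresholds are all assumptions for illustration.

```python
"""Heuristic DNS tunneling detector over resolver query logs.

Added example (not Infoblox or Microsoft code). The log format, host names,
sample queries and thresholds are constructed for illustration. A tunnel hides
data in the leftmost labels of many unique, long, high-entropy subdomains of a
single attacker-controlled domain, often using TXT/NULL/CNAME queries to carry
the response channel; the detector scores every registered domain on exactly
those traits and flags the ones that exceed all thresholds.
"""
import math
from collections import defaultdict
from typing import Dict

DATA_QTYPES = {"TXT", "NULL", "CNAME", "MX"}   # record types with room for a payload

# Constructed sample log (one record per line). 10.0.0.5 behaves normally;
# 10.0.0.9 sends base32-looking 40-character chunks under exfil-data.example.
# The cdn-assets lookups are a deliberately high-entropy but *repeated* name,
# which an entropy-only rule would misreport as a tunnel.
SAMPLE_LOG = """\
2026-02-17T10:00:01Z client=10.0.0.5 qname=www.microsoft.com qtype=A
2026-02-17T10:00:02Z client=10.0.0.5 qname=login.microsoftonline.com qtype=A
2026-02-17T10:00:02Z client=10.0.0.5 qname=outlook.office.com qtype=AAAA
2026-02-17T10:00:04Z client=10.0.0.5 qname=teams.microsoft.com qtype=A
2026-02-17T10:00:05Z client=10.0.0.5 qname=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.cdn-assets.example qtype=A
2026-02-17T10:00:06Z client=10.0.0.5 qname=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.cdn-assets.example qtype=A
2026-02-17T10:00:07Z client=10.0.0.9 qname=mfrggzdfmztwq2lknnwg23tpobyxe43uoqyzokjv.0.exfil-data.example qtype=TXT
2026-02-17T10:00:07Z client=10.0.0.9 qname=onswg2lhmnug65lufzrw4ztfmnuxi5lsmvswc5lf.1.exfil-data.example qtype=TXT
2026-02-17T10:00:08Z client=10.0.0.9 qname=krugkidrofzhg5dtnfxw42lhmvza3qzvnfxgk3tp.2.exfil-data.example qtype=TXT
2026-02-17T10:00:08Z client=10.0.0.9 qname=ge2dambrhezdkobzgu3dmmjxifbeggcijvevsydn.3.exfil-data.example qtype=TXT
2026-02-17T10:00:09Z client=10.0.0.9 qname=pfxw23rtnmzs4y3pnvptenjqhazdgnjunzwgkzlv.4.exfil-data.example qtype=TXT
2026-02-17T10:00:09Z client=10.0.0.9 qname=o53tkmjrgu4deolcnfzuy6tbnrxgcztfnzuhe23p.5.exfil-data.example qtype=TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'timestamp key=value ...' log line into a dict (timestamp under 'ts')."""
    fields = line.split()
    rec = {"ts": fields[0]}
    for kv in fields[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def registered_domain(qname: str) -> str:
    """Last two labels. Simplification: ignores multi-label public suffixes like co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def profile(log_text: str) -> Dict[str, Dict[str, float]]:
    """Aggregate per-registered-domain features over every line of the log."""
    acc = defaultdict(lambda: {"payloads": set(), "lens": [], "ents": [], "data": 0, "n": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        labels = rec["qname"].lower().rstrip(".").split(".")
        dom = registered_domain(rec["qname"])
        payload = labels[0] if len(labels) > 2 else ""   # leftmost label carries tunnel data
        d = acc[dom]
        d["n"] += 1
        d["payloads"].add(payload)
        d["lens"].append(len(payload))
        d["ents"].append(shannon_entropy(payload))
        if rec.get("qtype", "").upper() in DATA_QTYPES:
            d["data"] += 1
    out: Dict[str, Dict[str, float]] = {}
    for dom, d in acc.items():
        n = d["n"]
        out[dom] = {
            "queries": n,
            "unique_payloads": len(d["payloads"]),
            "mean_len": sum(d["lens"]) / n,
            "mean_entropy": sum(d["ents"]) / n,
            "data_qtype_ratio": d["data"] / n,
        }
    return out


def detect_tunnels(log_text: str, min_unique: int = 5, min_len: float = 20.0,
                   min_entropy: float = 3.0) -> Dict[str, Dict[str, float]]:
    """Flag domains that exceed *all* thresholds; requiring all three keeps a
    single long CDN hash or a burst of short names from tripping the rule."""
    return {dom: f for dom, f in profile(log_text).items()
            if f["unique_payloads"] >= min_unique
            and f["mean_len"] >= min_len
            and f["mean_entropy"] >= min_entropy}


if __name__ == "__main__":
    for dom, feats in detect_tunnels(SAMPLE_LOG).items():
        print(dom, feats)
```

The thresholds are starting points, not constants of nature: tune them in monitor mode against your own resolver logs, and expect to add a public-suffix list before relying on registered_domain in production.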

With PDNS, every DNS query becomes an opportunity to enforce Zero Trust principles.

Encryption: Sealing the envelope

Traditional DNS operates like a postcard — visible to anyone along the route. Encrypted DNS transforms it into a sealed envelope, safeguarding privacy and integrity. Two standards dominate:

  • DNS over TLS (DoT, RFC 7858): Uses a dedicated port (853) for encrypted queries, which makes the traffic easy to identify and manage, and just as easy for a network to block if nobody planned for it.
  • DNS over HTTPS (DoH, RFC 8484): Encapsulates DNS within HTTPS traffic on port 443, making it indistinguishable from normal web traffic. That is good for privacy, but it also means an application carrying its own DoH resolver can bypass the enterprise's protective resolver unless the endpoint is configured to use only approved servers.

Both align with modern security guidance, including NIST SP 800-81 (Secure Domain Name System (DNS) Deployment Guide), which recommends using the most secure transport that the resolver and its clients support.
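The difference between the two transports is just framing around the same DNS message, which is easiest to see in code. The following is an added example (not Infoblox or Microsoft code, and not a client you would deploy): it builds a wire-format query, wraps it the way DoT and DoH each carry it, and parses DoT frames back out of a byte stream. The server name dns.example and the path /dns-query are assumptions; no network connection is made.

```python
"""Framing one DNS query for DoT and for DoH.

Added example (not Infoblox or Microsoft code). It builds the wire-format
query itself, then shows the two transports' framing: DoT (RFC 7858) carries
the message over TLS on port 853 with the same 2-byte length prefix as DNS
over TCP; DoH (RFC 8484) carries it as an HTTPS request body or as a base64url
'dns' query parameter. The server name dns.example and path /dns-query are
assumptions; no network connection is made.
"""
import base64
import struct
from typing import Dict, List, Tuple

QTYPES = {"A": 1, "AAAA": 28, "TXT": 16}
DOT_PORT = 853                       # RFC 7858: dedicated port, easy to spot or to block
DOH_CONTENT_TYPE = "application/dns-message"


def encode_qname(name: str) -> bytes:
    """RFC 1035 name encoding: length-prefixed labels terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(qname: str, qtype: str = "A", txid: int = 0) -> bytes:
    """Standard query, RD=1, one question. txid 0 keeps DoH GET URLs cacheable (RFC 8484)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", QTYPES[qtype], 1)


def frame_dot(msg: bytes) -> bytes:
    """DoT framing (same as DNS over TCP): 16-bit big-endian length, then the message."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def parse_dot_stream(data: bytes) -> Tuple[List[bytes], bytes]:
    """Split a possibly partial DoT byte stream into whole messages plus leftover bytes."""
    msgs: List[bytes] = []
    i = 0
    while i + 2 <= len(data):
        (n,) = struct.unpack("!H", data[i:i + 2])
        if i + 2 + n > len(data):
            break                      # incomplete message: wait for more bytes
        msgs.append(data[i + 2:i + 2 + n])
        i += 2 + n
    return msgs, data[i:]


def doh_get_url(msg: bytes, server: str = "dns.example", path: str = "/dns-query") -> str:
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' parameter."""
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"https://{server}{path}?dns={token}"


def doh_post(msg: bytes, server: str = "dns.example", path: str = "/dns-query") -> Dict:
    """RFC 8484 POST form: the raw message is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": f"https://{server}{path}",
        "headers": {"Content-Type": DOH_CONTENT_TYPE, "Accept": DOH_CONTENT_TYPE},
        "body": msg,
    }


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("DoT frame to port", DOT_PORT, ":", frame_dot(q).hex())
    print("DoH GET:", doh_get_url(q))
    print("DoH POST body bytes:", len(doh_post(q)["body"]))
```

For www.example.com the GET URL this produces ends in the same dns= token that RFC 8484 uses in its own GET example, which is a handy sanity check when writing DoH tooling. The DoT side is the point the bullet list makes: the frame goes to port 853 and is trivially fingerprinted, while the DoH request is an ordinary HTTPS POST or GET to port 443.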

Device visibility

Access decisions about devices should be driven by up-to-date asset data covering the entire hybrid, multi-cloud environment, fed into the Zero Trust policy engine. That asset data can come from the IP address management (IPAM) system that goes hand in hand with DNS and DHCP, including granular device history and network activity. With this device context, you can set access policies for devices, including IoT/OT devices.

Extending Zero Trust to the endpoint: Microsoft ZTDNS

While PDNS secures DNS at the server level, Zero Trust DNS (ZTDNS) from Microsoft extends enforcement to the client. Available in Windows 11, ZTDNS ensures devices only connect to approved destinations, either defined by IT admins or validated by a trusted PDNS server.

Key features include:

  • Block everything by default: Outbound IP connections are denied unless the destination address was returned by the trusted PDNS server or was explicitly approved by an IT admin.
  • Encrypted-only queries: Supports DoH and DoT exclusively, eliminating plaintext DNS.
  • Visibility and logging: Provides device-level insight into allowed and blocked connections, stored locally for administrators.

ZTDNS complements PDNS by closing bypass attempts at the endpoint. Even if an application tries to use its own resolver (including an unsanctioned DoH server) or connects straight to a hard-coded IP address, the OS drops the traffic, because the destination was never vetted by the PDNS server.

The Infoblox + Microsoft advantage

Infoblox and Microsoft together provide a holistic solution, creating a defense-in-depth model:

  • PDNS provides centralized intelligence, filtering, and monitoring across the enterprise.
  • ZTDNS enforces client-side policies, ensuring devices cannot sidestep protections.

In joint testing, the combination successfully:

  • Blocked connections to malicious domains
  • Prevented data exfiltration attempts
  • Enforced encrypted DNS across devices
  • Denied direct IP connections to untrusted endpoints

This synergy turns DNS into the first and most important Zero Trust control point.

Practical considerations

For enterprises considering this approach, a few realities must be acknowledged:

  • PDNS is additive: It works alongside existing infrastructure rather than replacing it.
  • ZTDNS is not a silver bullet: It’s a powerful piece of the puzzle but must be combined with identity, application, and network controls.
  • Change management is key: Test in monitor mode, where policy hits are logged but not enforced, before turning on strict allow lists, and use those logs to build the exception list so business-critical applications are not disrupted.

The journey to Zero Trust is iterative, but Protective DNS is a foundational step that can no longer be postponed.


Updated Feb 13, 2026
Version 1.0