Announcing Public Preview of Zero Trust DNS
In today's evolving cybersecurity landscape, traditional perimeter defenses are no longer sufficient . As organizations embrace the Zero Trust security model, ensuring that devices only communicate with trusted network destinations becomes paramount. We are excited to announce the public preview of Zero Trust DNS (ZTDNS), a new feature in Windows 11 Insider builds designed to enforce domain-name-based network access controls, enhancing your organization's security posture. ZTDNS empowers enterprise IT administrators to natively apply outbound domain-name-based network access controls on Windows 11 endpoints. This helps prevent access to untrusted destinations, reducing the risk of a slew of network attacks from malware communication to data exfiltration. What is Zero Trust DNS? ZTDNS integrates the Windows DNS client with trusted Protective DNS (PDNS) servers to control outbound IP traffic based on domain names. When ZTDNS is configured on a Windows 11 device to use PDNS servers that support DNS over HTTPS (DoH) or DNS over TLS (DoT), ZTDNS ensures that: The Windows DNS client forces the use of encrypted DNS and queries are only sent to the configured PDNS servers. Outbound traffic is permitted only to IP addresses resolved by these trusted PDNS servers or to IP ranges with a manual exception plumbed by the IT administrator. All other IPv4 and IPv6 outbound traffic is blocked by default, adhering to the "deny by default" principle of Zero Trust. A log of attempted outbound connections is maintained on the device. This approach reduces the need for deep packet inspection or reliance on insecure signals like plain-text DNS or Server Name Indication (SNI) when attempting to determine the domain name associated with outbound traffic. This makes ZTDNS an important tool in the Zero Trust toolbelt since DNS traffic and SNI are increasingly being encrypted. It also aligns with Zero Trust principles by assuming all destinations are untrusted by default, only allowing connections to destinations explicitly permitted through DNS resolutions provided by trusted PDNS servers. For more information, visit our previous blog post on design of ZTDNS. Threats Zero Trust DNS Helps Mitigate Implementing ZTDNS can bolster your defenses against various network-based threats, including: DNS Hijacking: By ensuring that only DNS resolutions from trusted PDNS servers are used, ZTDNS helps prevent attackers from redirecting traffic to malicious sites. Malicious Communications: Blocking outbound connections to IP addresses not resolved through trusted DNS queries helps disrupt phishing and even non-administrative malware stagers and beacons. Data Exfiltration: Restricting outbound traffic to approved domains reduces the risk of sensitive data being transmitted to unauthorized destinations without conducting analysis of domain name resolution patterns. Getting Started with Zero Trust DNS NOTE: Public Preview of ZTDNS has officially ended. The instructions below are no longer supported. We appreciate you taking the time to test out ZTDNS in Public Preview. Your valuable feedback has helped us improve ZTDNS. For further assistance, please reach out to ztdnspreview@microsoft.com. To enable ZTDNS in your environment: Get a supported Windows 11 build Enroll your device in the Windows Insider Program (Canary channel) and update to build 27766+. Unlock ZTDNS In an administrator command prompt, run: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v Experiment4712 /d 0xbe8261eb /t REG_DWORD Reboot the device. Ensure all applications and services are configured to use the Windows DNS client Configure applications like Edge and Chrome to use the Windows DNS client instead of their custom client (disable BuiltInDnsClientEnabled policy). Add manual allow exceptions Teleconferencing applications like Teams use WebRTC which negotiates IP addresses for peers within a TLS tunnel and has no DNS visibility. These IP subnets are also publicly documented and need manual allow exceptions for the application to work with ZTDNS. Add manual allow exceptions for IP addresses that are necessary for your productivity applications/services but are not discovered through DNS. Here is a sample command, for manual allow exception, which needs to run in administrator command prompt: netsh ztdns add exception name=AppName description="Description of AppName" subnets=192.0.2.128/25,198.51.100.0/24,3fff::/48, 3fff:123::/38 Here is a link Microsoft 365 services that may need manual allow exceptions. Set your trusted Protective DNS server (needs to be DoH/ DoT capable) In an administrator command prompt, replace example data in following sample commands with information about your desired DNS server before running: netsh ztdns add server type=doh address=203.0.113.0 template=https://doh.resolver.example/dns-query netsh ztdns add server type=dot address=2001:db8::1 hostname=dot.resolver.example Enable ZTDNS ZTDNS can be enabled using Audit mode or Enforcement mode. Audit mode logs all expected ZTDNS behavior without the actual enforcement. Check out the next blog post for finding and comprehending ZTDNS logs. Enabling ZTDNS in audit mode is recommended before moving on to Enforcement mode. In an administrator command prompt, run: netsh ztdns set state enable=yes audit=yes Enforcement mode blocks untrusted traffic. In an administrator command prompt, run: netsh ztdns set state enable=yes audit=no Now you should have ZTDNS running! In a rare situation where you experience unexpected connectivity issues for some application, please restart the application. If the issue persists, please reboot the device. Disable ZTDNS ZTDNS is a powerful lockdown feature. In case you lose network connectivity due to misconfiguration, you can disable ZTDNS to restore your network connectivity. In an administrator command prompt, run: netsh ztdns set state enable=no audit=no Note: ZTDNS is currently in Public Preview and is intended for evaluation and feedback only. Do not deploy in production environments. Breaking changes may occur before General Availability (GA). Check out the next blog post Troubleshooting Zero Trust DNS for information on ZTDNS logs, sharing feedback and bug reports with the team. Join Me at RSAC 2025 I am excited to share that I will be attending the RSA Conference 2025! If you are planning to be there, stop by Microsoft booth N-5744 or Microsoft Security Hub and ask for Aditi Patange to discuss how ZTDNS can enhance your organization's security posture. Securing the Present, Innovating for the Future Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems secure by design and by default, from Windows to the cloud, enabling trust at every layer of the digital experience. The updated Windows Security book is available to help you understand how to stay secure with Windows. Learn more about Windows 11 and Copilot+ PCs. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
