Networking

Announcing Public Preview of Zero Trust DNS
In today's evolving cybersecurity landscape, traditional perimeter defenses are no longer sufficient. As organizations embrace the Zero Trust security model, ensuring that devices only communicate with trusted network destinations becomes paramount. We are excited to announce the public preview of Zero Trust DNS (ZTDNS), a new feature in Windows 11 Insider builds designed to enforce domain-name-based network access controls, enhancing your organization's security posture.

ZTDNS empowers enterprise IT administrators to natively apply outbound domain-name-based network access controls on Windows 11 endpoints. This helps prevent access to untrusted destinations, reducing the risk of a range of network attacks, from malware communication to data exfiltration.

What is Zero Trust DNS?

ZTDNS integrates the Windows DNS client with trusted Protective DNS (PDNS) servers to control outbound IP traffic based on domain names. When ZTDNS is configured on a Windows 11 device to use PDNS servers that support DNS over HTTPS (DoH) or DNS over TLS (DoT), ZTDNS ensures that:
• The Windows DNS client forces the use of encrypted DNS, and queries are only sent to the configured PDNS servers.
• Outbound traffic is permitted only to IP addresses resolved by these trusted PDNS servers, or to IP ranges with a manual exception configured by the IT administrator.
• All other IPv4 and IPv6 outbound traffic is blocked by default, adhering to the "deny by default" principle of Zero Trust.
• A log of attempted outbound connections is maintained on the device.

This approach reduces the need for deep packet inspection or reliance on insecure signals such as plain-text DNS or Server Name Indication (SNI) when attempting to determine the domain name associated with outbound traffic. This makes ZTDNS an important tool in the Zero Trust toolbelt, since DNS traffic and SNI are increasingly being encrypted.
It also aligns with Zero Trust principles by assuming all destinations are untrusted by default, only allowing connections to destinations explicitly permitted through DNS resolutions provided by trusted PDNS servers. For more information, see our previous blog post on the design of ZTDNS.

Threats Zero Trust DNS Helps Mitigate

Implementing ZTDNS can bolster your defenses against various network-based threats, including:
• DNS Hijacking: By ensuring that only DNS resolutions from trusted PDNS servers are used, ZTDNS helps prevent attackers from redirecting traffic to malicious sites.
• Malicious Communications: Blocking outbound connections to IP addresses not resolved through trusted DNS queries helps disrupt phishing and even non-administrative malware stagers and beacons.
• Data Exfiltration: Restricting outbound traffic to approved domains reduces the risk of sensitive data being transmitted to unauthorized destinations, without requiring analysis of domain name resolution patterns.

Getting Started with Zero Trust DNS

To enable ZTDNS in your environment:

Get a supported Windows 11 build
Enroll your device in the Windows Insider Program (Canary channel) and update to build 27766 or later.

Unlock ZTDNS
In an administrator command prompt, run:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v Experiment4712 /d 0xbe8261eb /t REG_DWORD
Reboot the device.

Ensure all applications and services are configured to use the Windows DNS client
Configure applications like Edge and Chrome to use the Windows DNS client instead of their built-in client (disable the BuiltInDnsClientEnabled policy).

Add manual allow exceptions
Teleconferencing applications like Teams use WebRTC, which negotiates peer IP addresses inside a TLS tunnel and therefore has no DNS visibility. These IP subnets are publicly documented and need manual allow exceptions for the application to work with ZTDNS.
Add manual allow exceptions for IP addresses that are necessary for your productivity applications and services but are not discovered through DNS. Here is a sample command for a manual allow exception, which needs to be run in an administrator command prompt:
    netsh ztdns add exception name=AppName description="Description of AppName" subnets=192.0.2.128/25,198.51.100.0/24,3fff::/48,3fff:123::/38
Here is a link to Microsoft 365 services that may need manual allow exceptions.

Set your trusted Protective DNS server (needs to be DoH/DoT capable)
In an administrator command prompt, replace the example data in the following sample commands with information about your DNS server before running them:
    netsh ztdns add server type=doh address=203.0.113.0 template=https://doh.resolver.example/dns-query
    netsh ztdns add server type=dot address=2001:db8::1 hostname=dot.resolver.example

Enable ZTDNS
ZTDNS can be enabled in Audit mode or Enforcement mode. Audit mode logs all expected ZTDNS behavior without actually enforcing it. See the next blog post for finding and interpreting ZTDNS logs. Enabling ZTDNS in Audit mode is recommended before moving on to Enforcement mode. In an administrator command prompt, run:
    netsh ztdns set state enable=yes audit=yes
Enforcement mode blocks untrusted traffic. In an administrator command prompt, run:
    netsh ztdns set state enable=yes audit=no
Now you should have ZTDNS running! In the rare situation where you experience unexpected connectivity issues with some application, restart the application. If the issue persists, reboot the device.

Disable ZTDNS
ZTDNS is a powerful lockdown feature. If you lose network connectivity due to misconfiguration, you can disable ZTDNS to restore it. In an administrator command prompt, run:
    netsh ztdns set state enable=no audit=no

Note: ZTDNS is currently in Public Preview and is intended for evaluation and feedback only. Do not deploy it in production environments.
Breaking changes may occur before General Availability (GA). See the next blog post, Troubleshooting Zero Trust DNS, for information on ZTDNS logs and on sharing feedback and bug reports with the team.

Join Me at RSAC 2025

I am excited to share that I will be attending the RSA Conference 2025! If you are planning to be there, stop by Microsoft booth N-5744 or the Microsoft Security Hub and ask for Aditi Patange to discuss how ZTDNS can enhance your organization's security posture.

Securing the Present, Innovating for the Future

Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems that are secure by design and by default, from Windows to the cloud, enabling trust at every layer of the digital experience. The updated Windows Security book is available to help you understand how to stay secure with Windows. Learn more about Windows 11 and Copilot+ PCs. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Learning Azure with Ofek ☁️ Episode 1: What Is WAF and Why Should You Care?
Welcome to Learning Azure with Ofek, a series where we explore the essential tools, services, and best practices in Microsoft Azure in a simple and practical way. In this first episode, we’re diving into WAF. Ever heard of the term WAF? Let’s break it down together and understand why it’s such a powerful security layer for your apps and websites.

When it comes to protecting your web assets, a WAF (Web Application Firewall) provides centralized protection. Beyond individual resource security, a WAF adds a smart, scalable layer that detects and blocks common attacks such as SQL injection and XSS (cross-site scripting) across your entire app.

Another key role of a WAF is protecting against crawlers, automated bots that roam the internet gathering information.
• A “good” crawler (like Google) indexes your site for search results, respects your site rules, and ignores areas you’ve marked as private.
• A “malicious crawler”, however, scans the web looking for sensitive data, security loopholes, and organizational vulnerabilities.

From my experience, Azure makes deploying a WAF even easier. You can integrate it with services like Azure Application Gateway, Azure Front Door, and Azure CDN, each tailored for different use cases. In the image below, you can see how WAF works with Application Gateway at Layer 7 (L7), protecting the environment from web-based threats and securely routing requests to server pools like Site1 and Site2.

So instead of stressing over every little threat, give WAF a serious look. It might just save your environment.

Troubleshooting Zero Trust DNS
By adopting Zero Trust DNS (ZTDNS), organizations can strengthen their Zero Trust deployments, ensuring that Windows 11 devices only communicate with trusted network destinations. This blog post will help ZTDNS Public Preview self-hosters retrieve and update the ZTDNS configuration, find ZTDNS logs, debug ZTDNS, share feedback, and report bugs to the team. Some known issues are also listed.

Retrieving ZTDNS configuration

You can find information on the commands to retrieve trusted server information, manually allowed exceptions, the state of ZTDNS, and more by running the following in a command prompt:
    netsh ztdns show help

Updating ZTDNS configuration

You can add new exceptions or servers while ZTDNS is running on your device, using the same commands as in the ZTDNS deployment process. Run the following in a command prompt for more information:
    netsh ztdns add help
You can find information on the commands to delete configuration such as trusted servers, manually allowed exceptions, and more by running the following in a command prompt:
    netsh ztdns delete help

Finding ZTDNS logs

When ZTDNS is running on your device, you can check Event Viewer to see logs for all attempted connections from the device. Search for ‘Event Viewer’ in the Start menu and open it. In the left panel, go to ‘Applications and Services Logs’ -> ‘Microsoft’ -> ‘Windows’ -> ‘ZTDNS’. You should see three logs under this folder:
• BlockedConnections: contains logs about connections blocked by ZTDNS. Each blocked connection log records the time of the blocked connection, source IP address, source port, destination IP address, destination port, and name of the initiating process.
• Operational: contains logs about ZTDNS configuration and service state changes.
• PermittedConnections: contains logs about connections allowed by ZTDNS.
Each permitted connection log records the time of the permitted connection, source IP address, source port, destination IP address, destination port, and name of the initiating process. (Note: this log is disabled by default and can be enabled by right-clicking ‘PermittedConnections’ in the left panel and selecting ‘Enable Log’.)

Debugging ZTDNS

If you experience connectivity issues after enabling ZTDNS, verify that ZTDNS has at least one trusted DNS server set. To see all trusted DNS servers set for ZTDNS, run the following in a command prompt:
    netsh ztdns show server
Check connectivity to the trusted DNS server using ping, and try resolving an allowed domain name using the trusted DNS server with Resolve-DnsName. After this, a ping to the resolved IP address should succeed. Alternatively, you can ping an allowed domain name directly, which should use the Windows DNS client and the trusted DNS server for name resolution; this checks connectivity to the trusted DNS server as well as to the resolved endpoint. If your issue still persists, please file a bug. You can restore network connectivity by disabling ZTDNS. In an administrator command prompt, run:
    netsh ztdns set state enable=no audit=no

Reporting feedback and bugs

We value your feedback! Your feedback from testing ZTDNS in preview is crucial for us as we get ready for GA. To share your feedback or report a bug:
• Search for ‘Feedback Hub’ in the Start menu and open it.
• In the left panel, click ‘Feedback’.
• Click the ‘+ Give new feedback’ button to enter new feedback, or upvote an existing entry that matches your feedback.
• In section 1, ‘Summarize your feedback’, enter ‘[ZTDNS]’ followed by your feedback in the text box.
• In section 2, ‘Choose a category’, select ‘Problem’ if you want to report a bug and ‘Suggestion’ if you want to give feedback. For the left dropdown box, choose ‘Network and Internet’ and for the right dropdown box, choose ‘DNS’.
• Fill out sections 3 and 4.
• Click ‘Submit’.
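The audit-mode rollout from the Getting Started steps and the debugging checks above, combined into one PowerShell script. This is an added example, not code from the ZTDNS posts; it reuses the sample DoH server and subnets from the post, assumes learn.microsoft.com is a name your PDNS server resolves, and assumes the BlockedConnections channel name contains "ZTDNS" and "Blocked" (the post only gives the Event Viewer folder).

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the ZTDNS blog posts. Performs the audit-mode
# rollout from "Getting Started" and then the checks from "Debugging ZTDNS".
# Server and subnet values are the documentation samples from the post;
# replace them with your own PDNS server and allow-listed subnets.

$DohAddress  = '203.0.113.0'                             # sample value from the post
$DohTemplate = 'https://doh.resolver.example/dns-query'  # sample value from the post
$Exceptions  = @{                                        # constructed sample exception
    'AppName' = '192.0.2.128/25,198.51.100.0/24,3fff::/48,3fff:123::/38'
}
$AllowedName = 'learn.microsoft.com'   # assumption: a name your PDNS server resolves

function Unlock-Ztdns {
    # Same registry override as in the post; the device must be rebooted afterwards.
    reg.exe add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' `
        /v Experiment4712 /d 0xbe8261eb /t REG_DWORD /f | Out-Null
}

function Set-ZtdnsAuditConfig {
    # Trusted DoH server first, then the manual exceptions, then audit mode.
    netsh ztdns add server type=doh "address=$DohAddress" "template=$DohTemplate"
    foreach ($name in $Exceptions.Keys) {
        netsh ztdns add exception "name=$name" "description=Allowlist-$name" "subnets=$($Exceptions[$name])"
    }
    # Audit mode logs what enforcement would block without blocking anything yet.
    netsh ztdns set state enable=yes audit=yes
}

function Test-ZtdnsPath {
    # Step 1: is the trusted server reachable at all?
    $serverOk = Test-Connection -ComputerName $DohAddress -Count 1 -Quiet
    # Step 2: resolve an allowed name via the trusted server, as the post suggests.
    $answer = Resolve-DnsName -Name $AllowedName -Server $DohAddress -Type A -ErrorAction SilentlyContinue
    $ip = ($answer | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    # Step 3: the resolved address must be reachable; under ZTDNS only resolved
    # or excepted destinations are permitted.
    $ipOk = if ($ip) { Test-Connection -ComputerName $ip -Count 1 -Quiet } else { $false }
    [pscustomobject]@{ ServerReachable = $serverOk; ResolvedIP = $ip; EndpointReachable = $ipOk }
}

function Get-ZtdnsRecentBlocks {
    # The post gives the Event Viewer folder (Microsoft -> Windows -> ZTDNS), not the
    # channel name, so the BlockedConnections channel is located by wildcard (assumption).
    Get-WinEvent -ListLog '*ZTDNS*Blocked*' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WinEvent -LogName $_.LogName -MaxEvents 50 -ErrorAction SilentlyContinue } |
        Select-Object TimeCreated, Message
}

# Typical order: run Unlock-Ztdns once, reboot, then the three calls below.
Set-ZtdnsAuditConfig
Test-ZtdnsPath
Get-ZtdnsRecentBlocks
```

Review the blocked-connection output in audit mode before switching to enforcement; any destination that legitimately appears there needs either a PDNS-resolvable name or a manual exception.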
Known issues

Chromium-based WebView2 applications (including the new Outlook and Teams) use their own encrypted DNS clients instead of the Windows DNS client. On a Windows 11 device with ZTDNS enabled, depending on the DNS server contacted by the WebView2 DNS client, these applications will fail to send traffic to any resolved IP addresses. We are actively working to solve this for all applications using Chromium under the hood, including our own. You can track the linked Chromium issue for the latest updates.

DC Client DNS Config
Hello,

We have two buildings and two DCs in each building. The network speed within each building, between DCs, is 10Gb. The network speed between the buildings is 1Gb. There is a single domain and a single AD site. Each DC has AD integrated DNS. What should the DNS settings be on each server? I'm thinking..

Building 1 DC1: Building 1 DC2, Building 2 DC1, Building 2 DC2, Loopback
Building 1 DC2: Building 1 DC1, Building 2 DC1, Building 2 DC2, Loopback
Building 2 DC1: Building 2 DC2, Building 1 DC1, Building 1 DC2, Loopback
Building 2 DC2: Building 2 DC1, Building 1 DC1, Building 1 DC2, Loopback

If there were two AD sites, I'd have each site DC1 point to DC2 on the same site and itself by loopback. I'd have DC2 point to DC1 on the same site and itself by loopback. But with a 1Gb link between buildings, it doesn't seem necessary to have two AD sites so I have four DCs in the same AD site. Thoughts and references if possible. Many thanks.

Untagged VLAN - Server 2025 Hyper-V
Hi,

I have a strange issue and am not finding a solution. Using Server 2025 with a two node Hyper-V cluster. Most of the machines use VLANs, which works fine. Some machines use no VLAN config, which usually means "Access VLAN 1" regarding our switch configuration. With Server 2019 this worked fine. With Server 2025, same NIC port, same server/NIC hardware, "Untagged" VMs don't get any network connection. If I add a second NIC to the VM "Untagged", the NIC immediately gets an IP address and has a proper connection. If I remove the first NIC, the second NIC stops working. It looks like something has changed with Server 2025 (maybe already with Server 2022). Do you have any idea what kind of problem I have found?

Thanks
Jack

365 family subscription bug
Hello,

I was using Microsoft PowerPoint this morning when my account was deactivated because “subscription expired”. I have a 365 Family subscription and yet everything is in order. The license holder deleted me and re-added me without success, since the link works but once on my account it displays "your subscription has expired since October 27, 2013". I even deleted my linked devices, but without success. Despite my subscription being in order and the link working, I'm systematically returned to the "your subscription has expired since October 27, 2013" box, even though I'm currently under an active 365 Family subscription.

Choosing motherboard for Win 2022 Server
Hello,

I'm trying to build a new box that can host Windows Server 2022 Standard. One possible motherboard product I've learned of is the Gigabyte B550M DS3H AC. Has anyone used this board for a Server 2022 deployment? If not, can you recommend one?

Thanks,
anwr98334

Bypass LBFO Teaming deprecation on Hyper-V and Windows Server 2022
Starting with Windows Server 1903 and 1909, Hyper-V virtual switches on an LBFO-type network adapter team are deprecated (see documentation). The technology remains supported, but it will not evolve. It is recommended to create a Switch Embedded Teaming (SET) aggregate instead.

In practice

SET is a very interesting technology that comes with some constraints. The interfaces used must have identical characteristics:
• Manufacturer
• Model
• Link speed
• Configuration

Even if these constraints do not seem huge, we are very far from the flexibility of LBFO Teaming, which, as a reminder, has no such constraints at all. In practice, SET is recommended with network interfaces of 10Gb or more. This leaves out the typical LBFO use cases: using all the integrated NICs on a prosumer motherboard, a home lab, or refurbished hardware.

If SET cannot be used

As of Windows Server 2022, it is not possible to use the Hyper-V Manager console to create a virtual switch on an LBFO team, as it will prompt an error saying that LBFO has been deprecated. However, it is possible to use PowerShell to create this virtual switch.

First, create the team of your network cards using Server Manager; in my case the team uses LACP mode and the Dynamic load balancing mode. Then execute the PowerShell command below to create the virtual switch on the team created in the previous step:
    New-VMSwitch -Name "LAN" -NetAdapterName "LINK-AGGREGATION" -AllowNetLbfoTeams $true -AllowManagementOS $true

In detail:
• The virtual switch will be named "LAN".
• The network adapter team is named "LINK-AGGREGATION".
• The aggregate remains usable to access the Hyper-V host (-AllowManagementOS $true).

You will see your network team up and running on the Hyper-V host. That's it!
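The same procedure as a single PowerShell script, added here as an example rather than the author's commands: it creates the LBFO team with the LACP/Dynamic settings from the post instead of using Server Manager, waits for the team to come up, and only then binds the Hyper-V switch to it. The member adapter names 'Ethernet' and 'Ethernet 2' are an assumption; list yours with Get-NetAdapter.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post author's script. Builds the LBFO team from the
# post in PowerShell, waits for it to report Up, then creates the vSwitch with
# -AllowNetLbfoTeams, which is what lets Server 2022 accept a deprecated team.
$TeamName   = 'LINK-AGGREGATION'          # team name used in the post
$SwitchName = 'LAN'                       # switch name used in the post
$Members    = @('Ethernet', 'Ethernet 2') # assumption: replace with your NIC names

function New-LbfoTeamSwitch {
    if (-not (Get-NetLbfoTeam -Name $TeamName -ErrorAction SilentlyContinue)) {
        # LACP + Dynamic as in the post; the physical switch ports must run LACP too.
        New-NetLbfoTeam -Name $TeamName -TeamMembers $Members -TeamingMode Lacp `
            -LoadBalancingAlgorithm Dynamic -Confirm:$false | Out-Null
    }

    # Do not bind a vSwitch to a team that is still Down or Degraded: the host
    # would lose management connectivity with no working path to fix it.
    $deadline = (Get-Date).AddSeconds(60)
    do {
        $team = Get-NetLbfoTeam -Name $TeamName
        if ($team.Status -eq 'Up') { break }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)
    if ($team.Status -ne 'Up') {
        throw "Team $TeamName is $($team.Status); check member links and LACP on the switch."
    }

    if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
        # Same command as the post; -AllowManagementOS keeps host access over the team.
        New-VMSwitch -Name $SwitchName -NetAdapterName $TeamName `
            -AllowNetLbfoTeams $true -AllowManagementOS $true | Out-Null
    }
    Get-VMSwitch -Name $SwitchName | Select-Object Name, NetAdapterInterfaceDescription, AllowManagementOS
}

New-LbfoTeamSwitch
```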