Microsoft introduces Zero Trust DNS Private Preview (ZTDNS) to block encrypted traffic from apps and malware

It will allow blocking of traffic with a forbidden domain name




In a move aimed at boosting the security infrastructure, Microsoft is bringing Zero Trust DNS (ZTDNS) to Windows devices. Currently in the Private Preview, ZTDNS will soon be available to Windows Insiders.

In the official announcement, Microsoft explains how ZTDNS, integrated with the Windows DNS (Domain Name System) client and the Windows Filtering Platform (WFP), works.

First, Windows is provisioned with a set of DoH- or DoT-capable Protective DNS servers; these are expected to only resolve allowed domain names. This provisioning may also contain a list of IP address subnets that should always be allowed (for endpoints without domain names), expected Protective DNS server certificate identities to properly validate that the connection is to the expected server, or certificates to be used for client authentication.

Elaborating on the next step in the authentication process, Microsoft explains,

In simple words, any outbound network traffic (IPv4 and IPv6) to an IP address that was not returned by one of the provisioned Protective DNS servers, and that is not on the always-allowed subnet list, will be blocked. With this, administrators can quickly and securely block traffic that cannot be tied to an approved domain name, including connections that applications or malware make to hard-coded IP addresses.

In another blog post highlighting deployment considerations for Windows’ Zero Trust DNS, Microsoft highlights that the feature might conflict with printing, file sharing, Windows updates, teleconferencing apps, media streaming, and casting to wireless displays. However, all these can be resolved through some quick modifications!
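To make the enforcement model described above concrete, here is a small simulation I wrote for this article; it is not Microsoft's ZTDNS code and does not touch the Windows DNS client or WFP. It assumes a constructed provisioning set (two Protective DNS server addresses, an always-allowed printer subnet, and the answers the resolver would give for allowed names) and shows why a hard-coded destination or a printer outside the allowed subnet is blocked while a name resolved through the Protective DNS server is not.

```python
"""Constructed simulation of the Zero Trust DNS enforcement model.

Not Microsoft's implementation: it only models the decision rule the
announcement describes (allow traffic to Protective DNS servers, to
always-allowed subnets, and to addresses learned via Protective DNS;
block everything else).
"""
import ipaddress

# Constructed provisioning data (hypothetical addresses, documentation ranges).
PROTECTIVE_DNS_SERVERS = {"10.0.0.53", "10.0.0.54"}
ALWAYS_ALLOWED_SUBNETS = [
    ipaddress.ip_network("192.168.10.0/24"),   # e.g. the office printer VLAN
    ipaddress.ip_network("fd00:10::/64"),
]

# Constructed answers: a Protective DNS server only resolves allowed names,
# so anything absent from this table gets an empty answer.
PROTECTIVE_ANSWERS = {
    "intranet.example.test": ["10.20.0.15"],
    "updates.example.test": ["203.0.113.10", "2001:db8::10"],
}


def _norm(ip: str) -> str:
    """Canonical textual form so IPv6 spelling variants compare equal."""
    return str(ipaddress.ip_address(ip))


class ZtdnsHost:
    """Models one Windows client under ZTDNS: a DNS client that records
    which addresses came from Protective DNS, plus an outbound filter."""

    def __init__(self):
        self.resolved_ips = {}   # normalized IP -> domain it was learned from

    def resolve(self, server: str, domain: str) -> list:
        """Resolve via a Protective DNS server (DoH/DoT in the real design).

        Plain DNS to any other server is blocked outright, which is what stops
        an app from simply asking a public resolver instead.
        """
        if _norm(server) not in PROTECTIVE_DNS_SERVERS:
            raise PermissionError(f"DNS to non-protective server {server} is blocked")
        answers = PROTECTIVE_ANSWERS.get(domain, [])
        for ip in answers:
            self.resolved_ips[_norm(ip)] = domain
        return list(answers)

    def check_outbound(self, dst_ip: str):
        """Return (allowed, reason) for a new outbound flow to dst_ip."""
        addr = ipaddress.ip_address(dst_ip)
        key = str(addr)
        if key in PROTECTIVE_DNS_SERVERS:
            return True, "Protective DNS server"
        for net in ALWAYS_ALLOWED_SUBNETS:
            if addr in net:
                return True, f"always-allowed subnet {net}"
        if key in self.resolved_ips:
            return True, f"resolved via Protective DNS as {self.resolved_ips[key]}"
        return False, "no allowed domain associated with this address"


if __name__ == "__main__":
    host = ZtdnsHost()
    # Hard-coded IP (typical of malware or an app skipping DNS): blocked.
    print("198.51.100.9 ->", host.check_outbound("198.51.100.9"))
    # Same address before and after a Protective DNS lookup returns it.
    print("203.0.113.10 before ->", host.check_outbound("203.0.113.10"))
    host.resolve("10.0.0.53", "updates.example.test")
    print("203.0.113.10 after ->", host.check_outbound("203.0.113.10"))
    # Printer on the provisioned subnet works; one on another subnet does not.
    print("192.168.10.7 ->", host.check_outbound("192.168.10.7"))
    print("192.168.20.7 ->", host.check_outbound("192.168.20.7"))
```

The last two lines are the deployment caveat in practice: a printer or file server reached by IP address keeps working only if its subnet is on the always-allowed list, which is the "quick modification" an administrator would make for such traffic.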

Microsoft also explains that ZTDNS might not be as effective when deployed alongside VPNs, SASE/SSE tunnels, and Hyper-V VMs. Besides, anyone with administrative privileges on the PC can disable Microsoft’s Zero Trust DNS via the built-in settings. So, admins should reconsider the permissions they grant to users!

There will be several improvements in Zero Trust DNS before it’s finally introduced in the stable version of Windows, as confirmed by Microsoft.
