
Zero Trust DNS

Overview

Zero Trust DNS (ZTDNS) is a security feature that enables enterprise IT administrators to natively enforce domain-name-based network access controls on their Windows endpoints. It addresses the critical need to ensure that enterprise Windows devices only communicate with trusted network destinations, reducing the risk of a range of network attacks from malware communication to data exfiltration.

ZTDNS is an enhancement of the Windows DNS client that blocks all outbound IP traffic from the Windows device by default and only allows IP traffic to destinations resolved by the trusted DNS server or explicitly approved by the enterprise IT administrator. When paired with a policy-aware Protective DNS (PDNS) server, ZTDNS acts as the policy-enforcement point on the Windows device. This approach reduces the need for deep packet inspection or reliance on insecure signals like plain-text DNS or Server Name Indication (SNI) when attempting to determine the domain name associated with outbound traffic. Aligning with the Zero Trust principles, ZTDNS follows the "deny by default and allow by exception for a limited time" approach.

How Zero Trust DNS works

ZTDNS operates by integrating the Windows DNS client with the Windows Filtering Platform (WFP) to enable domain-name-based network lockdown. When you configure ZTDNS on a Windows device to use PDNS servers that support DNS over HTTPS (DoH) or DNS over TLS (DoT), the system ensures:

  • Encrypted DNS enforcement: The Windows DNS client forces the use of encrypted DNS and sends queries only to the configured PDNS servers
  • Approved traffic only: Outbound traffic is permitted only to IP addresses resolved by these trusted PDNS servers or to IP ranges with manual exceptions configured by the enterprise IT administrator
  • Default denial: All other IPv4 and IPv6 outbound traffic is blocked by default, adhering to the "deny by default" principle of Zero Trust
  • Connection logging: The device maintains a comprehensive log of attempted outbound connections for monitoring and troubleshooting

Traffic flow process when ZTDNS is configured on a Windows device

  1. Initial lockdown: Windows blocks all outbound IPv4 and IPv6 traffic except for connections to the configured Protective DNS servers, explicitly allowed IP ranges, and essential network discovery traffic (DHCP, DHCPv6, and NDP)

  2. DNS resolution: When applications need to connect to a destination, they query the trusted PDNS servers through encrypted channels (DoH or DoT)

  3. Dynamic allow listing: DNS responses from PDNS servers that contain IP address resolutions trigger outbound allow exceptions for those specific IP addresses for a specified time

  4. Traffic enforcement: Applications can then connect to the resolved IP addresses, while connections to any other IP addresses are blocked unless they're on the manual exceptions list
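To make the enforcement order in the bullets and steps above concrete, here is an added Python model of the ZTDNS policy decision. It is constructed for this page and is not Windows or Microsoft code; the PDNS address 10.0.0.53, the exception range 10.0.1.0/24, the 60-second TTL and the injectable clock are assumed values.

```python
import ipaddress
import time


class ZtdnsPolicy:
    """Constructed model of the ZTDNS enforcement logic (not the Windows implementation).

    Allowed destinations are the configured PDNS servers, the administrator's
    exception ranges, essential discovery traffic, and IP addresses learned from
    PDNS answers, each of which is valid only until its TTL expires.
    """

    def __init__(self, pdns_servers, exception_ranges, now=time.time):
        self.pdns = {ipaddress.ip_address(s) for s in pdns_servers}
        self.exceptions = [ipaddress.ip_network(r) for r in exception_ranges]
        self.dynamic = {}   # resolved IP -> expiry timestamp (dynamic allow list)
        self.log = []       # every outbound attempt, for monitoring/troubleshooting
        self.now = now      # clock hook so tests can advance time deterministically

    def on_dns_answer(self, resolver, answers, ttl):
        """Only answers from a configured PDNS server open allow exceptions."""
        if ipaddress.ip_address(resolver) not in self.pdns:
            return False    # answer from an untrusted resolver is ignored
        expiry = self.now() + ttl
        for ip in answers:
            self.dynamic[ipaddress.ip_address(ip)] = expiry
        return True

    def check_outbound(self, dst, proto=None):
        """Deny by default; allow PDNS, exceptions, discovery and unexpired resolutions."""
        ip = ipaddress.ip_address(dst)
        if proto in ("dhcp", "dhcpv6", "ndp"):
            reason = "allow:discovery"
        elif ip in self.pdns:
            reason = "allow:pdns"
        elif any(ip in net for net in self.exceptions):
            reason = "allow:exception"
        elif ip in self.dynamic and self.dynamic[ip] > self.now():
            reason = "allow:resolved"
        else:
            self.dynamic.pop(ip, None)   # drop an expired entry if one exists
            reason = "deny:default"
        self.log.append((str(ip), reason))
        return reason.startswith("allow")


if __name__ == "__main__":
    policy = ZtdnsPolicy(["10.0.0.53"], ["10.0.1.0/24"])
    policy.on_dns_answer("10.0.0.53", ["203.0.113.5"], ttl=60)
    print(policy.check_outbound("203.0.113.5"), policy.check_outbound("198.51.100.9"))
    print(policy.log)
```

The log entries show why each attempt was allowed or denied, which is the data a defender would review when an application stops working after ZTDNS lockdown.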

Security benefits

ZTDNS provides significant security advantages by addressing various network-based threats:

DNS hijacking protection

By ensuring that only DNS resolutions from trusted PDNS servers are used, ZTDNS helps prevent bad actors from redirecting traffic to malicious sites through DNS hijacking attacks.

Malicious communications prevention

Only allowing outbound connections to IP addresses resolved through trusted DNS queries helps disrupt phishing attempts and prevents non-administrative malware stagers and beacons from communicating with command and control servers.

Data exfiltration mitigation

Restricting outbound traffic to approved domains reduces the risk of sensitive data being transmitted to unauthorized destinations without requiring analysis of domain name resolution patterns.

Supports end-to-end encryption

Unlike traditional network filtering that relies on plain-text signals or deep packet inspection, ZTDNS is effective even when DNS traffic and SNI are encrypted, providing future-proof security controls.

Windows edition and licensing requirements

The following table lists the Windows editions that support Zero Trust DNS (ZTDNS):

  Windows 11 Home        No
  Windows 11 Pro         No
  Windows 11 Enterprise  Yes
  Windows 11 Education   Yes

Zero Trust DNS (ZTDNS) license entitlements are granted by the following licenses:

  Windows Enterprise E3  Yes
  Windows Enterprise E5  Yes
  Windows Education A3   Yes
  Windows Education A5   Yes

For more information about Windows licensing, see Windows licensing overview.

Next Steps