Modern cybersecurity threats increasingly target the foundational protocols that power everyday business operations. While organizations invest heavily in perimeter defenses and endpoint protection, sophisticated attackers exploit infrastructure protocols designed decades ago as entry points for broader network compromises.
Due to this rising threat, the U.S. government issued Executive Order 14028 in 2021, directing all federal agencies to encrypt data in transit. The subsequent M-22-09 memo provided specific implementation guidance that alerted organizations to a fundamental vulnerability they had long ignored: plain-text Domain Name System (DNS) traffic. When a laptop requests hostname-to-IP resolution, it typically communicates over port 53 with no encryption. This creates an open channel for attackers to intercept, analyze, or manipulate critical network intelligence.
To understand how Microsoft is addressing this challenge, The Tolly Group recently spoke with Aditi Patange, the product manager responsible for Windows networking components including DNS, DHCP, and the Windows Time Service. Patange's team has developed Zero Trust DNS (ZTDNS), a new Windows feature currently in public preview that encrypts every DNS query and enforces strict policy controls at each endpoint. The objective is straightforward: provide domain-name-based lockdown at the endpoint and enforce the policies set by the Protective DNS (PDNS) server on that endpoint, without requiring additional agents.
DNS Infrastructure's Hidden Risk
"I have only met people at the extreme ends of the spectrum: either they don't know what DNS is or they are DNS experts," Patange told us.
Many enterprises treat DNS as 'set and forget' infrastructure. A resolver gets configured, the service runs reliably, and nobody revisits the setup unless domain resolution fails. This hands-off approach creates two critical security vulnerabilities. First, attackers can monitor DNS traffic to map organizational infrastructure and identify potential targets. Second, without domain-based access controls, malware can bypass the system's DNS lookups by using rogue resolution methods to reach command-and-control servers, even within supposedly segmented networks. ZTDNS directly addresses both attack vectors.
How Microsoft's Zero Trust DNS Works
ZTDNS augments Windows' traditional DNS stub resolver with an enhancement that mandates the use of encrypted DNS for every query. Currently supporting DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), the system only accepts responses from administrator-specified protective DNS (PDNS) resolvers. When an application attempts to connect to an IP address that ZTDNS has not learned from these trusted resolvers and that administrators have not configured as an exception, Windows blocks the outbound traffic entirely.
Because ZTDNS ships as an integrated Windows component, deployment can begin with a small pilot group of Windows Insider machines before expanding fleet-wide. Licensing details will be announced when the feature exits Preview and reaches General Availability.
The ZTDNS and PDNS Partnership
The architecture separates policy intelligence from enforcement. PDNS serves as the policy brain, maintaining allow-lists and deny-lists that determine which domains are legitimate for specific users or device groups. ZTDNS functions as the enforcement arm, running locally on Windows to block unauthorized connections, permitting only traffic to validated IP addresses.
The distributed design enables enterprises to continue using their existing encrypted-DNS-capable PDNS server, including third-party SaaS providers, while gaining local enforcement across all Windows devices. Patange emphasizes interoperability, working with major industry PDNS server providers to ensure ZTDNS functions seamlessly across diverse DNS infrastructures.
Dispelling Common DNS Security Myths
Patange frequently encounters misconceptions when discussing DNS security with enterprise leaders. The first myth suggests zero trust is a single purchasable solution. In reality, it's an architectural approach spanning identity, devices, networks, and applications, with ZTDNS securing just the DNS component.
"A lot of people when they talk about zero trust in general, they're looking for one solution that can help them get zero trust … and it really doesn't work that way," she noted.
The second myth stems from operational conservatism; administrators avoid implementing DNS security enhancements because they view any modifications to this critical infrastructure as too risky to operational stability.
Despite these challenges, organizations across multiple sectors are recognizing the value of DNS security and moving forward with implementation.
Early Adoption Patterns
Patange reports interest in ZTDNS from U.S. federal agencies due to the Executive Order requirements. She suggests that international government agencies, academic institutions, highly regulated industries like banking and healthcare, and air-gapped environments may benefit from ZTDNS enforcement, which enables them to prove that every outbound connection was explicitly allowed by organizational policy, with minimal operational overhead.
Implementation Guidance
Organizations still relying on plain-text DNS should begin by enabling DoH or DoT on existing resolvers. For ZTDNS evaluation, join the public preview by enrolling a small pilot group in the Windows Insider program and following the configuration guidance at https://aka.ms/ztdnspreview.
Before testing ZTDNS, review the Deployment Considerations guidance for the Windows ZTDNS client. During testing, begin with ZTDNS in audit mode and monitor the ZTDNS logs to refine the ZTDNS exceptions list. Next, enable ZTDNS in enforcement mode on the small pilot group and ensure that the resources necessary for employee productivity remain reachable. Once you have refined your ZTDNS exceptions list, as well as the allow and block lists on your PDNS server, you can begin broader deployment.
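The enforcement loop described in this article (IP addresses are learned only from trusted PDNS answers; outbound connections to anything else are logged in audit mode and blocked in enforcement mode, unless the address is on the administrator's exceptions list) can be illustrated with a small model. The following Python is an added example written for this page; it is not Microsoft's implementation and not the Windows ZTDNS client. The resolver and target addresses are constructed, the exceptions list is a hypothetical CIDR range, and the assumption that a learned address expires with the DNS record's TTL is a simplification chosen here, not a documented ZTDNS behaviour.

```python
"""Toy model of endpoint DNS enforcement in the style of ZTDNS.

Constructed example: a client only trusts answers from configured PDNS
resolvers, records the IPs those answers contain, and then decides for
each outbound connection whether the destination was learned from a
trusted answer or sits on the exceptions list.  Audit mode logs what
enforcement would do; enforcement mode actually blocks.
"""
import ipaddress
import time


class ZtdnsModel:
    def __init__(self, trusted_resolvers, exceptions, mode="audit", clock=time.monotonic):
        assert mode in ("audit", "enforce")
        self.trusted = set(trusted_resolvers)          # PDNS resolver IPs
        self.exceptions = [ipaddress.ip_network(n) for n in exceptions]
        self.mode = mode
        self.clock = clock                              # injectable for testing
        self.learned = {}                               # ip -> (domain, expiry)
        self.log = []                                   # audit/enforcement log lines

    def resolve(self, domain, resolver, answers):
        """Simulate receiving a DNS answer for `domain` from `resolver`.

        `answers` is a list of (ip, ttl).  Answers from untrusted resolvers
        (a rogue or hard-coded resolver used by malware) never populate the
        cache, so the IPs they return can never be reached.
        """
        if resolver not in self.trusted:
            self.log.append(f"DROP answer for {domain} from untrusted resolver {resolver}")
            return []
        now = self.clock()
        for ip, ttl in answers:
            # Assumption in this model: the learned IP is valid for the record TTL.
            self.learned[ip] = (domain, now + ttl)
        return [ip for ip, _ in answers]

    def check_outbound(self, ip):
        """Return 'allow' or 'block' for a connection attempt to `ip`.

        Audit mode always returns 'allow' but records what would be blocked,
        which is the signal an administrator uses to refine the exceptions list.
        """
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.exceptions):
            return "allow"                              # administrator exception
        entry = self.learned.get(ip)
        if entry and entry[1] > self.clock():
            return "allow"                              # learned from trusted PDNS
        reason = "expired" if entry else "never learned from a trusted resolver"
        if self.mode == "audit":
            self.log.append(f"AUDIT would block {ip} ({reason})")
            return "allow"
        self.log.append(f"BLOCK {ip} ({reason})")
        return "block"


def demo(mode):
    """Run a constructed scenario in the given mode; returns (decisions, log)."""
    now = [0.0]
    model = ZtdnsModel(
        trusted_resolvers={"10.0.0.53"},      # constructed PDNS address
        exceptions=["10.0.0.0/8"],            # hypothetical exception range
        mode=mode,
        clock=lambda: now[0],
    )
    # A legitimate lookup through the trusted PDNS resolver.
    model.resolve("intranet.example", "10.0.0.53", [("192.0.2.10", 60)])
    # Malware asking a rogue resolver directly: the answer is dropped.
    model.resolve("evil.example", "198.51.100.9", [("203.0.113.7", 60)])
    decisions = {
        "learned": model.check_outbound("192.0.2.10"),     # allowed
        "rogue": model.check_outbound("203.0.113.7"),      # blocked in enforce mode
        "hardcoded": model.check_outbound("203.0.113.99"), # never resolved at all
        "exception": model.check_outbound("10.0.0.53"),    # on the exceptions list
    }
    now[0] = 120.0                                         # advance past the TTL
    decisions["expired"] = model.check_outbound("192.0.2.10")
    return decisions, model.log


if __name__ == "__main__":
    for m in ("audit", "enforce"):
        d, log = demo(m)
        print(m, d)
        print("\n".join(log))
```

Running `demo("audit")` produces an "allow" for every connection but leaves three "AUDIT would block" lines in the log, which is exactly the material the article suggests using to refine the exceptions list before switching to `demo("enforce")`, where the same three connections are refused.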
The Strategic Value of DNS Security
DNS represents one of the Internet's foundational protocols, but that legacy status shouldn't perpetuate vulnerability. Microsoft's Zero Trust DNS encrypts every query and enforces policy directly at the endpoint, transforming Windows devices into active participants in protective DNS strategies without requiring additional agents. For security teams managing compliance deadlines, ransomware threats, and constrained budgets, ZTDNS provides a streamlined path to integrating DNS into comprehensive zero-trust architectures.
As cyber threats continue to evolve and target fundamental network protocols, organizations that proactively secure their DNS infrastructure will gain a significant advantage over those that maintain the status quo. The question isn't whether DNS security will become standard practice, but how quickly enterprises can implement solutions like ZTDNS to stay ahead of increasingly sophisticated attacks.
Learn More
For detailed implementation guidance and technical documentation, visit https://aka.ms/ztdnspreview. Technical questions and preview feedback can be directed to the project team at ztdnspreview@microsoft.com, or you can connect directly with Aditi Patange on LinkedIn for deeper discussions about enterprise deployment strategies.