Microsoft just gave us a first look at the future of its DNS services


Microsoft has announced a new, upcoming feature that aims to solve a decades-old conundrum in DNS security.

The feature is called ZTDNS, or Zero Trust Domain Name System, and is currently entering private preview. Microsoft promised a separate announcement once the feature makes it to the Insiders program. 

In a blog post, Microsoft explained that, virtually since its inception, the process of translating human-readable domain names into IP addresses has been a major risk from a security standpoint. Because of the way DNS was designed, IT admins have often faced a choice: either add cryptographic authentication and encryption to DNS and risk losing visibility into malicious traffic, or route DNS traffic in clear text and leave the server and the client device with no way to authenticate each other, which is equally risky.

No new protocols

To solve this problem, Microsoft decided to integrate the Windows DNS engine with a core part of Windows Firewall, the Windows Filtering Platform, directly on end devices.

Commenting for Ars Technica, VP of research and development at Hunter Strategy, Jake Williams, said integrating these engines will allow Windows Firewall to be updated on a per-domain-name basis. In other words, organizations will be able to tell clients “only use our DNS server, that uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server or servers the “protective DNS server.”

“For DNS servers to be used as Protective DNS servers for ZTDNS lockdown, the minimum requirement is to support either DNS over HTTPS (DoH) or DNS over TLS (DoT), as ZTDNS will prevent the use of plain-text DNS by Windows,” Microsoft explained in its blog post. “Optionally, use of mTLS on the encrypted DNS connections will allow Protective DNS to apply per-client resolution policies.” 

To conclude, Microsoft stressed that ZTDNS doesn’t include new network protocols, which should enable an “interoperable approach” to domain-name-based lockdown.
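To make the lockdown model concrete, here is a small Python sketch added to this article (it is not Microsoft's code) of the behaviour described above: the client only trusts answers from the designated Protective DNS server, which must speak DoH or DoT, the host firewall only permits outbound connections to addresses that server actually returned, and an optional mTLS client identity lets the resolver apply a per-client policy. Domain names, addresses and policy entries are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

PLAINTEXT_DNS_PORT = 53  # ZTDNS blocks classic clear-text DNS entirely


@dataclass
class ProtectiveResolver:
    """Constructed stand-in for a Protective DNS server (assumption, not a real API)."""
    transport: str                  # "doh", "dot" or "udp" (udp = plain text)
    zone: dict                      # name -> IP, constructed sample data
    client_policy: dict = field(default_factory=dict)  # mTLS client id -> allowed names

    def resolve(self, name: str, client_id: Optional[str] = None) -> Optional[str]:
        # Per-client resolution policy is only possible when the client
        # presented an mTLS identity and a policy exists for it.
        allowed = self.client_policy.get(client_id) if client_id else None
        if allowed is not None and name not in allowed:
            return None
        return self.zone.get(name)


@dataclass
class ZtdnsClient:
    """Constructed model of a Windows endpoint under ZTDNS lockdown."""
    resolver: ProtectiveResolver
    client_id: Optional[str] = None
    allowed_ips: set = field(default_factory=set)  # firewall allow-list fed by resolutions

    def lookup(self, name: str) -> Optional[str]:
        # Only encrypted transports are acceptable for the protective resolver.
        if self.resolver.transport not in ("doh", "dot"):
            raise RuntimeError("plain-text DNS is blocked; use DoH or DoT")
        ip = self.resolver.resolve(name, self.client_id)
        if ip is not None:
            # The firewall exception is opened only for addresses the
            # protective resolver returned, never for arbitrary IPs.
            self.allowed_ips.add(ip)
        return ip

    def connect(self, ip: str, port: int) -> bool:
        # Port 53 is refused outright so nothing can sidestep the resolver;
        # everything else must be an address learned via the protective DNS.
        if port == PLAINTEXT_DNS_PORT:
            return False
        return ip in self.allowed_ips
```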

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
