
Zero Trust DNS: Finally, a Network Security Topic!

After weeks of AI-this and Copilot-that, let’s talk about something foundational: DNS. Yes, the thing that’s been quietly turning names into addresses for your internet traffic since 1985. And now, Microsoft has a Zero Trust version for Windows 11. :D

If you ever wanted to lock down your network so that devices can only talk to approved destinations, Zero Trust DNS (ZTDNS) is your new best friend.

What is Zero Trust DNS?

Traditional DNS is basically the phone book of the internet. You ask “What’s the IP for gudszent.hu?” and it tells you. Zero Trust DNS adds a bouncer: it not only resolves the name but also ensures only approved destinations are resolvable.

  • Encrypted DNS: Uses DNS over HTTPS (DoH) or DNS over TLS (DoT).
  • Policy Enforcement: Only resolves domain names that match your allow-list.
  • Block Everything Else: If it’s not on the list, no connection. Period.

The Setup (Step-by-Step, Without Breaking Everything)

Step 0: Prerequisites (The Boring But Necessary Part)

  • Windows 11 Enterprise or Education (latest build).
  • Admin privileges (obviously).
  • Encrypted DNS server that supports DoH or DoT (you need this set up first).

Step 1: Force Apps to Use Windows DNS

Some browsers (cough Chrome cough) ship their own built-in DNS clients, which bypass the Windows resolver so ZTDNS never sees those lookups. We need to turn that off.

  • Microsoft Edge: Set the BuiltInDnsClientEnabled policy to Disabled so Edge uses the Windows resolver instead of its own.
  • Chrome: Same policy name, set under Chrome’s own policy location.

Step 2: Add Exceptions (Before You Lock Yourself Out)

This is critical. Some apps don’t use DNS to find their servers; they connect to hardcoded IPs. Those connections never pass through the resolver, so if you forget to allow them, they’ll break.

Example: Let’s say my lab uses a legacy monitoring tool at 10.42.0.0/24 and my homelab domain is lab.gudszent.local. I need to add exceptions:

netsh ztdns add exception name=HomeLabMonitoring description="Monitoring tools on lab.gudszent.local" subnets=10.42.0.0/24

You’ll also need to add Microsoft 365 IP ranges if you use Teams, Exchange, or SharePoint.

Step 3: Configure Your Trusted DNS Server

Point ZTDNS to your encrypted DNS server. Let’s say I’m using Cloudflare’s DoH at dns.gudszent.network (hypothetically!):

netsh ztdns add server type=doh address=1.1.1.1 template=https://dns.gudszent.network/dns-query priority=0

Step 4: Enable Audit Mode (Test Before You Wreck)

Do NOT skip this step. Audit mode logs what would be blocked without actually blocking it.

netsh ztdns set state enable=yes audit=yes

Now monitor the logs. You’ll see which destinations your applications are trying to reach that aren’t on the allow-list. Add exceptions as needed.

Step 5: Flip the Switch (Enforcement Mode)

Once you’re confident everything critical is allowed:

netsh ztdns set state enable=yes audit=no

Step 6: Reboot (Seriously, Just Do It)

Apps cache IP addresses. A reboot clears that cache and ensures ZTDNS is enforced from the start.
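Here is the whole sequence from Step 1 through Step 4 as one PowerShell script. It is an example added to this post, not the author’s or Microsoft’s code. It assumes the netsh ztdns syntax exactly as the post shows it, writes the BuiltInDnsClientEnabled policy for Edge and Chrome to the registry, refuses to add an exception whose subnet is not a valid IPv4 CIDR, checks that the DoH template actually answers a wire-format query (RFC 8484 GET) before pointing ZTDNS at it, and stops in audit mode. The subnets, exception names and the dns.gudszent.network endpoint are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post or from Microsoft. It walks the
# post's Steps 1-4 in order and deliberately stops in AUDIT mode; enforcement
# (Step 5) is left as a separate, manual decision after the logs are reviewed.
# Assumptions: the 'netsh ztdns' syntax is exactly as the post shows it; every
# subnet, exception name and DoH endpoint below is a constructed placeholder.

# --- Step 1: make Edge and Chrome use the Windows resolver -----------------
# Both browsers read the same policy name, BuiltInDnsClientEnabled, from their
# own Policies key. Value 0 = disabled = no in-browser DoH bypassing ZTDNS.
$browserPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKLM:\SOFTWARE\Policies\Google\Chrome'
)
foreach ($key in $browserPolicyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'BuiltInDnsClientEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

# --- Step 2: exceptions for hardcoded-IP destinations ----------------------
# A malformed subnet means a silently missing exception and a lock-out once
# enforcement is on, so every CIDR is validated before netsh ever sees it.
function Test-Cidr {
    param([string]$Cidr)
    if ($Cidr -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$') { return $false }
    foreach ($i in 1..4) { if ([int]$Matches[$i] -gt 255) { return $false } }
    return ([int]$Matches[5] -le 32)
}

# Descriptions are kept free of spaces so each netsh token passes through
# PowerShell's native-command argument handling without extra quoting.
$exceptions = @(
    @{ Name = 'HomeLabMonitoring'; Description = 'Monitoring-on-lab.gudszent.local';  Subnet = '10.42.0.0/24' },
    @{ Name = 'M365Placeholder';   Description = 'Replace-with-published-M365-ranges'; Subnet = '203.0.113.0/24' }
)
foreach ($e in $exceptions) {
    if (-not (Test-Cidr $e.Subnet)) {
        throw "Refusing to continue: '$($e.Subnet)' in exception '$($e.Name)' is not a valid IPv4 CIDR"
    }
    & netsh ztdns add exception "name=$($e.Name)" "description=$($e.Description)" "subnets=$($e.Subnet)"
}

# --- Step 3: verify the DoH endpoint answers before trusting it ------------
# Sends a minimal RFC 8484 GET (wire-format query, base64url in ?dns=) and
# checks RCODE == 0 and ANCOUNT > 0. Pointing ZTDNS at a dead resolver would
# otherwise block everything the moment enforcement is turned on.
Add-Type -AssemblyName System.Net.Http
function New-DnsQuery {
    param([string]$Name)
    $q = [System.Collections.Generic.List[byte]]::new()
    # ID 0 (RFC 8484 recommends it for cacheable GETs), flags RD=1, QDCOUNT 1
    $q.AddRange([byte[]](0,0, 1,0, 0,1, 0,0, 0,0, 0,0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $q.Add([byte]$bytes.Length); $q.AddRange($bytes)
    }
    $q.AddRange([byte[]](0, 0,1, 0,1))   # root label, QTYPE A, QCLASS IN
    return $q.ToArray()
}
function Test-DohResolver {
    param([string]$Template, [string]$Name = 'example.com')
    $query = [byte[]](New-DnsQuery $Name)
    $b64 = [Convert]::ToBase64String($query).TrimEnd('=').Replace('+','-').Replace('/','_')
    $client = [System.Net.Http.HttpClient]::new()
    $client.DefaultRequestHeaders.Accept.ParseAdd('application/dns-message')
    try {
        $resp = $client.GetByteArrayAsync("${Template}?dns=$b64").GetAwaiter().GetResult()
    } catch { return $false }
    $rcode   = $resp[3] -band 0x0F
    $ancount = ([int]$resp[6] -shl 8) -bor $resp[7]
    return ($rcode -eq 0 -and $ancount -gt 0)
}

$dohTemplate = 'https://dns.gudszent.network/dns-query'   # hypothetical, as in the post
if (-not (Test-DohResolver -Template $dohTemplate)) {
    throw "DoH endpoint $dohTemplate did not return a usable answer; fix the resolver before enabling ZTDNS"
}
& netsh ztdns add server type=doh address=1.1.1.1 "template=$dohTemplate" priority=0

# --- Step 4: audit mode only ----------------------------------------------
# Nothing is blocked yet. Review what audit mode reports, add the missing
# exceptions above, re-run, and only then switch audit=no by hand (Step 5).
& netsh ztdns set state enable=yes audit=yes
```

Run it from an elevated PowerShell. Flipping audit=no (Step 5) is intentionally not in the script, so enforcement stays a deliberate, separate action taken only after the audit logs have been reviewed.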

Conclusion

This is proper Zero Trust networking. It’s not flashy AI magic; it’s foundational security done right. The ability to say “This device can only talk to lab.gudszent.local and these 10 approved IPs” is incredibly powerful for locking down endpoints.

The audit mode is brilliant. Too many security tools are “all or nothing.” Being able to test the impact without breaking production is chef’s kiss.

If you manage a fleet of Windows 11 devices and haven’t looked at ZTDNS yet, put it on your list. It’s one of those “boring but incredibly effective” security layers that quietly does its job.

Now, back to your regularly scheduled AI content.

This post is licensed under CC BY 4.0 by the author.