Admins are left to choose between equally unappealing options: route DNS traffic in clear text with no means for the server and client device to authenticate each other so malicious domains can be blocked and network monitoring is possible, or encrypt and authenticate DNS traffic and do away with the domain control and network visibility. ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform (the core component of the Windows Firewall) directly into client devices. The result, he said, is a mechanism that allows organizations to, in essence, tell clients “Only use our DNS server, that uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server or servers the “Protective DNS server.”

Source: Microsoft plans to lock down Windows DNS like never before. Here’s how.

Huh…
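A toy model of the design the quoted passage describes, added here as an illustration (it is not Microsoft's or Ars Technica's code): a client that only ever queries the Protective DNS server over an encrypted channel, a resolver that answers only for allow-listed names, and a host firewall that lets a connection out only to the resolver itself or to an address the resolver returned. That last rule goes a step beyond the quote, which only says the firewall and DNS engine are integrated; all addresses and names are constructed from documentation ranges.

```python
# Constructed model of ZTDNS-style, DNS-gated egress. Not Microsoft's code.
from dataclasses import dataclass, field

PROTECTIVE_DNS = "192.0.2.53"  # constructed address (RFC 5737 documentation range)
ALLOWED_ZONES = {              # names the protective resolver is willing to answer
    "intranet.example": "198.51.100.10",
    "mail.example": "198.51.100.25",
}


@dataclass
class ProtectiveResolver:
    """Answers only allow-listed names; anything else is refused (returns None)."""
    zones: dict

    def resolve(self, name: str):
        return self.zones.get(name.lower().rstrip("."))


@dataclass
class ZtdnsClient:
    """Client whose outbound connections are gated by what the resolver returned."""
    resolver: ProtectiveResolver
    resolver_ip: str = PROTECTIVE_DNS
    learned_ips: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def lookup(self, name: str):
        # The only DNS path is the encrypted channel to the protective resolver;
        # a successful answer adds the returned address to the firewall allow set.
        ip = self.resolver.resolve(name)
        self.log.append(("dns", name, "ok" if ip else "refused"))
        if ip:
            self.learned_ips.add(ip)
        return ip

    def connect(self, dst_ip, dst_port: int) -> bool:
        # Firewall decision: DNS-over-TLS to the resolver (853) or a learned IP only.
        allowed = (dst_ip == self.resolver_ip and dst_port == 853) or dst_ip in self.learned_ips
        self.log.append(("egress", dst_ip, dst_port, "allow" if allowed else "block"))
        return allowed


def demo() -> dict:
    c = ZtdnsClient(ProtectiveResolver(ALLOWED_ZONES))
    return {
        "dot_to_resolver": c.connect(PROTECTIVE_DNS, 853),           # allowed
        "plain_dns_elsewhere": c.connect("203.0.113.53", 53),         # clear-text DNS to another server: blocked
        "intranet": c.connect(c.lookup("intranet.example"), 443),    # resolved by policy: allowed
        "direct_ip": c.connect("203.0.113.7", 443),                   # never resolved: blocked
        "unlisted_domain": c.lookup("unlisted.example") is None,      # resolver refuses
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```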