DNS Security Practices for Windows

The Domain Name System (DNS) is often called the “phonebook of the internet.” It translates human-friendly names like companyportal.com into machine-readable IP addresses. On a Windows network, DNS is absolutely critical—not just for web browsing, but for Active Directory authentication, Group Policy updates, and internal resource discovery.

However, because DNS was designed for speed and availability rather than security, it is a prime target for attackers. A single compromised DNS setting can redirect your entire organization to malicious sites, steal credentials, or bypass your firewall. Let’s break down the real threats and how to harden DNS security on your Windows clients and servers.

The Main Threats

Before applying fixes, you need to understand what you’re up against:

  1. DNS Spoofing (Cache Poisoning): An attacker injects fake records into a DNS resolver’s cache. A user tries to visit outlook.com but is silently redirected to a fake login page that steals their password.
  2. Man-in-the-Middle (MITM) on DNS: On an unencrypted network, an attacker can intercept plaintext DNS requests (port 53) and reply with a malicious IP before the real DNS server responds.
  3. Local Hosts File Hijacking: Many legacy Windows threats modify the C:\Windows\System32\drivers\etc\hosts file. This local file overrides DNS—so even if your DNS server is clean, the machine goes to a bad address.
  4. DNS Tunneling: Malware uses DNS queries (which are rarely inspected) to exfiltrate stolen data or receive command-and-control instructions.

Hardening Windows DNS Security

Here is a practical, layered approach to securing DNS on your Windows endpoints and servers:

1. Enable DNSSEC (Domain Name System Security Extensions)
DNSSEC uses digital signatures to verify that a DNS response came from the authoritative server and wasn’t tampered with. On Windows Server DNS, you can sign your internal zones. For clients, ensure they are validating DNSSEC responses. This stops cache poisoning cold.

2. Move to Encrypted DNS (DoH/DoT)
Standard DNS queries are sent in plaintext. Windows 11 and Windows Server 2022 support DNS over HTTPS (DoH). When you configure DoH, all queries are wrapped in HTTPS encryption—the same level of security as online banking. To enable it:

  • Go to Settings > Network & Internet > Ethernet/Wi-Fi > DNS server assignment > Edit.
  • Enter a DoH-compatible server (Cloudflare 1.1.1.1 or Quad9 9.9.9.9) and set “DNS over HTTPS” to “On.”
  • For domain-joined machines, use Group Policy to enforce DoH across the fleet.

3. Lock Down the Hosts File
Use Windows Defender Attack Surface Reduction (ASR) rules to prevent unauthorized writing to the hosts file. You can also configure AppLocker to block scripts that attempt to modify it. Monitor for unexpected changes via Microsoft Defender for Endpoint or a SIEM.

4. Restrict Recursive Queries on DNS Servers
If you run your own Windows DNS server, ensure it only resolves queries for internal clients. An open resolver on the internet will be abused for DDoS amplification attacks. Under the DNS server’s properties, go to Recursion > Advanced and restrict recursion to specific IP ranges (your LAN subnets only).

5. Use DNS Policies (Windows Server 2016+)
Windows Server supports DNS policies that act like a firewall for DNS. You can block queries to known malicious domains, implement split-brain DNS (different responses for internal vs. external users), and even rate-limit queries to prevent tunneling attacks.

6. Monitor DNS Logs
Most admins ignore DNS logs, which is a mistake. Enable debug logging on your Windows DNS server or forward logs to a SIEM. Look for:

  • Queries to very long, random-looking subdomains (tunneling).
  • Repeated NXDOMAIN responses (a client scanning for internal servers).
  • Unusual query volumes from a single endpoint.
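As an added example (not code from the original article), the Python below applies those three indicators to Windows DNS Server debug-log lines. The sample lines are constructed approximations of the debug log layout, and the thresholds are assumed starting values that you would tune for your own environment.

```python
import math
import re
from collections import Counter

# Constructed sample lines approximating the Windows DNS Server debug log layout
# (date time thread PACKET id proto Snd/Rcv client xid [R] Q [flags rcode] qtype name).
SAMPLE_LOG = """\
2/10/2024 10:15:22 AM 0E58 PACKET 000000B5B3C6A0C0 UDP Rcv 10.0.0.25 0002   Q [0001   D   NOERROR] A (7)outlook(3)com(0)
2/10/2024 10:15:23 AM 0E58 PACKET 000000B5B3C6A0D0 UDP Rcv 10.0.0.77 0003   Q [0001   D   NOERROR] TXT (44)k2j8d7h2k4l1m9n3p5q7r2s4t6u8v1w3x5y7z9a2b4c6(4)evil(3)net(0)
2/10/2024 10:15:24 AM 0E58 PACKET 000000B5B3C6A0E0 UDP Rcv 10.0.0.42 0004   Q [0001   D   NOERROR] A (12)fileserver01(4)corp(5)local(0)
2/10/2024 10:15:24 AM 0E58 PACKET 000000B5B3C6A0E0 UDP Snd 10.0.0.42 0004 R Q [8385 A DR  NXDOMAIN] A (12)fileserver01(4)corp(5)local(0)
2/10/2024 10:15:24 AM 0E58 PACKET 000000B5B3C6A0F0 UDP Rcv 10.0.0.42 0005   Q [0001   D   NOERROR] A (12)fileserver02(4)corp(5)local(0)
2/10/2024 10:15:24 AM 0E58 PACKET 000000B5B3C6A0F0 UDP Snd 10.0.0.42 0005 R Q [8385 A DR  NXDOMAIN] A (12)fileserver02(4)corp(5)local(0)
2/10/2024 10:15:25 AM 0E58 PACKET 000000B5B3C6A100 UDP Rcv 10.0.0.42 0006   Q [0001   D   NOERROR] A (8)backup01(4)corp(5)local(0)
2/10/2024 10:15:25 AM 0E58 PACKET 000000B5B3C6A100 UDP Snd 10.0.0.42 0006 R Q [8385 A DR  NXDOMAIN] A (8)backup01(4)corp(5)local(0)
"""

# Only the fields the checks need; everything else on the line is ignored.
LINE_RE = re.compile(
    r"\b(?P<dir>Rcv|Snd)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+[0-9A-Fa-f]{4}\s+"
    r"(?P<resp>R?)\s*Q\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\w+)\s+(?P<name>\(\d+\)\S*)"
)

def decode_name(raw):
    """Turn the debug log's (7)outlook(3)com(0) form into outlook.com."""
    labels = [lbl for _, lbl in re.findall(r"\((\d+)\)([^(]*)", raw)]
    return ".".join(lbl for lbl in labels if lbl)

def shannon_entropy(s):
    """Bits per character; random-looking tunneling labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def analyze(log_text, max_label=40, min_entropy=3.8, nx_threshold=20, volume_threshold=500):
    """Run the article's three checks; thresholds are assumed starting points."""
    queries, nxdomain, tunneling = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # header or error lines carry no packet fields
        ip, name = m["ip"], decode_name(m["name"])
        if m["dir"] == "Rcv" and not m["resp"]:  # query received from a client
            queries[ip] += 1
            first = name.split(".")[0]  # leftmost label is where tunnels hide data
            if len(first) > max_label or (len(first) >= 16 and shannon_entropy(first) > min_entropy):
                tunneling.append((ip, name))
        elif m["dir"] == "Snd" and m["resp"] and m["flags"].split()[-1] == "NXDOMAIN":
            nxdomain[ip] += 1  # we told this client the name does not exist
    return {
        "tunneling": tunneling,
        "nxdomain_scanners": sorted(ip for ip, n in nxdomain.items() if n >= nx_threshold),
        "high_volume": sorted(ip for ip, n in queries.items() if n >= volume_threshold),
    }
```

Expect some benign hits from CDN and telemetry hostnames with long hashed labels; allow-list those rather than raising the entropy threshold for everything.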

A Quick Checklist for Today

  • [ ] Are all Windows 11 clients using DoH via Group Policy?
  • [ ] Is DNSSEC validation enabled on internal zones?
  • [ ] Do you have an alert for changes to C:\Windows\System32\drivers\etc\hosts?
  • [ ] Are your DNS servers blocking recursion for external IPs?
  • [ ] Is DNS logging turned on and integrated with your monitoring system?

Final Thought

DNS security on Windows is not “set and forget.” Attackers know that DNS is often the weakest link because it’s rarely monitored. By encrypting queries, validating responses with DNSSEC, and actively monitoring logs, you turn DNS from a silent vulnerability into a powerful detection layer. Start with DoH on your clients today—it takes five minutes and immediately stops most on-path DNS attacks.
