Microsoft has announced an upcoming Windows feature that aims to solve a decades-old conundrum in DNS security.
The feature is called ZTDNS, or Zero Trust Domain Name System, and is currently in private preview. Microsoft promised a separate announcement once the feature hits the Insiders program.
In a blog post, Microsoft explained that practically from its inception, the process of translating human-readable domain names into IP addresses has been a significant security risk. Because of the way DNS was designed, IT administrators have often faced a choice: add cryptographic authentication and encryption to DNS and risk losing visibility into malicious traffic, or send DNS traffic in clear text, leaving the server and the client device no way to authenticate each other, which is equally risky.
No new protocols
To solve this problem, Microsoft is integrating the Windows DNS engine with a core part of Windows Firewall, the Windows Filtering Platform (WFP), directly on end devices.
Commenting for Ars Technica, Jake Williams, vice president of research and development at Hunter Strategy, said that the integration of these engines will allow Windows Firewall to be updated by domain name. In other words, organizations will be able to tell clients to “only use our DNS server, which uses TLS, and will only resolve certain domains.” Microsoft calls this server, or servers, the “protective DNS server.”
“For DNS servers to be used as protective DNS servers for ZTDNS blocking, the minimum requirement is to support DNS over HTTPS (DoH) or DNS over TLS (DoT), as ZTDNS will prevent the use of plain-text DNS by Windows,” Microsoft explained in its blog post. “Optionally, using mTLS on encrypted DNS connections will allow the Protective DNS to enforce resolution policies on a per-client basis.”
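The practical consequence of that requirement is that a resolver has to be checked for encrypted-DNS support before it is nominated as a protective DNS server. The probe below is an added example written for this article, not code from Microsoft or from ZTDNS (which is in private preview and has no public API). It sends a wire-format DNS query over DoT (RFC 7858, TLS on TCP/853) and over DoH (RFC 8484, an HTTPS POST of `application/dns-message`), optionally presenting a client certificate for the mTLS option Microsoft mentions. The resolver name `dns.example.net`, the `/dns-query` path and the client-certificate PEM path are hypothetical placeholders; the query encoder and response parser are exercised offline on a constructed response.

```python
"""Probe a candidate protective DNS resolver for DoT and DoH support (added example)."""
import http.client
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query (RD set, class IN) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_answers(msg: bytes, txid: int = 0x1234) -> dict:
    """Extract the rcode and any A/AAAA answer addresses from a wire-format response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype and qclass
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": flags & 0x000F, "addresses": addrs}


def _tls_context(client_cert=None) -> ssl.SSLContext:
    """Certificate-verifying TLS context; a client cert (PEM, hypothetical path) enables mTLS."""
    ctx = ssl.create_default_context()
    if client_cert:
        ctx.load_cert_chain(client_cert)
    return ctx


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(host: str, name: str, client_cert=None, port: int = 853, timeout: float = 5.0) -> dict:
    """DNS over TLS: TCP framing (2-byte length prefix) inside a TLS session to port 853."""
    q = build_query(name)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _tls_context(client_cert).wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            (rlen,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, rlen))


def query_doh(host: str, path: str, name: str, client_cert=None, timeout: float = 5.0) -> dict:
    """DNS over HTTPS (RFC 8484): POST the wire-format query, read the wire-format reply."""
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=_tls_context(client_cert))
    try:
        conn.request("POST", path, body=build_query(name),
                     headers={"Content-Type": "application/dns-message",
                              "Accept": "application/dns-message"})
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"DoH HTTP status {resp.status}")
        return parse_answers(resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "dns.example.net"  # hypothetical resolver
    checks = (("DoT", lambda: query_dot(resolver, "example.com")),
              ("DoH", lambda: query_doh(resolver, "/dns-query", "example.com")))
    for label, probe in checks:
        try:
            print(label, "supported:", probe())
        except (OSError, ssl.SSLError, RuntimeError, ValueError) as exc:
            print(label, "not usable:", exc)
```

Run it as `python probe.py <resolver-hostname>`; pass a hostname rather than an IP so that certificate verification has a name to match, since a protective resolver whose certificate cannot be verified offers no client-side authentication. A resolver that fails both probes cannot meet Microsoft's stated minimum, and a plain port-53 check would not tell you that.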
Finally, Microsoft highlighted that ZTDNS introduces no new network protocols, which should allow for an “interoperable approach” to domain-name-based blocking.