Microsoft has announced a new, upcoming feature, that aims to solve a decades-old conundrum with DNS security.
The feature is called ZTDNS, or Zero Trust Domain Name System, and is currently entering private preview. Microsoft promised a separate announcement once the feature makes it to the Insiders program.
In a blog post, Microsoft explained how virtually since its inception, the process of translating human-readable domain names into IP addresses was, from a security standpoint, a major risk. Due to the way DNS was designed, IT admins were often faced with a choice: to either add cryptographic authentication and encryption to DNS and risk losing visibility over malicious traffic, or route DNS traffic in clear text and leave no option for the server and the client device to authenticate each other, which is as equally risky.
No new protocols
To solve this problem, Microsoft decided to integrate the Windows DNS engine with a core part of Windows Firewall – Windows Filtering Platform – directly into end devices.
Commenting for Ars Technica, VP of research and development at Hunter Strategy, Jake Williams, said integrating these engines will allow Windows Firewall to be updated with a per-domain name basis. In other words, organizations will be able to tell clients “only use our DNS server, that uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server or servers the “protective DNS server.”
“For DNS servers to be used as Protective DNS servers for ZTDNS lockdown, the minimum requirement is to support either DNS over HTTPS (DoH) or DNS over TLS (DoT), as ZTDNS will prevent the use of plain-text DNS by Windows,” Microsoft explained in its blog post. “Optionally, use of mTLS on the encrypted DNS connections will allow Protective DNS to apply per-client resolution policies.”
To conclude, Microsoft stressed that ZTDNS doesn’t include new network protocols, which should enable an “interoperable approach” to domain-name-based lockdown.