Microsoft has announced a new upcoming feature that aims to solve a decades-old DNS security conundrum.
The feature is called ZTDNS, or Zero Trust Domain Name System, and is currently going into private preview. Microsoft promised a separate announcement once the feature hits the Insiders program.
In a blog post, Microsoft explained how, almost from the beginning, the process of translating human-readable domain names into IP addresses has posed a major security risk. Because of how DNS was designed, IT administrators have often faced a choice: add cryptographic authentication and encryption to DNS and risk losing visibility into malicious traffic, or carry DNS in clear text, which leaves the server and the client device no way to authenticate each other and is just as risky.
No new protocols
To solve this problem, Microsoft is integrating the Windows DNS engine (the client-side resolver) with the Windows Filtering Platform, the core packet-filtering component that Windows Firewall is built on, directly on the end device.
Commenting to Ars Technica, Jake Williams, VP of research and development at Hunter Strategy, said the integration of these engines will allow Windows Firewall to be updated on a per-domain-name basis. In other words, organizations can tell their clients that they will "only use our DNS server, which uses TLS, and will only resolve certain domains." Microsoft calls this DNS server, or set of servers, the "protective DNS server."
"To use DNS servers as protective DNS servers for ZTDNS lockdown, the minimum requirement is to support DNS over HTTPS (DoH) or DNS over TLS (DoT), as ZTDNS will prevent Windows from using plaintext DNS," Microsoft explained in its blog post. "Optional use of mTLS on the encrypted DNS connections will allow Protective DNS to apply a resolution policy on a per-client basis."
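To make the mechanism concrete, the following Python model ties the three pieces described above together: a protective resolver that answers only over DoH/DoT and only for domains its policy allows, an optional per-client policy keyed on an identity that would in practice come from an mTLS client certificate, and a default-deny host firewall (standing in for the Windows Filtering Platform) that opens an outbound path to an IP address only because the protective resolver returned it, and only for as long as that answer's TTL. This is an added illustration, not Microsoft's implementation and not a Windows API; the class names, the client identity `laptop-42`, and all domain names, addresses and TTLs are constructed for the example.

```python
"""Toy model of ZTDNS-style domain-name-based lockdown.

Added illustration, not Microsoft's code and not the Windows API. All names,
addresses, TTLs and the client identity below are constructed sample data.
"""
from dataclasses import dataclass, field

ENCRYPTED = {"doh", "dot"}   # the only transports a protective resolver accepts

# Constructed zone data: what the protective resolver *could* answer.
ZONE = {
    "intranet.example.com": (["10.0.0.5"], 300),
    "updates.example.com": (["203.0.113.10", "203.0.113.11"], 60),
    "evil.example.net": (["198.51.100.7"], 300),   # resolvable, but never allowed
}


class ProtectiveResolver:
    """Resolves only policy-allowed names, and only over an encrypted transport."""

    def __init__(self, default_policy, per_client_policy=None):
        self.default_policy = set(default_policy)
        self.per_client_policy = {k: set(v) for k, v in (per_client_policy or {}).items()}

    def resolve(self, name, transport, client_id=None):
        if transport not in ENCRYPTED:
            # ZTDNS disables plaintext DNS entirely; modelled as a hard refusal.
            raise PermissionError(f"plaintext transport {transport!r} refused")
        name = name.rstrip(".").lower()
        # client_id is trusted only when it came from mTLS; without one, the
        # default policy applies.
        policy = self.per_client_policy.get(client_id, self.default_policy)
        if name not in policy:
            return None            # policy-refused: behaves like NXDOMAIN
        return ZONE.get(name)      # (ips, ttl), or None if genuinely unknown


@dataclass
class LockdownFirewall:
    """Default-deny outbound filter keyed on resolver-learned IPs and their TTL."""
    allowed: dict = field(default_factory=dict)   # ip -> expiry timestamp

    def learn(self, ips, ttl, now):
        for ip in ips:
            self.allowed[ip] = now + ttl

    def permits(self, ip, now):
        expiry = self.allowed.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.allowed[ip]   # stale answer: the hole closes with the TTL
            return False
        return True


class Endpoint:
    """DNS client and firewall wired together, as on a ZTDNS-enrolled host."""

    def __init__(self, resolver, firewall, client_id=None):
        self.resolver, self.firewall, self.client_id = resolver, firewall, client_id

    def connect(self, name, now, transport="doh"):
        """Return the IP the connection was allowed to reach, or None if blocked."""
        try:
            answer = self.resolver.resolve(name, transport, self.client_id)
        except PermissionError:
            return None
        if answer is None:
            return None
        ips, ttl = answer
        self.firewall.learn(ips, ttl, now)
        ip = ips[0]
        return ip if self.firewall.permits(ip, now) else None

    def connect_ip(self, ip, now):
        """A direct-to-IP connection that skipped DNS (e.g. a hard-coded address)."""
        return self.firewall.permits(ip, now)


def demo():
    resolver = ProtectiveResolver(
        default_policy={"intranet.example.com"},
        per_client_policy={"laptop-42": {"intranet.example.com", "updates.example.com"}},
    )
    host = Endpoint(resolver, LockdownFirewall(), client_id="laptop-42")
    anon = Endpoint(resolver, LockdownFirewall())   # no mTLS identity
    t0 = 1_000.0
    return {
        "allowed": host.connect("intranet.example.com", t0),                     # "10.0.0.5"
        "per_client": host.connect("updates.example.com", t0),                    # "203.0.113.10"
        "no_mtls": anon.connect("updates.example.com", t0),                       # None
        "denied_domain": host.connect("evil.example.net", t0),                    # None
        "plaintext": host.connect("intranet.example.com", t0, transport="udp53"), # None
        "direct_ip": host.connect_ip("198.51.100.7", t0),                         # False
        "ttl_expired": host.connect_ip("203.0.113.10", t0 + 61),                  # False
        "still_valid": host.connect_ip("10.0.0.5", t0 + 61),                      # True
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome:14s} -> {value}")
```

The point the model makes is the one Williams describes: the firewall never needs an IP allowlist of its own. An address becomes reachable only by being returned from the protective resolver, so a process that hard-codes an IP, or that tries to resolve a name over plaintext port 53, finds the path closed; and the per-client policy shows why mTLS on the DoH/DoT connection matters, since without an authenticated identity the resolver can only apply its default policy.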
Finally, Microsoft emphasized that ZTDNS introduces no new network protocols, which should make for an "interoperable approach" to domain-name-based lockdown.