Microsoft just gave us a first look at the future of its DNS services
Zero Trust DNS is coming from Microsoft
Microsoft has announced a new, upcoming feature, that aims to solve a decades-old conundrum with DNS security.
The feature is called ZTDNS, or Zero Trust Domain Name System, and is currently entering private preview. Microsoft promised a separate announcement once the feature makes it to the Insiders program.
In a blog post, Microsoft explained how virtually since its inception, the process of translating human-readable domain names into IP addresses was, from a security standpoint, a major risk. Due to the way DNS was designed, IT admins were often faced with a choice: to either add cryptographic authentication and encryption to DNS and risk losing visibility over malicious traffic, or route DNS traffic in clear text and leave no option for the server and the client device to authenticate each other, which is as equally risky.
No new protocols
To solve this problem, Microsoft decided to integrate the Windows DNS engine with a core part of Windows Firewall - Windows Filtering Platform - directly into end devices.
Commenting for Ars Technica, VP of research and development at Hunter Strategy, Jake Williams, said integrating these engines will allow Windows Firewall to be updated with a per-domain name basis. In other words, organizations will be able to tell clients “only use our DNS server, that uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server or servers the “protective DNS server.”
“For DNS servers to be used as Protective DNS servers for ZTDNS lockdown, the minimum requirement is to support either DNS over HTTPS (DoH) or DNS over TLS (DoT), as ZTDNS will prevent the use of plain-text DNS by Windows,” Microsoft explained in its blog post. “Optionally, use of mTLS on the encrypted DNS connections will allow Protective DNS to apply per-client resolution policies.”
To conclude, Microsoft stressed that ZTDNS doesn’t include new network protocols, which should enable an “interoperable approach” to domain-name-based lockdown.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
More from TechRadar Pro
- You’ve embraced Zero Trust, now let’s make it a reality
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.