Microsoft's 'Zero Trust DNS' could finally rid Windows of widespread DNS vulnerabilities

zohaibahd
The big picture: The domain name lookup process is one of the most significant holes in network security. Despite being crucial for translating human-friendly domain names into the IP addresses computers actually connect to, classic DNS is too "open." Everything from your browser to apps to operating system components sends its lookups as plaintext, typically over UDP, so anyone on the path can read them (snooping) or answer them with a bogus address (hijacking).

Microsoft is finally doing something about this DNS vulnerability. The company recently released a preview of its new "Zero Trust DNS" (ZTDNS) framework to secure Windows DNS traffic. From what we have seen, it's a pretty comprehensive security overhaul.

The core concept behind ZTDNS is just as it sounds: never trust a name resolution, or the connection it leads to, until it has been validated. Under this model, a Windows PC configured for Zero Trust DNS will flatly refuse to connect to any server unless the lookup for its domain name was sent over an encrypted, authenticated channel (DNS over HTTPS or DNS over TLS) to a resolver the organization has explicitly approved, and that resolver returned the address the PC is trying to reach.

"[Zero Trust DNS] renders the use of hard-coded IP addresses or unapproved encrypted DNS servers irrelevant without having to introduce TLS termination and miss out on the security benefits of end-to-end encryption," Microsoft explains.

Zero Trust DNS builds on two existing Windows components: the DNS client, which performs the lookups, and the Windows Filtering Platform (WFP), which enforces the network policy. When enabled, ZTDNS blocks all outbound IPv4 and IPv6 traffic by default, with exceptions only for the approved DNS servers and the bare minimum needed to get on the network (DHCP and neighbor discovery). From then on, each IP address that an approved DNS server returns in a response unlocks a WFP exception for that destination, allowing the app or service that asked for the name to connect. A connection to any other address, including a hard-coded IP or one obtained from an unapproved encrypted resolver, is dropped on the spot.

Microsoft hopes that widespread Zero Trust DNS adoption will block potentially malicious traffic to destinations that were never resolved through an approved server. The framework could shut off entire categories of DNS-based attacks and data exfiltration paths for businesses and high-risk environments.

Of course, the feature is still in the early preview stage, with no firm timeline for a stable release. However, Microsoft has committed to flighting it to Windows Insiders soon for broader testing.

Microsoft is undergoing a security overhaul after the US Cyber Safety Review Board criticized its past security practices as "inadequate." The Board's findings followed major incidents such as the 2023 Exchange Online intrusion. The review prompted CEO Satya Nadella to take action: earlier this week, he sent a company-wide memo instructing employees to prioritize security over everything else.

Microsoft's renewed focus explains the unveiling of the ZTDNS framework, potentially one of the first changes corresponding to the shakeup.

This is exciting news for Windows users! DNS vulnerabilities are a major security concern, and Microsoft's Zero Trust DNS sounds like a big step towards solving that. By validating requests and encrypting lookups, ZTDNS could significantly reduce DNS-based attacks.
 
A zero trust environment is also a zero privacy environment. I can only imagine how much more of your information MS can scrape up with this and send off to the government to build profiles on you, not to mention advertisers.
 
I see this being used in two places:

The first and most obvious is work-from-home devices.

Instead of a work-from-home laptop being able to get DNS from wherever, the feature locks down the DNS server to a "protective DNS server" - a fancy term for a trusted DNS server that a company sets up. That server also (optionally) has a policy for what is allowed to be accessed, anything outside that and the laptop won't be allowed to connect to it because it will be blocked in the firewall - the laptop's Windows Firewall will automatically sync to the DNS server.

This ensures that DNS traffic remains encrypted while also ensuring that organizations can enforce policy on DNS requests (today you can get one or the other, but not both).

The second use case is very similar to the above, but available to everyone. If you set up your system to use a trusted malware-filtering DNS type of system, then you could in theory prevent your machine from connecting to any malware-hosting domains. It could also be used for advertising blocking. The personal use case described here is a bit less interesting, though, since end users can already do this over regular DNS, encrypted or otherwise. The main thing lacking is dynamic firewall protection.

As I understand it, the difference between this use case and the organizational one is that a "protective DNS" server that an organization would create wouldn't have to be a full-fledged DNS server. It could route to other DNS servers to keep the IP address updated while still enforcing domain policy controls. Thus, I expect the organizational use case is the only area where we will see this really used.
 