Microsoft plans to lock down Windows DNS like never before. Here’s how.

Good pictures

Translating human-readable domain names into numeric IP addresses has long been fraught with security risks. After all, searches are rarely end-to-end encrypted. Servers that provide domain name lookups provide translations for any IP address—even if they are known to be malicious. And many end-user devices can be easily configured to stop using authorized search servers and use malicious ones instead.

Microsoft offered on Friday to peek In an elaborate framework, the Domain Name System (DNS) aims to sort through the confusion so that it is better locked within Windows networks. This is called ZTDNS (zero trust DNS). Its two main features are (1) encrypted and cryptographically authenticated connections between end-user clients and DNS servers and (2) the ability for administrators to tightly control the domains these servers resolve.

Mine clearance

One reason DNS is such a security minefield is that these two features can be mutually exclusive. Adding cryptographic authentication and encryption to DNS often obscures the visibility administrators need to prevent user devices from connecting to malicious domains or detect anomalous behavior within the network. As a result, DNS traffic is sent in clear text or encrypted to allow administrators to decrypt it. Enemy-in-the-middle attack.

Administrators are left to choose between equally unpleasant options: (1) direct DNS traffic in clear text with no way for the server and client device to authenticate each other, so that malicious domains can be blocked and network monitoring possible, or (2) encrypt and authenticate DNS traffic, allowing domain control and network Remove visibility.

See also  Lee Anderson refuses to apologize for Islamist claims about Sadiq Khan

ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine, a core component of Windows Firewall, with Windows Firewall directly on client devices.

Jake Williams, VP of research and development at consultancy Hunter Strategies, said the union of these previously disparate engines will allow updates to Windows Firewall on a per-domain-name basis. The result is, in essence, a mechanism that allows organizations to tell customers “use our DNS server, it uses TLS, and only resolves certain domains.” Microsoft calls this DNS server or servers a “secure DNS server”.

By default, the firewall denies resolutions to all domains except those listed in whitelists. A separate whitelist contains the IP address subnets on which clients must run authorized software. The key to doing this work is within an organization with rapidly changing needs. Networking security expert Royce Williams (no relation to Jake Williams) called it “a bidirectional API for the firewall layer, so you can both trigger firewall actions (via input *to* the firewall), and trigger external actions based on the firewall. status (* output from firewall). So instead of reinventing the firewall wheel whether you’re an AV vendor or whatever, you join WFP.

Leave a Reply

Your email address will not be published. Required fields are marked *