Translating human-readable domain names to numeric IP addresses has long been fraught with significant security risks. For a start, the lookups are rarely end-to-end encrypted. Servers that offer domain name lookups provide translations for almost any domain, even when it is known to be malicious. Many end-user devices can easily be configured to stop using authorized lookup servers and use malicious ones instead.
On Friday, Microsoft unveiled a comprehensive framework aimed at cleaning up the Domain Name System (DNS) so that it is better locked down inside Windows networks. It is called ZTDNS (Zero Trust DNS). Its two key benefits are (1) encrypted and cryptographically authenticated communication between end-user clients and DNS servers, and (2) the ability for administrators to tightly restrict the set of domains these servers will resolve.
Clearing the minefield
One of the reasons DNS has become such a security minefield is that these two features can be mutually exclusive. Adding cryptographic authentication and encryption to DNS often obscures the visibility administrators need to prevent user devices from connecting to malicious domains or to detect unusual behavior inside the network. As a result, DNS traffic is either sent in plain text or encrypted in a way that allows administrators to decrypt it in transit, through what is essentially an adversary-in-the-middle attack.
Administrators are left to choose between equally unappealing options: (1) route DNS traffic in plain text, with no way for server and client to authenticate each other, so that malicious domains can be blocked and the network can be monitored, or (2) encrypt and authenticate DNS traffic and give up both domain control and network visibility.
ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform, the core component of Windows Firewall, directly inside client devices.
Combining these previously disparate engines makes it possible to update Windows Firewall on a per-domain-name basis, said Jake Williams, vice president of research and development at consulting firm Hunter Strategies. The result is a process that essentially allows companies to “tell clients to use only our DNS servers, which use TLS and only resolve certain domains,” he said. Microsoft refers to this DNS server or servers as “protective DNS servers”.
By default, the firewall denies resolution of all domains except those on the allow list. A separate allow list contains the IP address subnets that clients need in order to run authorized software. Being able to do this at scale is key in an organization whose needs change rapidly. Network security expert Royce Williams (no relation to Jake Williams) describes it as “a two-way API for the firewall layer, so you can trigger firewall actions (by *inputting* into the firewall) and trigger external actions based on firewall state (*output* from the firewall). If you’re an AV vendor or something, you just call WFP.”
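To make the two policy rules concrete, here is an added Python model of the client-side behavior described above. It is a constructed illustration for this article, not Microsoft's ZTDNS code: a resolution is permitted only if the query goes to a protective DNS server over an encrypted, authenticated channel for an allow-listed domain, and an outbound connection is permitted only to an IP learned from such a resolution or to an IP inside a separately allow-listed exception subnet. All server addresses, domain names and subnets are constructed placeholders.

```python
"""Simplified model of a ZTDNS-style client policy (constructed example).

Two rules, as described in the article:
  1. DNS resolution is allowed only through a protective DNS server, only
     over an encrypted/authenticated channel, and only for allow-listed domains.
  2. Outbound connections are allowed only to IPs learned from a permitted
     resolution, or to IPs inside an explicitly allow-listed exception subnet.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ZtdnsPolicy:
    protective_servers: set[str]          # IPs of the protective DNS servers
    allowed_domains: list[str]            # exact names or "*.suffix" patterns
    exception_subnets: list[str]          # CIDRs reachable without a DNS answer
    # IPs learned from permitted resolutions, keyed by client name
    _learned: dict[str, set[str]] = field(default_factory=dict)

    def domain_allowed(self, name: str) -> bool:
        """Match a queried name against the allow list.

        "*.corp.example" matches "mail.corp.example" but not the apex
        "corp.example" and not "corp.example.net"."""
        name = name.rstrip(".").lower()
        for pattern in self.allowed_domains:
            pattern = pattern.lower()
            if pattern.startswith("*."):
                if name.endswith(pattern[1:]):     # pattern[1:] == ".corp.example"
                    return True
            elif name == pattern:
                return True
        return False

    def resolve(self, client: str, server: str, encrypted: bool,
                name: str, answer: str) -> tuple[bool, str]:
        """Decide whether a client's DNS query is permitted. If it is, remember
        the answer so a later connection to that IP can be allowed."""
        if server not in self.protective_servers:
            return False, "query not sent to a protective DNS server"
        if not encrypted:
            return False, "query not over an encrypted, authenticated channel"
        if not self.domain_allowed(name):
            return False, f"domain {name} is not on the allow list"
        self._learned.setdefault(client, set()).add(answer)
        return True, f"{name} -> {answer} permitted"

    def connect(self, client: str, dst_ip: str) -> tuple[bool, str]:
        """Decide whether an outbound connection from the client is permitted."""
        for net in self.exception_subnets:
            if ip_address(dst_ip) in ip_network(net):
                return True, f"{dst_ip} is inside exception subnet {net}"
        if dst_ip in self._learned.get(client, set()):
            return True, f"{dst_ip} was learned from a permitted resolution"
        return False, f"{dst_ip} was not resolved through protective DNS"


def demo() -> list[tuple[bool, str]]:
    """Walk one client through allowed and denied lookups and connections.
    Every address below is a constructed placeholder."""
    policy = ZtdnsPolicy(
        protective_servers={"10.0.0.53"},
        allowed_domains=["*.corp.example", "updates.vendor.example"],
        exception_subnets=["10.0.0.0/8"],
    )
    return [
        # permitted: protective server, encrypted, allow-listed domain
        policy.resolve("pc1", "10.0.0.53", True, "mail.corp.example", "203.0.113.10"),
        # denied: client pointed at an unauthorized resolver
        policy.resolve("pc1", "192.0.2.53", True, "mail.corp.example", "203.0.113.10"),
        # denied: plaintext query to the protective server
        policy.resolve("pc1", "10.0.0.53", False, "mail.corp.example", "203.0.113.10"),
        # denied: domain not on the allow list
        policy.resolve("pc1", "10.0.0.53", True, "evil.example.net", "198.51.100.5"),
        # permitted: IP came from the permitted resolution above
        policy.connect("pc1", "203.0.113.10"),
        # denied: IP never resolved through protective DNS (e.g. hard-coded)
        policy.connect("pc1", "198.51.100.5"),
        # permitted: inside the exception subnet
        policy.connect("pc1", "10.1.2.3"),
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

The point the model makes is the one Jake Williams describes: the firewall decision for a destination IP is tied to how that IP was learned, so a connection to an address that never came back from a protective DNS answer is denied even if the address itself is routable. A real deployment would also have to handle TTL expiry of learned answers and the bootstrap traffic needed to reach the protective servers themselves, which is exactly what the exception subnet list is for.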