Microsoft Bringing Zero Trust to DNS Security -- Redmondmag.com

Microsoft Bringing Zero Trust to DNS Security

By Chris Paoli
05/06/2024

Microsoft has announced that Zero Trust DNS (ZTDNS), which aims to restrict device access to untrusted domains in Windows, is currently in private preview.

In a blog post announcing the private preview, Microsoft stated that ZTDNS was crafted with interoperability in mind, leveraging network protocols from open standards to meet Zero Trust criteria outlined in OMB M-22-09 and NIST SP 800-207. This solution will provide an option to administrators seeking to utilize domain names as indicators of network traffic.

Per Microsoft:

By using ZTDNS to augment their Zero Trust deployments, administrators can achieve name labeling of all outbound IPv4 and IPv6 traffic without relying on intercepting plain-text DNS traffic, engaging in an arms race to identify and block encrypted DNS traffic from apps or malware, inspecting the soon-to-be encrypted SNI, or relying on vendor-specific networking protocols. Instead, administrators can block all traffic whose associated domain name or named exception cannot be identified.

In the blog post, Microsoft's Tommy Jensen, of the Windows Core Networking team, breaks down exactly how ZTDNS will work:

Provisioning of Protective DNS Servers: Windows is provisioned with a set of DNS servers capable of DNS over HTTPS (DoH) or DNS over TLS (DoT), expected to resolve only allowed domain names. This provisioning may also include a list of approved IP address subnets and certificates for server validation.
Traffic Blocking: Windows blocks all outbound IPv4 and IPv6 traffic except for connections to the Protective DNS servers and essential network discovery traffic.
Dynamic Allow Listing: DNS responses from Protective DNS servers trigger outbound exceptions for the corresponding IP addresses, allowing connections to approved destinations.
Default Deny Policy: Traffic to IP addresses not learned through ZTDNS or listed as exceptions is blocked by default, assuming all traffic is forbidden unless explicitly allowed.

While the new feature will help to block incoming attacks on certain devices, Microsoft said that ZTDNS in its current early state still has some shortcomings. Because of networking concerns and the development stage of the service, the following can still bypass the security feature: VPN and SASE/SSE tunnels, Hyper-V VMs, including WSL, stack bypass technologies and deactivation of said feature by local administrators.

Microsoft noted that it will announce when Insiders can start testing ZTDNS once the private preview has concluded.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

SQL Server vNext: When and What Is Coming

Ahead of Microsoft Build (and a possible SQL Server announcement), let's break down what we know and speculate about what we don't.
Microsoft Readies Fall Release for System Center 2025

Microsoft this week announced that System Center 2025, the newest version of its long-term servicing channel, will be generally available in the fall of 2024.
2 Zero-Day Flaw Highlights Small Microsoft May Patch

After April's larger-than-usual security update, Microsoft has pumped the brakes for May, issuing a slimmed-down 59 CVEs (Common Vulnerabilities and Exposures).
How Big Are the AI Security and Privacy Pitfalls?

Enterprise IT has been thrusted the task of integrating gen AI into their environments, while grappling with emerging security and ethical issues.
OpenAI Demonstrates Next Evolution of ChatGPT

OpenAI on Monday announced a new iteration of its flagship GPT-4 large multimodal language model.