Microsoft plans to secure Windows DNS like never before. Here’s how.

Translating human-readable domain names into numeric IP addresses has long been fraught with significant security risks. After all, searches are rarely end-to-end encrypted. Servers that provide domain name lookups provide translations for almost any IP address — even when they are known to be malicious. Many end-user devices can easily be configured to stop using approved search servers and use malicious servers instead.

Microsoft on Friday introduced a Glance In a comprehensive framework aimed at untangling the Domain Name System (DNS) clutter so that it is better secured within Windows networks. It is called ZTDNS (Zero Trust DNS). Two main advantages are (1) encrypted and cryptographically authenticated communications between end-user clients and DNS servers and (2) the ability of administrators to tightly restrict the ranges that these servers will resolve.

Clearing the minefield

One of the reasons DNS can become a security minefield is that these two features can be mutually exclusive. Adding cryptographic authentication and encryption to DNS often obscures the visibility that administrators need to prevent user devices from connecting to malicious domains or detect anomalous behavior within the network. As a result, DNS traffic is either sent in clear text or is encrypted in a way that allows administrators to decrypt it in transit over what is essentially a Enemy attack in the middle.

Administrators are left to choose between equally unattractive options: (1) route DNS traffic in clear text with no way for the server and client machine to authenticate each other so that malicious domains can be blocked and the network can be monitored, or (2) encrypt and authenticate DNS traffic and discard From domain control and network visibility.

ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering System – the core component of Windows Firewall – directly into client devices.

The union of these previously disparate engines will allow Windows Firewall updates to be made on a per-domain name basis, said Jake Williams, vice president of research and development at consulting firm Hunter Strategies. The result is a mechanism that allows organizations, in essence, to tell customers “to use only our DNS server, which uses TLS, and will only resolve certain domains,” he said. Microsoft calls this DNS server or servers a “protective DNS server.”

By default, the firewall will reject solutions for all domains except those listed in the allow lists. A separate allow list will contain subnets of IP addresses that clients need to run approved software. The key to getting this work done at scale within an organization with rapidly changing needs. Network security expert Royce Williams (no relation to Jake Williams) described this as “a kind of two-way API for the firewall layer, so you can trigger firewall actions (by input *to* the firewall), and trigger external actions that depend on the firewall Stateful protection (output *from* the firewall). So instead of having to reinvent the firewall wheel if you’re an AV vendor or something else, just call WFP.