Microsoft offers zero trust at the DNS level with ZTDNS


Microsoft is implementing stricter security policies and is therefore addressing security at the Domain Name System (DNS) level. The company recently provided insight into how zero trust DNS (ZTDNS) can better secure networks on Windows.

With the new technology, the tech giant wants to better prevent connections between devices or clients and malicious IP addresses. This is done by addressing security at the DNS level: both IPv4 and IPv6 addresses are checked for malicious activity and then blocked.

Microsoft calls the newly developed technology zero trust DNS, or ZTDNS. The technology primarily provides encrypted and cryptographically authenticated connections between end-user devices or clients and DNS servers. Secondly, ZTDNS allows administrators to severely restrict the domain names that these servers will resolve.

All this is intended to minimize the various attack vectors to which DNS servers are vulnerable.

Windows DNS engine and Filtering Platform integration

Under the hood, ZTDNS integrates the Windows DNS engine with the Windows Filtering Platform, which is the most important part of the Windows Firewall. This integration is in turn built directly into end-user devices.

The integration of the previously separate engines in ZTDNS makes it possible to update the Windows Firewall on a per-domain-name basis. This allows companies to instruct their employees’ clients to use only the company’s own DNS server, over TLS, which only gives access to certain domain addresses. Microsoft calls such a DNS server the ‘protective DNS server’.

In this way, the firewall blocks requests to all domain addresses by default, except those specified in allow lists. A separate list permits IP address subnets associated with permitted software used by employees.
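The default-deny decision described above can be modelled in Python to show which outbound connections survive. This is an added example, not Microsoft's code or a Windows API: the class and method names, the domains and the documentation-range addresses are constructed for illustration, and the domain allow list that the article places on the protective DNS server is folded into the model as an assumption.

```python
import ipaddress

class ZtdnsModel:
    """Conceptual model of the default-deny behaviour (hypothetical, not Windows code)."""

    def __init__(self, allowed_domains, exception_subnets, protective_dns_ips):
        self.allowed_domains = {d.lower().rstrip(".") for d in allowed_domains}
        self.exceptions = [ipaddress.ip_network(s) for s in exception_subnets]
        self.dns_servers = {ipaddress.ip_address(a) for a in protective_dns_ips}
        self.resolved = set()  # addresses learned from protective DNS answers

    def on_dns_answer(self, server_ip, name, addresses):
        """Record answer addresses only for an allowed name from the protective server."""
        if ipaddress.ip_address(server_ip) not in self.dns_servers:
            return False  # answers from any other resolver are ignored
        if name.lower().rstrip(".") not in self.allowed_domains:
            return False  # assumption: server-side allow list modelled here
        self.resolved.update(ipaddress.ip_address(a) for a in addresses)
        return True

    def allow_outbound(self, dest_ip):
        """Return (allowed, reason) for an outbound connection attempt."""
        ip = ipaddress.ip_address(dest_ip)
        if ip in self.dns_servers:
            return True, "protective DNS server"
        if ip in self.resolved:
            return True, "resolved via protective DNS"
        if any(ip in net for net in self.exceptions):
            return True, "exception subnet"
        return False, "default deny"

def demo():
    # Constructed sample policy using documentation address ranges only.
    fw = ZtdnsModel(
        allowed_domains=["intranet.example.com"],
        exception_subnets=["198.51.100.0/24", "2001:db8:100::/48"],
        protective_dns_ips=["192.0.2.53"],
    )
    fw.on_dns_answer("192.0.2.53", "intranet.example.com", ["203.0.113.10", "2001:db8::10"])
    fw.on_dns_answer("203.0.113.99", "intranet.example.com", ["203.0.113.66"])  # other resolver
    fw.on_dns_answer("192.0.2.53", "unlisted.example.net", ["203.0.113.77"])    # unlisted name
    probes = ["203.0.113.10", "2001:db8::10", "203.0.113.66", "203.0.113.77",
              "198.51.100.25", "2001:db8:100::5", "192.0.2.53"]
    return {p: fw.allow_outbound(p) for p in probes}

if __name__ == "__main__":
    for dest, (ok, why) in demo().items():
        print(f"{dest:18} {'ALLOW' if ok else 'BLOCK'}  {why}")
```

In this model, an address that was never returned by the protective DNS server and is not in an exception subnet is blocked, which is why software that connects to hard-coded IP addresses needs an entry in the separate subnet list.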

Not without risks

The use of ZTDNS is not entirely without risks. Experts told Ars Technica that the implementation of ZTDNS could disrupt important network operations. To avoid these disruptions, administrators should first make significant changes to network designs.

Tightening security measures

With the introduction of ZTDNS, Microsoft appears to be taking the first steps in tightening its own security measures. These measures, or the lack thereof, have received a lot of criticism in recent months.

The company has now started an extensive process for improvements at multiple levels with its Secure Future Initiative. In addition, the tech giant has also appointed a number of new managers who should significantly improve communication about security with customers, among others.

Techzine recently discussed the security problems at Microsoft in Techzine Talks.
