Microsoft plans to lock down Windows DNS like never before. Here’s how.

Translating human-readable domain names into numeric IP addresses has long been fraught with major security risks. For one thing, lookups are rarely end-to-end encrypted. The servers that provide domain name lookups will return translations for virtually any IP address, even one known to be malicious. And many end-user devices can easily be configured to stop using authorized lookup servers and use malicious ones instead.

On Friday, Microsoft offered a peek at a comprehensive framework that aims to clean up the chaos in the Domain Name System (DNS) so that it is better protected on Windows networks. It's called ZTDNS (Zero Trust DNS). Its two main features are (1) encrypted and cryptographically authenticated connections between end-user clients and DNS servers and (2) the ability for administrators to strictly restrict the domains these servers will resolve.

Clearing the minefield

One of the reasons DNS has been such a security minefield is that these two features can be mutually exclusive. Adding cryptographic authentication and encryption to DNS often obscures the visibility administrators need to prevent user devices from connecting to malicious domains or to detect anomalous behavior inside a network. As a result, DNS traffic is either sent in plain text or encrypted in a way that allows administrators to decrypt it in transit through what amounts to an adversary-in-the-middle attack.

Administrators are left to choose between equally unappealing options: (1) route DNS traffic in plain text, with no way for the server and client device to authenticate each other, so that malicious domains can be blocked and network monitoring remains possible, or (2) encrypt and authenticate DNS traffic and give up domain control and network visibility.

ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform, the core component of the Windows Firewall, directly inside client devices.

Jake Williams, vice president of research and development at consulting firm Hunter Strategies, said uniting these previously disparate engines would allow Windows Firewall updates to be made on a per-domain-name basis. The result, he said, is a mechanism that essentially allows organizations to tell clients to "only use our DNS server, which uses TLS and will only resolve certain domains." Microsoft calls this DNS server (or servers) the "protective DNS server."

By default, the firewall denies resolutions for all domains except those on allow lists. A separate allow list contains IP address subnets that clients need in order to run authorized software. The key to making this work at scale in a business with rapidly changing needs is what network security expert Royce Williams (no relation to Jake Williams) referred to as "a kind of two-way API for the firewall layer, so you can trigger both firewall actions (by input *into* the firewall) and external actions based on the firewall state (output *from* the firewall). So instead of having to reinvent the firewall wheel as an AV provider or whatever, you just align with WFP."
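The policy model the article describes (a protective resolver that answers only for allow-listed domains, a host firewall that default-denies outbound traffic except to a static subnet allow list and to addresses that resolver just returned, with the opening tied to the DNS answer's TTL) can be made concrete in a small simulation. The code below is an added illustration, not Microsoft's ZTDNS implementation or any Windows Filtering Platform API; the domain list, the subnet list, the answer table and the class names are all constructed for the example.

```python
"""Simulation of a ZTDNS-style outbound policy (illustrative, not Microsoft code).

Two allow lists drive the decision:
  * DOMAIN_ALLOW_LIST: names the protective DNS server is willing to resolve.
  * SUBNET_ALLOW_LIST: IP subnets clients may reach without any resolution
    (e.g. an internal software-distribution segment).
Everything else is denied unless the protective resolver has just returned the
destination address for an allow-listed domain, and that opening lapses with
the answer's TTL.
"""
import ipaddress
import time

# Constructed allow list of domains the protective DNS server will resolve.
DOMAIN_ALLOW_LIST = {"updates.example.com", "intranet.example.com"}

# Constructed static subnet allow list reachable without a DNS resolution.
SUBNET_ALLOW_LIST = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed answer table standing in for the protective resolver's data:
# name -> (address, TTL in seconds).
RESOLVER_ANSWERS = {
    "updates.example.com": ("203.0.113.10", 300),
    "intranet.example.com": ("10.20.5.7", 60),
}


class ProtectiveResolver:
    """Resolves only allow-listed domains; every other query is refused."""

    def resolve(self, name: str):
        name = name.rstrip(".").lower()
        if name not in DOMAIN_ALLOW_LIST:
            return None  # refused: not on the allow list
        return RESOLVER_ANSWERS.get(name)


class HostFirewall:
    """Default-deny outbound filter keyed by destination address.

    Static subnets are always allowed; dynamic entries are opened per resolved
    domain and expire together with the DNS answer's TTL.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be simulated
        self._dynamic = {}           # ip -> (domain, expires_at)

    def permit_from_answer(self, domain: str, ip: str, ttl: int) -> None:
        """Open the firewall for exactly the address the resolver returned."""
        self._dynamic[ip] = (domain, self._clock() + ttl)

    def allows(self, dst_ip: str) -> bool:
        addr = ipaddress.ip_address(dst_ip)
        if any(addr in net for net in SUBNET_ALLOW_LIST):
            return True
        entry = self._dynamic.get(dst_ip)
        if entry is None:
            return False             # never resolved via protective DNS
        _domain, expires_at = entry
        if self._clock() >= expires_at:
            del self._dynamic[dst_ip]  # lease expired with the DNS TTL
            return False
        return True


class ZtdnsClient:
    """Ties resolver and firewall together: a successful resolution is the
    only event that opens a dynamic firewall entry."""

    def __init__(self, resolver: ProtectiveResolver, firewall: HostFirewall):
        self.resolver = resolver
        self.firewall = firewall

    def connect(self, hostname: str):
        answer = self.resolver.resolve(hostname)
        if answer is None:
            return ("denied", f"{hostname} not resolvable via protective DNS")
        ip, ttl = answer
        self.firewall.permit_from_answer(hostname, ip, ttl)
        if not self.firewall.allows(ip):
            return ("denied", f"firewall rejected {ip}")
        return ("allowed", ip)


if __name__ == "__main__":
    client = ZtdnsClient(ProtectiveResolver(), HostFirewall())
    for host in ("updates.example.com", "not-allowed.example.net"):
        print(host, "->", client.connect(host))
    print("direct 10.20.1.1 ->", client.firewall.allows("10.20.1.1"))
    print("direct 198.51.100.1 ->", client.firewall.allows("198.51.100.1"))
```

The point of the simulation is the coupling: a raw connection to an arbitrary address fails even though nothing about that address is individually blocked, because the only way to get a dynamic firewall entry is a resolution through the protective server for a name it agrees to answer. The TTL-bound expiry mirrors why the firewall layer needs the "two-way" interaction Royce Williams describes: the resolver's output has to feed firewall state, and firewall state has to lapse when the DNS answer does.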
