Microsoft Bringing Zero Trust to DNS Security

Microsoft has announced that Zero Trust DNS (ZTDNS), which aims to restrict device access to untrusted domains in Windows, is currently in private preview.

In a blog post announcing the private preview, Microsoft stated that ZTDNS was crafted with interoperability in mind, leveraging network protocols from open standards to meet Zero Trust criteria outlined in OMB M-22-09 and NIST SP 800-207. This solution will provide an option to administrators seeking to utilize domain names as indicators of network traffic.

Per Microsoft:

By using ZTDNS to augment their Zero Trust deployments, administrators can achieve name labeling of all outbound IPv4 and IPv6 traffic without relying on intercepting plain-text DNS traffic, engaging in an arms race to identify and block encrypted DNS traffic from apps or malware, inspecting the soon-to-be encrypted SNI, or relying on vendor-specific networking protocols. Instead, administrators can block all traffic whose associated domain name or named exception cannot be identified.

In the blog post, Microsoft's Tommy Jensen, of the Windows Core Networking team, breaks down exactly how ZTDNS will work:

  • Provisioning of Protective DNS Servers: Windows is provisioned with a set of DNS servers capable of DNS over HTTPS (DoH) or DNS over TLS (DoT), expected to resolve only allowed domain names. This provisioning may also include a list of approved IP address subnets and certificates for server validation.
  • Traffic Blocking: Windows blocks all outbound IPv4 and IPv6 traffic except for connections to the Protective DNS servers and essential network discovery traffic.
  • Dynamic Allow Listing: DNS responses from Protective DNS servers trigger outbound exceptions for the corresponding IP addresses, allowing connections to approved destinations.
  • Default Deny Policy: Traffic to IP addresses not learned through ZTDNS or listed as exceptions is blocked by default, assuming all traffic is forbidden unless explicitly allowed.
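As an added illustration of the four steps above (constructed here, not Microsoft's code), the following Python model enforces the default-deny policy: it allows the provisioned Protective DNS servers and named exceptions, learns per-IP exceptions only from answers returned by a provisioned resolver, and expires them with the record TTL. The `ZtdnsPolicyModel` class, its method names and the sample addresses are assumptions made for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


def _norm(ip: str) -> str:
    # Canonical text form so IPv4 and IPv6 literals compare reliably.
    return ipaddress.ip_address(ip).compressed


@dataclass
class ZtdnsPolicyModel:
    """Hypothetical model of ZTDNS outbound enforcement; not Windows code."""
    protective_dns: set[str]                                  # step 1: provisioned DoH/DoT resolvers
    static_exceptions: set[str] = field(default_factory=set)  # admin-named exceptions
    learned: dict[str, tuple[str, float]] = field(default_factory=dict)  # ip -> (name, expiry)

    def __post_init__(self) -> None:
        self.protective_dns = {_norm(ip) for ip in self.protective_dns}
        self.static_exceptions = {_norm(ip) for ip in self.static_exceptions}

    def on_dns_response(self, resolver_ip: str, name: str,
                        answers: list[str], ttl: int, now: float) -> bool:
        """Step 3: only answers from a Protective DNS server create outbound exceptions."""
        if _norm(resolver_ip) not in self.protective_dns:
            return False  # an answer from an unprovisioned resolver labels nothing
        for ip in answers:
            self.learned[_norm(ip)] = (name, now + ttl)
        return True

    def decide(self, dst_ip: str, now: float) -> str:
        """Steps 2 and 4: default deny unless the destination carries a known label."""
        dst = _norm(dst_ip)
        if dst in self.protective_dns:
            return "allow:protective-dns"
        if dst in self.static_exceptions:
            return "allow:exception"
        entry = self.learned.get(dst)
        if entry is not None and entry[1] > now:
            return "allow:" + entry[0]  # labeled with the resolved domain name
        return "deny:unlabeled"
```

Expired entries fall back to deny, so a long-lived connection to a learned address must be re-resolved through the Protective DNS server to stay labeled.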

While the new feature will help to block incoming attacks on certain devices, Microsoft said that ZTDNS in its current early state still has some shortcomings. Because of networking concerns and the early development stage of the service, the following can still bypass the feature: VPN and SASE/SSE tunnels, Hyper-V VMs (including WSL), stack-bypass technologies, and deactivation of the feature by local administrators.

Microsoft noted that it will announce when Insiders can start testing ZTDNS once the private preview has concluded.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
